RANSOM_SYNCRYPT.A

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It deletes itself after execution.

It encrypts files with specific file extensions. It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• %Desktop%\README\AMMOUNT.txt
• %Desktop%\README\KEY
• %Desktop%\README\readme.png
• %User Temp%\tmp.bat
• %User Temp%\{random capital letters} ← contains list of files.

(Note: %Desktop% is the desktop folder, where it usually is C:\Documents and Settings\{user name}\Desktop in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\Desktop in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It creates the following folders:

• %Desktop%\README
• %User Temp%\BackupClient

(Note: %Desktop% is the desktop folder, where it usually is C:\Documents and Settings\{user name}\Desktop in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\Desktop in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Other Details

This Ransomware does the following:

• It executes the following command:
  
  • cmd /c net view \{username}
  • "%System%\cmd.exe" /c dir {Drive letter}:\ /s /b /a-d >> {random capital letter}

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It deletes itself after execution.

Ransomware Routine

This Ransomware encrypts files with the following extensions:

• .accdb
• .accde
• .accdr
• .adp
• .ach
• .arw
• .asp
• .aspx
• .backup
• .backupdb
• .bak
• .bat
• .bay
• .bdb
• .bgt
• .blend
• .bmp
• .bpw
• .cdf
• .cdr
• .cdr3
• .cdr4
• .cdr5
• .cdr6
• .cdrw
• .cdx
• .cer
• .cfg
• .class
• .cls
• .config
• .contact
• .cpp
• .craw
• .crt
• .crw
• .css
• .csv
• .d3dbsp
• .dbx
• .dcr
• .dcs
• .dds
• .der
• .dif
• .dit
• .doc
• .docm
• .docx
• .dot
• .dotm
• .dotx
• .drf
• .drw
• .dwg
• .dxb
• .dxf
• .edb
• .eml
• .eps
• .fdb
• .flf
• .fpx
• .frm
• .gif
• .gpg
• .gry
• .hbk
• .hpp
• .html
• .hwp
• .jpe
• .jpeg
• .jpg
• .kdbx
• .kdc
• .key
• .jar
• .java
• .laccdb
• .latex
• .ldf
• .lit
• .lua
• .mapimail
• .max
• .mbx
• .mdb
• .mfw
• .mlb
• .mml
• .mmw
• .midi
• .moneywell
• .mocha
• .mpp
• .nef
• .nml
• .nrw
• .oab
• .odb
• .odc
• .odf
• .odg
• .odi
• .odm
• .odp
• .ods
• .odt
• .otg
• .oth
• .otp
• .ots
• .p12
• .pas
• .pab
• .pbm
• .pcd
• .pct
• .pcx
• .pdf
• .pef
• .pem
• .pfx
• .pgm
• .php
• .pict
• .pntg
• .potm
• .potx
• .ppam
• .ppm
• .pps
• .ppsm
• .ppsx
• .ppt
• .pptm
• .pptx
• .ppz
• .prf
• .psd
• .ptx
• .pub
• .qbw
• .qbx
• .qpw
• .raf
• .rtf
• .safe
• .sav
• .save
• .sda
• .sdc
• .sdd
• .sdf
• .sdp
• .skp
• .sql
• .sqlite
• .sqlite3
• .sqlitedb
• .stc
• .std
• .sti
• .stm
• .stw
• .sxc
• .sxg
• .sxi
• .sxm
• .sxw
• .tex
• .txt
• .tif
• .tiff
• .vcf
• .wallet
• .wb1
• .wb2
• .wb3
• .wcm
• .wdb
• .wpd
• .wps
• .xlr
• .xls
• .xlsb
• .xlsm
• .xlsx
• .xlam
• .xlc
• .xlk
• .xlm
• .xlt
• .reg
• .rspt
• .profile
• .djv
• .djvu
• .ms11
• .ott
• .pls
• .png
• .pst
• .xltm
• .xltx
• .xlw
• .xml
• .r00
• .7z
• .7zip
• .vhd
• .aes
• .ait
• .apk
• .arc
• .asc
• .asm
• .asset
• .awg
• .back
• .bkp
• .brd
• .bsa
• .bz2
• .csh
• .das
• .dat
• .dbf
• .db_journal
• .ddd
• .ddoc
• .des
• .design
• .erbsql
• .erf
• .ffd
• .fff
• .fhd
• .fla
• .flac
• .iif
• .iiq
• .indd
• .iwi
• .jnt
• .kwm
• .lbf
• .litesql
• .lz
• .lzh
• .lzma
• .lzo
• .lzx
• .m2ts
• .m4a
• .mdf
• .mid
• .mny
• .mpa
• .mpe
• .mpeg
• .mpg
• .mpga
• .mrw
• .msg
• .mvb
• .myd
• .myi
• .ndf
• .nsh
• .nvram
• .nxl
• .nyf
• .obj
• .ogg
• .ogv
• .p7b
• .p7m
• .p7r
• .p7s
• .package
• .pages
• .pat
• .pdb
• .pdd
• .pfr
• .pnm
• .pot
• .ps
• .psafe3
• .pspimage
• .pwm
• .qba
• .qbb
• .qbm
• .qbr
• .qby
• .qcow
• .qcow2
• .ram
• .rar
• .ras
• .rat
• .raw
• .rdb
• .rgb
• .rjs
• .rtx
• .rvt
• .rwl
• .rwz
• .scd
• .sch
• .scm
• .sd2
• .ser
• .sh
• .shar
• .shw
• .sid
• .sit
• .sitx
• .skm
• .smf
• .snd
• .spl
• .srw
• .ssm
• .sst
• .stx
• .svg
• .svi
• .swf
• .tar
• .tbz
• .tbz2
• .tgz
• .tlz
• .txz
• .uop
• .uot
• .upk
• .ustar
• .vbox
• .vbs
• .vcd
• .vdi
• .vhdx
• .vmdk
• .vmsd
• .vmx
• .vmxf
• .vob
• .vor
• .wab
• .wad
• .wav
• .wax
• .wbmp
• .webm
• .webp
• .wks
• .wma
• .wp5
• .wri
• .wsc
• .wvx
• .xpm
• .xps
• .xsd
• .z
• .zip
• .zoo

It avoids encrypting files with the following strings in their file name:

• windows\
• program files (x86)\
• program files\
• programdata\
• winnt\
• \system volume information\
• \desktop\readme\
• \$recycle.bin\

It appends the following extension to the file name of the encrypted files:

• .kk

It drops the following file(s) as ransom note:

• %Desktop%\README\readme.html

(Note: %Desktop% is the desktop folder, where it usually is C:\Documents and Settings\{user name}\Desktop in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\Desktop in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

NOTES:
The dropped ransom note may contain the following paragraph:

YOUR FILES WERE ENCRYPTED using military grade encryption. The encrypted files have the additional extension .kk. You won't be able to retrieve your data unless you purchase the software provided by us. YOU HAVE EXACTLY 48 HOURS TO MAKE A DECISION OR YOU'LL NEVER SEE YOUR FILES AGAIN. Any atempt to recover your files on your own could damage the files permanently. There is no workaround, that's how encryption is supposed to work. In order to retrieve your data, please follow the steps below:

1. Go to Desktop folder, and open AMMOUNT.txt from within README folder. Obtaining the decryption sofware requires that you send EXACTLY the ammount of Bitcoin (without the transaction fee) that is written within the text file to the following address:(BLOCKED) Note that if the ammount sent doesn't match EXACTLY the ammount in the text file, you will NOT receive the sofware, as it's the only way to validate and confirm the payment.
2. After the payment is done, send an email to ALL of the following addresses {BLOCKED}iles@keemail.me , {BLOCKED}iles@scryptmail.com , {BLOCKED}iles@mail2tor.com containg the file named KEY, located within the README folder on your Desktop, as an Attachment - this file is a locked version of the decryption key (that must be unlocked by us), used to recover your files. DO NOT delete it if you plan to get your files back. The transaction id of the Bitcoin payment Emails that dont contain the KEY file attached will be automatically rejected. As soon as we confirm the payment, you will receive on your email address the decription key together with the required software and the instructions to recover your files. Dont forget, TIME'S RUNNING OUT