Ransom.Win64.PROTOZOLA.A

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware adds the following processes:

• %System%\cmd.exe /c vssadmin Delete Shadows /all /quiet
• %System%\cmd.exe /c bcdedit /set {default} recoveryenabled No
• %System%\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
• %System%\cmd.exe /c wmic SHADOWCOPY /nointeractive

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• 4B991369-7C7C-47AA-A81E-EF6ED1F5E24C

Autostart Technique

This Ransomware drops the following file(s) in the Startup Items folder to enable its automatic execution at every system startup:

• {victim ID}.exe → dropped copy

Other System Modifications

This Ransomware adds the following registry entries:

HKEY_CURRENT_USER\Software\Proton
public = {hex values}

HKEY_CURRENT_USER\Software\Proton
full = {hex values}

It sets the system's desktop wallpaper to the following image:

• %Program Data%\{victim ID}.bmp
  

Process Termination

This Ransomware terminates the following services if found on the affected system:

• wrapper
• DefWatch
• ccEvtMgr
• ccSetMgr
• SavRoam
• Sqlservr
• sqlagent
• sqladhlp
• Culserver
• RTVscan
• sqlbrowser
• SQLADHLP
• QBIDPService
• IntuitQuickBooksFCS
• QBCFMonitorService
• msmdsrv
• tomcat6
• zhudongfangyu
• vmware-usbarbitator64
• vmware-converter
• dbsrv12
• dbeng8
• MSSQL$MICROSOFT##WID
• MSSQL$VEEAMSQL2012
• SQLAgent$VEEAMSQL2012
• SQLBrowser
• SQLWriter
• FishbowlMySQL
• MSSQL$MICROSOFT##WID
• MySQL57
• MSSQL$KAV_CS_ADMIN_KIT
• MSSQLServerADHelper100
• SQLAgent$KAV_CS_ADMIN_KIT
• msftesql-Exchange
• MSSQL$MICROSOFT##SSEE
• MSSQL$SBSMONITORING
• MSSQL$SHAREPOINT
• MSSQLFDLauncher$SBSMONITORING
• MSSQLFDLauncher$SHAREPOINT
• SQLAgent$SBSMONITORING
• SQLAgent$SHAREPOINT
• QBFCService
• QBVSS
• YooBackup
• YooIT
• vss
• sql
• svc$
• MSSQL
• MSSQL$
• memtas
• mepocs
• sophos
• veeam
• backup
• bedbg
• PDVFSService
• BackupExecVSSProvider
• BackupExecAgentAccelerator
• BackupExecAgentBrowser
• BackupExecDiveciMediaService
• BackupExecJobEngine
• BackupExecManagementService
• BackupExecRPCService
• MVArmor
• MVarmor64
• stc_raw_agent
• VSNAPVSS
• VeeamTransportSvc
• VeeamDeploymentService
• VeeamNFSSvc
• AcronisAgent
• ARSM
• AcrSch2Svc
• CASAD2DWebSvc
• CAARCUpdateSvc
• WSBExchange
• MSExchange
• MSExchange$

It terminates the following processes if found running in the affected system's memory:

• wxServer
• wxServerView
• sqlmangr
• RAgui
• supervise
• Culture
• Defwatch
• winword
• QBW32
• QBDBMgr
• qbupdate
• axlbridge
• httpd
• fdlauncher
• MsDtSrvr
• java
• 360se
• 360doctor
• wdswfsafe
• fdhost
• GDscan
• ZhuDongFangYu
• QBDBMgrN
• mysqld
• AutodeskDesktopApp
• acwebbrowser
• Creative Cloud
• Adobe Desktop Service
• CoreSync
• Adobe CEF
• Helper
• node
• AdobeIPCBroker
• sync-taskbar
• sync-worker
• InputPersonalization
• AdobeCollabSync
• BrCtrlCntr
• BrCcUxSys
• SimplyConnectionManager
• SimplySystemTrayIcon
• fbguard
• fbserver
• ONENOTEM
• wsa_service
• koaly-exp-engine-service
• TeamViewer_Service
• TeamViewer
• tv_w32
• tv_x64
• TitanV
• Ssms
• notepad
• RdrCEF
• sam
• oracle
• ocssd
• dbsnmp
• synctime
• agntsvc
• isqlplussvc
• xfssvccon
• mydesktopservice
• ocautoupds
• encsvc
• tbirdconfig
• mydesktopqos
• ocomm
• dbeng50
• sqbcoreservice
• excel
• infopath
• msaccess
• mspub
• onenote
• outlook
• powerpnt
• steam
• thebat
• thunderbird
• visio
• wordpad
• bedbh
• vxmon
• benetns
• bengien
• pvlsvr
• beserver
• raw_agent_svc
• vsnapvss
• CagService
• DellSystemDetect
• EnterpriseClient
• ProcessHacker
• Procexp64
• Procexp
• GlassWire
• GWCtlSrv
• WireShark
• dumpcap
• j0gnjko1
• Autoruns
• Autoruns64
• Autoruns64a
• Autorunsc
• Autorunsc64
• Autorunsc64a
• Sysmon
• Sysmon64
• procexp64a
• procmon
• procmon64
• procmon64a
• ADExplorer
• ADExplorer64
• ADExplorer64a
• tcpview
• tcpview64
• tcpview64a
• avz
• tdsskiller
• RaccineElevatedCfg
• RaccineSettings
• Raccine_x86
• Raccine
• Sqlservr
• RTVscan
• sqlbrowser
• tomcat6
• QBIDPService
• notepad++
• SystemExplorer
• SystemExplorerService
• SystemExplorerService64
• Totalcmd
• Totalcmd64
• VeeamDeploymentSvc

Other Details

This Ransomware does the following:

• It empties the Recycle Bin.
• It terminates itself if the keyboard layout is the following:
  • Persian

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• ntldr
• ntuser.dat.log
• bootsect.bak
• autorun.inf
• thumbs.db
• iconcache.db
• #read-for-recovery.txt

It avoids encrypting files found in the following folders:

• intel
• msocache
• $recycle.bin
• system volume information
• $windows.~bt
• $windows.~ws
• boot
• windows nt
• msbuild
• all users
• microsoft
• common files

It appends the following extension to the file name of the encrypted files:

• {original filename}.{original extension}.amgdecode@proton.me.Zola

It drops the following file(s) as ransom note:

• %Desktop%\#Read-for-recovery.txt
• {encrypted directory}\#Read-for-recovery.txt
  

It avoids encrypting files with the following file extensions:

• .exe
• .dll
• .msi
• .bmp
• .ico
• .zola