Ransom.Win32.BLACKCAT.D

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• %Desktop%\RECOVER-7xdxxdp-FILES.txt.png → used to change wallpaper

(Note: %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\Desktop on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• "%System%\cmd.exe" /c "iisreset.exe /stop"
• "%System%\cmd.exe" /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"
• "{Malware File Path}\{Malware File Name}" --child --access-token {ACCESS_TOKEN} → Executed multiple times
• "%System%\cmd.exe" /c "vssadmin.exe Delete Shadows /all quiet"
• "%System%\cmd.exe" /c arp -a
• "%System%\cmd.exe" /c "wmic.exe Shadowcopy Delete"
• "%System%\cmd.exe" /c bcdedit set {default} recoveryenabled No
• "%System%\cmd.exe" /c "wevtutil.exe el"
• "%System%\cmd.exe" /c "wevutil.exe cl \"{Windows Event Logs}"
• "%System%\cmd.exe" /c fsutil behavior set SymlinkEvaluation R2R:1
• "%System%\cmd.exe" /c fsutil behavior set SymlinkEvaluation R2L:1
• wmic csproduct get UUID
• "powershell.exe -encodedCommand {Base 64 encoded command} → used to terminate services that has "sql" in its name
• bcdedit /c set {current} safeboot minimal → if the --safeboot parameter is used
• bcdedit /c set {current} safeboot network → if the --safeboot-network parameter is used
• bcdedit /c deletevalue {current} safeboot

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Autostart Technique

This Ransomware adds the following entries to allow itself to run on safe mode:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\3969357994888896545222593337177876501
ImagePath = {Malware File Path}\{Malware File Name} --access-token {ACCESS_TOKEN} --prop-arg-safeboot --safeboot-entry --no-net --no-prop --no-impers → if --safeboot parameter is used

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\3969357994888896545222593337177876501
ImagePath = {Malware File Path}\{Malware File Name} --access-token {ACCESS_TOKEN} --prop-arg-safeboot-network --safeboot-entry → if --safeboot-network parameter is used

Other System Modifications

This Ransomware adds the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\LanmanServer\Parameters
MaxMpxCt = 65535

It changes the desktop wallpaper by modifying the following registry entries:

HKEY_CURRENT_USER\Control Panel\Desktop
Wallpaper = %Desktop%\RECOVER-7xdxxdp-FILES.txt.png

It sets the system's desktop wallpaper to the following image:

• %Desktop%\RECOVER-7xdxxdp-FILES.txt.png
  

Process Termination

This Ransomware terminates the following services if found on the affected system:

• mepocs
• memtas
• veeam
• svc$
• backup
• sql
• vss
• msexchange
• sql$
• mysql
• mysql$
• sophos
• MSExchange
• MSExchange$
• WSBExchange
• PDVFSService
• BackupExecVSSProvider
• BackupExecAgentAccelerator
• BackupExecAgentBrowser
• BackupExecDiveciMediaService
• BackupExecJobEngine
• BackupExecManagementService
• BackupExecRPCService
• GxBlr
• GxVss
• GxClMgrS
• GxCVD
• GxCIMgr
• GXMMM
• GxVssHWProv
• GxFWD
• SAPService
• SAP
• SAP$
• SAPD$
• SAPHostControl
• SAPHostExec
• QBCFMonitorService
• QBDBMgrN
• QBIDPService
• AcronisAgent
• VeeamNFSSvc
• VeeamDeploymentService
• VeeamTransportSvc
• MVArmor
• MVarmor64
• VSNAPVSS
• AcrSch2Svc
• services that has "sql" in its name

It terminates the following processes if found running in the affected system's memory:

• agntsvc
• dbeng50
• dbsnmp
• encsvc
• excel
• firefox
• infopath
• isqlplussvc
• msaccess
• mspub
• mydesktopqos
• mydesktopservice
• notepad
• ocautoupds
• ocomm
• ocssd
• onenote
• oracle
• outlook
• powerpnt
• sqbcoreservice
• sql
• steam
• synctime
• tbirdconfig
• thebat
• thunderbird
• visio
• winword
• wordpad
• xfssvccon
• *sql*
• bedbh
• vxmon
• benetns
• bengien
• pvlsvr
• beserver
• raw_agent_svc
• vsnapvss
• CagService
• QBIDPService
• QBDBMgrN
• QBCFMonitorService
• SAP
• TeamViewer_Service
• TeamViewer
• tv_w32
• tv_x64
• CVMountd
• cvd
• cvfwd
• CVODS
• saphostexec
• saposcol
• sapstartsrv
• avagent
• avscc
• DellSystemDetect
• EnterpriseClient
• VeeamNFSSvc
• VeeamTransportSvc
• VeeamDeploymentSvc

Other Details

This Ransomware does the following:

• It terminates ESXi VMs.
• It clears event logs
• It uses PsExec to propagate.

It accepts the following parameters:

• --access-token {ACCESS_TOKEN} → Access Token
• --drag-and-drop → Invoked with drag and dropped
• --drop-drag-and-drop-target → Drop drag and drop target batch file
• --extra-verbose → Log more to console
• -h, --help → Print help information
• --log-file {LOG_FILE} → Enable logging to specified file
• --no-impers → Do not spawn impersonated processes on Windows
• --no-net → Do not discover network shares on Windows
• --no-prop → Do not self propagate on Windows
• --no-prop-servers {NO_PROP_SERVERS} → Do not propagate to defined servers
• --no-vm-kill → Do not stop VMs on ESXi
• --no-vm-kill-names {NO_VM_KILL_NAMES} → Do not stop defined VMs on ESXi
• --no-vm-snapshot-kill → Do not wipe VMs snapshots on ESXi
• --no-wall → Do not update desktop wallpaper on Windows
• -p, --path {PATHS} → Only process files inside defined paths
• --prop-file {PROP_FILE} → Propagate specified file
• --safeboot → Reboot in safe mode before running on Windows
• --safeboot-instance → Run as safeboot instance on Windows
• --safeboot-network → Reboot in safe mode with networking before running on Windows
• --sleep-restart {SLEEP_RESTART} → Sleep for duration in seconds after successful run and then restart. This is soft persistence, keeps process alive no longer than defined in --sleep-restart duration, 24 hours by default.
• --sleep-restart-duration {SLEEP_RESTART_DURATION} → Keep soft persistence alive for duration in seconds. 24 hours by default.
• --sleep-restart-until {SLEEP_RESTART_UNTIL} → Keep soft persistence alive until defined UTC time in millis. Defaults to 24 hours since launch.
• --ui → Show user interface
• -v, --verbose → Log to console

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file path:

• File Extensions:
  • .deskthemepack
  • .dll
  • .drv
  • .exe
  • .lnk
  • .lock
  • .msc
  • .msstyles
  • .msu
  • .sys
  • .theme
  • .themepack
• File Names:
  • NTUSER.DAT
  • autorun.inf
  • boot.ini
  • desktop.ini
• Directories:
  • \$windows.~bt
  • \$windows.~ws
  • \AppData\Local\Microsoft\GameDVR
  • \AppData\Local\Microsoft\Internet Explorer
  • \AppData\Local\Packages\Microsoft
  • \AppData\Local\Packages\MicrosoftWindows
  • \Boot
  • \PerfLogs
  • \Program Files (x86)\*Edge*
  • \Program Files (x86)\Common Files
  • \Program Files (x86)\Common Files\Microsoft Shared
  • \Program Files (x86)\Common Files\Services
  • \Program Files (x86)\Common Files\System
  • \Program Files (x86)\Internet Explorer
  • \Program Files (x86)\Microsoft.NET
  • \Program Files (x86)\Microsoft\*Edge*
  • \Program Files (x86)\Microsoft\Temp
  • \Program Files (x86)\Windows Defender
  • \Program Files (x86)\Windows Mail
  • \Program Files (x86)\Windows Media Player
  • \Program Files (x86)\Windows Multimedia Platform
  • \Program Files (x86)\Windows NT
  • \Program Files (x86)\Windows Photo Viewer
  • \Program Files (x86)\Windows Portable Devices
  • \Program Files (x86)\Windows Security
  • \Program Files (x86)\Windows Sidebar
  • \Program Files (x86)\WindowsPowerShell
  • \Program Files\Common Files\microsoft shared
  • \Program Files\Common Files\Services
  • \Program Files\Common Files\System
  • \Program Files\Internet Explorer
  • \Program Files\ModifiableWindowsApps
  • \Program Files\Uninstall Information
  • \Program Files\Windows Defender
  • \Program Files\Windows Mail
  • \Program Files\Windows Media Player
  • \Program Files\Windows NT
  • \Program Files\Windows Photo Viewer
  • \Program Files\Windows Portable Devices
  • \Program Files\Windows Security
  • \Program Files\Windows Sidebar
  • \Program Files\WindowsApps
  • \Program Files\WindowsPowerShell
  • \ProgramData\Microsoft\Device Stage
  • \ProgramData\Microsoft\DeviceSync
  • \ProgramData\Microsoft\Diagnosis
  • \ProgramData\Microsoft\DiagnosticLogCSP
  • \ProgramData\Microsoft\DRM
  • \ProgramData\Microsoft\EdgeUpdate
  • \ProgramData\Microsoft\Event Viewer
  • \ProgramData\Microsoft\IdentityCRL
  • \ProgramData\Microsoft\MapData
  • \ProgramData\Microsoft\MF
  • \ProgramData\Microsoft\NetFramework
  • \ProgramData\Microsoft\Network
  • \ProgramData\Microsoft\Provisioning
  • \ProgramData\Microsoft\Search
  • \ProgramData\Microsoft\SmsRouter
  • \ProgramData\Microsoft\Spectrum
  • \ProgramData\Microsoft\Speech_OneCore
  • \ProgramData\Microsoft\Storage Health
  • \ProgramData\Microsoft\User Account Pictures
  • \ProgramData\Microsoft\Vault
  • \ProgramData\Microsoft\WDF
  • \ProgramData\Microsoft\Windows
  • \ProgramData\Microsoft\Windows Defender
  • \ProgramData\Microsoft\Windows NT
  • \ProgramData\Microsoft\Windows Security Health
  • \ProgramData\Microsoft\WinMSIPC
  • \ProgramData\Microsoft\WPD
  • \ProgramData\Packages\Microsoft
  • \ProgramData\Packages\MicrosoftWindows
  • \ProgramData\Packages\USOPrivate
  • \ProgramData\Packages\USOShared
  • \ProgramData\Packages\WindowsHolographicDevices
  • \ProgramData\ssh\
  • \ProgramData\USOPrivate
  • \ProgramData\USOShared
  • \windows
  • \windows.old

It appends the following extension to the file name of the encrypted files:

• .7xdxxdp

It drops the following file(s) as ransom note:

• {Encrypted Directory}\RECOVER-7xdxxdp-FILES.txt
• %Desktop%\RECOVER-7xdxxdp-FILES.txt