Ransom.Win32.PHOBOS.JSHSML

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• %AppDataLocal%\{Malware File Name.exe}

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• %AppDataLocal%\{Malware File Name.exe}
• netsh advfirewall set currentprofile state off
• netsh firewall set opmode mode=disable
• "%System%\mshta.exe" "%Desktop%\info.hta"
• "%System%\mshta.exe" "%Public%\Desktop\info.hta"

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\Desktop on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Public% is the folder that serves as a repository of files or folders common to all users, which is usually C:\Users\Public in Windows Vista, 7, and 8.)

Autostart Technique

This Ransomware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{Malware File Name} = %AppDataLocal%\{Malware File Name}.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{Malware File Name} = %AppDataLocal%\{Malware File Name}.exe

It drops the following file(s) in the Startup Items folder to enable its automatic execution at every system startup:

• %User Startup%\{Malware File Name.exe}
• %Common Startup%\{Malware File Name.exe}

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows 2003(32-bit), XP and 2000(32-bit), or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit), 10(64-bit).. %Common Startup% is the startup folder for all users, which is usually C:\Documents and Settings\All Users\Start Menu\Programs\Startup on Windows 2000, XP, and Server 2003, or C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup on Windows Vista, 7, and 8.)

Process Termination

This Ransomware terminates the following processes if found running in the affected system's memory:

• agntsvc.exe
• dbeng50.exe
• dbsnmp.exe
• encsvc.exe
• excel.exe
• firefoxconfig.exe
• infopath.exe
• isqlplussvc.exe
• msaccess.exe
• msftesql.exe
• mspub.exe
• mydesktopqos.exe
• mydesktopservice.exe
• mysqld.exe
• mysqld-nt.exe
• mysqld-opt.exe
• ocautoupds.exe
• ocomm.exe
• ocssd.exe
• onenote.exe
• oracle.exe
• outlook.exe
• powerpnt.exe
• sqbcoreservice.exe
• sqlagent.exe
• sqlbrowser.exe
• sqlservr.exe
• sqlwriter.exe
• steam.exe
• synctime.exe
• tbirdconfig.exe
• thebat.exe
• thebat64.exe
• thunderbird.exe
• visio.exe
• winword.exe
• wordpad.exe
• xfssvccon.exe

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• info.hta
• info.txt
• boot.ini
• bootfont.bin
• ntldr
• ntdetect.com
• io.sys
• {Malware File Name}.exe

It avoids encrypting files with the following strings in their file path:

• Windows

It appends the following extension to the file name of the encrypted files:

• .id[ID-Volume Serial Number].[theblackarrow@{BLOCKED}a.io].devil

It drops the following file(s) as ransom note:

• %Desktop%\info.hta
• %Public%\Desktop\info.hta
  

It leaves text files that serve as ransom notes containing the following text:

• %Desktop%\info.txt
• %Public%\Desktop\info.txt
  

It avoids encrypting files with the following file extensions:

• .actin
• .acton
• .actor
• .acuff
• .acuna
• .acute
• .adage
• .adair
• .adame
• .banhu
• .banjo
• .banks
• .banta
• .barak
• .caleb
• .cales
• .caley
• .calix
• .calle
• .calum
• .calvo
• .deuce
• .dever
• .devil
• .devoe
• .devon
• .devos
• .dewar
• .eight
• .eject
• .eking
• .elbie
• .elbow
• .elder
• .phobos
• .help
• .blend
• .bqux
• .com
• .mamba
• .karlos
• .ddos
• .phoenix
• .plut
• .karma
• .bbc
• .capital
• .wallet