Ransom.Win32.LOCKBIT.X

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• %ProgramData%\trevZifxf.ico → icon used for all encrypted files.
• %ProgramData%\trevZifxf.bmp → image to set as system wallpaper after encryption.
• %ProgramData%\{Random}.tmp → used to delete the malware, deleted afterwards

(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Documents and Settings\All Users on Windows Server 2003(32-bit), 2000(32-bit) and XP.)

It adds the following processes:

• %ProgramData%\{Random}.tmp
• "%System%\cmd.exe" /C DEL /F /Q %ProgramData%\{Random}.tmp >> NUL

(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Documents and Settings\All Users on Windows Server 2003(32-bit), 2000(32-bit) and XP.. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Global\{Generated Hash}

Other System Modifications

This Ransomware adds the following registry entries:

HKEY_LOCAL_MACHINE\Software\Classes\
.trevZifxf
(Default) = trevZifxf

HKEY_LOCAL_MACHINE\Software\Classes\
trevZifxf\DefaultIcon
(Default) = %ProgramData%\trevZifxf.ico

HKEY_CLASSES_ROOT\trevZifxf\DefaultIcon
(Default) = %ProgramData%\trevZifxf.ico

HKEY_CLASSES_ROOT\.trevZifxf
(Default) = trevZifxf

It adds the following registry keys as part of its installation routine:

HKEY_LOCAL_MACHINE\Software\Classes\
.trevZifxf

HKEY_LOCAL_MACHINE\Software\Classes\
trevZifxf

HKEY_LOCAL_MACHINE\Software\Classes\
trevZifxf\DefaultIcon

HKEY_CLASSES_ROOT\.trevZifxf

HKEY_CLASSES_ROOT\trevZifxf

HKEY_CLASSES_ROOT\trevZifxf\DefaultIcon

It changes the desktop wallpaper by modifying the following registry entries:

HKEY_CURRENT_MACHINE\Control Panel\Desktop
WallPaper = %ProgramData%\trevZifxf.bmp

It sets the system's desktop wallpaper to the following image:

• %ProgramData%\trevZifxf.bmp
  

Process Termination

This Ransomware terminates the following services if found on the affected system:

• backup
• GxBlr
• GxCIMgr
• GxCVD
• GxFWD
• GxVss
• memtas
• mepocs
• msexchange
• sophos
• sql
• svc$
• veeam
• vss

It terminates the following processes if found running in the affected system's memory:

• agntsvc
• calc
• dbeng50
• dbsnmp
• encsvc
• excel
• firefox
• infopath
• isqlplussvc
• msaccess
• mspub
• mydesktopqos
• mydesktopservice
• notepad
• ocautoupds
• ocomm
• ocssd
• onedrive
• onenote
• oracle
• outlook
• powerpnt
• sqbcoreservice
• sql
• steam
• synctime
• tbirdconfig
• thebat
• thunderbird
• visio
• winword
• wordpad
• wuauclt
• xfssvccon

Other Details

This Ransomware does the following:

• It changes the encrypted file icon to the following image:
  
• It encrypts fixed, removable and network shares
• If not executed with admin rights, it will attempt relaunch itself as admin by elevating its privileges via bypassing UAC.
• It deletes files in recycle bin folder for removable and fixed drives
• It uses WQL to delete shadow copies
• It deletes the following services:
  • WdBoot
  • WdFilter
  • WdNisDrv
  • WdNisSvc
  • WinDefend
  • wscsvc
  • sppsvc
  • Sense
  • SecurityHealthService

It accepts the following parameters:

• -safe →Reboots in safeboot, then encrypts the user's machine
• -wall → Changes system Wallpaper and Print ransom note on printers then deletes itself after renaming for 26 times.
• -path {target} → Specifically encrypt the target, can be file or folder
• -del → Deletes itself after renaming for 26 times.

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• autorun.inf
• boot.ini
• bootfont.bin
• bootsect.bak
• d3d9caps.dat
• desktop.ini
• GDIPFONTCACHEV1.DAT
• iconcache.db
• ntldr
• ntuser.dat
• ntuser.dat.log
• ntuser.ini
• thumbs.db

It avoids encrypting files found in the following folders:

• $recycle.bin
• $windows.~bt
• $windows.~ws
• all users
• boot
• config.msi
• default
• intel
• microsoft
• msocache
• perflogs
• program files
• program files (x86)
• programdata
• public
• system volume information
• tor browser
• windows
• windows.old
• x64dbg

It appends the following extension to the file name of the encrypted files:

• .trevZifxf

It drops the following file(s) as ransom note:

• {Encrypted Directory}\trevZifxf.README.txt
  

It avoids encrypting files with the following file extensions:

• 386
• adv
• ani
• bat
• bin
• cab
• cmd
• com
• cpl
• cur
• deskthemepack
• diagcab
• diagcfg
• diagpkg
• dll
• drv
• exe
• hlp
• hta
• icl
• icns
• ico
• ics
• idx
• key
• ldf
• lnk
• lock
• mod
• mpa
• msc
• msi
• msp
• msstyles
• msu
• nls
• nomedia
• ocx
• pdb
• prf
• ps1
• rom
• rtp
• scr
• search-ms
• shs
• spl
• sys
• theme
• themepack
• wpx