Ransom.Win32.LOCKBIT.EOA

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Übertragungsdetails

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

Fügt die folgenden Prozesse hinzu:

• if -safe is used:
  • bcdedit /set {current} safeboot network

Prozessbeendigung

Beendet die folgenden Dienste, wenn sie auf dem betroffenen System gefunden werden:

• backup
• GxBlr
• GxCIMgr
• GxCVD
• GxFWD
• GxVss
• memtas
• mepocs
• msexchange
• sophos
• sql
• svc$
• veeam
• vss

Beendet Prozesse oder Dienste, die einen oder mehrere dieser Zeichenfolgen enthalten, wenn sie im Speicher des betroffenen Systems ausgeführt werden:

• agntsvc
• calc
• dbeng50
• dbsnmp
• encsvc
• excel
• firefox
• infopath
• isqlplussvc
• msaccess
• mspub
• mydesktopqos
• mydesktopservice
• notepad
• ocautoupds
• ocomm
• ocssd
• onenote
• oracle
• outlook
• powerpnt
• sqbcoreservice
• sql
• steam
• synctime
• tbirdconfig
• thebat
• thunderbird
• visio
• winword
• wordpad
• wuaclt
• xfssvccon

Andere Details

Es macht Folgendes:

• If not executed with admin rights, it will attempt relaunch itself as admin by elevating its privileges via bypassing UAC
• It encrypts fixed, removable and network drives
• It deletes files in recycle bin folder for removable and fixed drives
• It uses WQL to delete shadow copies
• It deletes the following services:
  • wdnissvc
  • WinDefend
  • wscsvc
  • sppsvc
  • Sense
  • SecurityHealthService
• It attempts logging in to infected machine using specific sets of email and password.