Ransom.Linux.HELLOKITTY.YXBHM

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It encrypts files with specific file extensions. It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• {Malware Folder}/work.log → Contains log of actions done.

It adds the following processes:

• If ran with the argument -k:
  • esxcli vm process list
  • esxcli vm process kill -t=soft -w={id}
  • esxcli vm process kill -t=hard -w={id}
  • esxcli vm process kill -t=force -w={id}

Other Details

This Ransomware accepts the following parameters:

• -v - Enable Verbose Logging.
• -d - Run as Daemon.
• -k - Kill running EXSi VM.
• -e - Encrypt VM files.
• {Starting Folder} - Starting Directory to Encrypt.
• -m (10-20-25-33-50)

Ransomware Routine

This Ransomware encrypts files with the following extensions:

• If ran with the argument -e:
  • .vmdk
  • .vmx
  • .vmsd
  • .vmsn

It avoids encrypting files with the following strings in their file name:

• .crypt
• .README_TO_RESTORE
• .tmp_
• If not ran with the argument -e:
  • .a
  • .so
  • .la
  • .xxx

It avoids encrypting files with the following strings in their file path:

• /bin
• /boot
• /dev
• /etc
• /lib
• /lib32
• /lib64
• /lost+found
• /proc
• /run
• /sbin
• /usr/bin
• /usr/include
• /usr/lib
• /usr/lib32
• /usr/lib64
• /usr/sbin
• /sys
• /usr/libexec
• /usr/share
• /var/lib

It appends the following extension to the file name of the encrypted files:

• .crypt

It drops the following file(s) as ransom note:

• {Encrypted Folder}/{Original Filename}.{Original File Extension}.tmp_.README_TO_RESTORE