Ransom.Win64.REDPANDA.YADKTT

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• {Malware Filepath}\{Malware name}.log → contains logs and system information
• {%User Temp%}\{Random Characters}.bat → used to delete itself

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• %User Temp%\{Random Characters}.bat "{Malware File path}\{Malware name}"

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Other System Modifications

This Ransomware adds the following registry entries:

HKEY_CURRENT_USER\Software\Classes\
.crypted\shell\open\
command
{Default} = explorer.exe {Ransom note} → displays the ransom note when an encrypted file is opened.

Process Termination

This Ransomware terminates the following services if found on the affected system:

• SQL
• database
• msexchange

It terminates the following processes if found running in the affected system's memory:

• msftesql.exe
• sqlagent.exe
• sqlbrowser.exe
• sqlwriter.exe
• oracle.exe
• ocssd.exe
• dbsnmp.exe
• synctime.exe
• agntsvc.exe
• isqlplussvc.exe
• xfssvccon.exe
• sqlservr.exe
• encsvc.exe
• ocautoupds.exe
• mydesktopservice.exe
• firefoxconfig.exe
• tbirdconfig.exe
• mydesktopqos.exe
• ocomm.exe
• mysqld.exe
• mysqld-nt.exe
• mysqld-opt.exe
• dbeng50.exe
• sqbcoreservice.exe
• excel.exe
• infopath.exe
• msaccess.exe
• mspub.exe
• onenote.exe
• outlook.exe
• powerpnt.exe
• sqlserver.exe
• thebat.exe
• steam.exe
• thebat64.exe
• thunderbird.exe
• visio.exe
• winword.exe
• wordpad.exe
• QBW32.exe
• QBW64.exe
• ipython.exe
• wpython.exe
• python.exe
• dumpcap.exe
• procmon.exe
• procmon64.exe
• procexp.exe
• procexp64.exe

Information Theft

This Ransomware gathers the following data:

• Core count
• Total memory size
• Operating system information (e.g. version, architecture)
• Computer name
• User name
• Flag to indicate if executed as administrator
• Domain and group into which the machine is included

Other Details

This Ransomware adds the following registry keys:

HKEY_CURRENT_USER\Software\Classes\
.crypted

It does the following:

• It propagates in the network via LDAP domain query in Active Directories and drops copies of itself as:
  • \C$\ProgramData\{Random Character}.exe
• It propagates to the following file paths if found for higher privilege execution:
  • \ADMIN$
  • \IPC$

It accepts the following parameters:

• /LOGON= → specify network username for propagation
• /PASSWORD= → specify network password for propagation
• /CONSOLE → Display log activity through console
  
• /NODEL → disable self-deletion
• /NOKILL→ disable service and process termination
• /NOLOG → Disable logging
• /SHAREALL → encrypt all shared resources
• /NETWORK → encrypt all shared resources
• /PARAMS= → specify command line parameters for launching on other machines
• /TARGET= → specify a path to a file or a directory to encrypt
• /FAST=→ specify buffer size for fast encryption
• /MIN=→ specify minimum file size to encrypt
• /MAX=→ specify minimum file size to encrypt
• /FULLPD→ enable encryption in Program Files, Program Files (x86), ProgramData, and SQL
• /MARKER=→ specify an infection marker file name to drop in each encrypted drive

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file path:

• :\windows\
• :\System Volume Information\
• :\$RECYCLE.BIN\
• :\SYSTEM.SAV
• :\WINNT
• :\$WINDOWS.~BT\
• :\windows.old\
• :\PerfLog\
• :\Boot
• :\ProgramData\Microsoft\
• :\ProgramData\Packages\
• $\Windows\
• $\System Volume Information\
• $\$RECYCLE.BIN\
• $\SYSTEM.SAV
• $\WINNT
• $\$WINDOWS.~BT\
• $\windows.old\
• $\PerfLog\
• $\Boot
• $\ProgramData\Microsoft\
• $\ProgramData\Packages\
• \WindowsApps\
• \Microsoft\windows\
• \Local\Packages\
• \Windows Defender
• \microsoft shares\
• \Google\Chrome\
• \Mozilla Firefox\
• \Mozilla\Firefox\
• \Internet Explorer\
• \MicrosoftEdge\
• \Tor Browser\
• \AppData\Local\Temp\

It appends the following extension to the file name of the encrypted files:

• .crypted

It drops the following file(s) as ransom note:

• {Encrypted Directory}\HOWTORECOVER.html
  

It avoids encrypting files with the following file extensions:

• exe
• dll
• sys
• msi
• mui
• inf
• cat
• bat
• cmd
• ps1
• vbs
• ttf
• fon
• lnk