Ransom.Win32.WASTEDLOCKER.AC

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following copies of itself into the affected system:

• %System%\{Generated String}.exe
  • It generates the filename from a list created from registry keys stored in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
• %Application Data%\{Generated String}:bin -> Alternate Data Stream containing a copy of itself

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops the following files:

• %User Temp%\{Malware Filename}.dmp -> deleted afterwards
• %User Temp%\{Generated String}.dmp -> deleted afterwards
• %Application Data%\{Generated String} -> Random Dll or Exe file from %System%
• %User Temp%\lck.log -> Log file

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It adds the following processes:

• %Application Data%\{Generated String}:bin -r
• %System%\vssadmin.exe Delete Shadows /All /Quiet
• %System%\takeown.exe /F %System%\{Generated String}.exe
• %System%\icacls.exe %System%\{Generated String}.exe /reset
• cmd /c choice /t 10 /d y & attrib -h "%Application Data%\{Generated String}" & del "%Application Data%\{Generated String}"
• cmd /c choice /t 10 /d y & attrib -h "{Malware Path}\{Malware Filename}.exe" & del "{Malware Path}\{Malware Filename}.exe"

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Other System Modifications

This Ransomware deletes the following files:

• %System%\{Generated String}.exe
• {Malware Path}\{Malware Filename}.exe
• %Application Data%\{Generated String}

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Other Details

This Ransomware does the following:

• It accepts the following arguments:
  • -r -> Delete shadow copies
  • Copies the ransomware binary file to %System% directory, take ownership of the file, and reset Access Control List permissions
  • Create and run a service. It deletes the service after execution
  • Service Name: {Generated String}
  • Image Path: %System%\{Generated String}.exe -s
  • -s -> Executed Created Service
• This Ransomware encrypts the following drives:
  • Removable Drives
  • Fixed Drives
  • Remote (Network) Drives

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• \NTLDR
• \BOOTMGR
• \GRLDR

It avoids encrypting files with the following strings in their file path:

• \bin\
• \Boot\
• \boot\
• \dev\
• \etc\
• \lib\
• \initdr\
• \sbin\
• \sys\
• \vmlinuz\
• \run\
• \var\
• \System Volume Information\
• \$RECYCLE.BIN\
• \WebCache\
• \Caches\
• \WindowsApps\
• \AppData\
• \ProgramData\
• \Users\All Users\

It avoids encrypting files found in the following folders:

• %All Users Profile%
• %Windows%
• %User Temp%
• %Application Data%
• %System Root%\Recovery
• %Program Files%
• %System Root%\Program Files(x86)

(Note: %All Users Profile% is the common user's profile folder, which is usually C:\Documents and Settings\All Users on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit). . %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It appends the following extension to the file name of the encrypted files:

• {Original Filename}.{Original Extension}.{Target Company Name}wasted

It drops the following file(s) as ransom note:

• {Encrypted Directory}\{Original Filename}.{Original Extension}.{Target Company Name}wasted_info
  • The ransom note is created for each encrypted file
  
  

  

It avoids encrypting files with the following file extensions:

• .{Target Company Name}wasted
• .{Target Company Name}wasted_info
• .386
• .ps1
• .msu
• .ani
• .wpx
• .hlp
• .ocx
• .com
• .cpl
• .adv
• .cmd
• .lnk
• .drv
• .sys
• .icl
• .nls
• .cab
• .bat
• .theme
• .bin
• .key
• .themepack
• .msi
• .icns
• .ics
• .idx
• .hta
• .scr
• .msstyles
• .diagcfg
• .nomedia
• .msc
• .cur
• .mod
• .msp
• .ini
• .dat
• .sdi
• .wim
• .dll
• .exe