Ransom.Win32.BEAST.YPEGI

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• %User Temp%\default.key

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• BEAST HERE?

Process Termination

This Ransomware terminates the following services if found on the affected system:

• AcronisAgent
• AcrSch2Svc
• backup
• BackupExecAgentAccelerator
• BackupExecAgentBrowser
• BackupExecDiveciMediaService
• BackupExecJobEngine
• BackupExecManagementService
• BackupExecRPCService
• BackupExecVSSProvider
• CAARCUpdateSvc
• CASAD2DWebSvc
• ccEvtMgr
• ccSetMgr
• DefWatch
• GxBlr
• GxCIMgr
• GxCVD
• GxFWD
• GxVss
• Intuit.QuickBooks.FCS
• memtas
• mepocs
• msexchange
• PDVFSService
• QBCFMonitorService
• QBFCService
• QBIDPService
• RTVscan
• SavRoam
• sophos
• sql
• stc_raw_agent
• svc$
• veeam
• VeeamDeploymentService
• VeeamNFSSvc
• VeeamTransportSvc
• VSNAPVSS
• vss
• wscsvc
• wuauserv
• YooBackup
• YooIT
• zhudongfangyu
• MSSQLFDLauncher
• MSSQLSERVER
• SQLSERVERAGENT
• SQLBrowser
• SQLTELEMETRY
• MsDtsServer130
• SSISTELEMETRY130
• SQLWriter
• MSSQL$VEEAMSQL2012
• SQLAgent$VEEAMSQL2012
• MSSQL
• SQLAgent
• MSSQLServerADHelper100
• MSSQLServerOLAPService
• MsDtsServer100
• ReportServer
• SQLTELEMETRY$HL
• TMBMServer
• MSSQL$PROGID
• MSSQL$WOLTERSKLUWER
• SQLAgent$PROGID
• SQLAgent$WOLTERSKLUWER
• MSSQLFDLauncher$OPTIMA
• MSSQL$OPTIMA
• SQLAgent$OPTIMA
• ReportServer$OPTIMA
• msftesql$SQLEXPRESS
• postgresql-x64-9.4

It terminates the following processes if found running in the affected system's memory:

• agntsvc.exe
• encsvc.exe
• isqlplussvc.exe
• apache.exe
• backup.exe
• dbeng50.exe
• dbsnmp.exe
• encsvc.exe
• excel.exe
• firefox.exe
• firefoxconfig.exe
• infopath.exe
• isqlplussvc.exe
• kingdee.exe
• msaccess.exe
• msftesql.exe
• mspub.exe
• mydesktopqos.exe
• mydesktopservice.exe
• mysqld-nt.exe
• mysqld-opt.exe
• mysqld.exe
• ncsvc.exe
• notepad.exe
• ocautoupds.exe
• ocomm.exe
• ocssd.exe
• onenote.exe
• oracle.exe
• outlook.exe
• powerpnt.exe
• sqbcoreservice.exe
• sql.exe
• sqlagent.exe
• sqlbrowser.exe
• sqlserver.exe
• sqlservr.exe
• sqlwriter.exe
• steam.exe
• synctime.exe
• tbirdconfig.exe
• thebat.exe
• thunderbird.exe
• tomcat.exe
• tomcat6.exe
• u8.exe
• ufida.exe
• visio.exe
• winword.exe
• wordpad.exe
• xfssvccon.exe

Other Details

This Ransomware connects to the following URL(s) to get the affected system's IP address:

• https://{BLOCKED}er.co/162c65.torrent51

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• autorun.inf
• boot.ini
• bootfont.bin
• bootmgfw.efi
• bootmgr
• bootmgr.efi
• bootsect.bak
• desktop.ini
• GDIPFONTCACHEV1.DAT
• iconcache.db
• ntdetect.com
• ntldr
• ntuser.dat
• ntuser.dat.log
• ntuser.ini
• thumbs.db

It avoids encrypting files found in the following folders:

• #recycle.EFI
• Boot.EFI
• Microsoft
• $Recycle.Bin
• $Windows.~bt
• $Windows.~ws
• All Users
• AppData
• Application Data
• Avast Software
• Bitdefender
• Boot
• Common Files
• config.msi
• Embedded Lockdown Manager
• Google
• GoogleChrome
• inetpublogs
• intel
• Internet Explorer
• Microsoft Help
• Microsoft.NET
• Microsoft
• Mozilla Firefox
• Mozilla
• MSBuild
• MSOCache
• nvidia
• Opera Software
• Opera
• Package Cache
• PerfLogs
• Reference Assemblies
• System Volume Information
• Tor Browser
• Trend Micro
• Windows Defender Advanced Threat Protection
• Windows Defender
• Windows Journal
• Windows Mail
• Windows Media Player
• Windows Multimedia Platform
• Windows NT
• Windows Photo Viewer
• Windows Portable Devices
• Windows Security
• Windows Sidebar
• Windows.old
• Windows
• WindowsPowerShell

It appends the following extension to the file name of the encrypted files:

• .{{GUID}-BCC19668745C}.Cooseagroup

It drops the following file(s) as ransom note:

• {Encrypted directory}\README.TXT
  

It avoids encrypting files with the following file extensions:

• 386
• adv
• ani
• bat
• bin
• cab
• cmd
• com
• cpl
• cur
• deskthemepack
• diagcab
• diagcfg
• diagpkg
• dll
• drv
• exe
• hlp
• hta
• icl
• icns
• ico
• ics
• idx
• key
• ldf
• lnk
• lock
• mod
• mpa
• msc
• msi
• msp
• msstyles
• msu
• nls
• nomedia
• ocx
• pdb
• prf
• ps1
• rom
• rtp
• scr
• search-ms
• shs
• spl
• sys
• theme
• themepack
• wpx