Ransom.Win32.LOCKBIT.SMYXCGU

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops and executes the following files:

• %Program Data%\7O80AqiSH.ico → icon used for encrypted files
• %Program Data%\7O80AqiSH.bmp → image used as wallpaper after encryption
• %Program Data%\E6F6.tmp → Detected as Trojan.Win32.KCALBREPUS.THCAIBE
• {Encrypted Directory}\7O80AqiSH.README.txt

Other System Modifications

This Ransomware adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.7O80AqiSH
{Default} = 7O80AqiSH

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
7O80AqiSH\DefaultIcon
{Default} = %Program Data%\7O80AqiSH.ico

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer
GlobalAssocChangedCounter = 36

It changes the desktop wallpaper by modifying the following registry entries:

HKEY_CURRENT_USER\Control Panel\Desktop
Wallpaper = %Program Data%\7O80AqiSH.bmp

It sets the system's desktop wallpaper to the following image:

• %Program Data%\7O80AqiSH.bmp

Process Termination

This Ransomware terminates the following processes if found running in the affected system's memory:

• sql.exe
• oracle.exe
• ocssd.exe
• dbsnmp.exe
• synctime.exe
• agntsvc.exe
• isqlplussvc.exe
• xfssvccon.exe
• mydesktopservice.exe
• ocautoupds.exe
• encsvc.exe
• firefox.exe
• tbirdconfig.exe
• mydesktopqos.exe
• ocomm.exe
• dbeng50.exe
• sqbcoreservice.exe
• excel.exe
• infopath.exe
• msaccess.exe
• mspub.exe
• onenote.exe
• outlook.exe
• powerpnt.exe
• steam.exe
• thebat.exe
• thunderbird.exe
• visio.exe
• winword.exe
• wordpad.exe
• notepad.exe
• msexchange.exe

Other Details

This Ransomware does the following:

• It encrypts fixed, removable, and network shares
• It uses the Windows Restart Manager API to close processes or shut down Windows services that may be keeping a file open and preventing encryption.
• It empties the recycle bin.
• It changes the file icon of the encrypted files into the following image:
  

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• autorun.inf
• boot.ini
• bootfont.bin
• bootsect.bak
• bootmgr
• bootmgr.efi
• bootmgfw.efi
• desktop.ini
• iconcache.db
• ntldr
• ntuser.dat
• ntuser.dat.log
• ntuser.ini
• thumbs.db
• Program Files
• Program Files (x86)
• #recycle
• 7O80AqiSH

It avoids encrypting files with the following strings in their file path:

• AppData
• Boot
• Windows
• Windows.old
• Tor Browser
• Internet Explorer
• Google
• Opera
• Opera Software
• Mozilla
• Mozilla Firefox
• $Recycle.Bin
• ProgramData
• All Users

It appends the following extension to the file name of the encrypted files:

• .7O80AqiSH

It drops the following file(s) as ransom note:

• {Encrypted Directory}\7O80AqiSH.README.txt
  

It avoids encrypting files with the following file extensions:

• .386
• .adv
• .ani
• .bat
• .bin
• .cab
• .cmd
• .com
• .cpl
• .cur
• .deskthemepack
• .diagcab
• .diagcfg
• .diagpkg
• .dll
• .drv
• .exe
• .hlp
• .icl
• .icns
• .ico
• .ics
• .idx
• .ldf
• .lnk
• .mod
• .mpa
• .msc
• .msp
• .msstyles
• .msu
• .nls
• .nomedia
• .ocx
• .prf
• .ps1
• .rom
• .rtp
• .scr
• .shs
• .spl
• .sys
• .theme
• .themepack
• .wpx
• .lock
• .key
• .hta
• .msi
• .pdb
• .search-ms