Ransom.Win32.CONTI.J

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• {Malware Path}\{Filename from -log argument}.txt → If -log argument is used

It adds the following processes:

• cmd.exe /c %System%\wbem\WMIC.exe shadowcopy where "ID={Shadowcopy ID}" delete → It will repeat this process depending on the number of shadow copies.

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• lslaif8aisuuugnzxbvmdjk

Other Details

This Ransomware does the following:

• Accepts the following arguments:
  • -h {txtfile containing list of hosts to encrypt}
  • -p {txtfile containing list of folders} - Will encrypt first the folders in the list before proceeding to the others
  • -m {all|local|net|backups}
    • all - combination of net and local
    • local - delete backups and encrypt only locally found drives
    • net - delete backupds and encrypt only network shares
    • backups - delete backups
  • -log {Filename} - Outputs log on {Malware Path}\{Filename}.txt
  • -prockiller enabled - Terminate process not found in the following list:
    • spoolsv.exe
    • explorer.exe
    • sihost.exe
    • fontdrvhost.exe
    • cmd.exe
    • dwm.exe
    • LogonUI.exe
    • SearchUI.exe
    • lsass.exe
    • csrss.exe
    • smss.exe
    • winlogon.exe
    • services.exe
    • conhost.exe
    • svchost.exe
    • lsm.exe
    • wininit.exe
    • system
    • taskhost.exe
    • audiodg.exe
    • SearchIndexer.exe
    • sppsvc.exe
    • msdtc.exe
    • MSTASK.EXE
    • {Current Process}
  • -pids {process ids} - Contains list of pids (separated by comma) to be exempted from prockiller
• When encrypting network shares it will check if the IP address starts with the following to ensure that it is encrypting local, non-Internet, systems:
  • 172.
  • 192.168.
  • 10.
  • 169.

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• .dll
• .exe
• .lnk
• .msi
• .sys
• .KZDBB
• R3ADM3.txt
• {Filename from -log argument}.txt

It avoids encrypting files with the following strings in their file path:

• $Recycle.Bin
• $RECYCLE.BIN
• System Volume Information
• Boot
• Windows
• temp
• tmp
• winnt
• thumb
• Trend Micro

It appends the following extension to the file name of the encrypted files:

• .KZDBB

It drops the following file(s) as ransom note:

• {Encrypted Directory}\R3ADM3.txt