RANSOM_CLICOCRYP.A

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It encrypts files found in specific folders.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• C:\ClicoCrypter\aaa.png
• C:\ClicoCrypter\aaa.vbs
• C:\ClicoCrypter\bbb.vbs
• C:\ClicoCrypter\Clicocryptor.jar
• C:\ClicoCrypter\encryption.key
• C:\ClicoCrypter\READMYFIRST.info
• C:\ClicoCrypter\sandblast.pdf
• C:\ClicoCrypter\testtest.txt.txt

It adds the following processes:

• cmd.exe /c "REG add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /t REG_SZ /d "abc.exe" /f /v ccrpt"
• cmd.exe /c "taskkill.exe /f /im Microsoft.Exchange.*"
• cmd.exe /c "taskkill.exe /f /im MsExchange*"
• cmd.exe /c "taskkill.exe /f /im sqlserver.exe"
• cmd.exe /c "taskkill.exe /f /im sqlwriter.exe"
• cmd.exe /c "taskkill.exe /f /im mysqld.exe"
• cmd.exe /c "vssadmin Delete Shadows /ALL /quiet"
• cmd.exe /c "wmic shadowcopy delete"
• cmd.exe /c "bcdedit.exe /set recoveryenabled no"
• cmd.exe /c "REG add "HKEY_CURRENT_USER\Control Panel\Desktop" /t REG_SZ /d "%System Root%\ClicoCrypter\aaa.bmp" /f /v Wallpaper"
• cmd.exe /c "reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v WallpaperStyle /f /t REG_SZ /d 10"
• cmd.exe /c "RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters "

(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

It creates the following folders:

• C:\ClicoCrypter\

Autostart Technique

This Ransomware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
ccrpt = "abc.exe"

Other System Modifications

This Ransomware changes the desktop wallpaper by modifying the following registry entries:

HKEY_CURRENT_USER\Control Panel\Desktop
Wallpaper = "C:\ClicoCrypter\aaa.bmp"

Other Details

This Ransomware encrypts files with the following extensions:

• .der
• .pfx
• .crt
• .csr
• .pem
• .odt
• .ott
• .sxw
• .stw
• .uot
• .max
• .ods
• .ots
• .sxc
• .stc
• .dif
• .slk
• .odp
• .otp
• .sxd
• .std
• .uop
• .odg
• .otg
• .sxm
• .mml
• .lay
• .lay6
• .asc
• .sqlite3
• .sqlitedb
• .sql
• .accdb
• .mdb
• .dbf
• .odb
• .frm
• .myd
• .myi
• .ibd
• .mdf
• .ldf
• .sln
• .suo
• .cpp
• .pas
• .asm
• .cmd
• .bat
• .vbs
• .dip
• .dch
• .sch
• .brd
• .jsp
• .php
• .asp
• .class
• .wav
• .swf
• .fla
• .wmv
• .mpg
• .vob
• .mpeg
• .asf
• .avi
• .mov
• .mkv
• .flv
• .wma
• .mid
• .djvu
• .svg
• .psd
• .nef
• .tiff
• .tif
• .cgm
• .raw
• .gif
• .bmp
• .jpg
• .jpeg
• .vcd
• .iso
• .backup
• .zip
• .rar
• .tgz
• .tar
• .bak
• .tbk
• .PAQ
• .ARC
• .aes
• .gpg
• .vmx
• .vmdk
• .vdi
• .sldm
• .sldx
• .sti
• .sxi
• .hwp
• .snt
• .onetoc2
• .dwg
• .pdf
• .wks
• .rtf
• .csv
• .txt
• .vsdx
• .vsd
• .edb
• .eml
• .msg
• .ost
• .pst
• .potm
• .potx
• .ppam
• .ppsx
• .ppsm
• .pps
• .pot
• .pptm
• .pptx
• .ppt
• .xltm
• .xltx
• .xlc
• .xlm
• .xlt
• .xlw
• .xlsb
• .xlsm
• .xlsx
• .xls
• .dotx
• .dotm
• .dot
• .docm
• .docb
• .docx
• .doc

Ransomware Routine

This Ransomware encrypts files found in the following folders:

• C:\

NOTES:
This ransomware is possibly a research-type ransomware.

C:\ClicoCrypter\READMYFIRST.info contains:

It shows following window after execution:

Sets the Desktop background to:

It connects to the following URL after encryption: