Ransom.Win32.LOCKBIT.YADLVT

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Infiltra los archivos siguientes:

• %ProgramData%\670IGylFT.ico → icon used for all encrypted files.
• %ProgramData%\670IGylFT.bmp → image used as Desktop wallpaper.

Agrega las siguientes exclusiones mutuas para garantizar que solo se ejecuta una de sus copias en todo momento:

• Global\{Generated Hash}

Otras modificaciones del sistema

Agrega las siguientes entradas de registro:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.670IGylFT
{Default} = 670IGylFT

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
670IGylFT\DefaultIcon
{Default} = %ProgramData%\670IGylFT.ico

Modifica las siguientes entradas de registro:

HKEY_CURRENT_USER\Control Panel\Desktop
WallPaper = %ProgramData%\670IGylFT.bmp

HKEY_CURRENT_USER\Control Panel\Desktop
WallpaperStyle = 10

Este malware establece la imagen siguiente como fondo de escritorio del sistema:

• %ProgramData%\670IGylFT.bmp:
  

Finalización del proceso

Finaliza los servicios siguientes si los detecta en el sistema afectado:

• agntsvc
• calc
• dbeng50
• dbsnmp
• encsvc
• excel
• firefox
• infopath
• isqlplussvc
• msaccess
• mspub
• mydesktopqos
• mydesktopservice
• notepad
• ocautoupds
• ocomm
• ocssd
• onedrive
• onenote
• oracle
• outlook
• powerpnt
• sqbcoreservice
• sql
• steam
• synctime
• tbirdconfig
• thebat
• thunderbird
• visio
• winword
• wordpad
• wuauclt
• xfssvccon

Otros detalles

Agrega las siguientes entradas de registro como parte de la rutina de instalación:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes
.670IGylFT

HKEY_LOCAL_MACHINE\SOFTWARE\Classes
670IGylFT\DefaultIcon

Requiere los componentes adicionales siguientes para ejecutarse correctamente:

• {Malware Path}\PP.bat → detected as Ransom.BAT.LOCKBIT.A

Hace lo siguiente:

• It changes the encrypted file's icon to the following image:
  
• It encrypts fixed, removable and network shares.
• It uses WQL to delete volume shadow copies.
• It terminates if the machine has the following system language:
  • Arabic (Syria)
  • Armenian (Armenia)
  • Azerbaijani (Cyrillic Azerbaijan)
  • Azerbaijani (Latin Azerbaijan)
  • Belarusian (Belarus)
  • Georgian (Georgia)
  • Kazakh (Kazakhstan)
  • Kyrgyz (Kyrgyzstan)
  • Russian (Moldova)
  • Russian (Russia)
  • Tajik (Cyrillic Tajikistan)
  • Tatar (Russia) Romanian (Moldova)
  • Turkmen (Turkmenistan)
  • Ukranian (Ukraine)
  • Uzbek (Cyrillic Uzbekistan)
  • Uzbek (Latin Uzbekistan)
• It deletes the following services if found running on the affected system:
  • EventLog
  • SecurityHealthService
  • Sense
  • sppsvc
  • vmicvss
  • vmvss
  • VSS
  • WdBoot
  • WdFilter
  • WdNisDrv
  • WdNisSvc
  • WinDefend
  • wscsvc
• It contains the following export functions which can be loaded using command line arguments:
  • del → function responsible for deleting itself.
  • gdel → function responsible for deleting group policy.
  • gmod → function responsible for updating group policy.
  • wdll → function responsible for installing the icon and changing the Desktop wallpaper.
  • gdll → function responsible for encrypting the infected system.
  • sdll → function responsible for restarting the system in safe mode.
  • pmod