Ransom.Win32.GIVEMETHEKEY.A

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It encrypts files with specific file extensions. It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• %User Temp%\_MEI{Random numbers}\_bz2.pyd
• %User Temp%\_MEI{Random numbers}\_cffi_backend.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\_ctypes.pyd
• %User Temp%\_MEI{Random numbers}\_decimal.pyd
• %User Temp%\_MEI{Random numbers}\_hashlib.pyd
• %User Temp%\_MEI{Random numbers}\_lzma.pyd
• %User Temp%\_MEI{Random numbers}\_multiprocessing.pyd
• %User Temp%\_MEI{Random numbers}\_queue.pyd
• %User Temp%\_MEI{Random numbers}\_socket.pyd
• %User Temp%\_MEI{Random numbers}\_ssl.pyd
• %User Temp%\_MEI{Random numbers}\_win32sysloader.pyd
• %User Temp%\_MEI{Random numbers}\base_library.zip
• %User Temp%\_MEI{Random numbers}\Crypto\Cipher\_ARC4.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\Crypto\Cipher\_chacha20.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\Crypto\Cipher\_raw_aes.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\Crypto\Cipher\_raw_aesni.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\Crypto\Cipher\_raw_arc2.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\Crypto\Cipher\_raw_blowfish.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\Crypto\Cipher\_raw_cast.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\Crypto\Cipher\_raw_cbc.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\Crypto\Cipher\_raw_cfb.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\Crypto\Cipher\_raw_ctr.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\Crypto\Cipher\_raw_des.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\Crypto\Cipher\_raw_des3.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\Crypto\Cipher\_raw_ecb.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\Crypto\Cipher\_raw_eksblowfish.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\Crypto\Cipher\_raw_ocb.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\Crypto\Cipher\_raw_ofb.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\Crypto\Cipher\_Salsa20.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\Crypto\Hash\_BLAKE2b.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\Crypto\Hash\_BLAKE2s.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\Crypto\Hash\_ghash_clmul.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\Crypto\Hash\_ghash_portable.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\Crypto\Hash\_keccak.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\Crypto\Hash\_MD2.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\Crypto\Hash\_MD4.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\Crypto\Hash\_MD5.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\Crypto\Hash\_poly1305.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\Crypto\Hash\_RIPEMD160.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\Crypto\Hash\_SHA1.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\Crypto\Hash\_SHA224.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\Crypto\Hash\_SHA256.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\Crypto\Hash\_SHA384.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\Crypto\Hash\_SHA512.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\Crypto\Math\_modexp.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\Crypto\Protocol\_scrypt.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\Crypto\PublicKey\_ec_ws.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\Crypto\Util\_cpuid_c.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\Crypto\Util\_strxor.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\cryptography-2.9.2-py3.7.egg-info\AUTHORS.rst
• %User Temp%\_MEI{Random numbers}\cryptography-2.9.2-py3.7.egg-info\INSTALLER
• %User Temp%\_MEI{Random numbers}\cryptography-2.9.2-py3.7.egg-info\LICENSE
• %User Temp%\_MEI{Random numbers}\cryptography-2.9.2-py3.7.egg-info\LICENSE.APACHE
• %User Temp%\_MEI{Random numbers}\cryptography-2.9.2-py3.7.egg-info\LICENSE.BSD
• %User Temp%\_MEI{Random numbers}\cryptography-2.9.2-py3.7.egg-info\LICENSE.PSF
• %User Temp%\_MEI{Random numbers}\cryptography-2.9.2-py3.7.egg-info\METADATA
• %User Temp%\_MEI{Random numbers}\cryptography-2.9.2-py3.7.egg-info\RECORD
• %User Temp%\_MEI{Random numbers}\cryptography-2.9.2-py3.7.egg-info\top_level.txt
• %User Temp%\_MEI{Random numbers}\cryptography-2.9.2-py3.7.egg-info\WHEEL
• %User Temp%\_MEI{Random numbers}\cryptography\hazmat\bindings\_constant_time.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\cryptography\hazmat\bindings\_openssl.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\cryptography\hazmat\bindings\_padding.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\finalall.exe.manifest
• %User Temp%\_MEI{Random numbers}\Include\pyconfig.h
• %User Temp%\_MEI{Random numbers}\lib2to3\Grammar.txt
• %User Temp%\_MEI{Random numbers}\lib2to3\Grammar3.7.3.final.0.pickle
• %User Temp%\_MEI{Random numbers}\lib2to3\PatternGrammar.txt
• %User Temp%\_MEI{Random numbers}\lib2to3\PatternGrammar3.7.3.final.0.pickle
• %User Temp%\_MEI{Random numbers}\lib2to3\tests\data\README
• %User Temp%\_MEI{Random numbers}\lib_arpack-.ZXK5WXHVNE3NXJUG2IYOCKDT7MOJHCNX.gfortran-win32.dll
• %User Temp%\_MEI{Random numbers}\lib_blas_su.ZSGJ76YVG65H2EKSPFADO4FGUEFYONAA.gfortran-win32.dll
• %User Temp%\_MEI{Random numbers}\lib_test_fo.6QS7HUU6UWQ3ZZ2H5HU3YC3T72Y24U6T.gfortran-win32.dll
• %User Temp%\_MEI{Random numbers}\libansari.Q4BAGRNANLWD2YZJOKYPOAUIOLXW2LXK.gfortran-win32.dll
• %User Temp%\_MEI{Random numbers}\libbanded5x.D5L3TW4FBYU4M4SSWHSSJA3VKGXKPEY6.gfortran-win32.dll
• %User Temp%\_MEI{Random numbers}\libbispeu.OAANPWJKKXZRFOCA7BPAXPEXKORTJQMF.gfortran-win32.dll
• %User Temp%\_MEI{Random numbers}\libblkdta00.F6PETDFK5XUZGOGQPBKUJ6R4PFQVUGMI.gfortran-win32.dll
• %User Temp%\_MEI{Random numbers}\libchkder.23IDUBONJEDQJXE3WT2KTJUEFGPJBH5V.gfortran-win32.dll
• %User Temp%\_MEI{Random numbers}\libcobyla2.MZIYBZPTVTYIHRT7JCIZN4FNMM5IPWLD.gfortran-win32.dll
• %User Temp%\_MEI{Random numbers}\libcrypto-1_1.dll
• %User Temp%\_MEI{Random numbers}\libd_odr.SRKXTZ2WBR7FHCPACBFOKFNNXQW2WRIW.gfortran-win32.dll
• %User Temp%\_MEI{Random numbers}\libdcosqb.3VZOXZKO53O75NWVYHOUJGPASB2ZKGJ5.gfortran-win32.dll
• %User Temp%\_MEI{Random numbers}\libdcosqb.BSF6YTIPIV6BF3DZBNWD4YMH3UDU6DI7.gfortran-win32.dll
• %User Temp%\_MEI{Random numbers}\libdcsrch.CTD6WPTKUW4MYYPI2KYOJ4427ZGGSXEQ.gfortran-win32.dll
• %User Temp%\_MEI{Random numbers}\libdet.YR52LDB35H4SDHBZPZCBUM676NGM5MXK.gfortran-win32.dll
• %User Temp%\_MEI{Random numbers}\libdfft_sub.TJ3WE7RJ5OM5VARELJBIMD3IVQYIMJ2Q.gfortran-win32.dll
• %User Temp%\_MEI{Random numbers}\libdfitpack.EXJWQURDNSA2B5QGBXJD4H5UREUPFPDG.gfortran-win32.dll
• %User Temp%\_MEI{Random numbers}\libdgamln.UCHKKUIEYOTHUI65E2O6FPFYIEBYGPMK.gfortran-win32.dll
• %User Temp%\_MEI{Random numbers}\libdop853.ZDB77F5S63EPO7WWG3LICXZSBW2LFM2N.gfortran-win32.dll
• %User Temp%\_MEI{Random numbers}\libdqag.JWWOBYFB44QIUJK2OQATSHONDZL77PON.gfortran-win32.dll
• %User Temp%\_MEI{Random numbers}\libgetbreak.CUPZ6P6H5MNPZ4N7FUJXRBXBBC5JGRKJ.gfortran-win32.dll
• %User Temp%\_MEI{Random numbers}\liblbfgsb.BB2JSI5RV24B7QMZTIJ2MHTBXOBV6UCX.gfortran-win32.dll
• %User Temp%\_MEI{Random numbers}\libmvndst.UEXYY5YZLETRZLLV7GKDGWYVIASLDNJ6.gfortran-win32.dll
• %User Temp%\_MEI{Random numbers}\libnnls.GX3LBH56JRQ7JMAOG7UBTDQJYFS6BPRN.gfortran-win32.dll
• %User Temp%\_MEI{Random numbers}\libopenblas.FN5FF57TWHUYLRG54LA6B33EZPHYZZL4.gfortran-win32.dll
• %User Temp%\_MEI{Random numbers}\libslsqp_op.CVAJHOQHKECBN7VLKMGEOZQ54GU3YWV7.gfortran-win32.dll
• %User Temp%\_MEI{Random numbers}\libspecfun.I7OMDT5L33XVQM2MTW5AACQJUBYEOUFN.gfortran-win32.dll
• %User Temp%\_MEI{Random numbers}\libssl-1_1.dll
• %User Temp%\_MEI{Random numbers}\libvode.EOEE2OUEBBEST2LUYNLN6ZKKONMUVA7Q.gfortran-win32.dll
• %User Temp%\_MEI{Random numbers}\libwrap_dum.72W37AF5MCRJTCTC5GFVFBOD5WYGVNC5.gfortran-win32.dll
• %User Temp%\_MEI{Random numbers}\libwrap_dum.ETCPKOZO6C37NOIM6NI3WE6BMXLI37RX.gfortran-win32.dll
• %User Temp%\_MEI{Random numbers}\mfc140u.dll
• %User Temp%\_MEI{Random numbers}\numpy\core\_multiarray_tests.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\numpy\core\_multiarray_umath.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\numpy\fft\fftpack_lite.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\numpy\linalg\_umath_linalg.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\numpy\linalg\lapack_lite.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\numpy\random\mtrand.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\pyexpat.pyd
• %User Temp%\_MEI{Random numbers}\python37.dll
• %User Temp%\_MEI{Random numbers}\pythoncom37.dll
• %User Temp%\_MEI{Random numbers}\pywintypes37.dll
• %User Temp%\_MEI{Random numbers}\scipy\_lib\_ccallback_c.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\scipy\_lib\_fpumode.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\scipy\_lib\messagestream.cp37-win32.pyd
• %User Temp%\_MEI{Random numbers}\select.pyd
• %User Temp%\_MEI{Random numbers}\unicodedata.pyd
• %User Temp%\_MEI{Random numbers}\VCRUNTIME140.dll
• %User Temp%\_MEI{Random numbers}\win32api.pyd
• %User Temp%\_MEI{Random numbers}\win32com\shell\shell.pyd
• %User Temp%\_MEI{Random numbers}\win32gui.pyd
• %User Temp%\_MEI{Random numbers}\win32pdh.pyd
• %User Temp%\_MEI{Random numbers}\win32trace.pyd
• %User Temp%\_MEI{Random numbers}\win32ui.pyd
• %User Temp%\_MEI{Random numbers}\win32wnet.pyd
• %Desktop%\EMAIL_ME
• %Desktop%\ciave.txt

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\Desktop on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• {Malware full path}
• %System%\notepad.exe "%Desktop%\RANSOM_NOTE.txt"

(Note: %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\Desktop on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It creates the following folders:

• %User Temp%\_MEI{Random numbers}

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Other Details

This Ransomware does the following:

• It does not append any extension to the encrypted files

Ransomware Routine

This Ransomware encrypts files with the following extensions:

• .txt
• .log
• .tmp
• .dat
• .jpg
• .xls
• .xlsx
• .doc
• .docx
• .ppt
• .pptx
• .png
• .jpg
• .jpeg
• .zip
• .rar
• .css
• .emf
• .htm
• .gif
• .bmp
• .xml
• .html
• .db
• .json
• .bak
• .mdb
• .pot
• .php
• .csv

It drops the following file(s) as ransom note:

• %Desktop%\RANSOM_NOTE.txt