Ransom.Win64.DECAF.YXBKO

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It encrypts files with specific file extensions. It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware adds the following processes:

• %System%\cipher.exe /w {Drive Letter} → removes deleted files permanently
• net stop {service name}

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Process Termination

This Ransomware terminates the following services if found on the affected system:

• Appinfo
• AppMgmt
• AudioEndpointBuilder
• AudioSrv
• BFE
• BITS
• Browser
• COMSysApp
• CryptSvc
• CscService
• DcomLaunch
• Dhcp
• Dnscache
• DPS
• eventlog
• EventSystem
• fdPHost
• FDResPub
• FontCache
• gpsvc
• HomeGroupProvider
• IKEEXT
• iphlpsvc
• LanmanServer
• LanmanWorkstation
• lmhosts
• MMCSS
• MpsSvc
• MSDTC
• Netman
• netprofm
• NlaSvc
• nsi
• PcaSvc
• PlugPlay
• PolicyAgent
• Power
• ProfSvc
• RpcEptMapper
• RpcSs
• SamSs
• Schedule
• SENS
• ShellHWDetection
• Spooler
• SSDPSRV
• SysMain
• Themes
• TrkWks
• TrustedInstaller
• UxSms
• vmvss
• VSS
• WdiServiceHost
• Wersvc
• WinDefend
• WinHttpAutoProxySvc
• Winmgmt
• WMPNetworkSvc
• wscsvc
• WSearch
• wuauserv

Other Details

This Ransomware does the following:

• Encrypts all available drives except for CDROMs

Ransomware Routine

This Ransomware encrypts files with the following extensions:

• .1gc
• .1ua
• .1wx
• .4d1
• .4dd
• .aaa
• .aac
• .abs
• .abx
• .adb
• .ade
• .adf
• .adn
• .adp
• .agr
• .alf
• .ask
• .asp
• .avi
• .bak
• .bat
• .bmp
• .btr
• .cat
• .cdb
• .ckp
• .cma
• .cmd
• .com
• .cpd
• .cpp
• .css
• .csv
• .dad
• .das
• .db2
• .db3
• .dbb
• .dbc
• .dbf
• .dbs
• .dbt
• .dbv
• .dbx
• .dcb
• .dct
• .dcx
• .dd1
• .dll
• .doc
• .dp1
• .dqy
• .dsk
• .dsn
• .dwg
• .dx1
• .eco
• .ecx
• .edb
• .exe
• .fcd
• .fdb
• .fic
• .fm5
• .fmp
• .fo1
• .fp3
• .fp4
• .fp5
• .fp7
• .fpt
• .frm
• .gdb
• .gif
• .gwi
• .hdb
• .his
• .htm
• .ibd
• .ico
• .idb
• .ihx
• .itw
• .jar
• .jet
• .jpg
• .jsp
• .jtx
• .kdb
• .ldf
• .m3u
• .m4a
• .maf
• .maq
• .mar
• .mas
• .mav
• .maw
• .mdb
• .mdf
• .mdn
• .mdt
• .mfd
• .mid
• .mkv
• .mov
• .mp3
• .mp4
• .mpa
• .mpd
• .mpg
• .mrg
• .mud
• .mwb
• .myd
• .myi
• .ndf
• .nnt
• .ns2
• .ns3
• .ns4
• .nsf
• .nv2
• .nyf
• .odb
• .odt
• .ogg
• .oqy
• .ora
• .orx
• .owc
• .p96
• .p97
• .pan
• .pdb
• .pdf
• .pdm
• .php
• .png
• .pnz
• .ppt
• .psd
• .qry
• .qvd
• .rar
• .rbf
• .rod
• .rpd
• .rsd
• .rtf
• .sbf
• .scx
• .sdb
• .sdc
• .sdf
• .sis
• .sln
• .spq
• .sq1
• .sql
• .tif
• .tmd
• .tps
• .trc
• .trm
• .txt
• .udb
• .udl
• .usr
• .v12
• .vdi
• .vhd
• .vis
• .vpd
• .vvv
• .wav
• .wdb
• .wrk
• .x1d
• .x1s
• .xdb
• .xls
• .xm1
• .xm7
• .zip

It avoids encrypting files with the following strings in their file name:

• autorun.inf
• bootfont.bin
• boot.ini
• bootmgr
• bootnxt
• ntuser.ini
• ntuser.dat
• iconcache.db
• ntldr
• ntuser.dat.log
• thumbs.db
• bootsect.bak
• readme.txt

It avoids encrypting files found in the following folders:

• intel
• Program Files (x86)
• Program Files
• MSOCache
• Boot
• Tor Browser
• $Recycle.bin
• $windows.~ws
• System Volume Information
• perflogs
• google
• Application Data
• AppData
• Windows
• ProgramData
• Windows.old
• Mozilla

It appends the following extension to the file name of the encrypted files:

• .dst

It drops the following file(s) as ransom note:

• {Infected Directory}\readme.txt