Ransom.Win32.SODINOKIBI.AUWUJDET

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• %User Temp%\{random characters}.bmp → used as wallpaper

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Other System Modifications

This Ransomware adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\BlackLivesMatter
K6a = {hex values}

HKEY_LOCAL_MACHINE\SOFTWARE\BlackLivesMatter
kZpZ = {hex values}

HKEY_LOCAL_MACHINE\SOFTWARE\BlackLivesMatter
28XOs = {hex values}

HKEY_LOCAL_MACHINE\SOFTWARE\BlackLivesMatter
mlEdtU = {hex values}

HKEY_LOCAL_MACHINE\SOFTWARE\BlackLivesMatter
SUdOP6A = .{appended extension}

HKEY_LOCAL_MACHINE\SOFTWARE\BlackLivesMatter
etdwNrNw = {hex values}

It changes the desktop wallpaper by modifying the following registry entries:

HKEY_CURRENT_USER\Control Panel\Desktop
Wallpaper = %User Temp%\{random characters}.bmp

It sets the system's desktop wallpaper to the following image:

Process Termination

This Ransomware terminates the following services if found on the affected system:

• AcronisAgent
• AcrSch2Svc
• ARSM
• avbackup
• backup
• BackupExecAgentAccelerator
• BackupExecAgentBrowser
• BackupExecDiveciMediaService
• BackupExecJobEngine
• BackupExecManagementService
• BackupExecRPCService
• BackupExecVSSProvider
• bedbg
• CAARCUpdateSvc
• CASAD2DWebSvc
• GxBlr
• GxClMgrS
• GxCVD
• GxFWD
• GXMMM
• GxVssHWProv
• memtas
• mepocs
• MSExchange
• MSExchange$
• MSSQL
• MSSQL$
• MVArmor
• MVarmor64
• PDVFSService
• QBCFMonitorService
• QBDBMgrN
• QBIDPService
• SAP
• SAP$
• SAPD$
• SAPHostControl
• SAPHostExec
• SAPService
• sophos
• sql
• stc_raw_agent
• svc$
• teamviewer
• veeam
• VeeamDeploymentService
• VeeamNFSSvc
• VeeamTransportSvc
• VSNAPVSS
• vss
• WSBExchange

It terminates the following processes if found running in the affected system's memory:

• agntsvc
• avagent
• avscc
• bedbh
• benetns
• bengien
• beserver
• CagService
• cvd
• cvfwd
• CVMountd
• CVODS
• dbeng50
• dbsnmp
• DellSystemDetect
• disk+work
• encsvc
• EnterpriseClient
• excel
• firefox
• infopath
• isqlplussvc
• msaccess
• mspub
• mydesktopqos
• mydesktopservice
• ocautoupds
• ocomm
• ocssd
• onenote
• oracle
• outlook
• powerpnt
• pvlsvr
• QBCFMonitorService
• QBDBMgrN
• QBIDPService
• raw_agent_svc
• SAP
• saphostexec
• saposcol
• sapstartsrv
• sqbcoreservice
• sql
• steam
• synctime
• tbirdconfig
• TeamViewer.exe
• TeamViewer_Service.exe
• thebat
• thunderbird
• tv_w32.exe
• tv_x64.exe
• VeeamDeploymentSvc
• VeeamNFSSvc
• VeeamTransportSvc
• visio
• vsnapvss
• vxmon
• winword
• wordpad
• xfssvccon

Information Theft

This Ransomware gathers the following data:

• Computer name
• Disk Size
• Operating System name
• System Architecture
• Username
• Volume Serial-ID
• Workgroup

Other Details

This Ransomware adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\BlackLivesMatter

It does the following:

• It will terminate itself if the affected system's keyboard layout is any of the following:
  • Arabic-Syria
  • Armenian-Armenia
  • Azerbaijani (Cyrillic)-Azerbaijan
  • Azerbaijani (Latin)-Azerbaijan
  • Belarusian
  • Georgian-Georgia
  • Kazakh-Kazakhstan
  • Kyrgyz-Kyrgyzstan
  • Romanian-Moldova
  • Russian
  • Russian-Moldova
  • Tajik
  • Tatar-Russia
  • Turkmen-Turkmenistan
  • Ukrainian
  • Uzbek (Cyrillic) - Uzbekistan
  • Uzbek (Latin)-Uzbekistan
• It checks if its privilege level is on SYSTEM level. If it is, it will impersonate the user that ran the first explorer.exe it has found.
• It removes the access control list permissions.

It accepts the following parameters:

• -silent → skips the following:
  • Termination of blacklisted processes and services
  • Removal of shadow copies
• -path → specifies directory to be encrypted
• -nolocal → avoids encrypting fixed and removable drives
• -nolan → avoids encrypting network and shared drives
• -fast → fast encryption mode

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• autorun.inf
• boot.ini
• bootfont.bin
• bootsect.bak
• desktop.ini
• iconcache.db
• ntldr
• ntuser.dat
• ntuser.dat.log
• ntuser.ini
• thumbs.db

It avoids encrypting files found in the following folders:

• $recycle.bin
• $windows.~bt
• $windows.~ws
• appdata
• application data
• boot
• google
• intel
• mozilla
• msocache
• perflogs
• program files
• program files (x86)
• programdata
• system volume information
• tor browser
• windows.old

It appends the following extension to the file name of the encrypted files:

• .{random characters}

It leaves text files that serve as ransom notes containing the following text:

• {encrypted directory}\{appended extension}-readme.txt
  

It avoids encrypting files with the following file extensions:

• .386
• .adv
• .ani
• .bat
• .bin
• .cmd
• .com
• .cpl
• .cur
• .deskthemepack
• .diagcab
• .diagcfg
• .diagpkg
• .dll
• .drv
• .exe
• .hlp
• .hta
• .icl
• .icns
• .ico
• .ics
• .idx
• .key
• .ldf
• .lnk
• .lock
• .mod
• .mpa
• .msc
• .msi
• .msp
• .msstyles
• .msu
• .nls
• .nomedia
• .ocx
• .prf
• .ps1
• .rom
• .rtp
• .scr
• .shs
• .spl
• .sys
• .theme
• .themepack
• .wpx