RANSOM_CRYPBEE.A

This ransomware, also known as R980 ransomware, resembles some aspects of RANSOM_MADLOCKER as it drops files other than ransom notes. It also avoids certain file paths. It asks its victims to pay .5 bitcoin as ransom.

To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to certain websites to send and receive information.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system and executes them:

• %User Temp%\taskhost.exe

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following component file(s):

• %User Temp%\status.z
• %User Temp%\status2.z
• %User Temp%\k.z
• %User Temp%\rtext.txt (contains ransom note)
• %User Temp%\fnames.txt (contains filenames of encrypted files)
• %Desktop%\DECRYPTION INSTRUCTIONS.txt

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %Desktop% is the desktop folder, where it usually is C:\Documents and Settings\{user name}\Desktop in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\Desktop in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
BEECrypt = "%User Temp%\taskhost.exe"

Other System Modifications

This Trojan sets the system's desktop wallpaper to the following image:

Other Details

This Trojan connects to the following website to send and receive information:

• http://{BLOCKED}room.pk/assets/timepicker/x.php?

It encrypts files with the following extensions:

• .1cd
• .3dm
• .3ds
• .3fr
• .3g2
• .3ga
• .3gp
• .7z
• .DTD
• .PAS
• .RAW
• .a2c
• .aa3
• .aac
• .abu
• .acc
• .accdb
• .aepx
• .ai
• .aif
• .amr
• .ape
• .apnx
• .arc
• .ari
• .arp
• .arw
• .asf
• .asm
• .asp
• .aspx
• .ass
• .asx
• .av
• .ava
• .avi
• .azw
• .azw1
• .azw3
• .azw4
• .bad
• .bak
• .bas
• .bay
• .bdcr
• .bdcu
• .bdd
• .bdp
• .bds
• .bin
• .blend
• .bmp
• .bpdr
• .bpdu
• .bsdr
• .bsdu
• .c
• .cam
• .camproj
• .ccd
• .cdi
• .cdr
• .cer
• .cgi
• .cineon
• .class
• .cmf
• .cnf
• .conf
• .config
• .cpp
• .cr2
• .crt
• .crw
• .crwl
• .cry
• .cs
• .css
• .csv
• .ctl
• .cue
• .dash
• .dat
• .db
• .dbf
• .dbx
• .dcr
• .dd
• .dds
• .der
• .des
• .dgn
• .dicom
• .disc
• .dmg
• .dng
• .doc
• .docm
• .docx
• .dotm
• .dotx
• .dsc
• .dvd
• .dwg
• .dxf
• .dxg
• .eip
• .emf
• .eml
• .eps
• .erf
• .fdb
• .fff
• .fla
• .flv
• .fmb
• .fmt
• .fmx
• .gbr
• .gdb
• .gfx
• .gho
• .gif
• .groups
• .gsd
• .gsf
• .gzip
• .h
• .hdr
• .hpp
• .htm
• .html
• .iif
• .iiq
• .img
• .ims
• .indd
• .ini
• .iso
• .iss
• .jar
• .java
• .jfif
• .jge
• .jpe
• .jpeg
• .jpg
• .js
• .jsp
• .k25
• .kdc
• .key
• .kwm
• .lit
• .log
• .lst
• .lua
• .m
• .m3u
• .m4a
• .m4v
• .ma
• .max
• .md
• .mdb
• .mdf
• .mdk
• .mef
• .mkv
• .mobi
• .mov
• .movie
• .mp1
• .mp2
• .mp3
• .mp4
• .mp4v
• .mpa
• .mpe
• .mpeg
• .mpg
• .mpv2
• .mrw
• .msg
• .mts
• .nd
• .nef
• .nrg
• .nri
• .nrw
• .number
• .obj
• .odb
• .odm
• .odp
• .ods
• .odt
• .ogg
• .openexr
• .ora
• .orf
• .p12
• .p7b
• .p7c
• .pages
• .pas
• .pbm
• .pck
• .pdb
• .pdd
• .pdf
• .pef
• .pem
• .perl
• .pfx
• .pgm
• .php
• .pic
• .pkb
• .pks
• .pl
• .plb
• .pls
• .png
• .pot
• .potm
• .potx
• .ppam
• .ppm
• .pps
• .ppsm
• .ppsx
• .ppt
• .pptm
• .pptx
• .prf
• .prn
• .ps
• .psb
• .psd
• .pspimage
• .pst
• .ptx
• .pwm
• .py
• .qba
• .qbm
• .qbr
• .qbw
• .qbx
• .qby
• .qfx
• .r3d
• .raf
• .ram
• .rar
• .raw
• .rdf
• .rdo
• .rep
• .rex
• .rf
• .rgx
• .rik
• .rm
• .rpf
• .rtf
• .rw2
• .rwl
• .safe
• .sdf
• .sldm
• .sldx
• .sql
• .sqllite
• .sr2
• .srf
• .srt
• .srw
• .sti
• .stl
• .svg
• .swf
• .sxi
• .tax
• .tex
• .tga
• .thmx
• .tif
• .tiff
• .tlg
• .toast
• .txt
• .v2i
• .vbs
• .vcd
• .vdi
• .vlc
• .vob
• .vpd
• .vsd
• .wb2
• .wma
• .wmv
• .wpd
• .wps
• .x3f
• .xbm
• .xlam
• .xlk
• .xls
• .xlsb
• .xlsm
• .xlsx
• .xltm
• .xml
• .xps
• .xsl
• .yaml
• .yuv
• .zip

It renames encrypted files using the following names:

• {original file name and file extension}.crypt

NOTES:

This ransomware avoids encryption on the following file paths:

• Users\All Users
• $Recycle.Bin
• Program Files (x86)\\Google\\Chrome
• Program Files (x86)\\Mozilla Firefox
• Program Files\\Google\\Chrome
• Program Files\\Mozilla Firefox

It drops the following ransom note: