Ransom.Linux.DARKANGLE.A

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• {Malware File Path}/{User Input} → the file dropped is wrkman.log by default but if the parameter -l is passed, the user input will be the file name used; contains log of actions done
• {Malware File Path}/{User Input} → dropped if ran with the argument -s

Other Details

This Ransomware accepts the following parameters:

• -m (10-20-25-33-50)
• {Starting Path} → Starting directory to encrypt
• -d → used to run program as daemon
• -l → used to specify file name for log file (default is wrkman.log)
• -s
• -v → used to enable verbose logging

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• .a
• .so
• .la
• .o
• .iso
• .crypted
• .README_TO_RESTORE

It avoids encrypting files found in the following folders:

• /bin
• /boot
• /dev
• /etc
• /lost+found
• /proc
• /run
• /sys
• /usr
• /usr/include
• /usr/lib
• /usr/lib32
• /usr/lib64
• /usr/libexec
• /usr/sbin
• /usr/share
• /var/lib

It appends the following extension to the file name of the encrypted files:

• .crypted

It drops the following file(s) as ransom note:

• {Encrypted Path}/{Filename of Encrypted File}.{File Extension of Encrypted File}.crypted.README_TO_RESTORE