Ransom.MSIL.HAKBIT.A

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It downloads a file from a certain URL then renames it before storing it in the affected system. It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

It deletes itself after execution.

It encrypts files with specific file extensions. It encrypts files found in specific folders. It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware adds the following processes:

• %User Startup%\{renamed malware}.exe
• %System%\cmd.exe /C choice /C Y /N /D Y /T 3 & Del {malware filename}
• %System%\vssadmin.exe delete shadows /all /quiet
• %System%\notepad.exe %Desktop%\HELP_ME_RECOVER_MY_FILES.txt
• %User Temp%\{random}.exe m=psexec -i={host ip address} -d={target ip address} -f=%User Startup%\{randomly picked name}.exe -e=%User Temp%\{random}.exe

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows 2003(32-bit), XP and 2000(32-bit), or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit), 10(64-bit).. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\Desktop on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Autostart Technique

This Ransomware drops the following file(s) in the Windows User Startup folder to enable its automatic execution at every system startup:

• {malware name}.exe renamed with any of the following names:
  • lsass.exe
  • svchst.exe
  • crcss.exe
  • chrome32.exe
  • firefox.exe
  • calc.exe
  • mysqld.exe
  • dllhst.exe
  • opera32.exe
  • memop.exe
  • spoolcv.exe
  • ctfmom.exe
  • SkypeApp.exe

Other System Modifications

This Ransomware deletes the following files:

• %User Temp%\{random}.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Download Routine

This Ransomware accesses the following websites to download files:

• https://hakbit.{BLOCKED}hostapp.com/013.jpg → %User Temp%\wallpaper.bmp
  However, as of this writing, the said site is inaccessible

It downloads files from the following URLs then renames them before storage in the affected system:

• https://raw.{BLOCKED}sercontent.com/anthemtotheego/SharpExec/master/CompiledBinaries/SharpExec_{XX}.exe → %User Temp%\{random}.exe
  where {XX} can be 32 or 64 depending on the OS architecture.

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Other Details

This Ransomware deletes itself after execution.

Ransomware Routine

This Ransomware encrypts files with the following extensions:

• txt
• jpeg
• gif
• jpg
• png
• php
• cs
• cpp
• rar
• zip
• html
• htm
• xlsx
• avi
• mp4
• ppt
• doc
• docx
• xlsx
• sxi
• sxw
• odt
• hwp
• zip
• rar
• tar
• bz2
• mp4
• mkv
• eml
• msg
• ost
• pst
• edb
• sql
• accdb
• mdb
• dbf
• odb
• myd
• php
• java
• cpp
• pas
• asm
• key
• pfx
• pem
• p12
• csr
• gpg
• aes
• vsd
• odg
• raw
• nef
• svg
• psd
• vmx
• vmdk
• vdi
• lay6
• sqlite3
• sqlitedb
• accdb
• java
• class
• mpeg
• djvu
• tiff
• backup
• pdf
• cert
• docm
• xlsm
• dwg
• bak
• qbw
• nd
• tlg
• lgb

It encrypts files found in the following folders:

• Drives A to Z
• %Desktop%
• %User Profile%\My Pictures
• %User Profile%\My Documents

(Note: %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\Desktop on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It appends the following extension to the file name of the encrypted files:

• .crypted

It drops the following file(s) as ransom note:

• %Desktop%\HELP_ME_RECOVER_MY_FILES.txt
• {Encrypted Folder}\HELP_ME_RECOVER_MY_FILES.txt