Ransom.MSIL.TENCRYPT.THCAABD

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware adds the following processes:

• %System%\cmd.exe /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
• %System%\cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
• %System%\cmd.exe /C wbadmin delete catalog -quiet

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Autostart Technique

This Ransomware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
RESTORE_FILES-{Computer Name} = {Malware File Path}\{Malware File Name}.{Malware File Extension}

Other System Modifications

This Ransomware sets the system's desktop wallpaper to the following image:

• %User Temp%\{9 Random Characters}.jpg
  

Process Termination

This Ransomware terminates the following processes if found running in the affected system's memory:

• agntsvc
• CNTAoSMgr
• code
• dbeng50
• dbsnmp
• encsvc
• excel
• firefoxconfig
• infopath
• isqlplussvc
• mbamtray
• msaccess
• msftesql
• mspub
• mydesktopqos
• mydesktopservice
• mysqld
• mysqld-nt
• mysqld-opt
• Ntrtscan
• ocautoupds
• ocomm
• ocssd
• onenote
• oracle
• outlook
• PccNTMon
• powerpnt
• ProcessHacker
• sqbcoreservice
• sqlagent
• sqlbrowser
• sqlservr
• sqlwriter
• steam
• synctime
• tbirdconfig
• thebat
• thebat64
• thunderbird
• tmlisten
• VBoxSVC
• VirtualBoxVM
• visio
• vmplayer
• winword
• wordpad
• wps
• xfssvccon
• zoolz

Other Details

This Ransomware does the following:

• It checks if the size of the file to encypt is less than or greater than 524,288 bytes
  • If it is less than 524,288 bytes, it will encrypt the whole file.
  • If it is greater than 524,288 bytes, it will use intermittent encryption - First 131,072 bytes, another 131,072 bytes from the middle of the file, and the last 131,072 bytes
• It empties the recycle bin.
• It encrypts its targeted files twice.
• It avoids encrypting files with the following file names:
  • autorun.inf
  • boot.ini
  • bootfont.bin
  • bootmgfw.efi
  • bootmgr
  • bootmgr.efi
  • desktop.ini
  • iconcache.db
  • ntuser.dat
  • ntuser.ini
  • RESTORE_FILES-{Computer Name}.txt
  • thumbs.db

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file path:

• c:\perflogs
• c:\program files
• c:\program files (x86)
• c:\programdata
• c:\users\all users
• c:\users\default
• c:\windows
• c:\windows.old

It avoids encrypting files found in the following folders:

• $recycle.bin
• $windows.~bt
• $windows.~ws
• appdata
• documents and settings
• intel
• mozilla
• PerfLogs
• perflogs
• program files
• program files (x86)
• programdata
• system volume information
• windows
• windows.old
• windows.old.old

It appends the following extension to the file name of the encrypted files:

• .crypted

It drops the following file(s) as ransom note:

• {Encrypted File Path}\RESTORE_FILES-{Computer Name}.txt
  

It avoids encrypting files with the following file extensions:

• {Files with no file extension}
• .386
• .adv
• .ani
• .bat
• .bin
• .cab
• .cmd
• .com
• .cpl
• .crypted
• .cur
• .deskthemepack
• .diagcab
• .diagcfg
• .diagpkg
• .dll
• .drv
• .exe
• .hlp
• .hta
• .icl
• .icns
• .ico
• .ics
• .idx
• .key
• .ldf
• .lnk
• .lock
• .mod
• .mpa
• .msc
• .msi
• .msp
• .msstyles
• .msu
• .nls
• .nomedia
• .ocx
• .pdb
• .prf
• .ps1
• .rom
• .rtp
• .scr
• .shs
• .spl
• .sys
• .theme
• .themepack
• .wpx