Ransom.Win32.TRIGONA.YMDBJ

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware adds the following processes:

• "%System%\mshta.exe" "%User Temp%\how_to_decrypt.hta"

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• 4E8F43A8-15C1-803C2BEC → derived from computer name

Autostart Technique

This Ransomware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{Generated ID 1} = {malware file path}\{malware name}.exe

Information Theft

This Ransomware gathers the following data:

• OS Version
• Available disk drives
• Free disk space on all available drives
• Keyboard Layout
• System Locale
• Username
• Computer Name
• Network Configuration Information

Other Details

This Ransomware adds the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{Generated ID 2} = %User Temp%\how_to_decrypt.hta

It does the following:

• By default, It encrypts local drives and network drives.
• It displays its ransom note after encryption.

It accepts the following parameters:

• /r → Allows the encryption of files in a random order
• /full → Encrypt the whole content of the target file (if not used, only the first 0x80000 bytes/512kb are encrypted)
• /erase → Deletes the content of the target files.
• /!autorun → Does not create the autorun registry entry.
• /is_testing → For testing purposes, used with /test_cid and /test_vid
• /test_cid → Uses the specified Computer ID instead of generating one
• /test_vid → Uses the specified Victim ID instead of the one in the configurations
• /p → Specifies the path to encrypt
• /path → Specifies the path to encrypt
• /!local → Avoids encrypting local files
• /!lan → Avoids encrypting network shares
• /shdwn →Forces shutdown of the machine after encryption
• /autorun_only → Create Autorun registry entry

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• how_to_decrypt.hta
• how_to_decrypt.txt

It avoids encrypting files with the following strings in their file path:

• Windows
• System32

It renames encrypted files using the following names:

• available_for_trial.{random}.{random}._locked
• {random}.{random}._locked

It drops the following file(s) as ransom note:

• %User Temp%\how_to_decrypt.hta
• {Encrypted Directory}\how_to_decrypt.hta
• {Drive Letter}\how_to_decrypt.hta