Ransom.Win64.LOCKBIT.C

This Ransomware drops files as ransom note. It avoids encrypting files with the following file extensions.

Installation

This Ransomware adds the following processes:

• cmd.exe /c C:WindowsSystem32wbemWMIC.exe shadowcopy where "ID='%s'" delete → used to delete shadow copies

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Mutex Name: hsfjuukjzloqu28oajh727190

Other Details

This Ransomware does the following:

• It also encrypts database related file extensions:
  • .4dd
  • .4dl
  • .accdb
  • .accdc
  • .accde
  • .accdr
  • .accdt
  • .accft
  • .adb
  • .ade
  • .adf
  • .adp
  • .arc
  • .ora
  • .alf
  • .ask
  • .btr
  • .bdf
  • .cat
  • .cdb
  • .ckp
  • .cma
  • .cpd
  • .dacpac
  • .dad
  • .dadiagrams
  • .daschema
  • .db
  • .db-shm
  • .db-wal
  • .db3
  • .dbc
  • .dbf
  • .dbs
  • .dbt
  • .dbv
  • .dbx
  • .dcb
  • .dct
  • .dcx
  • .ddl
  • .dlis
  • .dp1
  • .dqy
  • .dsk
  • .dsn
  • .dtsx
  • .dxl
  • .eco
  • .ecx
  • .edb
  • .epim
  • .exb
  • .fcd
  • .fdb
  • .fic
  • .fmp
  • .fmp12
  • .fmps1
  • .fol
  • .fp3
  • .fp4
  • .fp5
  • .fp7
  • .fpt
  • .frm
  • .gdb
  • grbd
  • .gwi
  • .hdb
  • .his
  • .ib
  • .idb
  • .ihx
  • .itdb
  • .itw
  • .kexi
  • .kexic
  • .kexis
  • .lwx
  • .jet
  • .jtx
  • .lgc
  • .kdb
  • .maf
  • .maq
  • .mar
  • .mas
  • .mav
  • .mdb
  • .mdf
  • .mpd
  • .mrg
  • .mud
  • .mwb
  • .myd
  • .ndf
  • .nnt
  • .nrmlib
  • .ns2
  • .ns3
  • .ns4
  • .nsf
  • .nv
  • .nv2
  • .nwdb
  • .nyf
  • .odb
  • .oqy
  • .orx
  • .owc
  • .p96
  • .p97
  • .pan
  • .pdb
  • .pdm
  • .pnz
  • .qry
  • .qvd
  • .rbf
  • .rctd
  • .rod
  • .rodx
  • .rpd
  • .rsd
  • .sbf
  • .scx
  • .sdb
  • .sdc
  • .sas7bdat
  • .sbf
  • .scx
  • .sis
  • .spq
  • .sdb
  • .sdc
  • .sdf
  • .sql
  • .sqlite
  • .sqlite3
  • .sqlitedb
  • .te
  • .temx
  • .tmd
  • .tps
  • .trc
  • .trm
  • .udb
  • .udl
  • .usr
  • .v12
  • .vis
  • .vpd
  • .vvv
  • .wdb
  • .wmdb
  • .wrk
  • .xdb
  • .xmlff
  • .abcddb
  • .xld
  • .abs
  • .abx
  • .accdw
  • .adn
  • .db2
  • .fm5
  • .hjt
  • .icg
  • .icr
  • .kdb
  • .lut
  • .maw
  • .mdn
  • .mdt
• It also encrypts disk image related files extensions:
  • .vdi
  • .vhd
  • .pvm
  • .vmx
  • .raw
  • .bin
  • .vsv
  • .iso
  • .vmdk
  • .vmem
  • .vmsn
  • .vmsd
  • .avhd
  • .vmrs
  • .vhdx
  • .avdx
  • .vmcx
  • .nvram
  • .qcow2
  • .subvol
• Checking if the network share starts with the IP address:
  • 172.
  • 192.168.
  • 10.
  • 169.
  It only encrypt files that are in the network share if it is in local network

It accepts the following parameters:

• -log {file name} – create log output base on the file name that you enter to parameter
• -size – {chunk mode}
• -nomutex – it doesn’t create mutex
• -m - delete all backups and encrypt all
• -p - encrypt specific folder first before proceeding to other folders
• -m -{local|net|backups}
  • local - delete backups and encrypt local drives
  • net - delete backups and encrypt network shares
  • backups - delete backups

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• CONTI_LOG.txt
• !!!-Restore-My-Files-!!!.txt

It avoids encrypting files with the following strings in their file path:

• tmp
• winnt
• temp
• thumb
• $Recycle.Bin
• $RECYCLE.BIN
• System Volume Information
• Boot
• Windows
• Trend Micro
• perflogs

It appends the following extension to the file name of the encrypted files:

• .6b226bbd

It drops the following file(s) as ransom note:

• {Encrypted Directory}\!!!-Restore-My-Files-!!!.txt
  

It avoids encrypting files with the following file extensions:

• .6b226bbd
• .exe
• .dll
• .lnk
• .sys
• .msi
• .bat