Ransom.Win64.LOCKBIT.YADCK.enc

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It requires being executed with a specific argument/parameter, an additional component, or in a specific environment in order to proceed with its intended routine.

It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• {Encrypted Directory}\_r_e_a_d_m_e.txt
• %User Temp%\zcennqz.bmp

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• %System%\notepad.exe “{path of cy.exe}” --run={4 digit password} --pt={path of winutils.dll} --cg={path of config.ini} --we={path of cy.exe}
• vssadmin.exe Delete Shadows /All /Quiet ← Deletes shadow copies
• bcdedit.exe /set {default} recoveryenabled No ← Disables recovery
• bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures ← Ignore any boot failures
• wbadmin.exe DELETE SYSTEMSTATEBACKUP ← Delete system state backup
• wbadmin.exe DELETE SYSTEMSTATEBACKUP –deleteOldest
• wbadmin.exe delete catalog –quiet ← Delete the backup catalog for Windows Server Backup
• wbadmin.exe delete backup ← Delete the backup
• wbadmin.exe delete systemstatebackup -keepversions:0
• wevtutil.exe clear-log Application ← Clears application logs
• wevtutil.exe clear-log Security ← Clears security logs
• wevtutil.exe clear-log System ← Clears system logs
• wevtutil.exe clear-log "windows powershell" ← Clears windows powershell logs
• wmic.exe SHADOWCOPY /nointeractive
• Stop the following services using "net.exe stop"
  • net.exe stop MSDTC
  • net.exe stop SQLSERVERAGENT
  • net.exe stop MSSQLSERVER
  • net.exe stop vds
  • net.exe stop SQLWriter
  • net.exe stop SQLBrowser
  • net.exe stop MSSQLSERVER
  • net.exe stop MSSQL$CONTOSO1
• netsh.exe advfirewall set currentprofile state off
• netsh.exe firewall set opmode mode=disable ← Disables Windows firewall

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Other System Modifications

This Ransomware adds the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\ComputerName\ActiveComputerName
ComputerName = {Username}

It changes the desktop wallpaper by modifying the following registry entries:

HKEY_CURRENT_USER\Control Panel\Desktop
Wallpaper = %User Temp%\zcennqz.bmp

File Infection

This Ransomware avoids infecting folders containing the following strings:

• .
• ..
• #recycle
• $Recycle.Bin
• Ahnlab
• All Users
• AppData
• Boot
• bootmgr
• Google
• Internet Explorer
• Mozilla
• Mozilla Firefox
• NETLOGON
• ntldr
• Opera
• Opera Software
• Policies
• Program Files
• Program Files (x86)
• ProgramData
• scripts
• SYSVOL
• Tor Browser
• Windows
• WINDOWS

It avoids infecting files that contain the following strings in their names:

• .exe
• .dll
• .sys
• .com
• .EXE
• .DLL
• .SYS
• .COM

It avoids infecting the following files:

• 1_config.ini
• AUTOEXEC.BAT
• autoexec.bat
• autorun.inf
• begin.txt
• boot.ini
• bootfont.bin
• bootmgfw.efi
• bootmgr.efi
• bootsect.bak
• config.ini
• desktop.ini
• finish.txt
• iconcache.db
• ntuser.dat
• NTUSER.DAT
• ntuser.dat.log
• ntuser.dat.LOG1
• ntuser.dat.LOG2
• ntuser.ini
• thumbs.db
• Windows.old

Process Termination

This Ransomware terminates the following services if found on the affected system:

• AcronisAgent
• AcrSch2Svc
• backup
• BackupExecAgentAccelerator
• BackupExecAgentBrowser
• BackupExecDiveciMediaService
• BackupExecJobEngine
• BackupExecManagementService
• BackupExecRPCService
• BackupExecVSSProvider
• CAARCUpdateSvc
• CASAD2DWebSvc
• ccEvtMgr
• ccSetMgr
• DefWatch
• GxBlr
• GxCIMgr
• GxCVD
• GxFWD
• GxVss
• Intuit.QuickBooks.FCS
• memtas
• mepocs
• PDVFSService
• QBCFMonitorService
• QBFCService
• QBIDPService
• RTVscan
• SavRoam
• sophos
• sql
• stc_raw_agent
• svc$
• veeam
• VeeamDeploymentService
• VeeamNFSSvc
• VeeamTransportSvc
• VSNAPVSS
• vss
• YooBackup
• YooIT
• zhudongfangyu

It terminates the following processes if found running in the affected system's memory:

• AcronisAgent
• AcrSch2Svc
• agntsvc.exe
• BackExecRPCService
• backup
• BackupExecAgentAccelerator
• BackupExecDiveciMediaService
• BackupExecJobEngine
• bedbg
• CAARCUpdateSvc
• ccEvtMgr
• Culserver
• dbeng50.exe
• dbeng8
• dbsnmp.exe
• dbsrv12.exe
• DefWatch
• encsvc.exe
• excel.exe
• firefox.exe
• infopath.exe
• Intuit.QuickBooks.FCS
• isqlplussvc.exe
• memtas
• mepocs
• msaccess.exe
• MSExchange
• msftesql-Exchange
• msmdsrv
• mspub.exe
• MSSQL
• mydesktopqos.exe
• mydesktopservice.exe
• ocautoupds.exe
• ocomm.exe
• ocssd.exe
• onenote.exe
• oracle.exe
• outlook.exe
• PDVFSService
• powerpnt.exe
• QBCFMonitorService
• QBFCService
• QBIDPService
• SavRoam
• sophos
• sqbcoreservice.exe
• sql.exe
• sqladhlp
• SQLADHLP
• sqlagent
• SQLAgent
• SQLAgent$SHAREPOINT
• SQLBrowser
• SQLWriter
• steam.exe
• synctime.exe
• tbirdconfig.exe
• thebat.exe
• thunderbird.exe
• tomcat6
• veeam
• VeeamDeploymentService
• VeeamNFSSvc
• VeeamTransportSvc
• visio.exe
• vmware-converter
• vmware-usbarbitator64
• WinSAT.exe
• winword.exe
• wordpad.exe
• wrapper.exe
• WSBExchange
• xfssvccon.exe
• YooBackup

Other Details

This Ransomware does the following:

• Requires the "-run={4 digit password}" parameter to execute the ransomware
• Delete itself and the files used to execute the ransomware after execution
• The ransomware does not encrypt files and shuts down if the default language of the system or user is one of the following:
  • Russian
  • Ukrainian
  • Belarusia
  • Tajik
  • Armenian
  • Azerbaijani Latin
  • Azerbaijani Cyrillic
  • Georgian
  • Kazakh
  • Kyrgyz
  • Turkmen
  • Uzbek Latin
  • Uzbek Cyrillic
  • Russian Moldova

It accepts the following parameters:

• -run={4 digit password} ← Password needed to execute the sample
• -nomutex ← Do not check the mutex
• -log ← Create log files
• -nodel ← Do not self-delete on execution
• -path={path} ← Encrypt only the specified path
• -noshare ← Do not encrypt shares
• -pt={path of winutils.dll} ← State the loader DLL
• -cg={path of config.ini} ← State the configuration file that stores the ransomware
• -we={path of cy.exe} ← State the main executable
• -diskpart ← Use diskpart.exe to clear the “Read-only” attribute of disk volumes
• -nobk ← Do not change the wallpaper of the infected machine.
• -thread={Number of threads per CPU}
• -at={yyyy/MM/dd HH:mm:ss} ← Specify local time when file encryption should start.
• -nomail ← Do not create a ransom note.
• -hostfile={Host file path} ← Path to a text file with a list of hosts to encrypt files on their shared resources.
• -listen={Address:Port} ← Listen mode.
• -srv={Address:Port}

It requires being executed with a specific argument/parameter, an additional component, or in a specific environment in order to proceed with its intended routine.

Ransomware Routine

This Ransomware appends the following extension to the file name of the encrypted files:

• .slpqne{2 digit number from 00 to 98}

It drops the following file(s) as ransom note:

• {Encrypted Directory}\_r_e_a_d_m_e.txt