RANSOM_MAKTUB.A

This new ransomware variant is known for the unique graphic designs of its ransom notes. Similar to other ransomware variants, it encrypts files and arrives via email.

To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following files:

• %User Temp%\{random filename}.cab - archive containing the RTF document
• %User Temp%\{malware filename}.rtf - non-malicious document
• {folders containing encrypted files}\_DECRYPT_INFO_{extension name}.html - ransom note
• %User Temp%\{extension name}.gif - Maktub Locker logo

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Other System Modifications

This Trojan modifies the following file(s):

• It encrypts files and appends a random extension to the encrypted files

Other Details

This Trojan encrypts files with the following extensions:

• apk
• arch00
• arw
• asset
• avi
• bar
• bay
• bc6
• bc7
• big
• bik
• bkf
• bkp
• blf
• blob
• bsa
• bup
• cab
• cas
• cat
• cdf-ms
• cdr
• cer
• cfr
• chm
• com
• cpl
• cr2
• crt
• crw
• css
• csv
• cur
• d3dbsp
• das
• dat
• dayzprofile
• dazip
• db0
• dba
• dbf
• dbfv
• dcr
• der
• desc
• dll
• dmp
• dng
• doc
• docm
• docx
• dot
• dotx
• drv
• dwg
• dxf
• dxg
• epk
• eps
• erf
• esm
• exe
• exif
• ff
• flv
• fon
• forge
• fos
• fpk
• fsh
• gdb
• gho
• gif
• gpd
• hkdb
• hkx
• hlp
• hplg
• htm
• html
• hvpl
• ibank
• ico
• icxs
• idl
• ifo
• indd
• inf
• inf_loc
• ini
• itdb
• itl
• itm
• iwd
• iwi
• jfif
• jpe
• jpeg
• jpg
• js
• kdb
• kdc
• kf
• layout
• lbf
• lck
• lib
• litemod
• lnk
• log
• log1
• log2
• lrf
• ltx
• lvl
• m2
• m3u
• m4a
• man
• manifest
• map
• mcgame
• mcmeta
• mdb
• mdbackup
• mddata
• mdf
• mef
• menu
• mht
• mlwivc
• mlx
• mof
• mov
• mp4
• mpg
• mpp
• mpqge
• mrw
• mrwref
• msg
• msi
• msp
• mui
• mum
• ncf
• nef
• nlp
• nls
• nrw
• ntl
• ocx
• odb
• odc
• odm
• odp
• ods
• odt
• orf
• p12
• p7b
• p7c
• pak
• pdb
• pdd
• pdf
• pef
• pem
• pfx
• pgp
• pkpass
• pnf
• png
• ppd
• ppsx
• ppt
• pptm
• pptx
• psd
• psk
• pst
• ptx
• py
• qdf
• qic
• r3d
• raf
• raw
• rb
• rdp
• re4
• regtrans-ms
• resx
• rgss3a
• rim
• rofl
• rtf
• rw2
• rwl
• sav
• sb
• sc2save
• scr
• shs
• sid
• sidd
• sidn
• sie
• sis
• slm
• snx
• so
• sql
• sr2
• srf
• srw
• sum
• svg
• swf
• syncdb
• sys
• t12
• t13
• tax
• tc
• thm
• thmx
• tif
• tor
• ttf
• txt
• unity3d
• upk
• vcf
• vdf
• vfs0
• vob
• vpk
• vpp_pc
• vsd
• vtf
• w3x
• wallet
• wav
• wb2
• wma
• wmf
• wmo
• wmv
• wotreplay
• wpd
• wps
• x3f
• xdr
• xf
• xlk
• xls
• xlsb
• xlsm
• xlsx
• xml
• xrm-ms
• xsd
• xxx
• ztmp

NOTES:

This malware deletes shadow copies by executing the following command:

%System%\vssadmin.exe delete shadows /all /Quiet

It opens the dropped document file:

It displays the following window after file encryption:

The dropped html component contains the ransom note:

Upon visiting the website, it asks for the decryption key:

It then redirects users to the main webpage: