Ransom.MSIL.CRYNG.A

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Se ejecuta y, a continuación, se elimina.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Infiltra y ejecuta los archivos siguientes:

• {malware directory}\kill.bat
• {malware directory}\killme.bat

Se ejecuta y, a continuación, se elimina.

Otros detalles

Hace lo siguiente:

• It requires the argument "cc" to be able to run.
• Through the dropped file, kill.bat, it forcefully deletes files with the following strings and file extensions using del /s /f /q command in drives D:\, E:\, F:\, G:\, and H:\ if available:
  • *.VHD
  • *.bac
  • *.bak
  • *.wbcat
  • *.bkf
  • Backup*.*
  • backup*.*
  • *.set
  • *.win
  • *.dsk
• If not executed as administrator:
  • It will encrypt files.
  • It will not drop ransom notes.
  • It will not be able to create killme.bat, and thus will not be able to delete itself.
  • It will encounter problems upon attempting to write in the System drive (C:\)
• In executing kill.bat, it forcefully terminates the following programs through taskkill /IM /F command:
  • mspub.exe
  • mydesktopqos.exe
  • mydesktopservice.exe
• If run without arguments, the program will write the following message in a console and terminate itself:
  • "donot cry :)"
• It will log the files it successfully encrypted and display the following message in a console:
  • "Finished :("
• It checks for either conditions before accessing a drive for encryption:
  • Drive is not a Fixed Drive nor a Removable Drive.
  • Drive is ready or accessible for read/write operations.