Ransom.MSIL.JUDGE.A

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes then deletes itself afterward.

It terminates itself if it detects it is being run in a virtual environment.

It encrypts files with specific file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• %User Temp%\Cry.img - Ransomnote used as Desktop Wallpaper(rename to *.png to view)

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• {Malware Filepath}\{Malware Filename}.exe

It executes then deletes itself afterward.

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• {vYtzIm0SDgeCYX5eq8g7}

Autostart Technique

This Ransomware drops the following file(s) in the Windows User Startup folder to enable its automatic execution at every system startup:

• %User Startup%\%Namee% - dropped copy of itself
• %User Startup%\vYtzIm0SDgeCYX5eq8g7.exe - dropped copy of itself

Other System Modifications

This Ransomware also creates the following registry entry(ies) as part of its installation routine:

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\
G\0
Runcount.cry = {random encrypted value using ProcessorId, BIOS SerialNumber, BaseBoard SerialNumber, VideoController}

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\
F\0
Runcount.cry = {random encrypted value using ProcessorId, BIOS SerialNumber, BaseBoard SerialNumber, VideoController}

HKEY_CIRRENT_USER\Software\VB and VBA Program Settings\
H\0
Runcount.cry = {Hours until ransom price increase}

HKEY_CIRRENT_USER\Software\VB and VBA Program Settings\
M\0
Runcount.cry = {Minutes until ransom price increase}

HKEY_CIRRENT_USER\Software\VB and VBA Program Settings\
S\0
Runcount.cry = {Seconds until ransom price increase}

It sets the system's desktop wallpaper to the following image:

Other Details

This Ransomware terminates itself if it detects it is being run in a virtual environment.

It does the following:

• Has a UI to view infected files and to input decryption password, after 3 failed attempts the malware will delete all encrypted files.

It checks if the following virtual machine or sandbox related module(s) is loaded in the affected system:

• sbieDll.dll - sandboxie

It does not proceed to its malicious routine if it detects that it is being debugged.

It uses Windows Management Instrumentation (WMI) to do the following:

• Delete Restore Points via SRRemoveRestorePoint()

Mobile Malware Routine

This Ransomware accesses the following possibly malicious URL(s):

• http://{BLOCKED}i.com/line/?fields=hosting - exits process if contains "True"
• http://{BLOCKED}x.tokyo/t1122990/log.php

Ransomware Routine

This Ransomware encrypts files with the following extensions:

• .3dm
• .3g2
• .3gp
• .aaf
• .accdb
• .aep
• .aepx
• .txt
• .aet
• .ai
• .aif
• .arw
• .as
• .as3
• .asf
• .asp
• .asx
• .avi
• .bay
• .bmp
• .cdr
• .cer
• .class
• .cpp
• .cr2
• .crt
• .crw
• .cs
• .csv
• .db
• .dbf
• .dcr
• .der
• .dng
• .doc
• .docb
• .docm
• .docx
• .exee
• .dot
• .dotm
• .dotx
• .dwg
• .dxf
• .dxg
• .efx
• .eps
• .erf
• .fla
• .flv
• .idml
• .iff
• .indb
• .indd
• .indl
• .indt
• .inx
• .jar
• .java
• .jpeg
• .jpg
• .kdc
• .m3u
• .m3u8
• .m4u
• .max
• .mdb
• .mdf
• .mef
• .mid
• .mov
• .mp3
• .mp4
• .mpa
• .mpeg
• .mpg
• .mrw
• .msg
• .nef
• .nrw
• .odb
• .odc
• .odm
• .odp
• .ods
• .odt
• .orf
• .p12
• .p7b
• .p7c
• .pdb
• .pdf
• .pef
• .pem
• .pfx
• .php
• .plb
• .pmd
• .pot
• .potm
• .potx
• .ppam
• .ppj
• .pps
• .ppsm
• .ppsx
• .ppt
• .pptm
• .pptx
• .prel
• .prproj
• .ps
• .psd
• .pst
• .ptx
• .r3d
• .ra
• .raf
• .rar
• .raw
• .rb
• .rtf
• .rw2
• .rwl
• .sdf
• .sldm
• .sldx
• .sql
• .sr2
• .srf
• .srw
• .svg
• .swf
• .tif
• .vcf
• .vob
• .wav
• .wb2
• .wma
• .wmv
• .wpd
• .wps
• .x3f
• .xla
• .xlam
• .xlk
• .xll
• .xlm
• .xls
• .xlsb
• .xlsm
• .xlsx
• .xlt
• .xltm
• .xltx
• .xlw
• .xml
• .xqx
• .zip
• .iso
• .png

It avoids encrypting files with the following strings in their file path:

• Bin
• indows
• tings
• system volume information
• cache
• very
• rogram files (x86)
• rogram Files
• boot
• efi
• old

It appends the following extension to the file name of the encrypted files:

• .[{BLOCKED}ebackup@tutanota.com].judge

It leaves text files that serve as ransom notes containing the following text:

• --------------------------------
• YOUR DEVICE ID: {DEVICE ID}
• BTC Address: 1M3EDJdQtPNY5t2nHAeRTgQRFDu2U6QNCG
• BTC Price: 100$
• E-Mail: {BLOCKED}ebackup@tutanota.com
• Telegram: @{BLOCKED}ackup
• --------------------------------
• What happened to my device?
• If you access this page so your device has been encrypted.
• Many of your documents, photos, videos, databases and other files are no longer
• accessible because they have been encrypted, Maybe you are busy looking for a way to recover
• your files, but do not waste your time. NOBODY can recover your files without our decryption service.
• How Recover My Files?
• Sure, We guarantee that you can recover all your files safely and easily, But you have not so enough time,
• After the end of the specified time, which is listed below, the price will be raised to double the specified amount
• Speed is required, We will close all our accounts after a certain period, so you will never be able to retrieve your files if u late.
• How To Pay?
• Only one payment is accepted (Bitcoin)
• Please check the current price of Bitcoin and buy some bitcoins
• And send the correct amount to the address
• After payment
• After you send the specified amount to the Bitcoin wallet immediately,
• click on Contact Us and send us an email with the ID of your device and the transfer number for the bitcoins
• --------------------------------
• YOUR DEVICE ID: {DEVICE ID}
• BTC Address: 1M3EDJdQtPNY5t2nHAeRTgQRFDu2U6QNCG
• BTC Price: 100$
• E-Mail: {BLOCKED}ebackup@tutanota.com
• Telegram: @{BLOCKED}ackup
• --------------------------------
• What happened to my device?
• If you access this page so your device has been encrypted.
• Many of your documents, photos, videos, databases and other files are no longer
• accessible because they have been encrypted, Maybe you are busy looking for a way to recover
• your files, but do not waste your time. NOBODY can recover your files without our decryption service.
• How Recover My Files?
• Sure, We guarantee that you can recover all your files safely and easily, But you have not so enough time,
• After the end of the specified time, which is listed below, the price will be raised to double the specified amount
• Speed is required, We will close all our accounts after a certain period, so you will never be able to retrieve your files if u late.
• How To Pay?
• Only one payment is accepted (Bitcoin)
• Please check the current price of Bitcoin and buy some bitcoins
• And send the correct amount to the address
• After payment
• After you send the specified amount to the Bitcoin wallet immediately,
• click on Contact Us and send us an email with the ID of your device and the transfer number for the bitcoins