Ransom.Win32.FOG.THDODBE

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• {Malware File Path}\DbgLog.sys → logs the behavior of the sample upon execution
• %Application Data%\Microsoft\Crypto\RSA\{SID}}\{Generated Hash}{GUID}

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• "%System%\NOTEPAD.EXE" %Desktop%\RANSOMNOTE.txt
• %System%\vssadmin.exe delete shadows /all /quiet
• cmd.exe /c net config Workstation → Gathers computer name, domain/workgroup, and logged-on user information.
• cmd.exe /c systeminfo → Gathers OS version, build, architecture, boot time, and system manufacturer.
• cmd.exe /c hostname → Gathers local system hostname.
• cmd.exe /c net users → Gathers local user accounts and metadata (e.g., last set, expiry).
• cmd.exe /c ipconfig /all → Gathers IP configuration, DNS, DHCP, MAC addresses, and adapter info.
• cmd.exe /c route print → Gathers routing table and interface metrics.
• cmd.exe /c arp -A → Gathers ARP cache entries (discovered local hosts and MACs).
• cmd.exe /c netstat -ano → Gathers active network connections, listening ports, and process IDs.
• cmd.exe /c netsh firewall show state → Gathers current firewall state and global policy settings.
• cmd.exe /c netsh firewall show config → Gathers full firewall configuration including rules and exceptions.
• cmd.exe /c schtasks /query /fo LIST /v → Gathers scheduled tasks, triggers, actions, and user contexts.
• cmd.exe /c tasklist /SVC → Gathers running processes and associated services.
• cmd.exe /c net start → Gathers currently running services.
• cmd.exe /c DRIVERQUERY → Gathers loaded drivers, types, and load dates.

(Note: %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\Desktop on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• 6jSf6QFH0VGR5XL4RGYarc5YVpB4W1H3

Process Termination

This Ransomware terminates the following services if found on the affected system:

• Dhcp
• Dnscache
• *sql*

It terminates the following processes if found running in the affected system's memory:

• notepad.exe
• calc.exe
• *sql*

Other Details

This Ransomware does the following:

• It empties the recycle bin of the affected machine.

It accepts the following parameters:

• -nomutex - Disable mutex creation
• -target {Target Direcory} - Specify target directory
• -console - Display log output in command prompt
• -procoff - Disable process termination
• -uncoff - Disable network share enumeration and encryption

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file path:

• tmp
• winnt
• Application Data
• AppData
• temp
• thumb
• $Recycle.Bin
• System Volume Information
• Windows
• Boot

It appends the following extension to the file name of the encrypted files:

• .flocked

It drops the following file(s) as ransom note:

• %Desktop%\RANSOMNOTE.txt
  
• {Encrypted Directory\readme.txt
  

It avoids encrypting files with the following file extensions:

• *.dll
• .exe
• .dll
• .lnk
• .sys
• .CONTI