- Threat Encyclopedia
- Malware
- RANSOM_HDDCRYPTOR.AUSE
Windows
Dropped by other malware, Downloaded from the Internet
This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
1111552 bytes
EXE
Yes
29 Jul 2017
Restarts system, Executes files, Displays message/message boxes, Encrypts files
Arrival Details
This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Ransomware drops the following file(s)/component(s):
(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)
Autostart Technique
This Ransomware registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\dcrypt
ImagePath = %System%\drivers\dcrypt.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\DefragmentService
ImagePath = {Malware Path and Filename}.exe {password} /accepteula
It adds and runs the following services:
Other System Modifications
This Ransomware adds the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\dcrypt
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\dcrypt\config
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\dcrypt\Instances
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\dcrypt\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\dcrypt\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\DefragmentService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\DefragmentService\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\DefragmentService\Enum
It adds the following registry entries as part of its installation routine:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\dcrypt
Type = 00000001
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\dcrypt
Start = 00000000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\dcrypt
ErrorControl = 00000003
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\dcrypt
DisplayName = DiskCryptor driver
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\dcrypt
Group = Filter
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\dcrypt
DependOnService = {hex values}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\dcrypt
DependOnGroup = {hex values}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\dcrypt\config
Flags = {hex values}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\dcrypt\config
Hotkeys = {hex values}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\dcrypt\config
sysBuild = {hex values}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\dcrypt\Instances
DefaultInstance = dcrypt
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\dcrypt\Instances\
dcrypt
Altitude = {hex values}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\dcrypt\Instances\
dcrypt
Flags = {hex values}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\dcrypt\Security
Security = {hex values}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\dcrypt\Enum
0 = {string values}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\dcrypt\Enum
Count = {hex values}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\dcrypt\Enum
NextInstance = {hex values}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\DefragmentService
Type = 00000010
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\DefragmentService
Start = 00000002
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\DefragmentService
ErrorControl = 00000000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\DefragmentService
DisplayName = DefragmentService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\DefragmentService
ObjectName = LocalSystem
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\DefragmentService
FailureActions = {hex values}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\DefragmentService\Security
Security = {hex values}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\DefragmentService\Enum
0 = {string values}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\DefragmentService\Enum
Count = 00000001
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\DefragmentService\Enum
NextInstance = 00000001
Other Details
This Ransomware does the following:
(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)
NOTES:
After another reboot, this ransomware displays the following ransom note upon boot up:
9.850
13.568.08
29 Jul 2017
13.569.00
30 Jul 2017
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Restore your system's Master Boot Record (MBR)
To restore your system's Master Boot Record (MBR):
• On Windows 2000, XP, and Server 2003:
• On Windows Vista, 7, and Server 2008:
• On Windows 8, 8.1, and Server 2012:
Step 3
Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.
Step 4
Restart in Safe Mode
Step 5
Disable this malware service
Step 6
Delete this registry key
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
Step 7
Search and delete these files
Step 8
Restart in normal mode and scan your computer with your Trend Micro product for files detected as RANSOM_HDDCRYPTOR.AUSE. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.