Ransom.Win64.RECRANS.THEOHBC

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• %Public%\2134A99F204DAB9E5574EE51B87C57DCF7483B6F
• %Public%\noise.bmp

(Note: %Public% is the folder that serves as a repository of files or folders common to all users, which is usually C:\Users\Public in Windows Vista, 7, and 8.)

It adds the following processes:

• reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
• reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
• reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
• cd %userprofile%\documents\
• attrib Default.rdp -s -h
• del Default.rdp
• for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
• /c del {Malware File Path} > nul

Other System Modifications

This Ransomware changes the desktop wallpaper by modifying the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
Wallpaper = %Public%\noise.bmp

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
WallpaperStyle = 4

(Note: The default value data of the said registry entry is 0.)

It sets the system's desktop wallpaper to the following image:

• %Public%\noise.bmp
  

Other Details

This Ransomware does the following:

• It encrypts files found in the following drives:
  • Unkown Drive
  • No Root Directory Drive
  • Removable Drive
  • Fixed Drive
  • Remote Drive
• It shows its logs within the command prompt.
  
• It deletes itself after execution.

It accepts the following parameters:

• /f → Used for encrypting only the designated file
• /d → Used for encrypting only the designated directory
• /s → displays only the argument used

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file path:

• $RECYCLE.BIN
• .vscode
• AVG
• Avast
• Avira
• COMODO
• Chrome
• Common Files
• Common7 Dell
• Dr.Web
• ESET
• Firefox
• Install Shield Installation Information
• Intel
• Internet Explorer
• Kaspersky Lab
• McAfee
• Microsoft
• Microsoft Help
• Microsoft SDKs
• Microsoft Shared
• Microsoft VS Code
• Microsoft Visual
• Studio Microsoft.NET
• MovieMaker
• Mozilla Mozilla Firefox
• NVIDIA Corporation
• Opera
• Package Cache
• Packages
• Reference assemblies
• Spytechsoftware Symantec
• Symantec Client Security
• System Volume Information
• Temp
• Windows
• Windows App Certification Kit
• Windows Defender
• Windows Kits
• Windows Mail
• Windows Media Player
• Windows Multimedia Platform
• Windows NT
• Windows Phone Kits
• Windows Phone Silverlight Kits
• Windows Photo Viewer
• Windows Portable Devices
• Windows Security
• Windows Sidebar
• WindowsApps
• WindowsPowerShell
• Wsus
• Yandex Browser
• sysconfig

It appends the following extension to the file name of the encrypted files:

• .rec_rans

It drops the following file(s) as ransom note:

• {Encrypted Directory}/HOW_TO_RECOVERY_FILES.txt
  

It avoids encrypting files with the following file extensions:

• .386
• .adv
• .ani
• .bat
• .bin
• .cab
• .cmd
• .com
• .cur
• .deskthemepack
• .diagcab
• .diagcfg
• .diagpkg
• .drv
• .exe
• .hlp
• .hta
• .icns
• .ico
• .ics
• .idx
• .lnk
• .lock
• .mod
• .mpa
• .msc
• .msi
• .msp
• .msstyles
• .msu
• .nls
• .nomedia
• .ocx
• .prf
• .ps1
• .rom
• .rtp
• .scr
• .shs
• .sys
• .theme
• .themepack
• .wpx