RANSOM_HIDDENTEARSAHER.A

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It encrypts files with specific file extensions. It encrypts files found in specific folders.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following copies of itself into the affected system:

• %User Temp%\{Malware filename}

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Autostart Technique

This Ransomware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{value name} = {Malware file path}
where value name can be one of the following:

• Validator
• Adobe
• Validation
• DefinatelyNotMalware
• Default
• WindowsLogon
• Microsoft
• Microsoft Word

Other Details

This Ransomware does the following:

• Displays the following window:

  

Ransomware Routine

This Ransomware encrypts files with the following extensions:

• .jpg
• .jpeg
• .raw
• .PNG
• .tif
• .icon
• .php
• .gif
• .GIF
• .png
• .bmp
• .3dm
• .max
• .accdb
• .db
• .dbf
• .mdb
• .pdb
• .sql
• .dwg
• .dxf
• .c
• .cpp
• .cs
• .h
• .php
• .asp
• .rb
• .java
• .jar
• .class
• .py
• .js
• .aaf
• .aep
• .aepx
• .plb
• .prel
• .prproj
• .aet
• .ppj
• .dll
• .psd
• .indd
• .indl
• .indt
• .indb
• .inx
• .idml
• .pmd
• .xqx
• .xqx
• .ai
• .eps
• .ps
• .svg
• .swf
• .fla
• .as3
• .cerber3
• .as
• .txt
• .doc
• .dot
• .docx
• .docm
• .dotx
• .dotm
• .docb
• .rtf
• .wpd
• .wps
• .msg
• .pdf
• .xls
• .xlt
• .xlm
• .xlsx
• .xlsm
• .xltx
• .xltm
• .xlsb
• .xla
• .xlam
• .xll
• .xlw
• .ppt
• .pot
• .pps
• .pptx
• .pptm
• .potx
• .potm
• .ppam
• .ppsx
• .ppsm
• .sldx
• .sldm
• .wav
• .mp3
• .aif
• .iff
• .m3u
• .m4u
• .mid
• .mpa
• .wma
• .ra
• .avi
• .mov
• .mp4
• .3gp
• .mpeg
• .3g2
• .asf
• .asx
• .flv
• .mpg
• .wmv
• .vob
• .m3u8
• .dat
• .csv
• .efx
• .sdf
• .vcf
• .xml
• .ses
• .Qbw
• .QBB
• .QBM
• .QBI
• .QBR
• .Cnt
• .Des
• .v30
• .Qbo
• .Ini
• .Lgb
• .Qwc
• .Qbp
• .Aif
• .Qba
• .Tlg
• .Qbx
• .Qby
• .1pa
• .Qpd
• .Txt
• .Set
• .Iif
• .Nd
• .Rtp
• .Tlg
• .Wav
• .Qsm
• .Qss
• .Qst
• .Fx0
• .Fx1
• .Mx0
• .FPx
• .Fxr
• .Fim
• .ptb
• .Ai
• .Pfb
• .Cgn
• .exe
• .Vsd
• .Cdr
• .Cmx
• .Cpt
• .Csl
• .Cur
• .Des
• .Dsf
• .Ds4
• .Drw
• .Dwg
• .Eps
• .Ps
• .Prn
• .Gif
• .Pcd
• .Pct
• .Pcx
• .Plt
• .Rif
• .Svg
• .Swf
• .Tga
• .Tiff
• .Psp
• .Ttf
• .Wpd
• .Wpg
• .Wi
• .Raw
• .Wmf
• .Txt
• .Cal
• .Cpx
• .Shw
• .Clk
• .Cdx
• .Cdt
• .Fpx
• .Fmv
• .Img
• .Gem
• .Xcf
• .Pic
• .Mac
• .Met
• .PP4
• .Pp5
• .Ppf
• .Xls
• .Xlsx
• .Xlsm
• .Ppt
• .Nap
• .Pat
• .Ps
• .pl
• .py
• .Prn
• .Sct
• .Vsd
• .wk3
• .wk4
• .XPM
• .zip
• .rar

It encrypts files found in the following folders:

• %User Profile%

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It appends the following extension to the file name of the encrypted files:

• .Saher Blue Eagle