Ransom.Linux.BLACKCAT.YXDLU

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It encrypts files with specific file extensions. It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Other Details

This Ransomware accepts the following parameters:

• {launch string} → required to proceed to its encryption routine
  • -p | --path {Directory}→ Path to encrypt.
  • -f | --paths-file {File path}→ Load path from file. One or many
  • -o | --override-credentials {User credentials} → Override config credentials.
  • -R | --disable-recursion → Disable encrypting sub-folders within the specified directory in "--path" parameter.
  • -N | --disable-network → Disable automatic network discovery.
  • -K | --disable-elevate-to-system → Do not attempt to elevate access token to system.
  • -E | --disable-self-propagation → Disable network self propagation.
  • -s | --suspend → Initialize and wait for incoming client connections.
  • --xi {Include VM to kill} →Only include Wildcar pattern while killing VMs(default: *)
  • --xe {Exclude VM to kill}→Exclude all matching wildcard pattern while killing VMs
  • -w | --watch {Time} → Server will remain active after execution and repeat discovery on given time.
  • -v | --verbose → Print log to console.
  • -X | --self-destuct → Delete file after execution.
  • -h | --help → Print help information.
  • -t | toolkit → Various tools.
  • help → Print help information.
  • server →Start local server and discover resources.

Ransomware Routine

This Ransomware encrypts files with the following extensions:

• .log
• .vmdk
• .vmem
• .vswp
• .vmsn
• .vmsd
• .iso
• .zip
• .txt
• .vmx
• .nvram
• .vmxf
• .backup
• .sql
• .txt
• .doc
• .rtf
• .xls
• .jpg
• .jpeg
• .png
• .gif
• .webp
• .tiff
• .psd
• .raw
• .bmp
• .pdf
• .docx
• .docm
• .dotx
• .dotm
• .odt
• .xlsx
• .xlsm
• .xltx
• .xltm
• .xlsb
• .xlam
• .ods
• .pptx
• .pptm
• .ptox
• .potm
• .ppsx
• .ppsm
• .odp
• .mdf
• .msc
• .sys
• .lnk
• .exe
• .drv
• .dll
• .msu
• .search-ms

It avoids encrypting files with the following strings in their file path:

• \$windows.~ws
• \$windows.~bt
• \windows
• \windows.old
• \NTUSER.DAT
• \autorun.inf
• \boot.ini
• \desktop.ini
• \system volume information
• \Boot
• \DumpStack.log.tmp
• \PerfLogs
• \Users\Microsoft_Corporation\.config
• \AppData\Local\Microsoft\GameDVR
• \AppData\Local\Packages\Microsoft
• \AppData\Local\Packages\MicrosoftWindows
• \AppData\Local\Packages\Internet Explorer
• \AppData\Local\Packages\Internet Explorer
• \AppData\Local\Temp
• \Program Files\Common Files\microsoft shared
• \Program Files\Common Files\Services
• \Program Files\Common Files\System
• \Program Files\Internet Explorer
• \Program Files\ModifiableWindowsApps
• \Program Files\Uninstall Information
• \Program Files\Windows Defender
• \Program Files\Windows Mail
• \Program Files\Windows Media Player
• \Program Files\Windows NT
• \Program Files\Windows Photo Viewer
• \Program Files\Windows Portable Devices
• \Program Files\Windows Security
• \Program Files\Windows Sidebar
• \Program Files\WindowsApps
• \Program Files\WindowsPowerShell
• \Program Files (x86)\Common Files
• \Program Files (x86)\Common Files\Microsoft Shared
• \Program Files (x86)\Common Files\Services
• \Program Files (x86)\Common Files\System
• \Program Files (x86)\Internet Explorer
• \Program Files (x86)\Microsoft\Edge
• \Program Files (x86)\Microsoft\Temp
• \Program Files (x86)\Microsoft.NET
• \Program Files (x86)\Windows Defender
• \Program Files (x86)\Windows Mail
• \Program Files (x86)\Windows Media Player
• \Program Files (x86)\Windows Multimedia Platform
• \Program Files (x86)\Windows NT
• \Program Files (x86)\Windows Photo Viewer
• \Program Files (x86)\Windows Portable Devices
• \Program Files (x86)\Windows Security
• \Program Files (x86)\Windows Sidebar
• \Program Files (x86)\WindowsPowerShell
• \ProgramData\ssh
• \ProgramData\ntuser.pol
• \ProgramData\regid..com.microsoft
• \ProgramData\USOPrivate
• \ProgramData\USOShared
• \ProgramData\Microsoft\UEV
• \ProgramData\Microsoft\Device Stage
• \ProgramData\Microsoft\DeviceSync
• \ProgramData\Microsoft\Diagnosis
• \ProgramData\Microsoft\DiagnosticLogCSP
• \ProgramData\Microsoft\DRM
• \ProgramData\Microsoft\EdgeUpdate
• \ProgramData\Microsoft\Event Viewer
• \ProgramData\Microsoft\IdentityCRL
• \ProgramData\Microsoft\MapData
• \ProgramData\Microsoft\MF
• \ProgramData\Microsoft\NetFramework.
• \ProgramData\Microsoft\Network
• \ProgramData\Microsoft\Provisioning.
• \ProgramData\Microsoft\Search.
• \ProgramData\Microsoft\SmsRouter
• \ProgramData\Microsoft\Spectrum
• \ProgramData\Microsoft\Speech_OneCore
• \ProgramData\Microsoft\Storage Health
• \ProgramData\Microsoft\User Account Pictures
• \ProgramData\Microsoft\Vault
• \ProgramData\Microsoft\WDF
• \ProgramData\Microsoft\Windows
• \ProgramData\Microsoft\Windows Defender
• \ProgramData\Microsoft\Windows NT
• \ProgramData\Microsoft\Windows Security Health
• \ProgramData\Microsoft\WinMSIPC
• \ProgramData\Microsoft\WPD
• \ProgramData\Microsoft\Crypto\RSA\MachineKeys\
• \ProgramData\Microsoft\ServerManager\Events\FileServer.Events.xml
• \ProgramData\Packages\USOPrivate
• \ProgramData\Packages\USOShared
• \ProgramData\Packages\WindowsHolographicDevices
• \ProgramData\Packages\MicrosoftWindows
• \ProgramData\Packages\Microsoft

It avoids encrypting files found in the following folders:

• /bin
• /sbin
• /boot
• /cdrom
• /etc
• /lib
• /proc
• /root
• /run
• /srv
• /sys
• /tmp
• /usr

It appends the following extension to the file name of the encrypted files:

• {Original file name}.{Original extension}.{Random Characters}.6nc4n2q

It drops the following file(s) as ransom note:

• {Encrypted Directory}\{Random Characters}.txt
  

It avoids encrypting files with the following file extensions:

• .lock
• .tmp