Ransom.PS1.NETWALKER.M

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• %User Temp%\{Random Characters}.tmp
• %User Temp%\{Random Characters}.0.cs
• %User Temp%\{Random Characters}.dll
• %User Temp%\{Random Characters}.cmdline
• %User Temp%\{Random Characters}.out
• %User Temp%\{Random Characters}.err
• %User Temp%\{Random Characters}.pdb
• %User Temp%\CSC{random}.tmp
• %User Temp%\RES{random}.tmp

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It injects codes into the following process(es):

• explorer.exe

Process Termination

This Ransomware terminates the following services if found on the affected system:

• *backup*
• *sql*
• AcronisAgent
• AcrSch2Svc
• acrsch2svc*
• apach*
• ARSM
• backup*
• cbvscserv*
• dc*32
• firebird*
• hMailServer
• IASJet
• IBM Domino*
• ibmiasrw
• IISADMIN
• Lotus*
• MMS
• mr2kserv
• MSExchange*
• omsad
• QB*
• QuickBooksDB*
• server Administrator
• ShadowProtectSvc
• Simply Accounting Database Connection Manager
• SP*4
• SPXService
• sql*
• stc_endpt_svc
• StorageCraft ImageManager
• teamviewer
• veeam*
• vsnapvss
• wbengine
• wrsvc

It terminates the following processes if found running in the affected system's memory:

• *sql*
• agent*
• agntsvc.exe
• apach*
• b1*
• ba*
• bd2*
• be*
• bes10*
• black*
• cbservi*
• cbvscserv*
• cfdot*
• coldfus*
• db*
• dbeng50.exe
• dbsnmp.exe
• encsvc.exe
• excel.exe
• fdlaunch*
• firefoxconfig.exe
• hMailServer*
• IBM*
• infopath.exe
• jetty.exe
• msaccess.exe
• msdtssr*
• msmdsrv*
• mspub.exe
• mydesktopqos.exe
• mydesktopservice.exe
• nservice.exe
• nslsvice.exe
• ntrtscan.exe
• ocautoupds.exe
• ocomm.exe
• ocssd.exe
• onenote.exe
• oracle*
• oracle.exe
• outlook.exe
• pg*
• postg*
• powerpnt.exe
• QB*
• report*
• sage*
• sap*
• sqbcoreservice.exe
• sql*
• store.exe
• swag*
• swstrtr*
• synctime.exe
• tbirdconfig.exe
• team*
• thebat.exe
• thebat64.exe
• thunderbird.exe
• vee*
• visio.exe
• wbengine*
• winword.exe
• wordpad.exe
• wrsa.exe
• xfssvccon.exe

Other Details

This Ransomware deletes the following files to remove its traces in the system:

• %User Temp%\{Random Characters}.tmp
• %User Temp%\{Random Characters}.0.cs
• %User Temp%\{Random Characters}.dll
• %User Temp%\{Random Characters}.cmdline
• %User Temp%\{Random Characters}.out
• %User Temp%\{Random Characters}.err
• %User Temp%\{Random Characters}.pdb
• %User Temp%\CSC{random}.tmp
• %User Temp%\RES{random}.tmp

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• autorun.inf
• boot.ini
• bootfont.bin
• bootmgr
• bootnxt
• bootsect.bak
• desktop.ini
• gdipfont*.dat
• iconcache.db
• ntldr
• ntuser.dat
• ntuser.dat*
• ntuser.ini
• thumbs.db
• usrclass.dat
• usrclass.dat*

It avoids encrypting files with the following strings in their file path:

• *$windows.~ws
• *:\program file*\vmware.e
• *:\users\*\*temp.mp
• *:\users\*\appdata\*\microsoft.soft
• *:\windows
• *:\winnt
• *\Program File*\Cisco.o
• *\program file*\common files\reference ass*.s*
• *\program file*\common files\system.em
• *\program file*\cuass*.*
• *\program file*\microsoft games.s
• *\program file*\vmware.e
• *\program file*\windows media*.*
• *\program file*\windows nt.t
• *\program file*\windows photo*.*
• *\program file*\windows portable*.*
• *\program file*\windowspowershell.l
• *\programfile*\common files\*shared.ed
• *\programfile*\windows side*.*
• *\windows\cache*.*
• *appdata*microsoft
• *appdata*packages
• *boot
• *dvd maker
• *Internet Explorer
• *media player
• *microsoft\provisioning
• *Mozilla
• *Mozilla*
• *msocache
• *Old Firefoxdata
• *perflogs
• *system volume information
• *temporary internet*
• *windows defender
• *windows.old
• \*\users\*\*temp.temp
• \*\users\*\appdata\*\microsoft.rosoft
• \*\windows.ws
• \*\winnt.nt

It appends the following extension to the file name of the encrypted files:

• .{6 random characters}

It drops the following file(s) as ransom note:

• %Desktop%\{Appended Extension}-Readme.txt
• {Encrypted Directory}\{Appended Extension}-Readme.txt
  

It avoids encrypting files with the following file extensions:

• .386
• .adv
• .ani
• .bat
• .cab
• .clb
• .cmd
• .com
• .cpl
• .cur
• .deskthemepack
• .diagcab
• .diagcfg
• .diagpkg
• .dll
• .drv
• .exe
• .extfree
• .hlp
• .hta
• .icl
• .icns
• .ico
• .ics
• .idx
• .key
• .ldf
• .lnk
• .lock
• .mod
• .mpa
• .msc
• .msi
• .msp
• .msstyles
• .msu
• .mui
• .nls
• .nomedia
• .ocx
• .prf
• .ps1
• .regtrans-ms
• .rom
• .rtp
• .scr
• .shs
• .spl
• .sys
• .theme
• .themepack
• .wpx