Ransom.Win32.ALOL.A

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It encrypts files with specific file extensions. It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• %User Temp%\RarSFX0\btc.exe (encryptor; detected as TROJ_GEN.R002C0GK620)
• %User Temp%\RarSFX0\__tmp_rar_sfx_access_check_{random numbers} -> deleted later

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• "%User Temp%\RarSFX0\btc.exe"
• "cmd.exe" /c vssadmin.exe delete shadows /all /quiet

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It creates the following folders:

• %User Temp%\RarSFX0

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• {Default}

Other Details

This Ransomware does the following:

• In the primary drive, it only encrypts %User Profile% path

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Ransomware Routine

This Ransomware encrypts files with the following extensions:

• .ezp
• .exp
• .xxx
• .epj
• .ews
• .aep
• .x3d
• .tpd
• .tpi
• .doc
• .docx
• .MOV
• .mp4
• .CR2
• .mov
• .MP4
• .jpg
• .JPG
• .jpge
• .tar
• .xml
• .XML
• .m3u
• .m4a
• .mid
• .mp3
• .mpa
• .csv
• .dat
• .DAT
• .wav
• .wma
• .avi
• .AVI
• .m4v
• .mpg
• .srt
• .swf
• .vob
• .wmv
• .flv
• .webm
• .mkv
• .3dm
• .3ds
• .max
• .ogg
• .bin
• .bmp
• .gif
• .png
• .psd
• .tga
• .h264
• .aif
• .dmg
• .eps
• .svg
• .pct
• .pdf
• .xlr
• .xls
• .sxlsx
• .accdb
• .db
• .dbf
• .mdb
• .pdb
• .sql
• .app
• .bat
• .cgi
• .exe
• .rar
• .zip
• .7zip
• .jar
• .ai
• .dem
• .sav
• .dwg
• .cab
• .cpl
• .cur
• .dll
• .drv
• .ico
• .lnk
• .sys
• .gz
• .zipx
• .iso
• .cpp
• .cs
• .class
• .dtd
• .lua
• .sh
• .sln
• .swift
• .vb
• .vcxproj
• .xcodeproj
• .swift
• .vcxproj
• .xcodeproj
• .bak
• .tmp
• .ics
• .msi
• .part
• .torrent
• .pdb
• .sln
• .vbproj
• .resx
• .config
• .frm
• .frx
• .vbp
• .vbw
• .cube
• .xml
• .js
• .php
• .xtml
• .ovpn
• .iml
• .gradle
• .properties
• .json
• .pro
• .py
• .null
• .aaf
• .aepx
• .csv
• .pbl
• .tab
• .edl
• .plb
• .prel
• .proroj
• .psq
• .html
• .css
• .apk
• .reg
• .jpeg
• .raw
• .cdr
• .eps
• .cr2
• .nef
• .orf
• .sr2
• .prproj
• .msi
• .aep
• .jpe
• .aet
• .fcpx
• .FCPX
• .imi

It appends the following extension to the file name of the encrypted files:

• .lola

It drops the following file(s) as ransom note:

• {Encrypted Directory}\Please_Read.txt