Ransom.Win32.EXX.THFBIBO

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware adds the following processes:

• cipher /w %s
• wbadmin.exe delete catalog -quiet
• bcdedit.exe /set {default} recoveryenabled no
• bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
• schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
• wevtutil.exe cl Application
• wevtutil.exe cl System
• wevtutil.exe cl Setup
• wevtutil.exe cl Security
• wevtutil.exe sl Security /e:false
• fsutil.exe usn deletejournal /D C:

Other System Modifications

This Ransomware adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\SystemRestore
DisableConfig = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\SystemRestore
DisableSR = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows NT\SystemRestore
DisableConfig = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows NT\SystemRestore
DisableSR = 1

Process Termination

This Ransomware terminates processes or services that contain any of the following strings if found running in the affected system's memory:

• javaw
• java
• sage
• ks_action
• ks_email
• ks_copy
• ks_sched
• ks_serv
• ks_web
• ks_report
• ks_im
• ks_db
• pvxiosvr
• pvxwin32
• xfssvccon
• wordpad
• wlmail
• winword
• vmwp
• vmware-vmx
• vmms
• vmconnect
• vmcompute
• visio
• veeam
• tv_x64
• tv_w32
• tomcat
• thunderbird
• thebat64
• thebat
• teamviewer
• tbirdconfig
• tasklist
• taskmgr
• synctime
• sublime_text
• stream
• steam
• sqbcoreservice
• screenconnect
• ruby
• qbw32
• pythonw
• python
• processhacker
• powerpnt
• postgres
• php
• outlook
• oracle
• onenote
• om8start
• om8
• ocssd
• ocomm
• ocautoupds
• notepad
• notepad++
• node
• nginx
• ncsvc
• ncs
• mydesktopservice
• mydesktopqos
• mspub
• msaccess
• mongod
• metiix
• mdccom
• mbarw
• mail
• i_view32
• infopath
• exchange
• excel
• encsvc
• duplicati
• devenv
• dbsnmp
• dbeng50
• database
• backup
• atom
• arw
• agntsvcencsvc
• agntsvcagntsvc
• agntsvc
• ARSM
• AcrSch2Svc
• Acronis VSS Provider
• AcronisAgent
• AcronixAgent
• Antivirus
• BackupExecAgentAccelerator
• BackupExecAgentBrowser
• BackupExecDeviceMediaService
• BackupExecJobEngine
• BackupExecManagementService
• BackupExecRPCService
• BackupExecVSSProvider
• DCAgent
• DbxSvc
• EPSecurityService
• EPUpdateService
• ESHASRV
• EhttpSrv
• Enterprise Client Service
• EraserSvc11710
• EsgShKernel
• FA_Scheduler
• IISAdmin
• IMAP4Svc
• KAVFS
• KAVFSGT
• MBAMService
• MBEndpointAgent
• MSExchangeAB
• MSExchangeADTopology
• MSExchangeAntispamUpdate
• MSExchangeES
• MSExchangeEdgeSync
• MSExchangeFBA
• MSExchangeFDS
• MSExchangeIS
• MSExchangeMGMT
• MSExchangeMTA
• MSExchangeMailSubmission
• MSExchangeMailboxAssistants
• MSExchangeMailboxReplication
• MSExchangeProtectedServiceHost
• MSExchangeRPC
• MSExchangeRepl
• MSExchangeSA
• MSExchangeSRS
• MSExchangeSearch
• MSExchangeServiceHost
• MSExchangeThrottling
• MSExchangeTransport
• MSExchangeTransportLogSearch
• MSOLAP$SQL_2008
• MSOLAP$SYSTEM_BGC
• MSOLAP$TPS
• MSOLAP$TPSAMA
• MSSQL$BKUPEXEC
• MSSQL$ECWDB2
• MSSQL$PRACTICEMGT
• MSSQL$PRACTTICEBGC
• MSSQL$PROD
• MSSQL$PROFXENGAGEMENT
• MSSQL$SBSMONITORING
• MSSQL$SHAREPOINT
• MSSQL$SOPHOS
• MSSQL$SQLEXPRESS
• MSSQL$SQL_2008
• MSSQL$SYSTEM_BGC
• MSSQL$TPS
• MSSQL$TPSAMA
• MSSQL$VEEAMSQL2008R2
• MSSQL$VEEAMSQL2012
• MSSQLFDLauncher
• MSSQLFDLauncher$PROFXENGAGEMENT
• MSSQLFDLauncher$SBSMONITORING
• MSSQLFDLauncher$SHAREPOINT
• MSSQLFDLauncher$SQL_2008
• MSSQLFDLauncher$SYSTEM_BGC
• MSSQLFDLauncher$TPS
• MSSQLFDLauncher$TPSAMA
• MSSQLSERVER
• MSSQLServerADHelper
• MSSQLServerADHelper100
• MSSQLServerOLAPService
• McAfeeEngineService
• McAfeeFramework
• McAfeeFrameworkMcAfeeFramework
• McShield
• McTaskManager
• MongoDB
• MsDtsServer
• MsDtsServer100
• MsDtsServer110
• MySQL57
• MySQL80
• NetMsmqActivator
• OracleClientCache80
• OracleServiceXE
• OracleXETNSListener
• PDVFSService
• POP3Svc
• RESvc
• ReportServer
• ReportServer$SQL_2008
• ReportServer$SYSTEM_BGC
• ReportServer$TPS
• ReportServer$TPSAMA
• SAVAdminService
• SAVService
• SDRSVC
• SMTPSvc
• SNAC
• SQL Backups
• SQLAgent$BKUPEXEC
• SQLAgent$CITRIX_METAFRAME
• SQLAgent$CXDB
• SQLAgent$ECWDB2
• SQLAgent$PRACTTICEBGC
• SQLAgent$PRACTTICEMGT
• SQLAgent$PROD
• SQLAgent$PROFXENGAGEMENT
• SQLAgent$SBSMONITORING
• SQLAgent$SHAREPOINT
• SQLAgent$SOPHOS
• SQLAgent$SQLEXPRESS
• SQLAgent$SQL_2008
• SQLAgent$SYSTEM_BGC
• SQLAgent$TPS
• SQLAgent$TPSAMA
• SQLAgent$VEEAMSQL2008R2
• SQLAgent$VEEAMSQL2012
• SQLBrowser
• SQLSERVERAGENT
• SQLSafeOLRService
• SQLTELEMETRY
• SQLTELEMETRY$ECWDB2
• SQLWriter
• SQLsafe Backup Service
• SQLsafe Filter Service
• SamSs
• SepMasterService
• ShMonitor
• SmcService
• Smcinst
• SntpService
• Sophos Agent
• Sophos AutoUpdate Service
• Sophos Clean Service
• Sophos Device Control Service
• Sophos File Scanner Service
• Sophos Health Service
• Sophos MCS Agent
• Sophos MCS Client
• Sophos Message Router
• Sophos Safestore Service
• Sophos System Protection Service
• Sophos Web Control Service
• SstpSvc
• Symantec System Recovery
• TmCCSF
• TrueKey
• TrueKeyScheduler
• TrueKeyServiceHelper
• UI0Detect
• Veeam Backup Catalog Data Service
• VeeamBackupSvc
• VeeamBrokerSvc
• VeeamCatalogSvc
• VeeamCloudSvc
• VeeamDeploySvc
• VeeamDeploymentService
• VeeamEnterpriseManagerSvc
• VeeamHvIntegrationSvc
• VeeamMountSvc
• VeeamNFSSvc
• VeeamRESTSvc
• VeeamTransportSvc
• W3Svc
• WRSVC
• Zoolz 2 Service
• bedbg
• ekrn
• kavfsslp
• klnagent
• macmnsvc
• masvc
• mfefire
• mfemms
• mfevtp
• mozyprobackup
• msftesql$PROD
• ntrtscan
• sacsvr
• sophossps
• svcGenericHost
• swi_filter
• swi_service
• swi_update
• swi_update_64
• tmlisten
• wbengine

Other Details

This Ransomware does the following:

• It opens a console that displays the process ID of the malware, number of workers and computer name:
  
• After its routine, it will then display the number of files encypted and the time it finish its routine:
  

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• bootsect.bak
• iconcache.db
• thumbs.db
• debug.txt
• boot.ini
• desktop.ini
• autorun.inf
• ntuser.dat
• ntldr
• ntdetect.com
• bootfont.bin
• !{Targeted Company Acronym}_READ_ME!.txt
• ransom
• ransomware

It avoids encrypting files with the following strings in their file path:

• \windows\system32\
• \windows\syswow64\
• \windows\system\
• \windows\winsxs\
• \appdata\roaming\
• \appdata\local\
• \appdata\locallow\
• \all users\microsoft\
• \inetpub\logs\
• :\boot\
• :\perflogs\
• :\programdata\
• :\drivers\
• :\wsus\
• :\efstmpwp\
• :\$recycle.bin\
• crypt_detect
• cryptolocker
• ransomware
• ProgramW6432
• %ProgramFiles%

It appends the following extension to the file name of the encrypted files:

• {Original Filename}.{Original extension}.{Targeted Company Acronym}

It leaves text files that serve as ransom notes containing the following text:

• {Encrypted Directory}\!{Targeted Company Acronym}_READ_ME!.txt
  

It avoids encrypting files with the following file extensions:

• .ani
• .cab
• .cpl
• .cur
• .diagcab
• .diagpkg
• .dll
• .drv
• .hlp
• .icl
• .icns
• .ico
• .iso
• .ics
• .lnk
• .idx
• .mod
• .mpa
• .msc
• .msp
• .msstyles
• .msu
• .nomedia
• .ocx
• .prf
• .rtp
• .scr
• .shs
• .spl
• .sys
• .theme
• .themepack
• .exe
• .bat
• .cmd
• .url
• .mui
• .{Targeted Company Acronym}