Ransom.Win32.FLYINGSHIP.A

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It encrypts files with specific file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• %Program Files%\Common Files\log.txt -> list of encrypted files
• %Program Files%\Common Files\{Random} -> Contains ransom to be paid
• %Program Files%\Common Files\{Random}
• %Program Files%\Common Files\testers.exe

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops and executes the following files:

• {Malware Path}\testers.exe

It adds the following processes:

• {Malware Path}\testers.exe
• cmd.exe /C ping 1.1.1.1 -n 3 -w 3000 > Nul & Del /f /q "{Malware Path}\{Malware Name}"
• ping 1.1.1.1 -n 3 -w 3000
• schtasks /create /sc onlogon /tn 2326257383 /rl highest /tr C:\PROGRA~1\COMMON~1\testers.exe
• vssadmin.exe Delete Shadows /All /Quiet
• bcdedit /set {default} bootstatuspolicy ignoreallfailures
• bcdedit /set {default} recoveryenabled No

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• FlyingShip

Other Details

This Ransomware does the following:

• After encrypting files, the ransomware will show the following window as a ransom note:
  

Ransomware Routine

This Ransomware encrypts files with the following extensions:

• 3fr
• 7z
• abw
• accdb
• afsnit
• ai
• aif
• arc
• arw
• as
• asc
• asd
• asf
• ashdisc
• asm
• asp
• aspx
• asx
• aup
• avi
• bay
• bbb
• bdb
• bibtex
• bkf
• bmp
• bpn
• btd
• bz2
• c
• cdi
• cdr
• cer
• cert
• cfm
• cgicpio
• cpp
• cr2
• crt
• crw
• csr
• cue
• dbf
• dcr
• dds
• dem
• der
• dmg
• dng
• doc
• docm
• docx
• dsb
• dwg
• dxfdxg
• eddx
• edoc
• eml
• emlx
• eps
• epub
• erf
• fdf
• ffu
• flv
• gam
• gcode
• gho
• gpx
• gz
• h
• hbk
• hdd
• hds
• himmel
• hpp
• ics
• idml
• iff
• img
• indd
• ipd
• iso
• isz
• iwaj2k
• j2k
• jp2
• jpeg
• jpf
• jpg
• jpm
• jpx
• jsp
• jspa
• jspx
• jst
• kdc
• key
• keynote
• kml
• kmz
• lic
• lwp
• lzma
• M3U
• M4A
• m4v
• max
• mbox
• md2
• mdb
• mdbackup
• mddata
• mdf
• mdinfo
• mds
• mef
• mid
• mov
• mp3
• mp4
• mpa
• mpb
• mpeg
• mpg
• mpgmpj
• mpj
• mpp
• mrw
• msg
• mso
• nba
• nbf
• nbi
• nbu
• nbz
• nco
• nef
• nes
• note
• nrg
• nri
• nrw
• odb
• odc
• odm
• odp
• ods
• odt
• ogg
• one
• orf
• ova
• ovf
• oxps
• p12
• p2i
• p65
• p7
• p7b
• p7c
• pages
• pct
• pdd
• pdf
• pef
• pem
• pfx
• php
• php3
• php4
• php5
• phps
• phpx
• phpxx
• phtm
• phtml
• pl
• plist
• plistpmd
• pmd
• pmx
• png
• ppdf
• pps
• ppsm
• ppsx
• ppt
• pptm
• pptx
• ps
• psd
• pspimage
• pst
• ptx
• pub
• pvm
• qcn
• qcow
• qcow2
• qt
• r3d
• ra
• raf
• rar
• raw
• rm
• rtf
• rw2
• rwl
• s
• sbf
• set
• skb
• slf
• sme
• smm
• snp
• spb
• sql
• sr2
• srf
• srt
• srw
• ssc
• ssi
• stg
• stl
• svg
• swf
• sxw
• syncdb
• tager
• tc
• tex
• textga
• thm
• tif
• tiff
• til
• toast
• torrent
• txt
• vbk
• vcard
• vcd
• vcf
• vdi
• vfs4
• vhd
• vhdx
• vmdk
• vob
• vsdx
• wav
• wb2
• wbk
• wbverify
• webm
• wmb
• wpb
• wpd
• wps
• x3f
• xdw
• xlk
• xlr
• xls
• xlsb
• xlsm
• xlsx
• xz
• yuv
• zip
• zipx

It appends the following extension to the file name of the encrypted files:

• .flyingship.{original extension}