Ransom.Win32.LOCKBIT.SMYXCJN

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It does not have any backdoor routine.

It gathers certain information on the affected computer.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware adds the following mutexes to ensure that only one of its copies runs at any one time:

• Global\{Generated hash}

Other System Modifications

This Ransomware adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.fxkJts2wg
(Default) = fxkJts2wg

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
fxkJts2wg\DefaultIcon
(Default) = %ProgramData%\fxkJts2wg.ico

Propagation

This Ransomware does not have any propagation routine.

Backdoor Routine

This Ransomware does not have any backdoor routine.

Process Termination

This Ransomware terminates the following processes if found running in the affected system's memory:

• agntsvc
• calc
• dbeng50
• dbsnmp
• encsvc
• excel
• firefox
• infopath
• isqlplussvc
• msaccess
• mspub
• mydesktopqos
• mydesktopservice
• notepad
• ocautoupds
• ocomm
• ocssd
• onedrive
• onenote
• oracle
• outlook
• powerpnt
• sqbcoreservice
• sql
• steam
• synctime
• tbirdconfig
• thebat
• thunderbird
• visio
• winword
• wordpad
• wuauclt
• xfssvccon

Dropping Routine

This Ransomware drops the following files:

• %ProgramData%\fxkJts2wg.ico
  

Information Theft

This Ransomware gathers the following information on the affected computer:

• Hostname
• Username
• OS version
• Domain
• Architecture
• Language
• Disk information (Disk name, Disk size, Disk free size)

Other Details

This Ransomware adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes
.fxkJts2wg =

It does the following:

• If not executed with admin rights, it will attempt relaunch itself as admin by elevating its privileges via bypassing UAC.
• It encrypts fixed, removable and network drives
• It deletes files in recycle bin folder for removable and fixed drives
• It uses WQL to delete shadow copies
• It terminates if the machine has the following system language:
  • Arabic (Syria)
  • Armenian
  • Azerbaijani (Cyrillic)
  • Azerbaijani (Latin)
  • Belarusian
  • Georgian
  • Kazakh
  • Kyrgyz (Cyrillic)
  • Romanian (Moldova)
  • Russian
  • Russian (Moldova)
  • Tajik
  • Tatar
  • Turkmen
  • Ukrainian
  • Uzbek (Cyrillic)
  • Uzbek (Latin)
• It duplicates the token of the following:
  • explorer.exe - to gain privileged domain access
  • lsass.exe
  • TrustedInstaller - service is started if not yet running
• It deletes the following services:
  • WdBoot
  • WdFilter
  • WdNisDrv
  • WdNisSvc
  • WinDefend
  • wscsvc
  • sppsvc
  • Sense
  • SecurityHealthService
• It contains a list of username:password that it will use to log into domain controllers.
• It deletes services with the following strings:
  • backup
  • GxBlr
  • GxCIMgr
  • GxCVD
  • GxFWD
  • GxVss
  • memtas
  • mepocs
  • msexchange
  • sophos
  • sql
  • svc$
  • veeam
  • vss

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• autorun.inf
• boot.ini
• bootfont.bin
• bootsect.bak
• d3d9caps.dat
• desktop.ini
• GDIPFONTCACHEV1.DAT
• iconcache.db
• ntldr
• ntuser.dat
• ntuser.dat.log
• ntuser.ini
• thumbs.db

It avoids encrypting files found in the following folders:

• $recycle.bin
• $windows.~bt
• $windows.~ws
• all users
• boot
• config.msi
• default
• intel
• microsoft
• msocache
• perflogs
• program files
• program files (x86)
• programdata
• public
• system volume information
• tor browser
• windows
• windows.old
• x64dbg

It renames encrypted files using the following names:

• {Random Characters}.fxkJts2wg

It drops the following file(s) as ransom note:

• {Encrypted Directory}\fxkJts2wg.README.txt
  

It avoids encrypting files with the following file extensions:

• 386
• adv
• ani
• bat
• bin
• cab
• cmd
• com
• cpl
• cur
• deskthemepack
• diagcab
• diagcfg
• diagpkg
• dll
• drv
• exe
• hlp
• hta
• icl
• icns
• ico
• ics
• idx
• key
• ldf
• lnk
• lock
• mod
• mpa
• msc
• msi
• msp
• msstyles
• msu
• nls
• nomedia
• ocx
• pdb
• prf
• ps1
• rom
• rtp
• scr
• search-ms
• shs
• spl
• sys
• theme
• themepack
• wpx