Analysis by: Bren Matthew Ebriega

ALIASES:

HEUR:Trojan-Ransom.Win32.Encoder.gen (KASPERSKY); W32/Kryptik.HGEX!tr (FORTINET)

 PLATFORM:

Windows


  • Threat Type: Ransomware

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet, Dropped by other malware

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It encrypts files with specific file extensions. It drops files as a ransom note.

  TECHNICAL DETAILS

File Size: 190,464 bytes
File Type: DLL
Memory Resident: Yes
Initial Samples Received Date: 18 Sep 2020
Payload: Drops files, Displays message/message boxes, Terminates processes

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

  • %User Temp%\{8 Characters}.bat

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

  • %System%\vssadmin.exe delete shadows /all /Quiet
  • cmd/c %User Temp%\{8 Characters}.bat "" → Hide and Delete files in {Malware Folder}

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

  • {32 Hex Characters generated from Volume Serial ID}

Other System Modifications

This Ransomware adds the following registry entries:

HKEY_CURRENT_USER\Software\Classes\.{Generated ID}\shell\Open\command
    (Default) = explorer.exe RecoveryManual.html

Process Termination

This Ransomware terminates the following processes if found running in the affected system's memory:

  • agntsvc
  • bengine
  • benetns
  • beremote
  • beserver
  • dbeng50
  • dbsnmp
  • dfssvc
  • dfsrs
  • EduLink2SIMS
  • encsvc
  • excel
  • fdhost
  • firefox
  • infopath
  • isqlplussvc
  • msaccess
  • mspub
  • mydesktopservice
  • mydesktopqos
  • mysql
  • ocautoupds
  • ocomm
  • ocssd
  • onenote
  • oracle
  • outlook
  • OWSTIMER
  • postgres
  • powerpnt
  • pvlsvr
  • SAVAdminService
  • SavService
  • sqbcoreservice
  • sophos
  • steam
  • swc_service
  • synctime
  • tbirdconfig
  • thebat
  • thunderbird
  • veeam
  • visio
  • VxLockdownServer
  • winword
  • wordpad
  • wsstracing
  • WSSADMIN
  • xfssvccon

Other Details

This Ransomware does the following:

  • Accepts the following arguments:
    • /log:{C|F}
      • F - Creates a log file
      • C - Shows a console window
    • /scan:{l|L,n|N,s|S}
      • l|L - Encrypts only local drives
      • n|N - Encrypts only network drives
      • s|S - Encrypts only network shares
    • /marker:{Filename}
      • Drops a file in the infected drive that serves as an infection marker
      • Filename cannot contain the characters ".", "-", or "_"
    • /nodel
      • Does not drop the .bat file that hides and deletes the files in {Malware Folder}
  • It modifies the registry so that opening an encrypted file opens the ransom note.

Ransomware Routine

This Ransomware encrypts files with the following extensions:


It avoids encrypting files with the following strings in their file name:

  • RecoveryManual.html
  • ReadManual.{Generated ID}

It avoids encrypting files found in the following folders:

  • System Volume Information
  • $RECYCLE.BIN
  • Windows
  • $WINDOWS.~BT
  • Windows.old
  • Program Files
  • Program Files (x86)
  • WINNT
  • NVIDIA
  • SYSTEM.SAV
  • PerfLog
  • Intel
  • Games
  • Temp
  • tmp
  • microsoft

It appends the following extension to the file name of the encrypted files:

  • .ReadManual.{Generated ID}

It drops the following file(s) as ransom note:

  • {Encrypted Folder}\RecoveryManual.html
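As an added example (not part of Trend Micro's description), a Python triage helper covering the Installation section's spawned commands and the Ransomware Routine's file artifacts: it flags the two process command lines in constructed log lines, walks a directory for files carrying the .ReadManual.{Generated ID} extension and the ransom note, and derives from the recovered ID the registry key that Step 4 of the Solution deletes. The generated ID's format, the character set of the 8-character batch name and the log-line format are assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

# Process-creation indicators from the Installation section (case-insensitive).
# Matches both the raw form "cmd/c %User Temp%\{8 chars}.bat" and an expanded path.
VSSADMIN_RE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\s+/all\s+/quiet", re.I)
TEMP_BAT_RE = re.compile(r"cmd(?:\.exe)?\s*/c\s+.*?temp%?\\[0-9a-z]{8}\.bat\b", re.I)

# Appended extension from the Ransomware Routine: .ReadManual.{Generated ID}.
# The ID's exact format is not given on the page; alphanumeric is an assumption here.
ENC_RE = re.compile(r"\.ReadManual\.(?P<id>[0-9A-Za-z]+)$")
RANSOM_NOTE = "RecoveryManual.html"

# Constructed sample process-creation log lines (not from a real incident).
SAMPLE_LOG = [
    r"CommandLine: C:\Windows\System32\vssadmin.exe delete shadows /all /Quiet",
    r'CommandLine: cmd /c C:\Users\alice\AppData\Local\Temp\aB3dE9fG.bat ""',
    r"CommandLine: C:\Windows\System32\svchost.exe -k netsvcs",
]

def match_process_lines(lines):
    """Return (line, tag) pairs for log lines that match either spawned command."""
    hits = []
    for line in lines:
        if VSSADMIN_RE.search(line):
            hits.append((line, "shadow-copy-deletion"))
        elif TEMP_BAT_RE.search(line):
            hits.append((line, "temp-bat-cleanup"))
    return hits

def scan_tree(root):
    """Walk root; return {generated ID: encrypted-file count} and ransom-note paths."""
    ids, notes = {}, []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name == RANSOM_NOTE:
                notes.append(os.path.join(dirpath, name))
                continue
            m = ENC_RE.search(name)
            if m:
                ids[m["id"]] = ids.get(m["id"], 0) + 1
    return ids, notes

def registry_key_for(generated_id):
    """Handler key the ransomware adds for the new extension (the value removed in Step 4)."""
    return rf"HKEY_CURRENT_USER\Software\Classes\.{generated_id}\shell\Open\command"

def demo():
    """Build a constructed victim-like tree in a temp dir and run both checks over it."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "Documents"
        docs.mkdir()
        (docs / "budget.xlsx.ReadManual.7F3A9C1E").write_bytes(b"\x00" * 16)
        (docs / "notes.txt.ReadManual.7F3A9C1E").write_bytes(b"\x00" * 16)
        (docs / RANSOM_NOTE).write_text("<html>constructed note</html>")
        (Path(tmp) / "Windows").mkdir()  # excluded folder; left untouched by the routine
        ids, notes = scan_tree(tmp)
    return ids, len(notes), match_process_lines(SAMPLE_LOG)
```

Run `demo()` to see the recovered ID, the note count and the flagged command lines; feed `scan_tree` a real mount point and `match_process_lines` real process-creation events to use it in triage.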

  SOLUTION

Minimum Scan Engine: 9.800
FIRST VSAPI PATTERN FILE: 16.272.02
FIRST VSAPI PATTERN DATE: 07 Oct 2020
VSAPI OPR PATTERN File: 16.273.00
VSAPI OPR PATTERN Date: 08 Oct 2020

Step 1

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Restart in Safe Mode


Step 4

Delete this registry value


Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\Classes\.{Generated ID}\shell\Open\command
    • (Default) = explorer.exe RecoveryManual.html

Step 5

Search and delete this file

There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • {Encrypted Folder}\RecoveryManual.html

Step 6

Restart in normal mode and scan your computer with your Trend Micro product for files detected as Ransom.Win32.MOUNTLOCKER.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 7

Restore encrypted files from backup.
