Ransom.Win32.SCARAB.PYOBI

Infection Channel: Dropped by other malware, Downloaded from the Internet

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes then deletes itself afterward.

It encrypts files with specific file extensions. It drops files as ransom note.

File Size: 643,072 bytes

File Type: EXE

Memory Resident: No

Initial Samples Received Date: 07 Mar 2019

Payload: Terminates processes, Displays message/message boxes, Encrypts files

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following copies of itself into the affected system and executes them:

%Application Data%\osk.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, and 8.)

It adds the following processes:

"%System%\cmd.exe" /c copy /y "{Malware Path}\{Malware FileName}.exe" "%Application Data%\osk.exe"; -> Copies file into %Application Data% as file name osk.exe
"{Malware path}\{Malware Filename}.exe" runas -> rerun malware having arguments that will also drops a copy of self to %Application Data% then execute dropped copy
mshta.exe "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('{Malware File Name].exe');close()}catch(e){}},10);" -> deletes the malware
mshta.exe "javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\TvkxRopEselPI',i);}catch(e){}},10);" -> Creates Registry entry that will run the copy of the malware file.
mshta.exe "javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\Software\RA[OB\AGQW['));close();" -> Reads registry entry
"%System%\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0 -> deletes all the system state backups
"%System%\cmd.exe" /c wmic SHADOWCOPY DELETE -> Deletes shadow copies
"%System%\cmd.exe" /c vssadmin Delete Shadows /All /Quiet ->delete Shadow Copies
bcdedit /set {default} bootstatuspolicy ignoreallfailures -> disable system's trigger to call the Error Recovery screen on startup
bcdedit /set {default} recoveryenabled No -> disable Windows Recovery option

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, and 8.)

It executes then deletes itself afterward.

It adds the following mutexes to ensure that only one of its copies runs at any one time:

TvkxRopEselPI

Autostart Technique

This Ransomware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
TvkxRopEselPI = notepad.exe "%User Profile%\HOW TO RECOVER ENCRYPTED FILES.TXT"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\RunOnce
TvkxRopEselPI = %Application Data%\osk.exe

Other System Modifications

This Ransomware adds the following registry keys:

HKEY_CURRENT_USER\Software\TvkxRopEselPI

HKEY_CURRENT_USER\Software\{5 random alphanumeric characters}

Process Termination

This Ransomware terminates the following processes if found running in the affected system's memory:

agntsvc.exe
agntsvc.exeagntsvc.exe
agntsvc.exeencsvc.exe
agntsvc.exeisqlplussvc.exe
anvir.exe
anvir64.exe
ccleaner.exe
ccleaner64.exe
cscript.exe
dbeng50.exe
dbsnmp.exe
excel.exe
far.exe
firefoxconfig.exe
infopath.exe
isqlplussvc.exe
msaccess.exe
msftesql.exe
mspub.exe
mydesktopqos.exe
mydesktopservice.exe
mysqld.exe
mysqld-nt.exe
mysqld-opt.exe
ncsvc.exe
ocautoupds.exe
ocomm.exe
ocssd.exe
onenote.exe
oracle.exe
outlook.exe
powerpnt.exe
powershell.exe
procexp.ex
regedit.exe
sqbcoreservice.exe
sqlagent.exe
sqlbrowser.exe
sqlserver.exe
sqlservr.exe
sqlwriter.exe
steam.exe
synctime.exe
tasklist.exe
taskmgr.exe
tbirdconfig.exe
thebat.exe
thebat64.exe
thunderbird.exe
visio.exe
winword.exe
wordpad.exe
wscript.exe
xfssvccon.exe

Other Details

This Ransomware does the following:

The malware does not encrypt files located in %Program Files% and %Windows% except the following folders:
- Microsoft\Exchange Server
- Microsoft SQL Server
- Firebird
- MSSQL.1
- Microsoft SQL Server Compact Edition
- Adobe
- Oracle

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

Ransomware Routine

This Ransomware encrypts files with the following extensions:

azs
azw
azw1
azw3
azw4
b
b27
b2a
back
backup
backupdb
bad
bak
bak~
bamboopaper
bank
bar
bau
bax
bay
bbcd
bbl
bbprojectd
bbs
bbxt
bc5
bc6
bc7
bcd
bck
bcp
bdb
bdb2
bdp
bdr
bdt2
bdt3
bean
bfa
bgt
bgv
bi8
bib
bibtex
bic
big
bik
bil
bin
bina
bizdocument
bjl
bk
bk!
bk1
bk2
bk3
bk4
bk5
bk6
bk7
bk8
bk9
bkf
bkg
bkp
bks
bkup
bld
blend
blend2
blg
blk
blm
blob
blp
bmc
bmf
bmk
bml
pgs
php
phr
phs
pih
pixexp
pj2
pj4
pj5
pk
pkb
pkey
pkg
pkh
pkpass
potx
pp3
ppam
ppd
ppdf
ppf
ppj
ppp
pps
ppsenx
ppsm
qxl
qxp
qxt
r00
r01
r02
r03
r0f
r0z
r3d
ra
ra2
ram
ramd
rap
rar
rat
raw
razy
rb
rbc
rcb
rd
rd1
rdb
rdf
rdfs
rdi
rdo
rdoc
rdoc_options
rdz
re4
rec
rels
res
resbuild
rest
result
rev
rf
rf1
rft
rgn
rgo
rgss3a
rha
wwt
wxmx
wxp
wyn
wzn
wzs
x11
x16
xgml
xht
xhtml
xif
xig
xis
xjf
xl
xla
xlam
ync
yps
yuv
z02
z04
zap
zip
zipx
zoo
$efs
000
001
1
101
103
108
110
123
128
1cd
1sp
1st
3
3d
3d4
3dd
3df
3df8
3dm
3dr
3ds
3dxml
3fr
3g2
3ga
3gp
3gp2
3mm
3pr
3w
4w7
602
7z
7zip
8
89t
89y
8ba
8bc
8be
8bf
8bi8
8bl
8bs
8bx
8by
8li
8svx
8xt
9xt
9xy
a$v
a2c
aa
aa3
aac
aaf
aah
aaui
ab4
ab65
abc
abk
abt
abw
ac2
ac3
ac5
acc
accdb
accde
accdr
accdt
ace
acf
ach
acp
acr
acrobatsecuritysettings
acrodata
acroplugin
acrypt
act
ad
ada
adb
adc
add
ade
adi
adoc
ados
adox
adp
adpb
adr
ads
adt
aea
aec
aep
aepx
aes
aet
afdesign
afm
afp
agd1
agdl
age3rec
age3sav
age3scn
age3xrec
age3xsav
age3xscn
age3yrec
age3ysav
age3yscn
ahf
ai
aif
aiff
aim
aip
ais
ait
ak
al
al8
ala
alb3
alb4
alb5
alb6
ald
ali
allet
alt3
alt5
amf
aml
amr
amt
amu
amx
amxx
anl
ann
ans
ansr
anx
aoi
ap
apa
apd
ape
apf
api
apj
apk
apnx
apo
app
approj
apr
apt
apw
apxl
arc
arch00
arff
ari
arj
aro
arr
ars
arw
as
as$
as3
asa
asc
ascm
ascx
asd
ase
asf
ashx
ask
asl
asm
asmx
asn
asnd
asp
aspx
asr
asset
ast
asv
asvx
asx
ath
atl
atomsvc
atw
automaticdestinations-ms
aux
av
avi
avn
avs
awd
awe
awg
awp
aws
awt
aww
awwp
ax
azf
bmm
bmml
bmp
bmpr
bna
boc
book
bop
bp1
bp2
bp3
bpf
bpk
bpl
bpm
bpmc
bps
bpw
brd
breaking_bad
brh
brl
brs
brx
bsa
bsk
bso
bsp
bst
btd
btf
btoa
btx
burn
burntheme
bvd
bwd
bwf
bwp
bxx
bzabw
c
c2e
c6
cadoc
cae
cag
calca
cam
camproj
cap
capt
car
caro
cas
cat
catproduct
cawr
cbf
cbor
cbr
cbz
cc
ccc
ccd
ccf
cch
ccitt
cd
cd1
cd2
cdc
cdd
cddz
cdf
cdi
cdk
cdl
cdm
cdml
cdmm
cdmz
cdpz
cdr
cdr3
cdr4
cdr5
cdr6
cdrw
cds
cdt
cdtx
cdx
cdxml
ce1
ce2
cef
cer
cert
cf5
cfd
cfg
cfp
cfr
cgf
cgfiletypetest
cgi
cgm
cgp
chi
chk
chm
chml
chmprj
chp
chpscrap
cht
chtml
cib
cida
cif
cipo
civ4worldbuildersave
civbeyondswordsave
cl2arc
cl2doc
clam
clarify
class
clb
clkd
clkt
clp
clr
cls
clx
cmf
cml
cmp
cms
cmt
cmu
cnf
cng
cnt
cnv
cod
col
comicdoc
comiclife
compositionmodel
compositiontemplate
con
conf
config
contact
converterx
cp
cpc
cpd
cpdt
cphd
cpi
cpio
cpp
cpy
cr2
crashed
craw
crb
crd
creole
cri
crjoker
crs
crs3
crt
crtr
crw
crwl
crypt
crypted
cryptowall
cryptra
cs
cs8
csa
cse
csh
csi
csl
cso
csp
csr
css
cst
csv
ctbl
ctd
cte
ctf
ctl
ctt
ctxt
cty
cue
current
cvj
cvl
cvw
cw3
cwf
cwk
cwn
cwr
cws
cwwp
cyi
cys
d
d3dbsp
dac
dadx
dag
dal
dap
das
dash
dat
database
datx
dayzprofile
dazip
db
db_journal
db0
db3
dba
dbb
dbc
dbf
dbfv
db-journal
dbk
dbr
dbs
dbx
dc2
dc4
dca
dcd
dcf
dch
dco
dcp
dcr
dcs
dct5
dcu
ddc
ddcx
ddd
ddif
ddoc
ddrw
dds
deb
debian
dec
ded
default
del
dem
der
des
desc
description
design
desklink
det
deu
dev
dex
dfe
dfl
dfm
dft
dfti
dgc
dgm
dgpd
dgr
dgrh
dgs
dhe
dic
did
dif
dii
dim
dime
dip
dir
directory
disc
disco
disk
dit
divx
diz
djbz
djv
djvu
dk@p
dlc
dlg
dmbk
dmg
dmp
dmtemplate
dmv
dna
dng
dnl
dob
doc
doc#
docb
doce
docenx
dochtml
docl
docm
docmhtml
docs
docset
docstates
doct
documentrevisions-v100
docx
docxl
docxml
dok
dot
dothtml
dotm
dotmenx
dotx
dotxenx
dox
doxy
doz
dp
dpd
dpi
dpk
dpl
dpr
drd
dream
drf
drm
drmx
drmz
drw
dsc
dsd
dsdic
dsf
dsg
dsk
dsl
dsn
dsp
dsy
dtd
dtm
dtml
dtp
dtx
dump
dvb
dvd
dvi
dvs
dvx
dvz
dwd
dwdoc
dwf
dwfx
dwg
dwlibrary
dwp
dwt
dxb
dxd
dxe
dxf
dxg
dxn
dxr
dxstudio
dzp
e3s
e4a
easmx
ebk
ebs
ec4
ecc
ecr
edb
edd
edf
edl
edml
edn
edoc
edrwx
edt
edz
efa
efax
eff
efl
efm
efr
eftx
efu
efx
egr
egt
ehp
eif
eip
ekm
el6
eld
elf
elfo
eln
emc
emf
eml
emlxpart
emm
enc
enciphered
encrypted
enfpack
ent
enx
enyd
eob
eot
ep
epdf
epf
epk
eprtx
eps
epsf
ept
epub
eql
erbsql
erd
ere
erf
err
es
es3
esc
esd
esf
esm
esp
ess
esv
et
ete
etng
etnt
ets
etx
euc
evo
evy
ewl
ex
exc
exd
exf
exif
exprwdhtml
exprwdxml
exx
ez
ezc
ezm
ezs
ezz
f4v
f90
f96
fac
fadein
fae
faq
fax
fbd
fbp6
fbs
fcd
fcf
fcstd
fd
fdb
fdf
fdoc
fdr
fds
fdseq
fdw
fdx
fed
feed-ms
feedsdb-ms
ff
ffa
ffd
ffdata
fff
ffl
ffo
fft
ffx
fh
fhd
fig
fin
fl
fla
flac
flag
flat
flf
flib
flka
flkb
flm
flp
fls
flt
fltr
flv
flvv
fly
fm
fm3
fmc
fmd
fmf
fml
fmp
fmp3
fnf
fo
fodg
fodp
fods
fodt
folio
for
forge
fos
fountain
fp
fpage
fpdoclib
fpenc
fphomeop
fpk
fplinkbar
fpp
fpt
fpx
fra
frag
frdat
frdoc
freepp
frelf
frm
fs
fsc
fsd
fsf
fsh
fsp
fss
ft10
ft11
ft7
ft8
ft9
ftil
ftr
fwk
fwtemplate
fxd
fxg
fxo
fxr
fzh
fzip
ga3
gam
gan
gcsx
gct
gdb
gdc
gdoc
ged
gev
gevl
gfe
gform
gfx
ggb
ghe
gho
gif
gil
giw
glink
glk
glo
glos
gly
gml
gmp
gnd
gno
gofin
gp4
gpd
gpf
gpg
gpn
gpx
gpz
gra
grade
gray
grey
grf
grk
grle
groups
gry
gs
gsa
gsf
gsheet
gslides
gsm
gthr
gui
gul
gvi
gxk
gxl
gz
gzig
gzip
h
h1q
h1s
h1w
h2o
h3m
h4r
haml
hbk
hbl
hbx
hcl
hcw
hda
hdd
hdl
hdt
hdx
hed
help
helpindex
hex
hfd
hft
hhs
hkdb
hkx
hlf
hlp
hlx
hlx2
hlz
hm2
hmskin
hnd
hoi4
hot
hp2
hpd
hpj
hplg
hpo
hpp
hps
hpt
hpw
hqx
hrx
hs
hsm
hsx
hta
htm
htm~
html
htmls
htmlz
htms
htpasswd
htz5
hvpl
hw3
hwp
hwpml
hwt
hxe
hxi
hxq
hxr
hxs
hyp
hype
iab
iaf
ial
ibank
ibcd
ibd
ibk
ibz
icalevent
icaltodo
icc
icml
icmt
ico
ics
icst
icxs
idap
idc
idd
idl
idml
idp
idx
ie5
ie6
ie7
ie8
ie9
iff
ifp
ign
igr
ihf
ihp
iif
iiq
iks
ila
ildoc
img
imp
imr
incp
incpas
ind
indb
indd
indl
indp
indt
inf
info
ink
inld
inlk
inp
inprogress
inrs
inss
installhelper
insx
internetconnect
inx
ioca
iof
ipa
ipf
ipr
ish1
ish2
ish3
iso
ispx
isu
isz
itdb
ite
itl
itm
itmz
itp
its
ivt
iw44
iwa
iwd
iwi
iwprj
iwtpl
ix
ixv
jac
jar
jav
java
jb2
jbc
jbig
jbig2
jc
jdd
jfif
jge
jgz
jhd
jiaf
jias
jif
jiff
jnt
joe
jp1
jpc
jpe
jpeg
jpf
jpg
jpgx
jpm
jpw
jrf
jrl
jrprint
js
jsd
json
jsp
jspa
jspx
jtd
jtdc
jtt
jtx
just
jw
jwl
jww
k25
kbd
kbf
kc2
kdb
kdbx
kdc
kde
kdf
kes
key
keynote
key-tef
kf
kfm
kfp
kid
klq
klw
kmz
knt
kos
kpdx
kpr
ksd
ksp
kss
ksw
kuip
kwd
kwm
kwp
laccdb
lastlogin
lat
latex
lax
lay
lay6
layout
lbf
lbi
lbl
lcd
lcf
lcn
ldb
ldf
lfe
lgp
lhd
lib
lit
litemod
ll3
llv
lmd
lngttarch2
lnk
localstorage
log
logonxp
lok
lot
lp
lp2
lp7
lpa
lpc
lpd
lpdf
lpx
lrf
ls5
lst
ltcx
ltm
ltr
ltx
lua
lvd
lvivt
lvl
lvw
lwd
lwo
lwp
lyx
m
m13
m14
m2
m2ts
m3u
m3u8
m4a
m4p
m4u
m4v
m7p
maca
mag
maker
maml
man
manu
map
mapimail
marc
markdn
mars
mass
max
maxfr
maxm
mbbk
mbox
mbx
mc9
mcd
mcdx
mcf
mcgame
mcmac
mcmeta
mcrp
mcw
md
md0
md1
md2
md3
md5
mdb
mdbackup
mdbhtml
mdc
mdccache
mddata
mdf
mdg
mdi
mdk
mdl
mdn
mds
mecontact
med
mef
meh
mell
mellel
menu
meo
met
metadata_never_index
mf
mfa
mfp
mfw
mga
mgmt
mgourmet
mgourmet3
mhp
mht
mhtenx
mhtmlenx
mi
mic
mid
mif
mim
mime
mindnode
mip
mission
mix
mjd
mjdoc
mke
mkv
mla
mlb
mlj
mlm
mls
mlsxml
mlx
mm
mm6
mm7
mm8
mmap
mmc
mmd
mme
mmjs
mml
mmo
mmsw
mmw
mny
mo
mobi
mod
moneywell
mos
mov
movie
moz
mp1
mp2
mp3
mp4
mp4v
mpa
mpe
mpeg
mpf
mpg
mph
mpj
mpq
mpqge
mpr
mpt
mpv
mpv2
mrd
mru
mrw
mrwref
ms
msd
mse
msg
mshc
msi
msie
msl
mso
msor
msp
msq
ms-ef
msw
mswd
mtdd
mtml
mto
mtp
mts
mtx
mug
mui
mvd
mvdx
mvex
mwd
mwii
mwpd
mwpp
mws
mxd
mxg
mxp
myd
mydocs
myi
mz
n3
narrative
nav
navmap
nb
nbak
nbf
nbp
ncd
ncf
nd
ndd
ndf
ndl
ndr
nds
ne1
ne3
nef
nfo
nfs11save
ng
njx
nk2
nmbtemplate
nmu
nokogiri
nop
note
now
npd
npdf
npp
npt
nrbak
nrg
nri
nrl
nrmlib
nrw
ns2
ns3
ns4
nsd
nsf
nsg
nsh
nst
ntf
ntl
ntp
nts
number
numbers
nvd
nvdl
nvram
nwb
nwbak
nwcab
nwcp
nx^d
nx__
nx1
nx2
nxl
nyf
oa2
oa3
oab
oad
oas
obd
obj
obr
obt
obx
obz
ocdc
ocs
oda
odb
odc
odccubefile
odf
odg
odh
odi
odif
odm
odo
odp
ods
odt
odt#
odttf
odz
officeui
ofn
oft
oga
ogc
ogg
oil
ojz
okm
ole
ole2
olf
olv
oly
omlog
omp
onb
one
oos
oot
opd
opf
opj
oplx
opn
opt
opx
opxs
orf
ort
osd
osdx
ost
otc
otf
otg
oth
oti
otn
otp
ots
ott
otw
out
ovd
owl
oxps
oxt
p10
p12
p2s
p3x
p65
p7b
p7c
p7z
pab
pack
pad
pages
pages-tef
pak
paq
pas
pat
paux
pbd
pbf
pbk
pbp
pbr
pbs
pbx5script
pbxscript
pcd
pcf
pcj
pct
pcv
pcw
pd
pdb
pdc
pdcr
pdd
pdf
pdf_
pdf_profile
pdf_tsid
pdfa
pdfe
pdfenx
pdfl
pdfua
pdfvt
pdfx
pdfxml
pdfz
pdg
pdp
pdz
peb
pef
pem
pez
pf
pfc
pfd
pfl
pfm
pfsx
pft
pfx
pg
pl
plan
plb
plc
pld
pli
pln
plus_muhd
pm
pm3
pm4
pm5
pm6
pm7
pmd
pmt
pmv
pmx
png
pnu
po
pod
pool
pot
pothtml
potm
ppsx
ppt
ppte
ppthtml
pptl
pptm
pptmhtml
pptt
pptx
ppws
ppx
prc
prd
pref
prel
prf
prj
prn
pro
pro4
pro4dvd
pro5
pro5dvd
pro5plx
pro5x
proofingtool
props
proqc
prproj
prr
prs
prt
prtc
prv
ps
ps2
ps3
psa
psafe3
psb
psd
pse8db
psf
psg
psi2
psip
psk
psm
psmd
pspimage
pst
psw
psw6
pswx
psz
pt3
pt6
ptc
ptf
pth
ptk
ptn
ptn2
pts
ptx
pub
pubf
pubhtml
pubmhtml
pubx
puz
pvd
pve
pvf
pw
pwd
pwe
pwf
pwi
pwm
pwp
pwre
pxd
pxl
pxp
py
pys
pzc
pzf
pzt
qba
qbb
qbl
qbm
qbr
qbw
qbx
qby
qch
qcow
qcow2
qct
qdf
qed
qel
qfl
qfxx
qhp
qht
qhtm
qic
qif
qlgenerator
qpx
qrt
qt
qtq
qtr
qtw
quox
qvw
qwd
qwt
qxb
qxd
raf
rhif
rim
rit
rlf
rll
rm
rm5
rmd
rmf
rmh
rna
rng
rnt
rnw
ro3
rofl
roi
ros
rov
row
rox
rpf
rpt
rptr
rrd
rrpa
rrt
rrx
rs
rsdf
rsdoc
rsm
rsp
rsrc
rst
rsw
rt
rt_
rtdf
rte
rtf
rtf_
rtfd
rtk
rtpi
rts
rtsl
rtsx
rtx
rum
run
rv
rvf
rvt
rw2
rwl
rwlibrary
rwz
rxdoc
rzk
rzx
s3db
s8bn
sa5
sa7
sa8
saas
sad
saf
safe
safetext
sam
sas7bdat
sav
save
say
sb
sbn
sbo
sbpf
sbsc
sbst
sc2save
scd
scdoc
sce
sch
scm
scmt
scn
scr
scriv
scrivx
scs
scspack
scssc
sct
scw
scx
sd
sd0
sd1
sda
sdb
sdc
sdd
sddraft
sdf
sdi
sdl
sdmdocument
sdn
sdo
sdoc
sdp
sdr
sds
sdt
sdv
sdw
search-ms
secure
sef
sel
sen
seq
sequ
server
ses
set
setup
sev
sff
sfs
sfx
sgf
sgi
sgl
sgm
sgml
sgz
sh
sh6
shar
shb
show
shr
shs
shtml
shw
shy
sic
sid
sidd
sidn
sie
sik
sis
sky
sla
sldm
sldx
slf
slk
slm
slt
slz
sm
smd
sme
smf
smh
smlx
smn
smp
sms
smwt
smx
smz
snb
snf
sng
snk
snp
snt
snx
so
soi
spb
spd
spdf
spk
spl
spm
spml
sppt
spr
sprt
sprz
sql
sqlite
sqlite3
sqlitedb
sqllite
sqx
sr2
src
srf
srfl
srs
srt
srw
ssa
ssh
ssi
ssiw
ssm
ssx
st4
st5
st6
st7
st8
stc
std
sti
stm
stp
stpz
struct
stt
stw
stx
stxt
sty
sud
suf
sum
surf
svd
svdl
svg
svi
svm
svn
svp
svr
svs
swd
swdoc
sweb
swf
switch
swp
sxc
sxd
sxe
sxg
sxi
sxl
sxm
sxml
sxw
syn
syncdb
t
t01
t03
t05
t10
t12
t13
t14
t2
t2k
t2t
t4g
t80
ta1
ta2
ta9
tabula-doc
tabula-docstyle
tah
tar
tax
tax2009
tax2013
tax2014
tb
tbb
tbd
tbk
tbkx
tbz2
tcd
tch
tck
tcx
tdg
tdl
tdoc
tdr
te1
template
tex
texi
texinfo
text
textclipping
textile
tfd
tfm
tfr
tfrd
tg
tga
tgz
thm
thml
thmx
thr
tib
tif
tiff
tjp
tk3
tlb
tld
tlg
tlt
tlx
tlz
tm
tm3
tmb
tmd
tml
tmlanguage
tmv
tmz
tns
tnsp
toast
toc
topx
tor
torrent
totalslayout
tp
tpl
tpo
tpsdb
tpu
tpx
trashinfo
trif
trp
ts
tsc
tt11
tt2
ttax
ttxt
tu
tur
tvd
twdi
twdx
tww
tx
txd
txe
txf
txm
txn
txt
txtrpt
u3d
uax
ubz
ucd
udb
udf
udl
uea
uhtml
ukr
ulf
uli
ulys
ump
umx
unity3d
unr
unx
uof
uop
uos
uot
updf
upk
upoi
upp
urd-journal
urf
url
urp
usa
usx
ut2
ut3
utc
utd
ute
utf8
uti
utm
uts
utx
uu
uud
uue
uvx
uxx
v
v2t
val
vault
vbadoc
vbd
vbk
vbox
vbs
vc
vcal
vcd
vce
vcf
vdf
vdi
vdo
vdoc
vdt
ver
vf
vfs0
vhd
vhdx
view
viz
vlc
vlt
vmbx
vmdk
vmf
vmg
vmm
vmsd
vmt
vmx
vmxf
vob
voprefs
vor
vp
vpk
vpl
vpp_pc
vs
vsd
vsdx
vsf
vsi
vspolicy
vst
vstx
vtf
vthought
vtv
vtx
vw
vw3
w
w2p
w3g
w3x
w51
w52
w60
w61
w6bn
w6w
w8bn
w8tn
wab
wad
waff
wallet
war
wav
wave
waw
wb
wb2
wb3
wbk
wbt
wbxml
wbz
wcf
wcl
wcn
wcp
wcst
wd0
wd1
wd2
wdbn
wdgt
wdl
wdn
wdoc
wdx9
web
webdoc
webpart
wep
wflx
wht
wiz
wk!
wk1
wk3
wk4
wkb
wki
wkl
wks
wlb
wld
wll
wls
wlxml
wm
wma
wmd
wmdb
wmf
wmga
wmk
wml
wmlc
wmmp
wmo
wms
wmv
wmx
wn
wolf
word
wordlist
wotreplay
wow
wp
wp42
wp5
wp50
wp6
wp7
wpa
wpc2
wpd
wpd0
wpd1
wpd2
wpd3
wpe
wpf
wpk
wpl
wpost
wps
wpt
wpw
wr1
wrf
wri
wrlk
ws
ws1
ws2
ws3
ws4
ws5
ws6
ws7
wsd
wsf
wsh
wsp
wtbn
wtd
wtf
wtmp
wtp
wts
wtt
wtx
wvw
wvx
wwcx
wwi
wwl
wws
x3f
x3g
xamlx
xar
xav
xbd
xbrl
xci
xda
xdc
xdf
xdo
xdoc
xdw
xf
xfd
xfdf
xfi
xfl
xfn
xfo
xfp
xfx
xhtm
xlb
xlc
xle
xlf
xline
xlist
xlk
xll
xlm
xlnk
xlr
xls
xlsb
xlse
xlshtml
xlsl
xlsm
xlst
xlsx
xlsxl
xlt
xlthtml
xltm
xltx
xlv
xlw
xlwx
xma
xmdf
xml
xmmap
xmn
xmp
xms
xmt_bin
xmta
xpd
xpi
xpm
xps
xpse
xpt
xpwe
xqm
xqr
xqx
xrdml
xsc
xsd
xsig
xsl
xslt
xtbl
xtd
xtg
xtml
xtps
xtrl
xv0
xv2
xv3
xvg
xvid
xvl
xwd
xweb3htm
xweb3html
xweb4stm
xweb4xml
xwf
xwp
xxe
xxx
xy
xy3
xy4v
xyd
yab
ycbcra
yenc
yml
zps
ztmp

It appends the following extension to the file name of the encrypted files:

{Renames file name into random characters}.dy8wud

It drops the following file(s) as ransom note:

{Encrypted Directory}\HOW TO RECOVER ENCRYPTED FILES.TXT

Minimum Scan Engine: 9.850

FIRST VSAPI PATTERN FILE: 14.856.04

FIRST VSAPI PATTERN DATE: 07 Mar 2019

VSAPI OPR PATTERN File: 14.857.00

VSAPI OPR PATTERN Date: 08 Mar 2019

Step 1

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Identify and terminate files detected as Ransom.Win32.SCARAB.PYOBI

[ Learn More ]

Windows Task Manager may not display all running processes. In this case, please use a third-party process viewer, preferably Process Explorer, to terminate the malware/grayware/spyware file. You may download the said tool here.
If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode. To do this, refer to this link for the complete steps.
If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue doing the next steps.

Step 4

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

HKEY_CURRENT_USER\Software\TvkxRopEselPI
HKEY_CURRENT_USER\Software\{5 random alphanumeric characters}

Step 5

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
- TvkxRopEselPI = "%Application Data%\osk.exe"

Step 6

Search and delete these files

[ Learn More ]

There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.

%Application Data%\osk.exe
{Encrypted Directory}\HOW TO RECOVER ENCRYPTED FILES.TXT

Step 7

Scan your computer with your Trend Micro product to delete files detected as Ransom.Win32.SCARAB.PYOBI. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:

Step 8

Restore encrypted files from backup.

NOTES:

Follow this as the Step 8: Enable Windows Recovery Option

Run cmd.exe as administrator
Type bcdedit /set {default} recoveryenabled Yes then press Enter.
Type bcdedit /set {default} bootstatuspolicy displayallfailures, then press Enter.

Additional notes:

Depending on your operating system's (OS) setup, files needed in order to boot your OS may also be encrypted, making your OS unbootable. In such situations, kindly do the following additional solution step:

Restore the system from backup or reinstall the operating system (OS). The system may be made bootable by doing a system repair using a Windows installer disk.

Did this description help? Tell us how we did.

OVERVIEW

TECHNICAL DETAILS

SOLUTION