Ransom.Win32.TRIGONA.YMDGU

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note.

Arrival Details

This Ransomware may arrive via network shares.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware adds the following processes:

• %system%\cmd.exe /c\"bcdedit /set{default} recoveryenabled No\"
• %system%\cmd.exe /c\"bcdedit /set {default} bootstatuspolicy ignoreallfailures\"
• %system%\cmd.exe /c\"wbadmin DELETE BACKUP -keepVersions:0\"
• %system%\cmd.exe /c\"wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0\"
• %system%\cmd.exe /c\"wmic SHADOWCOPY DELETE\"
• %system%\cmd.exe /c\"vssadmin delete shadows /all /quiet\"
• %system%\mshta.exe %User Temp%\how_to_decrypt.hta

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• BC92B03B9486BB5F7A0672

Other System Modifications

This Ransomware adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{Generated ID 1} = {malware file path}\{malware name}.exe

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{Generated ID 2} = %User Temp%\how_to_decrypt.hta

Information Theft

This Ransomware gathers the following data:

• Computer Name
• Username
• OS Version
• System Time
• Keyboard Locale
• Disk Data

Other Details

This Ransomware does the following:

• By default, It encrypt local drives and network drives
• It displays its ransom note after encryption
• It spreads through vulnerable MS-SQL servers via brute-force attack.

It accepts the following parameters:

• /r → encrypt files in random order
• /sleep → sleep for n seconds before execution
• /full → encrypt the whole contents of a file (by default, only the first 0x80000 bytes/512kb are encrypted)
• /debug → execute in debug mode, need to be executed with /p
• /log_f → for logging, specify the log file
• /fast →
• /erase → delete contents of a file
• /!autorun → Do not create autorun registry entry
• /is_testing → for testing purposes, used with /test_cid and /test_vid
• /test_cid → Use the specified value instead of generating a computer ID
• /test_vid → Use the specified value instead of the hardcoded victim ID (VID) from the configuration
• /p → specify path to encrypt
• /path → specify path to encrypt
• /!local → Do not encrypt local files
• /!lan → Do not encrypt network shares
• /shdwn → Turn off the machine after encryption using the parameter -f -s -t 00
• /allow_system → Allows encrypting files in system directory
• /!clear_shadow → Do not delete shadow copies
• /wipe →
• /autorun_only → Create Autorun registry entry(this does not trigger the encryption)
• /block →
• /step →
• /band_start →
• /!prerename → Do not rename files before encryption

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• how_to_decrypt.hta
• how_to_decrypt.txt

It avoids encrypting files with the following strings in their file path:

• windows
• system32

It renames encrypted files using the following names:

• available_for_trial.{random}._locked
• {random}._locked

It drops the following file(s) as ransom note:

• %User Temp%\how_to_decrypt.hta
• {Encrypted Directory}\how_to_decrypt.hta