Ransom.Win32.WASTEDLOCKER.THGBGBO

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It deletes registry entries, causing some applications and programs to not function properly.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• %Application Data%\{Generated Name} → Random Dll or Exe file from %System%
• %Temp%\lck.log → Log File

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %Temp% is the Windows temporary folder, where it usually is C:\Windows\Temp on all Windows operating system versions.)

It drops the following copies of itself into the affected system:

• %System%\{Generated Name}.exe
• %Application Data%\{Generated Name}:bin → Alternate Data Stream containing a copy of itself

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• %Application Data%\{Generated Name}:bin -r
• %System%\vssadmin.exe Delete Shadows /All /Quiet
• %System%\takeown.exe /F %System%\{Generated Name}.exe
• %System%\icacls.exe %System%\{Generated Name}.exe /reset
• %System%\{Generated Name}.exe -s
• %System%\cmd.exe /c choice /t 10 /d y & attrib -h "%System%\{Generated Name}.exe" & del "%System%\{Generated Name}.exe"
• %System%\cmd.exe /c choice /t 10 /d y & attrib -h "{Malware Filepath}\{Malware Filename}.exe" & del "{Malware Filepath}\{Malware Filename}.exe"

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Other System Modifications

This Ransomware deletes the following files:

• After Execution:
  • Copy of itself:
    • %System%\{Generated Name}.exe
  • Others:
    • %Application Data%\{Generated Name}
    • {Malware Filepath}\{Malware Filename}.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It modifies the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
ZoneMap
UNCAsIntranet = 0

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
ZoneMap
AutoDetect = 1

It deletes the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
ZoneMap
ProxyBypass = {User Preference}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
ZoneMap
IntranetName = {User Preference}

Other Details

This Ransomware does the following:

• It generates the filename {Generated Name} from a list created from registry keys stored in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control.
• It accepts the following arguments:
  • -r → Delete shadow copies. Then copy the ransomware binary file to %System% then Take ownership of file and reset Access Control List permissions. Then Create and run a service. It deletes the service after execution
    • Service Name: {Generated Name}
    • Description: {Generated Name}
    • Path: "%System%\{Generated Name}.exe -s"
  • -s → Execute the created service.
  • -p directory_path → Encrypt files in a specific directory along with the rest of the files in the drive.
  • -f directory_path → Encrypt files in a specific directory.
• It encrypts the following type of drives:
  • Removable Drives
  • Fixed Drives
  • Remote(Network) Drives

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• \ntldr
• \bootmgr
• \grldr

It avoids encrypting files with the following strings in their file path:

• C:\ProgramData\
• C:\Windows\
• C:\Users\{Username}\AppData\Local\Temp\
• C:\Users\{Username}\AppData\Roaming\
• C:\Recovery\
• C:\Program Files\
• C:\Program Files (x86)\
• \bin\
• \Boot\
• \boot\
• \dev\
• \etc\
• \lib\
• \initdr\
• \sbin\
• \sys\
• \vmlinuz\
• \run\
• \var\
• \System Volume Information\
• \$RECYCLE.BIN\
• \WebCache\
• \Caches\
• \WindowsApps\
• \AppData\
• \ProgramData\
• \Users\All Users\

It appends the following extension to the file name of the encrypted files:

• .{Target Company Name}wasted

It drops the following file(s) as ransom note:

• {Encrypted Directory}\{Encrypted FileName w/ extension}.{Target Company Name}wasted_info
  

It avoids encrypting files with the following file extensions:

• .{Target Company Name}wasted_info
• .{Target Company Name}wasted
• .386
• .ps1
• .msu
• .ani
• .wpx
• .hlp
• .ocx
• .com
• .cpl
• .adv
• .cmd
• .lnk
• .drv
• .sys
• .icl
• .nls
• .cab
• .bat
• .theme
• .bin
• .key
• .themepack
• .msi
• .icns
• .ics
• .idx
• .hta
• .scr
• .msstyles
• .diagcfg
• .diagcab
• .nomedia
• .msc
• .cur
• .mod
• .shs
• .rtp
• .rom
• .msp
• .ini
• .dat
• .sdi
• .wim
• .dll
• .exe