Ransom.Win32.BLACKCAT.SMYPCC5

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• {Path of Encrypted File}\checkpoints-{File Name of Encrypted File}.fs39zfd → Deleted after the file's successful encryption
• {File Path of Log File}\{Log File Name} → Created if --log-file parameter is used
• %Desktop%\RECOVER-fs39zfd-FILES.txt.png → Image file used to set the desktop's wallpaper
  

It adds the following processes:

• "%System%\cmd.exe" /c "fsutil behavior set SymlinkEvaluation R2L:1" → Enables the evaluation of symbolic links for remote-to-local scenarios in Windows
• "%System%\cmd.exe" /c "fsutil behavior set SymlinkEvaluation R2R:1" → Enables the evaluation of symbolic links for remote-to-remote scenarios in Windows
• "%System%\cmd.exe" /c "iisreset.exe /stop" → Stops the Internet Information Services (IIS) on a Windows server
• "%System%\cmd.exe" /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f" → Set the maximum number of concurrent outstanding network requests to 65535
• "%System%\cmd.exe" /c "vssadmin.exe Delete Shadows /all /quiet" → Deletes all shadow copies of files on the system
• "%System%\cmd.exe" /c "arp -a" → Displays the Address Resolution Protocol (ARP) cache
• "%System%\cmd.exe" /c "wmic.exe Shadowcopy Delete" → Deletes all shadow copies of files on the system using WMIC
• "%System%\cmd.exe" /c "bcdedit /set {default}" → This process has incomplete parameter
• "%System%\cmd.exe" /c "bcdedit /set {default} recoveryenabled No" → Disables automatic system recovery at boot for the default operating system entry
• "%System%\cmd.exe" /c "cmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\"" → Clears all entries from the Windows Event Log

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Other System Modifications

This Ransomware adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
RFC1156Agent\CurrentVersion\Parameters
TrapPollTimeMilliSecs = 15000 → The polling interval for SNMP traps

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
services\LanmanServer\Parameters
MaxMpxCt = 65535 → The maximum number of concurrent outstanding network requests

It modifies the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\FileSystem
SymlinkRemoteToLocalEvaluation = 1 → Enables the evaluation of symbolic links for remote-to-local scenarios in Windows

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\FileSystem
SymlinkRemoteToRemoteEvaluation = 1 → Enables the evaluation of symbolic links for remote-to-remote scenarios in Windows

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\BCD00000000\Objects\
{GUID}\Elements\16000009
Element = 00 → Modifies a specific element in the Boot Configuration Data (BCD) store

(Note: The default value data of the said registry entry is 01.)

It changes the desktop wallpaper by modifying the following registry entries:

HKEY_CURRENT_USER\Control Panel\Desktop
WallpaperStyle = 0 → Sets the desktop wallpaper style to centered

HKEY_CURRENT_USER\Control Panel\Desktop
WallPaper = %Desktop%\RECOVER-fs39zfd-FILES.txt.png → Sets the desktop wallpaper to a specified image file

Process Termination

This Ransomware terminates the following services if found on the affected system:

• mepocs
• memtas
• veeam
• svc$
• backup
• sql
• vss
• msexchange
• sql$
• mysql
• mysql$
• sophos
• MSExchange
• MSExchange$
• WSBExchange
• PDVFSService
• BackupExecVSSProvider
• BackupExecAgentAccelerator
• BackupExecAgentBrowser
• BackupExecDiveciMediaService
• BackupExecJobEngine
• BackupExecManagementService
• BackupExecRPCService
• GxBlr
• GxVss
• GxClMgrS
• GxCVD
• GxCIMgr
• GXMMM
• GxVssHWProv
• GxFWD
• SAPService
• SAP
• SAP$
• SAPD$
• SAPHostControl
• SAPHostExec
• QBCFMonitorService
• QBDBMgrN
• QBIDPService
• AcronisAgent
• VeeamNFSSvc
• VeeamDeploymentService
• VeeamTransportSvc
• MVArmor
• MVarmor64
• VSNAPVSS
• AcrSch2Svc

It terminates the following processes if found running in the affected system's memory:

• agntsvc
• dbeng50
• dbsnmp
• encsvc
• excel
• firefox
• infopath
• isqlplussvc
• msaccess
• mspub
• mydesktopqos
• mydesktopservice
• notepad
• ocautoupds
• ocomm
• ocssd
• onenote
• oracle
• outlook
• powerpnt
• sqbcoreservice
• sql
• steam
• synctime
• tbirdconfig
• thebat
• thunderbird
• visio
• winword
• wordpad
• xfssvccon
• *sql*
• bedbh
• vxmon
• benetns
• bengien
• pvlsvr
• beserver
• raw_agent_svc
• vsnapvss
• CagService
• QBIDPService
• QBDBMgrN
• QBCFMonitorService
• SAP
• TeamViewer_Service
• TeamViewer
• tv_w32
• tv_x64
• CVMountd
• cvd
• cvfwd
• CVODS
• saphostexec
• saposcol
• sapstartsrv
• avagent
• avscc
• DellSystemDetect
• EnterpriseClient
• VeeamNFSSvc
• VeeamTransportSvc
• VeeamDeploymentSvc

Other Details

This Ransomware does the following:

• It terminates ESXi VMs and snapshots.
• It clears event logs.
• It displays a graphical output in CMD to view the ransomware's progression if the parameter --ui is used.
  

It accepts the following parameters:

• --access-token {Access Token} → Access Token (Any String)
• --child → Run as child process
• --drag-and-drop → Invoked with drag and dropped
• --drop-drag-and-drop-target → Drop drag and drop target batch file
• --extra-verbose → Log more to console
• -h | --help → Print help information
• --log-file {Full Path of Log File} → Enable logging to specified file
• --no-net → Do not discover network shares on Windows
• --no-prop → Do not self-propagate (worm) on Windows
• --no-prop-servers {Server/s} → Do not propagate to defined servers
• --no-vm-kill → Do not stop VMs on ESXi
• --no-vm-kill-names {VM Name/s} → Do not stop defined VMs on ESXi
• --no-vm-snapshot-kill → Do not wipe VMs snapshots on ESXi
• --no-wall → Do not update desktop wallpaper on Windows
• -p | --paths {Full Path/s} → Only process files inside defined paths
• --propagated → Run as propagated process
• --ui → Show user interface
• -v | --verbose → Log to console

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• desktop.ini
• autorun.inf
• ntldr
• bootsect.bak
• thumbs.db
• boot.ini
• ntuser.dat
• iconcache.db
• bootfont.bin
• ntuser.ini
• ntuser.dat.log

It avoids encrypting files found in the following folders:

• system volume information
• intel
• $windows.~ws
• application data
• $recycle.bin
• mozilla
• $windows.~bt
• public
• msocache
• windows
• default
• all users
• tor browser
• programdata
• boot
• config.msi
• google
• perflogs
• appdata
• windows.old

It appends the following extension to the file name of the encrypted files:

• .fs39zfd

It drops the following file(s) as ransom note:

• {File Path of Encrypted Files}\RECOVER-fs39zfd-FILES.txt
• %Desktop%\RECOVER-fs39zfd-FILES.txt
  

It avoids encrypting files with the following file extensions:

• .themepack
• .nls
• .diagpkg
• .msi
• .lnk
• .exe
• .cab
• .bat
• .drv
• .rtp
• .msp
• .prf
• .msc
• .ico
• .key
• .ocx
• .diagcab
• .diagcfg
• .pdb
• .wpx
• .hlp
• .icns
• .rom
• .dll
• .msstyles
• .mod
• .ps1
• .ics
• .hta
• .bin
• .cmd
• .ani
• .386
• .lock
• .cur
• .idx
• .sys
• .com
• .deskthemepack
• .shs
• .ldf
• .theme
• .mpa
• .nomedia
• .spl
• .cpl
• .adv
• .icl
• .msu
• .fs39zfd