Ransom.Win32.BLACKMATTER.SMYXBHMT

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• used as wallpaper:
  • %ProgramData%\{appended ransomware extension}.bmp

(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Documents and Settings\All Users on Windows Server 2003(32-bit), 2000(32-bit) and XP.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Global\{Generated hash based on GUID}

Other System Modifications

This Ransomware sets the system's desktop wallpaper to the following image:

Process Termination

This Ransomware terminates the following services if found on the affected system:

• mepocs
• memtas
• veeam
• svc$
• backup
• sql
• vss

It terminates the following processes if found running in the affected system's memory:

• encsvc
• thebat
• mydesktopqos
• xfssvccon
• firefox
• infopath
• winword
• steam
• synctime
• notepad
• ocomm
• onenote
• mspub
• thunderbird
• agntsvc
• sql
• excel
• powerpnt
• outlook
• wordpad
• dbeng50
• isqlplussvc
• sqbcoreservice
• oracle
• ocautoupds
• dbsnmp
• msaccess
• tbirdconfig
• ocssd
• mydesktopservice
• visio

Information Theft

This Ransomware gathers the following data:

• Machine GUID
• Computer name
• Hostname
• Username
• Domain
• OS Architecture
• Language
• Disk information (free size, disk size)
• Total number of files
• Total number of encrypted files

Stolen Information

This Ransomware sends the gathered information via HTTP POST to the following URL:

• http://{BLOCKED}zip.org/?{encrypted string}

Other Details

This Ransomware does the following:

• Optionally encrypts Microsoft Exchange files in %ExchangeInstallPath%\Mailbox directory.
• If not executed with admin rights, it will relaunch itself as admin.
• It encrypts fixed, removable and network drives.
• It deletes files in recycle bin folder for removable and fixed drives.
• It uses WQL to delete shadow copies.
• Optionally prints out a ransom note using the default printer.

Ransomware Routine

This Ransomware drops the following file(s) as ransom note:

• {appended ransomware extension}.README.txt
  

It avoids encrypting files with the following file extensions:

• 386
• adv
• ani
• bat
• bin
• cab
• cmd
• com
• cpl
• cur
• deskthemepack
• diagcab
• diagcfg
• diagpkg
• dll
• drv
• exe
• hlp
• hta
• icl
• icns
• ico
• ics
• idx
• key
• ldf
• lnk
• lock
• mod
• mpa
• msc
• msi
• msp
• msstyles
• msu
• nls
• nomedia
• ocx
• pdb
• prf
• ps1
• rom
• rtp
• scr
• shs
• spl
• sys
• theme
• themepack
• wpx