Ransom.Win32.CRYSIS.APHZ

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It is capable of encrypting files in the affected system.

It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following copies of itself into the affected system:

• %AppDataLocal%\{Malware FileName}.exe

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• netsh advfirewall set currentprofile state off
• netsh firewall set opmode mode=disable
• %System%\mshta.exe %Desktop%\info.hta
• %System%\mshta.exe %Public%\Desktop\info.hta
• %System%\mshta.exe {Drive}\info.hta

(Note: %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\Desktop on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Public% is the folder that serves as a repository of files or folders common to all users, which is usually C:\Users\Public in Windows Vista, 7, and 8.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Global\<>70EF904200000001
• Global\<>70EF904200000000

Autostart Technique

This Ransomware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{Malware FileName} = "%AppDataLocal%\{Malware FileName}.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{Malware FileName} = "%AppDataLocal%\{Malware FileName}.exe"

It enables its automatic execution at every system startup by dropping the following copies of itself into the Windows Common Startup folder:

• %User Startup%\{Malware FileName}.exe
• %Common Startup%\{Malware FileName}.exe

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows 2003(32-bit), XP and 2000(32-bit), or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit), 10(64-bit).. %Common Startup% is the startup folder for all users, which is usually C:\Documents and Settings\All Users\Start Menu\Programs\Startup on Windows 2000, XP, and Server 2003, or C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup on Windows Vista, 7, and 8.)

Process Termination

This Ransomware terminates the following processes if found running in the affected system's memory:

• Sftesql.exe
• sqlagent.exe
• sqlbrowser.exe
• sqlservr.exe
• sqlwriter.exe
• oracle.exe
• ocssd.exe
• dbsnmp.exe
• synctime.exe
• agntsvc.exe
• mydesktopqos.exe
• isqlplussvc.exe
• xfssvccon.exe
• mydesktopservice.exe
• ocautoupds.exe
• agntsvc.exe
• agntsvc.exe
• agntsvc.exe
• encsvc.exe
• firefoxconfig.exe
• tbirdconfig.exe
• ocomm.exe
• mysqld.exe
• mysqld-nt.exe
• mysqld-opt.exe
• dbeng50.exe
• sqbcoreservice.exe
• excel.exe
• infopath.exe
• msaccess.exe
• mspub.exe
• onenote.exe
• outlook.exe
• powerpnt.exe
• steam.exe
• thebat.exe
• thebat64.exe
• thunderbird.exe
• visio.exe
• winword.exe
• wordpad.exe

Other Details

This Ransomware does the following:

• It avoids encrypting files/directories with the following strings:
  • %Windows%
  • %Program Data%\microsoft\windows\caches
  • %System Root%\users\admin\microsoft\windows\caches
  • info.hta
  • info.txt
  • boot.ini
  • Bootfont.bin
  • ntldr
  • ntdetect.com
  • io.sys
  • {Malware Filename}.exe
• It randomly uses the following extension to encrypt files and avoids encrypting the following extensions:
  • adage
  • actin
  • acton
  • actor
  • acuff
  • acuna
  • acute
  • adage
  • adair
  • adame
  • banhu
  • banjo
  • banks
  • banta
  • barak
  • caleb
  • cales
  • caley
  • calix
  • calle
  • calum
  • calvo
  • deuce
  • dever
  • devil
  • devoe
  • devon
  • devos
  • dewar
  • eight
  • eject
  • eking
  • elbie
  • elbow
  • elder
  • phobos
  • help
  • blend
  • bqux
  • commamba
  • karlos
  • ddos
  • phoenix
  • plut
  • karma
  • bbc
  • capital
  • Wallet
• It encrypts files in all fixed, remote, network and removable drives.
• Info.hta displays the following window:
  

It is capable of encrypting files in the affected system.

Ransomware Routine

This Ransomware appends the following extension to the file name of the encrypted files:

• .id[ID].[{BLOCKED}helpyou@qq.com].{String}
  Strings:
  
  • adage
  • actin
  • acton
  • actor
  • acuff
  • acuna
  • acute
  • adage
  • adair
  • adame
  • banhu
  • banjo
  • banks
  • banta
  • barak
  • caleb
  • cales
  • caley
  • calix
  • calle
  • calum
  • calvo
  • deuce
  • dever
  • devil
  • devoe
  • devon
  • devos
  • dewar
  • eight
  • eject
  • eking
  • elbie
  • elbow
  • elder
  • phobos
  • help
  • blend
  • bqux
  • commamba
  • karlos
  • ddos
  • phoenix
  • plut
  • karma
  • bbc
  • capital
  • Wallet

It drops the following file(s) as ransom note:

• {Encrypted Directory}:\info.hta
• {Encrypted Directory}:\info.txt

It leaves text files that serve as ransom notes containing the following text: