Ransom.Win32.SODINOKIBI.AUWUJDEK

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• %User Temp%\{random characters}.bmp → Used as wallpaper

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• powershell -e {base-64 encoded command} → Deletes Shadow Copies

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Global\B6CC837D-86BE-A32B-F1A9-2E0B99BA279D

Other System Modifications

This Ransomware adds the following registry entries:

HKEY_LOCAL_MACHINE\Software\Facebook_Assistant
k8q = {hex values}

HKEY_LOCAL_MACHINE\Software\Facebook_Assistant
TiuD = {hex values}

HKEY_LOCAL_MACHINE\Software\Facebook_Assistant
TMjCE = {hex values}

HKEY_LOCAL_MACHINE\Software\Facebook_Assistant
bfWmiW = {hex values}

HKEY_LOCAL_MACHINE\Software\Facebook_Assistant
RFY8wJD = .{appended extension}

HKEY_LOCAL_MACHINE\Software\Facebook_Assistant
Ul4OFJ5S = {hex values}

It changes the desktop wallpaper by modifying the following registry entries:

HKEY_CURRENT_USER\Control Panel\desktop
Wallpaper = %User Temp%\{random characters}.bmp

It sets the system's desktop wallpaper to the following image:

Process Termination

This Ransomware terminates the following services if found on the affected system:

• AcronisAgent
• AcrSch2Svc
• ARSM
• backup
• BackupExecAgentAccelerator
• BackupExecAgentBrowser
• BackupExecDiveciMediaService
• BackupExecJobEngine
• BackupExecManagementService
• BackupExecRPCService
• BackupExecVSSProvider
• bedbg
• CAARCUpdateSvc
• CASAD2DWebSvc
• memtas
• mepocs
• MSExchange
• MSExchange$
• MSSQL
• MSSQL$
• MVArmor
• MVarmor64
• PDVFSService
• sophos
• sql
• stc_raw_agent
• svc$
• veeam
• VeeamDeploymentService
• VeeamNFSSvc
• VeeamTransportSvc
• VSNAPVSS
• vss
• WSBExchange

It terminates the following processes if found running in the affected system's memory:

• agntsvc
• bedbh
• benetns
• bengien
• beserver
• CagService
• dbeng50
• dbsnmp
• DellSystemDetect
• encsvc
• EnterpriseClient
• excel
• firefox
• infopath
• isqlplussvc
• msaccess
• mspub
• mydesktopqos
• mydesktopservice
• ocautoupds
• ocomm
• ocssd
• onenote
• oracle
• outlook
• powerpnt
• pvlsvr
• raw_agent_svc
• sqbcoreservice
• sql
• steam
• synctime
• tbirdconfig
• thebat
• thunderbird
• VeeamDeploymentSvc
• VeeamNFSSvc
• VeeamTransportSvc
• visio
• vsnapvss
• vxmon
• winword
• wordpad
• xfssvccon

Other Details

This Ransomware adds the following registry keys:

HKEY_LOCAL_MACHINE\Software\Facebook_Assistant

It does the following:

• It checks for the system’s computer layout and terminates if it is any of the following:
  • Russian
  • Ukrainian
  • Belarusian
  • Tajik
  • Armenian
  • Azeri-Latin
  • Georgian
  • Kazakh
  • Kyrgyz-Cyrillic
  • Slovenian
  • Uzbek-Latin
  • Tatar
  • Romanian-Moldova
  • Russian-Moldova
  • Azeri-Cyrillic
  • Uzbek-Cyrillic
  • Syriac
  • Arabic-Syria
• It searches for files to encrypt in remote drives, fixed drives, removable drives, and network resources.
• It wipes the contents of the following folder(s):
  • back
  • bckp
  • backups
  • backup
  • archive
• It checks if the operating system is Windows Vista or above. If it is or above, it will then check if the current process has administrator privileges. If it doesn't, the malware will then run another instance of itself using the runas command to give the copy administrator privileges. It will then terminate itself.
• It checks if its privilege level is on SYSTEM level. If it is, it will impersonate the user that ran the first explorer.exe it has found.

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• bootfont.bin
• ntldr
• ntuser.ini
• ntuser.dat.log
• bootsect.bak
• autorun.inf
• boot.ini
• desktop.ini
• ntuser.dat
• thumbs.db
• iconcache.db

It avoids encrypting files found in the following folders:

• msocache
• intel
• system volume information
• application data
• tor browser
• program files (x86)
• programdata
• program files
• google
• perflogs
• windows.old
• $windows.~bt
• boot
• mozilla
• $windows.~ws
• $recycle.bin
• appdata

It appends the following extension to the file name of the encrypted files:

• .{random characters}

It drops the following file(s) as ransom note:

• {Encrypted Directory}\{appended extension}-readme.txt
  

It avoids encrypting files with the following file extensions:

• .386
• .adv
• .ani
• .bat
• .bin
• .cab
• .cmd
• .com
• .cpl
• .cur
• .deskthemepack
• .diagcab
• .diagcfg
• .diagpkg
• .dll
• .drv
• .exe
• .hlp
• .hta
• .icl
• .icns
• .ico
• .ics
• .idx
• .key
• .ldf
• .lnk
• .lock
• .mod
• .mpa
• .msc
• .msi
• .msp
• .msstyles
• .msu
• .nls
• .nomedia
• .ocx
• .prf
• .ps1
• .rom
• .rtp
• .scr
• .shs
• .spl
• .sys
• .theme
• .themepack
• .wpx