Ransom.MSIL.THANOS.THABGBA

 Analysis by: Abby Roana Javelosa

 ALIASES:

Trojan-Ransom.Thanos (Ikarus), HEUR:Trojan-Ransom.MSIL.Encoder.gen (Kaspersky)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Ransomware

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet


This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be dropped by other malware.

It creates certain registry entries to disable applications related to security.

It encrypts files with specific file extensions. It drops files as ransom note.

  TECHNICAL DETAILS

File Size:

106,496 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

27 Jan 2021

Payload:

Displays message/message boxes, Encrypts files, Compromises system security

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be dropped by the following malware:

Installation

This Ransomware adds the following mutexes to ensure that only one of its copies runs at any one time:

  • e660f428-738e-469e-93fc-20803ca8aa37

Autostart Technique

This Ransomware drops the following file(s) in the Windows User Startup folder to enable its automatic execution at every system startup:

  • %User Startup%\mystartup.lnk

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows 2003(32-bit), XP and 2000(32-bit), or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit), 10(64-bit).)

Other System Modifications

This Ransomware creates the following registry entries to disable applications related to security:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender\Real-Time Protection
DisableBehaviorMonitoring = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender
DisableAntiSpyware = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender\Real-Time Protection
DisableOnAccessProtection = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender\Real-Time Protection
DisableScanOnRealtimeEnable = 1

It uses the following commands to turn off data recovery services:

  • "sc.exe" config SQLTELEMETRY start= disabled
  • "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  • "sc.exe" config SQLWriter start= disabled
  • "sc.exe" config SstpSvc start= disabled
  • "net.exe" stop avpsus /y
  • "net.exe" stop bedbg /y
  • "net.exe" stop MSSQL$SQL_2008 /y
  • "net.exe" stop McAfeeDLPAgentService /y
  • "net.exe" stop MMS /y
  • "net.exe" stop MSSQL$SQLEXPRESS /y
  • "net.exe" stop ccEvtMgr /y
  • "net.exe" stop EhttpSrv /y
  • "net.exe" stop mfewc /y
  • "net.exe" stop ccSetMgr /y
  • "net.exe" stop mozyprobackup /y
  • "net.exe" stop BMR Boot Service /y
  • "net.exe" stop SavRoam /y
  • "net.exe" stop MSSQL$SYSTEM_BGC /y
  • "net.exe" stop NetBackup BMR MTFTP Service /y
  • "net.exe" stop DefWatch /y
  • "net.exe" stop RTVscan /y
  • "net.exe" stop EPSecurityService /y
  • "net.exe" stop QBFCService /y
  • "net.exe" stop QBIDPService /y
  • "net.exe" stop VeeamTransportSvc /y
  • "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  • "net.exe" stop BackupExecDiveciMediaService /y
  • "net.exe" stop Intuit.QuickBooks.FCS /y
  • "net.exe" stop MSSQL$TPS /y
  • "net.exe" stop VeeamDeploymentService /y
  • "net.exe" stop ekrn /y
  • "net.exe" stop QBCFMonitorService /y
  • "net.exe" stop SDRSVC /y
  • "net.exe" stop VeeamNFSSvc /y
  • "net.exe" stop YooBackup /y
  • "net.exe" stop veeam /y
  • "net.exe" stop EPUpdateService /y
  • "net.exe" stop YooIT /y
  • "net.exe" stop PDVFSService /y
  • "net.exe" stop zhudongfangyu /y
  • "net.exe" stop BackupExecVSSProvider /y
  • "net.exe" stop ntrtscan /y
  • "net.exe" stop stc_raw_agent /y
  • "net.exe" stop BackupExecAgentAccelerator /y
  • "net.exe" stop VSNAPVSS /y
  • "net.exe" stop BackupExecAgentBrowser /y
  • "net.exe" stop MSSQL$TPSAMA /y
  • "net.exe" stop BackupExecManagementService /y
  • "net.exe" stop NetMsmqActivator /y
  • "net.exe" stop EsgShKernel /y
  • "net.exe" stop BackupExecRPCService /y
  • "net.exe" stop MSExchangeIS /y
  • "net.exe" stop PDVFSService /y
  • "net.exe" stop AcrSch2Svc /y
  • "net.exe" stop “Sophos AutoUpdate Service” /y
  • "net.exe" stop AcronisAgent /y
  • "net.exe" stop SamSs /y
  • "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  • "net.exe" stop CASAD2DWebSvc /y
  • "net.exe" stop ReportServer /y
  • "net.exe" stop ESHASRV /y
  • "net.exe" stop “SQLsafe Backup Service” /y
  • "net.exe" stop BackupExecJobEngine /y
  • "net.exe" stop CAARCUpdateSvc /y
  • "net.exe" stop “Sophos Device Control Service” /y
  • "net.exe" stop MSSQL$VEEAMSQL2012 /y
  • "net.exe" stop MsDtsServer110 /y
  • "net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
  • "net.exe" stop FA_Scheduler /y
  • "net.exe" stop POP3Svc /y
  • "net.exe" stop sophos /y
  • "net.exe" stop MSExchangeMGMT /y
  • "net.exe" stop KAVFS /y
  • "net.exe" stop “Acronis VSS Provider” /y
  • "net.exe" stop SQLWriter /y
  • "net.exe" stop “Sophos Clean Service” /y
  • "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  • "net.exe" stop SMTPSvc /y
  • "net.exe" stop MsDtsServer /y
  • "net.exe" stop masvc /y
  • "net.exe" stop ReportServer$SQL_2008 /y
  • "net.exe" stop ReportServer$SYSTEM_BGC /y
  • "net.exe" stop VeeamDeploymentService /y
  • "net.exe" stop “SQLsafe Filter Service” /y
  • "net.exe" stop IISAdmin /y
  • "net.exe" stop MSSQLServerADHelper /y
  • "net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
  • "net.exe" stop msftesql$PROD /y
  • "net.exe" stop MSSQLFDLauncher$TPSAMA /y
  • "net.exe" stop McAfeeEngineService /y
  • "net.exe" stop SstpSvc /y
  • "net.exe" stop MSExchangeES /y
  • "net.exe" stop KAVFSGT /y
  • "net.exe" stop MSExchangeMTA /y
  • "net.exe" stop VeeamBackupSvc /y
  • "net.exe" stop “Sophos Agent” /y
  • "net.exe" stop UI0Detect /y
  • "net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
  • "net.exe" stop EraserSvc11710 /y
  • "net.exe" stop MSExchangeSA /y
  • "net.exe" stop MSOLAP$TPSAMA /y
  • "net.exe" stop VeeamHvIntegrationSvc /y
  • "net.exe" stop “Enterprise Client Service” /y
  • "net.exe" stop “Sophos File Scanner Service” /y
  • "net.exe" stop kavfsslp /y
  • "net.exe" stop “SQL Backups /y
  • "net.exe" stop ReportServer$TPS /y
  • "net.exe" stop MsDtsServer100 /y
  • "net.exe" stop “Veeam Backup Catalog Data Service” /y
  • "net.exe" stop VeeamBrokerSvc /y
  • "net.exe" stop “Sophos MCS Client” /y
  • "net.exe" stop MSOLAP$SYSTEM_BGC /y
  • "net.exe" stop ARSM /y
  • "net.exe" stop W3Svc /y
  • "net.exe" stop MSSQLServerADHelper100 /y
  • "net.exe" stop “intel(r) proset monitoring service” /y
  • "net.exe" stop McAfeeFrameworkMcAfeeFramework /y
  • "net.exe" stop “Symantec System Recovery” /y
  • "net.exe" stop MBAMService /y
  • "net.exe" stop McAfeeFramework /y
  • "net.exe" stop msexchangeimap4 /y
  • "net.exe" stop VeeamNFSSvc /y
  • "net.exe" stop VeeamDeploySvc /y
  • "net.exe" stop MSOLAP$SQL_2008 /y
  • "net.exe" stop MSSQL$PROD /y
  • "net.exe" stop MSSQLSERVER /y
  • "net.exe" stop Antivirus /y
  • "net.exe" stop MSSQLFDLauncher$SQL_2008 /y
  • "net.exe" stop MySQL57 /y
  • "net.exe" stop MSExchangeSRS /y
  • "net.exe" stop MBEndpointAgent /y
  • "net.exe" stop MSSQL$BKUPEXEC /y
  • "net.exe" stop McShield /y
  • "net.exe" stop klnagent /y
  • "net.exe" stop “Sophos Health Service” /y
  • "net.exe" stop VeeamCatalogSvc /y
  • "net.exe" stop unistoresvc_1af40a /y
  • "net.exe" stop “Sophos Message Router” /y
  • "net.exe" stop ReportServer$TPSAMA /y
  • "net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
  • "net.exe" stop BackupExecAgentAccelerator /y
  • "net.exe" stop “Zoolz 2 Service” /y
  • "net.exe" stop VeeamTransportSvc /y
  • "net.exe" stop MSSQL$ECWDB2 /y
  • "net.exe" stop MSOLAP$TPS /y
  • "net.exe" stop OracleClientCache80 /y
  • "net.exe" stop macmnsvc /y
  • "net.exe" stop “aphidmonitorservice” /y
  • "net.exe" stop VeeamEnterpriseManagerSvc /y
  • "net.exe" stop VeeamCloudSvc /y
  • "net.exe" stop audioendpointbuilder /y
  • "net.exe" stop wbengine /y
  • "net.exe" stop MSSQLFDLauncher$TPS /y
  • "net.exe" stop msexchangeadtopology /y
  • "net.exe" stop “Sophos Safestore Service” /y
  • "net.exe" stop SQLAgent$PRACTTICEMGT /y
  • "net.exe" stop ReportServer$SQL_2008 /y
  • "net.exe" stop ShMonitor /y
  • "net.exe" stop swi_service /y
  • "net.exe" stop “Sophos MCS Agent” /y
  • "net.exe" stop BackupExecAgentBrowser /y
  • "net.exe" stop SQLAgent$PROD /y
  • "net.exe" stop MSSQL$PRACTICEMGT /y
  • "net.exe" stop AcrSch2Svc /y
  • "net.exe" stop Smcinst /y
  • "net.exe" stop “Sophos System Protection Service” /y
  • "net.exe" stop swi_update /y
  • "net.exe" stop SQLAgent$PROFXENGAGEMENT /y
  • "net.exe" stop mfemms /y
  • "net.exe" stop BackupExecDeviceMediaService /y
  • "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  • "net.exe" stop vapiendpoint /y
  • "net.exe" stop MSSQL$PRACTTICEBGC /y
  • "net.exe" stop swi_update_64 /y
  • "net.exe" stop SmcService /y
  • "net.exe" stop “Sophos Web Control Service” /y
  • "net.exe" stop SQLAgent$VEEAMSQL2012 /y
  • "net.exe" stop BackupExecJobEngine /y
  • "net.exe" stop TmCCSF /y
  • "net.exe" stop SQLAgent$SBSMONITORING /y
  • "net.exe" stop SQLBrowser /y
  • "net.exe" stop SntpService /y
  • "net.exe" stop wbengine /y
  • "net.exe" stop tmlisten /y
  • "net.exe" stop SQLAgent$SHAREPOINT /y
  • "net.exe" stop SQLSafeOLRService /y
  • "net.exe" stop sophossps /y
  • "net.exe" stop RESvc /y
  • "net.exe" stop TrueKey /y
  • "net.exe" stop SQLAgent$SQL_2008 /y
  • "net.exe" stop SQLSERVERAGENT /y
  • "net.exe" stop SQLAgent$SOPHOS /y
  • "net.exe" stop SQLAgent$SQLEXPRESS /y
  • "net.exe" stop TrueKeyScheduler /y
  • "net.exe" stop svcGenericHost /y
  • "net.exe" stop mfevtp /y
  • "net.exe" stop SQLTELEMETRY /y
  • "net.exe" stop SQLAgent$SYSTEM_BGC /y
  • "net.exe" stop sms_site_sql_backup /y
  • "net.exe" stop TrueKeyServiceHelper /y
  • "net.exe" stop swi_filter /y
  • "net.exe" stop SQLTELEMETRY$ECWDB2 /y
  • "net.exe" stop SQLAgent$TPS /y
  • "net.exe" stop SQLAgent$BKUPEXEC /y
  • "net.exe" stop WRSVC /y
  • "net.exe" stop BackupExecRPCService /y
  • "net.exe" stop MSSQL$SOPHOS /y
  • "net.exe" stop mssql$vim_sqlexp /y
  • "net.exe" stop SQLAgent$CITRIX_METAFRAME /y
  • "net.exe" stop MSSQL$SBSMONITORING /
  • "net.exe" stop sacsvr /y
  • "net.exe" stop MSSQL$SBSMONITORING /y
  • "net.exe" stop VeeamRESTSvc /y
  • "net.exe" stop SQLAgent$CXDB /y
  • "net.exe" stop AVP /y
  • "net.exe" stop MySQL80 /y
  • "net.exe" stop SAVAdminService /y
  • "net.exe" stop BackupExecVSSProvider /y
  • "net.exe" stop McTaskManager /y
  • "net.exe" stop SQLAgent$ECWDB2 /y
  • "net.exe" stop MSSQL$SHAREPOINT /y
  • "net.exe" stop SAVService /y
  • "net.exe" stop DCAgent /y
  • "net.exe" stop SQLAgent$PRACTTICEBGC /y
  • "net.exe" stop AcronisAgent /y
  • "net.exe" stop VeeamMountSvc /y
  • "net.exe" stop BackupExecManagementService /y
  • "net.exe" stop MSSQLServerOLAPService /y
  • "net.exe" stop MSSQL$PROFXENGAGEMENT /y
  • "net.exe" stop mfefire /y
  • "net.exe" stop SepMasterService /y
  • "net.exe" stop SQLAgent$TPSAMA /y

It uses the following commands to delete built-in operating system data to prevent data recovery:

  • "powershell" Get-MpPreference -verbose
  • "taskkill" /F /IM RaccineSettings.exe
  • "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  • "reg" delete HKCU\Software\Raccine /F
  • "schtasks" /DELETE /TN \"Raccine Rules Updater\" /F
  • "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  • "cmd.exe" /c rd /s /q D:\$Recycle.bin

Other Details

This Ransomware does the following:

  • It terminates the following processes if found using the following commands:
    • "taskkill.exe" /IM mspub.exe /F
    • "taskkill.exe" /IM onenote.exe /F
    • "taskkill.exe" /IM agntsvc.exe /F
    • "taskkill.exe" /IM PccNTMon.exe /F
    • "taskkill.exe" /IM synctime.exe /F
    • "taskkill.exe" /IM thebat.exe /F
    • "taskkill.exe" /IM excel.exe /F
    • "taskkill.exe" /IM msaccess.exe /F
    • "taskkill.exe" /IM steam.exe /F
    • "taskkill.exe" /IM firefoxconfig.exe /F
    • "taskkill.exe" /IM CNTAoSMgr.exe /F
    • "taskkill.exe" /IM dbeng50.exe /F
    • "taskkill.exe" /IM sqlwriter.exe /F
    • "taskkill.exe" /IM infopath.exe /F
    • "taskkill.exe" /IM mspub.exe /F
    • "taskkill.exe" /IM Ntrtscan.exe /F
    • "taskkill.exe" /IM outlook.exe /F
    • "taskkill.exe" /IM mydesktopservice.exe /F
    • "taskkill.exe" /IM encsvc.exe /F
    • "taskkill.exe" /IM tbirdconfig.exe /F
    • "taskkill.exe" /IM mbamtray.exe /F
    • "taskkill.exe" /IM mydesktopqos.exe /F
    • "taskkill.exe" /IM thebat64.exe /F
    • "taskkill.exe" /IM zoolz.exe /F
    • "taskkill.exe" /IM tmlisten.exe /F
    • "taskkill.exe" /IM sqlservr.exe /F
    • "taskkill.exe" /IM winword.exe /F
    • "taskkill.exe" /IM visio.exe /F
    • "taskkill.exe" /IM mydesktopqos.exe /F
    • "taskkill.exe" /IM mydesktopservice.exe /F
    • "taskkill.exe" /IM mysqld.exe /F
    • "taskkill.exe" /IM isqlplussvc.exe /F
    • "taskkill.exe" /IM msftesql.exe /F
    • "taskkill.exe" /IM sqbcoreservice.exe /F
    • "taskkill.exe" /IM ocomm.exe /F
    • "taskkill.exe" IM thunderbird.exe /F
    • "taskkill.exe" /IM mysqld-nt.exe /F
    • "taskkill.exe" /IM dbsnmp.exe /F
    • "taskkill.exe" /IM powerpnt.exe /F
    • "taskkill.exe" /IM xfssvccon.exe /F
    • "taskkill.exe" /IM wordpad.exe /F
    • "taskkill.exe" /IM mysqld-opt.exe /F
    • "taskkill.exe" /IM ocautoupds.exe /F
  • It terminates all running processes unless the following strings are found in the process name:
    • chrome
    • opera
    • msedge
    • iexplore
    • firefox
    • explorer
    • wininit
    • winlogon
    • SearchApp
    • SearchIndexer
    • SearchUI
  • It checks if the following programs are running. If they are, the said programs are terminated, and the main ransomware program will terminate as well:
    • http analyzer stand-alone
    • fiddler
    • effetech http sniffer
    • firesheep
    • IEWatch Professional
    • wireshark portable
    • sysinternals tcpview
    • dumpcap
    • wireshark
    • ollydbg
    • x64dbg
    • x32dbg
    • dnspy
    • dnspy-x86
    • de4dot
    • ilspy
    • dotpeek
    • dotpeek64
    • ida64
    • RDG Packer Detector
    • CFF Explorer
    • PEiD
    • protection_id
    • LordPE
    • pe-sieve
    • MegaDumper
    • UnConfuserEx
    • Universal_Fixer
    • NoFuserEx
    • NetworkMiner
    • NetworkTrafficView
    • HTTPNetworkSniffer
    • tcpdump
    • intercepter
    • intercepter-NG
  • It deletes the following registry subkeys to delete shadow copies:
      • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
        • vssadmin.exe
      • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
        • wmic.exe
      • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
        • wbadmin.exe
      • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
        • bcdedit.exe
      • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
        • powershell.exe
      • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
        • diskshadow.exe
      • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
        • net.exe
  • The malware disables the following using powershell console:
    • "DisableRealtimeMonitoring"
    • "DisableBehaviorMonitoring"
    • "DisableBlockAtFirstSeen"
    • "DisableIOAVProtection"
    • "DisablePrivacyMode"
    • "SignatureDisableUpdateOnStartupWithoutEngine"
    • "DisableArchiveScanning"
    • "DisableIntrusionPreventionSystem"
    • "DisableScriptScanning"
    • "SubmitSamplesConsent"
    • "MAPSReporting"
    • "HighThreatDefaultAction"
    • "ModerateThreatDefaultAction"
    • "LowThreatDefaultAction"
    • "SevereThreatDefaultAction"

It executes the following commands to gain access to the network configuration settings of the system:

  • "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  • "powershell.exe" & Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
  • "cmd.exe" /c net view
  • "arp" -a
  • "icacls" "D:*" /grant Everyone:F /T /C /Q
  • "icacls" "Z:*" /grant Everyone:F /T /C /Q
  • "icacls" "C:*" /grant Everyone:F /T /C /Q
  • "sc.exe" config Dnscache start= auto
  • "sc.exe" config FDResPub start= auto
  • "sc.exe" config SSDPSRV start= auto
  • "sc.exe" config upnphost start= auto
  • "net.exe" start Dnscache /y
  • "net.exe" start FDResPub /y
  • "net.exe" start SSDPSRV /y
  • "net.exe" start upnphost /y
  • "net.exe use" \{Machine Name shared in Network}\Users
  • "net.exe use" \{Subnet Mask}
  • "net.exe use" \{IPv4 Address}
  • "net.exe use" \{Default Gateway}
  • "netsh" advfirewall set rule group=\"Network Discovery\" new enable=Yes

Ransomware Routine

This Ransomware encrypts files with the following extensions:

  • dat
  • txt
  • jpeg
  • gif
  • jpg
  • png
  • php
  • cs
  • cpp
  • rar
  • zip
  • html
  • htm
  • xls
  • avi
  • mp4
  • ppt
  • doc
  • sxi
  • sxw
  • odt
  • hwp
  • tar
  • bz2
  • mkv
  • eml
  • msg
  • ost
  • pst
  • edb
  • sql
  • accdb
  • mdb
  • dbf
  • odb
  • myd
  • java
  • pas
  • asm
  • key
  • pfx
  • pem
  • p12
  • csr
  • gpg
  • aes
  • vsd
  • odg
  • raw
  • nef
  • svg
  • psd
  • vmx
  • vmdk
  • vdi
  • lay6
  • sqlite3
  • sqlitedb
  • class
  • mpeg
  • djvu
  • tiff
  • backup
  • cert
  • docm
  • xlsm
  • dwg
  • bak
  • qbw
  • nd
  • tlg
  • lgb
  • pptx
  • mov
  • xdw
  • ods
  • wav
  • mp3
  • aiff
  • flac
  • m4a
  • ora
  • mdf
  • ldf
  • ndf
  • dtsx
  • rdl
  • dim
  • mrimg
  • qbb
  • rtf
  • 7z

It avoids encrypting files with the following strings in their file name:

  • autoexec.bat
  • desktop.ini
  • autorun.inf
  • ntuser.dat
  • NTUSER.DAT
  • iconcache.db
  • bootsect.bak
  • boot.ini
  • ntuser.dat.log
  • thumbs.db
  • bootmgr
  • pagefile.sys
  • config.sys
  • ntuser.ini
  • Builder_Log
  • RSAKeys
  • RESTORE_FILES_INFO (ransom note)
  • Recycle.bin
  • mystartup.lnk
  • Debug_Log.txt
  • UserName={User Name shared in Network}_MachineName={Machine Name shared in Network}_{hash}.txt
  • .0l0lqq (encrypted file ext)
  • exe
  • dll
  • EXE
  • DLL

It avoids encrypting files found in the following folders:

  • program files
  • :\windows
  • perflogs
  • internet explorer
  • :\programdata
  • msocache
  • system volume information
  • boot
  • tor browser
  • mozilla
  • appdata
  • google chrome
  • application data

It appends the following extension to the file name of the encrypted files:

  • .0l0lqq

It drops the following file(s) as ransom note:

  • %User Temp%\RESTORE_FILES_INFO.txt

  SOLUTION

Minimum Scan Engine:

9.800

FIRST VSAPI PATTERN FILE:

16.568.03

FIRST VSAPI PATTERN DATE:

01 Mar 2021

VSAPI OPR PATTERN File:

16.569.00

VSAPI OPR PATTERN Date:

02 Mar 2021

Step 1

Trend Micro Predictive Machine Learning detects and blocks malware at the first sign of its existence, before it executes on your system. When enabled, your Trend Micro product detects this malware under the following machine learning name:

     
    • Troj.Win32.TRX.XXPE50FFF040

Step 2

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 3

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 4

Restart in Safe Mode

[ Learn More ]

Step 5

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
    • DisableAntiSpyware=1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
    • DisableBehaviorMonitoring=1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
    • DisableOnAccessProtection=1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
    • DisableScanOnRealtimeEnable=1

Step 6

Search and delete these files

[ Learn More ]
There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • %User Temp%\RESTORE_FILES_INFO.txt
  • %User Startup%\mystartup.lnk

Step 7

Restart in normal mode and scan your computer with your Trend Micro product for files detected as Ransom.MSIL.THANOS.THABGBA. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 8

Scan your computer with your Trend Micro product to delete files detected as Ransom.MSIL.THANOS.THABGBA. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:

Step 9

Restore encrypted files from backup.


Did this description help? Tell us how we did.