Destructive Fake Ransomware Wiping Out System Drives
Cyble Research and Intelligence Labs (CRIL) continuously monitors phishing campaigns that distribute different malware families. Recently, CRIL spotted an adult website distributing a fake ransomware executable. The fake ransomware does not encrypt files; instead it changes file names and extensions, drops ransom notes, and threatens victims into paying a ransom, just like the usual ransomware families.
Links to this website may be posted on dating websites; opening such a link redirects the user to download the fake ransomware. The downloaded executable has a double extension, i.e. SexyPhotos.JPG.exe, and masquerades as an image file, as shown below.
The sample with SHA256 hash fbb21d552b04494bf40cf5aded24601449dfa8d597325e8d4169d345fe185f15 was taken for this analysis. Static analysis indicates that the file is a 32-bit, GUI-based installer executable built with a C/C++ compiler, as shown in the image below.
Upon execution, the malware drops four executable files (del.exe, open.exe, windll.exe and windows.exe) and one batch file (avtstart.bat) in the %temp% directory and executes them. The figure below shows the files dropped by the malware on the victim’s machine.
Initially, “avtstart.bat” runs and copies all the executable files to the Startup folder for persistence, as shown below.
While copying the files, Windows throws an error that it could not find a file named “dell.exe”, indicating that the malware dropped the file under the wrong name, “del.exe”.
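The Startup-folder copy is the only persistence this sample has, so a quick audit of that folder is the natural first check on a suspected machine. The script below is an added example written for this post, not code from CRIL or from the sample. It assumes the standard per-user and all-users Startup locations under %APPDATA% and %ProgramData%, and the list of flagged extensions and the image-then-executable double-extension heuristic are assumptions of the example; the dropped file names come from the post.

```python
import os
import tempfile
from pathlib import Path

# File names the post reports being dropped to %temp% and copied to Startup.
DROPPED_NAMES = {"del.exe", "open.exe", "windll.exe", "windows.exe", "avtstart.bat"}

# Executable/script extensions that are unusual in a Startup folder unless an
# administrator put them there (assumption of this example). .lnk is not
# listed because shortcuts are the normal content of Startup.
SUSPICIOUS_EXTS = {".exe", ".bat", ".cmd", ".vbs", ".vbe", ".js", ".ps1", ".scr"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}


def default_startup_dirs():
    """Per-user and all-users Startup folders on Windows (empty list elsewhere)."""
    dirs = []
    if os.name == "nt":
        appdata = os.environ.get("APPDATA")
        programdata = os.environ.get("PROGRAMDATA")
        if appdata:
            dirs.append(Path(appdata) / "Microsoft/Windows/Start Menu/Programs/Startup")
        if programdata:
            dirs.append(Path(programdata) / "Microsoft/Windows/Start Menu/Programs/StartUp")
    return dirs


def audit_startup(directory):
    """Return a sorted list of (filename, reason) findings for one Startup folder."""
    findings = []
    for p in sorted(Path(directory).iterdir()):
        if not p.is_file():
            continue
        suffixes = [s.lower() for s in p.suffixes]
        if p.name.lower() in DROPPED_NAMES:
            findings.append((p.name, "name matches a file dropped by this sample"))
        elif len(suffixes) >= 2 and suffixes[-2] in IMAGE_EXTS and suffixes[-1] in SUSPICIOUS_EXTS:
            findings.append((p.name, "double extension: executable posing as an image"))
        elif suffixes and suffixes[-1] in SUSPICIOUS_EXTS:
            findings.append((p.name, "executable or script in Startup folder"))
    return findings


def demo():
    """Run the audit against a constructed Startup folder (fixture, not a real host)."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("del.exe", "SexyPhotos.JPG.exe", "Notes.lnk", "helper.vbs", "Readme.txt"):
            (Path(d) / name).write_bytes(b"constructed fixture\n")
        return audit_startup(d)


if __name__ == "__main__":
    for folder in default_startup_dirs():   # real audit on a Windows host
        if folder.is_dir():
            for name, reason in audit_startup(folder):
                print(f"{folder}\\{name}: {reason}")
    print(demo())                              # fixture run, works on any OS
```

Shortcuts (.lnk) pass through unflagged, so a shortcut pointing at a dropped executable would still need a second pass that resolves targets; the example only covers the direct copy this sample performs.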
File Rename operation:
After that, the malware executes “windowss.exe”, which drops three files named “windowss.VBS”, “windowss.bat” and “Readme.txt” in the same directory and executes the windowss.VBS file. The .VBS file in turn executes windowss.bat, which carries out the fake ransomware activity, and finally opens “Readme.txt”, which contains the payment instructions. The figure below shows the process tree of the fake ransomware.
The “windows.bat” file searches specific folders for specific file extensions and renames the matching files to “Locked_<number>.Locked_fille”, as shown below. The fake ransomware also drops a file, “exception.lst”, which lists the extensions to be excluded from the rename operation.
The table below shows the folders and file extensions the malware uses when performing the rename operation.
|Item|Values|
|---|---|
|File extensions|*.jpg *.bat *.lnk *.vbs *.css *.js *.apk *.GIF *.ico *.log *.py *.sys *.jar *.inf *.bin *.pdf *.JPEG *.png *.dll *.PSD *.BMP *.aac *.amr *.wav *.wave *.ogg *.wma *.3gp *.flv *.mkv *.mp4 *.mpeg *.mkw *.wmv *.7z *.bin *.gzip *.gz *.jar *.xar *.msi *.zip *.doc *.rar *.docm *.docx *.dotx *.epub *.pdf *.avi *.mht *.htm *.iso *.key *.pak *.svg *.csv *.tgz *.torrent *.xlsx *.xls *.php *.html *.HTML *.xml *aac *.mpeg *.flv *.mp3 *.mp4 *.exe|
|Folder paths|C:\Users\Windows\Desktop\ C:\Users\Windows\Downloads\ C:\Users\Windows\Music\ C:\Users\Windows\Pictures\ C:\Users\Public\Documents\ C:\Users\Windows\Videos\ C:\users\%username%\downloads\ C:\Users\%username%\Documents\ C:\Users\%username%\Desktop\ C:\Users\%username%\Music\ C:\Users\%username%\Videos\ C:\Users\%username%\Pictures\ C:\DRIVERS C:\Games C:\NVIDIA|
The figure below shows the files dropped by “windows.exe” and the code snippet of the VBS/BAT files used for the file rename operation.
The figure below compares an original file with its renamed copy, showing that the malware does not encrypt the file contents and changes only the file name.
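Because the bytes are untouched, the practical recovery question is not decryption but re-identification: the original names are gone, but the file type can be read back from the content. The script below is an added example written for this post, not code from CRIL or from the sample. It reproduces the post-infection state in a scratch directory (a rename to “Locked_<number>.Locked_fille” over a target extension list, with no mapping kept, as the post describes), then checks that SHA256 hashes are unchanged and recovers a file type from magic bytes. The target extensions, the fixture files and the small signature table are constructed for the example; a real triage would use a full signature database such as libmagic.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Name pattern the post reports for renamed files.
LOCKED_RE = re.compile(r"^Locked_(\d+)\.Locked_fille$")

# Constructed subset of magic-byte signatures used to identify a file from
# content alone once its name and extension are gone.
SIGNATURES = [
    (b"\xff\xd8\xff", ".jpg"),
    (b"\x89PNG\r\n\x1a\n", ".png"),
    (b"%PDF-", ".pdf"),
    (b"PK\x03\x04", ".zip"),   # also OOXML (docx/xlsx) and jar containers
    (b"MZ", ".exe"),
    (b"GIF8", ".gif"),
]


def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def guess_extension(path):
    """Return the extension implied by the leading bytes, or '.unknown'."""
    head = Path(path).read_bytes()[:16]
    for magic, ext in SIGNATURES:
        if head.startswith(magic):
            return ext
    return ".unknown"


def simulate_rename(directory, targets):
    """Reproduce the rename in a scratch directory: files whose extension is in
    `targets` become Locked_<n>.Locked_fille; bytes are not modified. Returns
    original name -> locked name so the demo can verify itself (the malware
    itself keeps no such mapping, which is why names cannot be restored)."""
    mapping = {}
    n = 0
    for p in sorted(Path(directory).iterdir()):
        if p.is_file() and p.suffix.lower() in targets:
            n += 1
            new = p.with_name(f"Locked_{n}.Locked_fille")
            p.rename(new)
            mapping[p.name] = new.name
    return mapping


def triage(directory):
    """Return {locked name: (sha256, guessed extension)} for every renamed file."""
    result = {}
    for p in Path(directory).iterdir():
        if p.is_file() and LOCKED_RE.match(p.name):
            result[p.name] = (sha256(p), guess_extension(p))
    return result


def demo():
    """Build constructed fixtures, rename them, and return
    (all hashes unchanged?, {original name: recovered extension}, untouched names)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        samples = {  # constructed fixtures, not real victim data
            "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
            "report.pdf": b"%PDF-1.7\n%constructed\n",
            "data.log": b"plain text has no magic bytes\n",
            "Readme.txt": b"constructed stand-in for the ransom note\n",
        }
        for name, data in samples.items():
            (root / name).write_bytes(data)
        before = {name: sha256(root / name) for name in samples}
        mapping = simulate_rename(root, targets={".jpg", ".pdf", ".log"})
        after = triage(root)
        unchanged = all(before[o] == after[n][0] for o, n in mapping.items())
        guessed = {o: after[n][1] for o, n in mapping.items()}
        untouched = sorted(p.name for p in root.iterdir() if not LOCKED_RE.match(p.name))
        return unchanged, guessed, untouched


if __name__ == "__main__":
    print(demo())
```

The plain-text log comes back as “.unknown”, which is the honest limit of signature-based recovery: text formats carry no magic bytes, so for those only content inspection or a backup restores a usable name. Readme.txt is left alone because .txt is not on the target list, matching the post's table.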
Dropping Ransom Notes:
In the next step, the malware executes the “windll.exe” file, which drops three files named “windll.VBS”, “windll.bat” and “Readme.txt” in the same folder and executes “windll.VBS”. Similarly, windll.VBS executes “windll.bat”, which copies “Readme.txt” into specific folders and opens the ransom note file “Readme.txt”. The figure below shows the files dropped by “windll.exe” and the code snippet of the VBS/BAT files used for copying the ransom notes into different locations.
Deleting System Drives:
The malware now tries to execute a file named “dell.exe”, but that file is not present on the victim’s machine because the malware wrongly named it “del.exe” when dropping it initially. “del.exe” contains code to drop three files named “dell.VBS”, “dell.bat” and “Readme.txt” and to execute “dell.VBS”. “dell.VBS” executes “dell.bat”, which deletes all system drives [A:\ – Z:\] except the C:\ drive. The figure below shows the files present inside “del.exe” and the code snippet of the VBS/BAT files.
Finally, the malware executes “open.exe”, which drops three files named “open.VBS”, “open.bat” and “Readme.txt” in the same directory and executes the “open.VBS” file. “open.VBS” executes “open.bat”, which connects to the URL mentioned below and opens “readme.txt”.
The figure below shows the files dropped by “open.exe” and the code snippet of the VBS/BAT files.
In the dropped “Readme.txt” ransom note, victims are given instructions (in multiple languages) on how to contact the TAs for file recovery, along with the ransom amount.
The fake ransomware behaves like regular ransomware but does not encrypt files. It falsely claims that the files are encrypted and threatens the user into paying a ransom for decryption. Victims may still pay the ransom to recover their files, since the renamed files are unusable. We are not sure whether a working decryptor is actually provided once the ransom is paid. Even if a decryptor is provided, restoring the original file names is not possible, as the malware does not store them anywhere during the infection.
Cyble Research and Intelligence Labs will continue monitoring the latest phishing or malware strains in the wild and update blogs with actionable intelligence to protect users from such notorious attacks.
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
Safety Measures Needed to Prevent Ransomware Attacks
- Conduct regular backup practices and keep those backups offline or in a separate network.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
Users Should Take the Following Steps After the Ransomware Attack
- Detach infected devices from the network.
- Disconnect external storage devices if connected.
- Inspect system logs for suspicious events.
Impacts And Cruciality of Ransomware
- Loss of valuable data.
- Loss of the organization’s reputation and integrity.
- Loss of the organization’s sensitive business information.
- Disruption of organizational operations.
- Financial loss.
MITRE ATT&CK® Techniques
|Tactic|Technique ID|Technique Name|
|---|---|---|
|Execution|T1204|User Execution|
|Execution|T1059|Command and Scripting Interpreter|
|Persistence|T1547|Registry Run Keys / Startup Folder|
|Defense Evasion|T1027|Obfuscated Files or Information|
|Discovery|T1082|System Information Discovery|
|Discovery|T1083|File and Directory Discovery|
|Impact|T1486|Data Encrypted for Impact|
Indicators of Compromise (IOCs)