Destructive Fake Ransomware Wiping Out System Drives
Cyble Research and Intelligence Labs (CRIL) has continuously monitored phishing campaigns that distribute different malware families. Recently, CRIL spotted an adult website, distributing a fake ransomware executable. The Fake Ransomware does not encrypt files instead it changes file names and their extensions, drops ransom notes, and threatens victims to pay ransom like usual ransomware families.
The link of this website may be available on dating websites that redirect the user to download the fake ransomware after opening it. The downloaded executable file has a double extension i.e. SexyPhotos.JPG.exe and masquerading as an image file as shown below.
Technical Details
The sample hash (SHA256), fbb21d552b04494bf40cf5aded24601449dfa8d597325e8d4169d345fe185f15 was taken for this analysis. The static analysis indicates that the file is a GUI-based x32 architecture installer executable binary written in C/C++ compiler, as shown in the image below.
Upon execution, the malware file drops four executable files (del.exe, open.exe, windll.exe and windows.exe) and one batch file (avtstart.bat) in %temp% directory and executes them. The below figure shows the files dropped by the malware in the victim’s machine.
Persistence:
Initially, “avtstart.bat” runs and it copies all the executable files to Startup folder for persistence as shown below.
While copying the files, the windows throw an error that it could not find a file “dell.exe”, indicating that the malware has dropped the file and wrongly named it as “del.exe”.
File Rename operation:
After that, the malware executes “windowss.exe” which drops three different files named “windowss.VBS”, “windowss.bat” and “Readme.txt” in the same directory and executes windowss.VBS file. The .VBS file further executes windowss.bat which initiates the Fake ransomware activity and finally opens the “Readme.txt” which contains the payment instructions. The below figure shows the process tree of the fake ransomware.
The “windows.bat” file searches for specific folders, file extensions, and renames file names with “Locked_<number>.Locked_fille” as shown below. The fake ransomware drops a file “exception.lst” which contains the extensions to be excluded from the rename operation.
The below table shows the folders and file extensions used by the malware for performing rename operations.
| File extensions | *.jpg *.bat *.lnk *.vbs *.css *.js *.apk *.GIF *.ico *.log *.py *.sys *.jar *.inf *.bin *.pdf *.JPEG *.png *.dll *.PSD *.BMP *.aac *.amr *.wav *.wave *.ogg *.wma *.3gp *.flv *.mkv *.mp4 *.mpeg *.mkw *.wmv *.7z *.bin *.gzip *.gz *.jar *.xar *.msi *.zip *.doc *.rar *.docm *.docx *.dotx *.epub *.pdf *.avi *.mht *.htm *.iso *.key *.pak *.svg *.csv *.tgz *.torrent *.xlsx *.xls *.php *.html *.HTML *.xml *aac *.mpeg *.flv *.mp3 *.mp4 *.exe |
| Folder paths | C:\Users\Windows\Desktop\ C:\Users\Windows\Downloads\ C:\Users\Windows\Music\ C:\Users\Windows\Pictures\ C:\Users\Public\Documents\ C:\Users\Windows\Videos\ C:\users\%username%\downloads\ C:\Users\%username%\Documents\ C:\Users\%username%\Desktop\ C:\Users\%username%\Music\ C:\Users\%username%\Videos\ C:\Users\%username%\Pictures\ C:\DRIVERS C:\Games C:\NVIDIA |
The below figure shows the dropped files by “windows.exe” and the code snippet of VBS/BAT file used for the file rename operation.
The below figure shows the comparison of original and renamed file, showing that the malware does not encrypt file and changes only file names.
Dropping Ransom Notes:
In the next process, the malware executes “windll.exe” file and further drops three files in the same folder named “windll.VBS”, “windll.bat” and “Readme.txt” and executes “windll.VBS”. Similarly, the windll.VBS executes “windll.bat” which further copies “Readme.txt” into specific folders and opens ransomware note file “Readme.txt”. The below figure shows the dropped files by “windll.exe” and code snippet of VBS/BAT file used for copying the ransom notes into different locations.
Deleting System Drives:
The malware now tries to execute a file “dell.exe” file but the file is not available in the victim’s machine as the malware has wrongly named it as “del.exe” while dropping the file initially. The “del.exe” has code to drop three files named “dell.VBS”, “dell.bat” , “Readme.txt and executes “dell.VBS”. The “dell.VBS” executes “dell.bat” which further deletes all system drives [A:\ – Z:\] except C:\ drive. The below figure shows the files present inside “del.exe” and code snippet of VBS/BAT file.
Network communication:
Finally, the malware executes “open.exe” which drops three files named “open.VBS”, “open.bat” and “Readme.txt” in the same directory and executes “open.VBS” file. The “open.VBS” file executes “open.bat” which further connects to the URL mentioned below and opens “readme.txt”
- hxxps[:]//lllllllllll.loseyourip[.]com/downloads
The below figure shows the dropped files by “open.exe” and code snippet of VBS/BAT file.
In the dropped “Readme.txt” ransom note, victims are given instructions (multiple languages) on how they can contact the TAs for file recovery along with the ransom amount.
Conclusion
Fake ransomware acts as a usual ransomware but does not encrypt the files. The Fake ransomware show false information that the files are encrypted and threaten the user to pay ransom for decryption. There is a possibility that victims can pay ransom to recover the files as they are renamed and unusable. We are not sure about the authenticity of the decryptor if the ransom is paid. Even if the decryptor is provided, renaming files to their original file name is not possible as the malware is not storing them anywhere in during the infection.
Cyble Research and Intelligence Labs will continue monitoring the latest phishing or malware strains in the wild and update blogs with actionable intelligence to protect users from such notorious attacks.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
Safety Measures Needed to Prevent Ransomware Attacks
- Conduct regular backup practices and keep those backups offline or in a separate network.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
Users Should Take the Following Steps After the Ransomware Attack
- Detach infected devices on the same network.
- Disconnect external storage devices if connected.
- Inspect system logs for suspicious events.
Impacts And Cruciality of Ransomware
- Loss of valuable data.
- Loss of the organization’s reputation and integrity.
- Loss of the organization’s sensitive business information.
- Disruption in organization operation.
- Financial loss.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Execution | T1204 T1059 T1064 | User Execution Command and Scripting Interpreter Scripting |
| Persistence | T1547 | Registry Run Keys / Startup Folder |
| Defense Evasion | T1027 T1045 T1036 | Obfuscated Files or Information Software Packing Masquerading |
| Discovery | T1082 T1083 | System Information Discovery File and Directory Discover |
| Impact | T1486 | Data Encrypted for Impact |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| 9d8c4e31390d8c425577eb8c485dad30 5894425efcd316df81e771caf84f0bf8b96a0251 fbb21d552b04494bf40cf5aded24601449dfa8d597325e8d4169d345fe185f15 | MD5 SHA1 Sha256 | Main Exe |
| 79d233b0784662d36e9d00709ce07cee 15dc593f9ab6eae478375701a2136cb7bcda5281 a7cc8279079b0607b26e96f015f80fdc2d859c718580cefdcd71f68d3f2343ae | MD5 SHA1 Sha256 | avtstart.bat |
| 792e7f12a74f494924b911af0ac6b53d 1f1da277f3f756663928bce3b1000a6c9afb27b9 ebdd62038e493a6ea99ce4dfbb77802ef262bfb3926f3ab50d13df466ae9f254 | MD5 SHA1 Sha256 | windowss.exe |
| 3b237feb1de10cdbd9080acadbf9d0d1 ecada6346700c5a4037cf84a812cbb22a64fdcc7 8db5124c8f806d68e5c1450d31e4f549fb348970d30e53584664fd38ebaf7a85 | MD5 SHA1 Sha256 | windowss.VBS |
| 8047af7083f55057c39240ee8a3c59a0 3b33087ca9562314d2eeb16668e8d6880d271ebc 8d7ccc382aac3c819754979a38f8dfe1c5774fb055f0e098fa056f01b681289b | MD5 SHA1 Sha256 | windowss.bat |
| fd40fee3640520ab245ed4e24cfcae18 5dd95715a5db5d994c660c4861d7f96bec2049ef caf3910f98aa039b2a61cdc77cc56b9c3521d0b932087e57dc4b2f8bbe1c61ec | MD5 SHA1 Sha256 | windll.exe |
| 14adc56e6cdc9eea2da31cd37e80ff40 c9ca7e941c56f617ac912b3ca933d240fb5d72ef ec5fb2a9908a2a6ea9e83cf530bcaf3ffaa8a709d730fb5bb9e6ca1b40b67f0c | MD5 SHA1 Sha256 | Windll.VBS |
| 4fbbad020707058b240686f8a403e281 dd10ec5c703a607dafa25840ff9e8b3b48ab7c06 e0d0c643c747815e168a886f1f609397e95ba3fc89847d50f624746a287815c6 | MD5 SHA1 Sha256 | Windll.bat |
| 8796357b6900783ab224a75a6cbf46c3 3b7144e8c71be40e22d40a6ee50d74f1eb965b38 c7b26217ecb945a302be47c50f101a18229110563b0aa1ecb1d1d393ed93b71e | MD5 SHA1 Sha256 | open.exe |
| dde2870ea6242ddfb4d992ce9cd6be66 a77c0c5b742b78ff7ac2ead64bce2a551c8014da d8f3400a4c5ac2301b01a099c078a315bf12431a82207607864400d9fdb803c6 | MD5 SHA1 Sha256 | Open.VBS |
| 06da87c602a37145a81f3a9bf86abfd5 2e3029d669e73da1fc1ab4ffb2680aac259eded5 5bf85ad97158158378d76ece4a7da510d9a1c918f38ee7bfc62d90deb71f1957 | MD5 SHA1 Sha256 | Open.bat |
| fcd71b274250cfee5479c9e81cdc3320 c80407f332d8480e5274aabb6ad86c022cccbd78 5e742ede76bded5a5dc6d7a8f5594d013c50e6a0d6b703a21ffebb5f541b5304 | MD5 SHA1 Sha256 | del.exe |
| 2b15f0f4ce39439e3ec3583a4826b2fa 2f3231259be584810eebf7b3625dda18ed9c18c9 7355fc8d1bd95d26fe04801f79b84b4e2a1aa56bbb89fa6553e5ad6d1311e84b | MD5 SHA1 Sha256 | del.VBS |
| 55851108c7cffec56fb17205a6ba9f0f 06ba09725a56f149d04fa8d86f353f8fae0a187c f6b98b28fd26f29c33894be4a705e274778a462a472a8c171e07a3345935d243 | MD5 SHA1 Sha256 | del.bat |
| 007c699ccbb642be83ef3e3a19b0006f 5e311d75a42298613be4e42e8d0ee45aa4e3651c 9e030b3b69466b16751a7ee5cbe1c3f54fe4816b5664ed53ad892a4ade9e7482 | MD5 SHA1 Sha256 | Readme.txt |
