Installation
This threat gets installed by running an MSI file. The MSI file contains two files, which are responsible for infecting the computer:
- UVNC_Install.bat - 5203C0DB580D144FCC889B41057C29209152BC0BD67567C67E2A9731AC3C2FD5
- PonyFinal.jar - 18894DB26EE6EFF366A81D924B7F4C8E510D98793B307638E67721DA15EAEBBA
The UVNC_Install.bat file performs the following tasks without your consent:
- Deletes shadow copies to prevent recovery of encrypted files
- Stops the following processes from running to ensure that files are not locked and can be encrypted:
  - EXCEL.EXE
  - groove.exe
  - javaw.exe
  - lync.exe
  - MSACCESS.EXE
  - msosync.exe
  - MSPUB.EXE
  - ONENOTE.EXE
  - OUTLOOK.EXE
  - POWERPNT.EXE
  - VISIO.EXE
  - WINPROJ.EXE
  - WINWORD.EXE
- Creates a scheduled task named "Java updater" that runs at user logon with SYSTEM privileges
- Launches the PonyFinal.jar file
Payload file execution
The PonyFinal.jar file drops the following files inside the C:\Users\Public\ folder:
- RunTask.bat - used by scheduled task Java Updater
- tmp.jar - copy of main payload PonyFinal.jar file
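The installation steps and dropped files described above can be turned into host-level detection logic. The following is an added example, not code from the original analysis: it classifies process-creation command lines against the behaviours the page lists (shadow copy deletion, mass termination of the named Office processes, the "Java updater" task running as SYSTEM, launching PonyFinal.jar, and artifacts under C:\Users\Public\). The sample log lines are constructed to match those behaviours; the exact commands inside UVNC_Install.bat are not shown on this page and are assumed here.

```python
import re

# Process names the page says UVNC_Install.bat terminates before encryption.
OFFICE_PROCS = {"excel.exe", "groove.exe", "javaw.exe", "lync.exe", "msaccess.exe",
                "msosync.exe", "mspub.exe", "onenote.exe", "outlook.exe",
                "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe"}

# Artifacts the page names: files dropped under C:\Users\Public\ and the wrapped key file.
DROPPED_FILES = re.compile(r"c:\\users\\public\\(runtask\.bat|tmp\.jar)|\bkeys\.enc\b", re.I)

def scheduled_task_rule(cmd):
    """Flag a schtasks creation of 'Java updater' that runs as SYSTEM (assumed schtasks syntax)."""
    c = cmd.lower()
    return ("schtasks" in c and "/create" in c
            and re.search(r'/tn\s+"?java updater"?', c) is not None
            and re.search(r'/ru\s+"?(nt authority\\)?system"?', c) is not None)

def classify(cmd):
    """Return the behaviour labels a single process command line triggers."""
    c = cmd.lower()
    labels = []
    if re.search(r"vssadmin(\.exe)?\s+delete\s+shadows", c):
        labels.append("shadow_copy_deletion")
    if "taskkill" in c and sum(p in c for p in OFFICE_PROCS) >= 3:
        labels.append("mass_office_taskkill")
    if scheduled_task_rule(c):
        labels.append("java_updater_task_as_system")
    if re.search(r"javaw?(\.exe)?\s+-jar\s+\S*ponyfinal\.jar", c):
        labels.append("ponyfinal_jar_launch")
    if DROPPED_FILES.search(c):
        labels.append("public_folder_artifact")
    return labels

def scan(lines):
    """Map each behaviour label to the log lines that triggered it."""
    findings = {}
    for line in lines:
        for label in classify(line):
            findings.setdefault(label, []).append(line)
    return findings

# Constructed sample process-creation command lines (not the real batch file contents).
SAMPLE_LOG = [
    r'vssadmin.exe delete shadows /all /quiet',
    r'taskkill /f /im EXCEL.EXE /im WINWORD.EXE /im OUTLOOK.EXE /im ONENOTE.EXE',
    r'schtasks /create /tn "Java updater" /sc onlogon /ru SYSTEM /tr C:\Users\Public\RunTask.bat',
    r'javaw.exe -jar C:\Users\Public\PonyFinal.jar',
    r'notepad.exe C:\Users\alice\notes.txt',
]

if __name__ == "__main__":
    for label, lines in scan(SAMPLE_LOG).items():
        print(label, "->", lines)
```

Any single label is a weak signal on its own; the page's chain (shadow deletion, then Office taskkill, then the SYSTEM task, then the .jar launch) occurring on one host within a short window is the stronger indicator.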
The .jar file contains a list of hard-coded host names or computer names. If the malware finds it is running on one of these devices, it exits without making further changes.
If the malware is not running on one of the listed devices, it checks whether the current system date is earlier than a hard-coded value in the program and, if so, sleeps for 300,000 milliseconds in a loop. Once the system date matches the hard-coded value, the malware starts the infection process.
As the malware traverses through the file system, it excludes the following directories from encryption:
- AppData
- Program files
- Windows
The hard-coded list of host names or computer names may have come from earlier reconnaissance and exfiltration activity using other implants already present in the compromised network. It also indicates that the ransomware payload is customized based on reconnaissance results.
File encryption and renaming
As the malware traverses through the file system, it encrypts all the files having any of the following extensions:
.docx, .docm, .dotx, .dotm, .docb, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, xlw, .ppt, .pot, .pps, .900, .TSF, .001, .7z, .arj, .deb, .pkg, .rar, .rpm, .tar.gz, .z, .zip, .csv, .dat, .db, .dbf, .log, .mdb, .sav, .sql, .tar, .xml, .ai, .bmp, .gif, .ico, .jpeg, .jpg, .png, .ps, .psd, .svg, .tif, .tiff, .sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .v, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, .wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt, .mp3, .mpa, .ogg, .wav, .wma, .wpl, .cda, .ldf
After encrypting a file, the malware saves it with a .enc extension in the same directory. For example, a file named inventory.xml is saved as inventory.xml.enc after encryption.
The malware uses symmetric encryption (AES/CBC/PKCS5Padding) with a randomly generated key. It protects that key with asymmetric encryption (RSA) and stores the result on the computer as keys.enc. Because keys.enc can only be decrypted with the private key held by the ransomware operators, the symmetric key, and therefore the encrypted files, cannot be recovered without it.
Ransom note
This ransomware also creates the file README_files.txt in every folder where files have been encrypted. This text file contains the following ransom message:

Files used in this analysis (SHA-1s):
- a5f742d8ec903e5ff054786e0612c9ec514a9effd73fa91f7eefd98d3827dfb5
- 586e08600b0980cf115ac31c05ecda6dc302f5896771b7c99891082463e17f13