Installation
This threat runs on Linux systems and drops the following files, which contain instructions for decrypting the encrypted files. The notes are dropped in the same directory.
_DECRYPT_FILE.txt
_DECRYPT_FILE.html
Payload
Encrypts files and asks for ransom
This threat searches for and encrypts files (using RSA encryption) with the following file name extensions:
| | | | | | | | |
|---|---|---|---|---|---|---|---|
| aac | cdx | dwg | kdc | nsd | pmm | save | vdi |
| ab4 | ce1 | dxb | key | nsf | pmo | say | vhd |
| abd | ce2 | dxf | kpdx | nsg | pmr | sd0 | vhdx |
| accdb | cer | dxg | kwm | nsh | pnc | sda | vmdk |
| accde | cfg | edb | laccdb | nvram | pnd | sdb | vmsd |
| accdr | cfn | eml | lck | nwb | png | sdf | vmx |
| accdt | cgm | eps | ldf | nx2 | pnx | sh | vmxf |
| ach | cib | erbsql | lit | nxl | pot | sldm | vob |
| acr | class | erf | lock | nyf | potm | sldx | wab |
| act | cls | exf | log | oab | potx | sql | wad |
| adb | cmt | fdb | lua | obj | ppam | sqlite | wallet |
| adp | config | ffd | lz | odb | pps | sqlite3 | war |
| ads | contact | fff | lz4 | odc | ppsm | sqlitedb | wav |
| agdl | cpi | fh | lzma | odf | ppsm | sqlite-shm | wb2 |
| ai | cpp | fhd | m | odg | ppsx | sqlite-wal | wma |
| aiff | cr2 | fla | m2ts | odm | ppt | sr2 | wmf |
| ait | craw | flac | m3u | odp | pptm | srb | wmv |
| al | crt | flb | m4p | ods | pptm | srf | wpd |
| aoi | crw | flf | m4v | odt | pptx | srs | wps |
| apj | cs | flv | mab | ogg | prf | srt | x11 |
| arw | csh | flvv | mapimail | oil | ps | srw | x3f |
| ascx | csl | fpx | max | omg | psafe3 | st4 | xis |
| asf | css | fxg | mbx | orf | psd | st5 | xla |
| asm | csv | gif | md | ost | pspimage | st6 | xlam |
| asp | dac | gray | mdb | otg | pst | st7 | xlk |
| aspx | dat | grey | mdc | oth | ptx | st8 | xlm |
| asx | db | groups | mdf | otp | pwm | stc | xlr |
| atb | db_journal | gry | mef | ots | py | std | xls |
| avi | db3 | gz | mfw | ott | qba | sti | xlsb |
| awg | dbf | h | mid | p12 | qbb | stm | xlsm |
| back | dbx | hbk | mkv | p7b | qbm | stw | xlsx |
| backup | dc2 | hdd | mlb | p7c | qbr | stx | xlt |
| backupdb | dcr | hpp | mmw | pab | qbw | svg | xltm |
| bak | dcs | html | mny | pages | qbx | swf | xltx |
| bank | ddd | ibank | moneywell | pas | qby | sxc | xlw |
| bay | ddoc | ibd | mos | pat | qcow | sxd | xml |
| bdb | ddrw | ibz | mov | pbf | qcow2 | sxg | ycbcra |
| bgt | dds | idx | mp3 | pcd | qed | sxi | yuv |
| bik | def | iif | mp4 | pct | qtb | sxm | zip |
| bin | der | iiq | mpeg | pdb | r3d | sxw | |
| bkp | des | incpas | mpg | pdd | raf | tar | |
| blend | design | indd | mrw | pdf | rar | taz | |
| bmp | dgc | info | msf | pef | rat | tbb | |
| bpw | dit | info_ | msg | pem | raw | tbn | |
| bz | djvu | ini | myd | pfx | rdb | tbz | |
| bz2 | dng | jar | nd | php | rm | tex | |
Then, the ransomware adds the extension .ecrypt to the encrypted files.
Here is a sample message from the ransom note:
Warning!! Your documents, photos, databases, important files have been encrypted!
If you modify any file, it may cause make you cannot decrypt!!!
To decrypt your files please visit the following website: <payment sites>
If the above address will be unable to open or very slow, follow these steps:
1. Download and install the tor browser.
2. After successful installation, run the browser, waiting to initialize.
3. In the address bar enter:
Machine ID:
Offline ID:
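The file-system behaviour described above (targeted extensions, the appended .ecrypt extension, and the two dropped note files) is enough to build a host-side triage scan. The following is an added example, not code from the original page or from the analysis it summarises: it walks a directory tree, flags files carrying the .ecrypt suffix, checks whether each file's original extension is one the threat targets, and records which directories hold the ransom notes. The extension list is a subset of the table above, and the sample tree it scans is constructed placeholder data; it also handles the edge case of encrypted files that had no extension (README, dotfiles).

```python
"""Scan a directory tree for artifacts of the ransomware described above.

Added example, not code from the original page: it walks a tree, flags files
carrying the .ecrypt extension, checks whether each file's original extension
is one the threat targets, and records directories holding the dropped notes.
"""
import os
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".ecrypt"
RANSOM_NOTES = {"_DECRYPT_FILE.txt", "_DECRYPT_FILE.html"}

# A subset of the targeted extensions from the table above; paste in the full
# table for production use. Compared case-insensitively.
TARGETED_EXTENSIONS = {
    "accdb", "bak", "cfg", "csv", "db", "dbf", "html", "ini", "jar", "log",
    "mdb", "mp4", "pdf", "php", "png", "py", "sh", "sql", "sqlite", "tar",
    "vmdk", "xlsx", "xml", "zip",
}


def classify_encrypted_name(filename):
    """Return the original extension of an encrypted file name, or None when the
    name lacks the .ecrypt suffix. 'report.pdf.ecrypt' -> 'pdf'; a file that had
    no extension (README, or a dotfile such as .bashrc) yields ''."""
    if not filename.endswith(ENCRYPTED_SUFFIX):
        return None
    original = filename[: -len(ENCRYPTED_SUFFIX)]
    stem, dot, ext = original.rpartition(".")
    return ext.lower() if dot and stem else ""


def scan_tree(root_dir):
    """Walk root_dir and summarise ransomware artifacts found under it."""
    summary = {
        "encrypted_files": [],        # paths ending in .ecrypt
        "targeted_hits": Counter(),   # original extension -> count (in the table)
        "unexpected_ext": Counter(),  # original extension -> count (not in the table)
        "note_dirs": set(),           # directories containing a ransom note
    }
    for dirpath, _dirnames, filenames in os.walk(root_dir):
        for name in filenames:
            if name in RANSOM_NOTES:
                summary["note_dirs"].add(dirpath)
                continue
            ext = classify_encrypted_name(name)
            if ext is None:
                continue
            summary["encrypted_files"].append(os.path.join(dirpath, name))
            if ext in TARGETED_EXTENSIONS:
                summary["targeted_hits"][ext] += 1
            else:
                summary["unexpected_ext"][ext or "(none)"] += 1
    return summary


def build_sample_tree():
    """Create a constructed sample tree (placeholder files, not real malware
    output) and return its base path."""
    base = tempfile.mkdtemp(prefix="ecrypt_demo_")
    layout = {
        "home/alice": ["notes.txt", "budget.xlsx.ecrypt", "photo.png.ecrypt",
                       ".bashrc.ecrypt", "_DECRYPT_FILE.txt", "_DECRYPT_FILE.html"],
        "srv/www": ["index.php.ecrypt", "site.css", "README.ecrypt"],
        "var/log": ["syslog"],
    }
    for rel, files in layout.items():
        directory = os.path.join(base, rel)
        os.makedirs(directory, exist_ok=True)
        for name in files:
            with open(os.path.join(directory, name), "w") as fh:
                fh.write("constructed sample content\n")
    return base


def demo():
    """Scan the constructed tree and return a compact report."""
    summary = scan_tree(build_sample_tree())
    return {
        "encrypted": len(summary["encrypted_files"]),
        "targeted": dict(summary["targeted_hits"]),
        "unexpected": dict(summary["unexpected_ext"]),
        "note_dirs": len(summary["note_dirs"]),
    }


if __name__ == "__main__":
    print(demo())
```

Point `scan_tree` at a mounted image or a suspect host's root to get a per-extension count of encrypted files and the set of directories where notes were dropped; a count under `unexpected_ext` is worth a second look, since it means a file was encrypted whose extension is not in the published target list.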
Connects to a remote host
We have seen this ransomware connect to the following remote host and Tor payment sites to receive further instructions from the attackers:
- 216.126.224.128
- Tor payment sites:
  - 7fv4vg4n26cxleel.gbe0.top
  - 7fv4vg4n26cxleel.hiddenservice.net
  - 7fv4vg4n26cxleel.onion
  - 7fv4vg4n26cxleel.onion.nu
  - fv4vg4n26cxleel.onion.to
  - qzjordhlw5mqhcn7.gbe0.top
  - qzjordhlw5mqhcn7.hiddenservice.net
  - qzjordhlw5mqhcn7.onion
  - qzjordhlw5mqhcn7.onion.to
  - qzjordhlw5mqhcn7.onion.nu
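The indicators above can be turned into a simple log-matching rule. The following is an added example, not code from the original page: it takes the IP address and the Tor payment hostnames exactly as listed, and also goes beyond the list by extracting the two 16-character onion identifiers and matching them as a hostname label, so the same hidden service reached through a Tor2web gateway suffix that is not in the page's list is still flagged. The log line format, the client addresses, the gateway suffix `gateway.example` and every sample line are constructed for this example.

```python
"""Match DNS and proxy log lines against the network indicators listed above.

Added example, not code from the original page. Exact hostnames and the IP are
taken from the page; the onion identifiers are matched as labels so that other
Tor2web gateway suffixes are also caught. All sample log lines are constructed.
"""
import re
from ipaddress import ip_address

C2_IPS = {"216.126.224.128"}

# Hostnames exactly as listed on the page.
PAYMENT_HOSTS = {
    "7fv4vg4n26cxleel.gbe0.top",
    "7fv4vg4n26cxleel.hiddenservice.net",
    "7fv4vg4n26cxleel.onion",
    "7fv4vg4n26cxleel.onion.nu",
    "fv4vg4n26cxleel.onion.to",
    "qzjordhlw5mqhcn7.gbe0.top",
    "qzjordhlw5mqhcn7.hiddenservice.net",
    "qzjordhlw5mqhcn7.onion",
    "qzjordhlw5mqhcn7.onion.to",
    "qzjordhlw5mqhcn7.onion.nu",
}

# A v2 onion address is 16 base32 characters.
ONION_ID_RE = re.compile(r"^[a-z2-7]{16}$")


def onion_ids(hosts):
    """Collect the leading labels that look like v2 onion addresses."""
    return {h.split(".")[0] for h in hosts if ONION_ID_RE.match(h.split(".")[0])}


KNOWN_ONION_IDS = onion_ids(PAYMENT_HOSTS)


def host_matches(hostname):
    """Return a reason string if hostname is an indicator, else None."""
    host = hostname.lower().rstrip(".")
    if host in PAYMENT_HOSTS:
        return "exact payment host"
    labels = host.split(".")
    for i, label in enumerate(labels):
        if label in KNOWN_ONION_IDS:
            gateway = ".".join(labels[i + 1:]) or "(direct)"
            return "onion id %s via gateway %s" % (label, gateway)
    return None


def ip_matches(text):
    """True if text parses as an IP address that is in the C2 set."""
    try:
        return str(ip_address(text)) in C2_IPS
    except ValueError:
        return False


# Constructed log format: "<timestamp> <dns|proxy> key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>dns|proxy)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one log line into a dict, or None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = m.group("ts")
    fields["source"] = m.group("src")
    return fields


def scan_logs(lines):
    """Return (timestamp, client, reason) for each line that hits an indicator."""
    alerts = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue
        reason = None
        if fields["source"] == "dns" and "qname" in fields:
            reason = host_matches(fields["qname"])
        elif fields["source"] == "proxy" and "dst" in fields:
            dst = fields["dst"]
            host = dst.rpartition(":")[0] or dst  # strip an optional :port
            reason = host_matches(host) or ("c2 ip" if ip_matches(host) else None)
        if reason:
            alerts.append((fields["ts"], fields.get("client", "?"), reason))
    return alerts


SAMPLE_LOG = [  # constructed lines, not captured traffic
    "2000-01-01T00:00:01Z dns client=10.0.0.5 qname=7fv4vg4n26cxleel.gateway.example type=A",
    "2000-01-01T00:00:02Z dns client=10.0.0.5 qname=www.example.org type=A",
    "2000-01-01T00:00:03Z proxy client=10.0.0.5 dst=216.126.224.128:443 method=CONNECT",
    "2000-01-01T00:00:04Z proxy client=10.0.0.7 dst=qzjordhlw5mqhcn7.gbe0.top:80 method=GET",
    "2000-01-01T00:00:05Z dns client=10.0.0.9 qname=7fv4vg4n26cxleel.hiddenservice.net. type=A",
    "not a log line",
]

if __name__ == "__main__":
    for alert in scan_logs(SAMPLE_LOG):
        print(alert)
```

The onion-identifier match is the part worth keeping: Tor2web gateways come and go, so a rule keyed only on the listed suffixes goes stale, while the hidden-service identifier stays the same for as long as the payment site does. The malformed last line shows that the parser drops lines that do not fit the format rather than raising.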
Analysis by: Francis Tan Seng