Threat behavior
Ransom:Win32/Filecoder!MSR follows a structured infection process designed for operational efficiency and detection evasion. Upon launch, it often inspects the device's environment and can skip systems with certain language settings, focusing the attack on specific geographic regions. It disables security features, including firewalls and backup services, so that they cannot interfere with its encryption routine. Filecoder uses a hybrid cryptographic approach: AES-256 encrypts file contents, and RSA-1024 or RSA-2048 protects the generated keys. Many variants embed a hardcoded RSA public key in the binary to protect session keys, a design choice that lets them function without an active internet connection. To speed up the infection, files smaller than approximately 1.5 megabytes are encrypted in full, while larger files are partially encrypted, with only specific blocks of data locked.
The technical architecture of the Filecoder family varies significantly across variants. Some versions are written in Delphi for efficient system-level interaction, while others use the NW.js framework to run JavaScript as a standalone Windows application. Filecoder maintains persistence by modifying Windows Registry entries so that it launches automatically at Windows startup. Common persistence markers include keys added under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\Run using random or masqueraded file names. To maximize impact, the malware attempts to spread laterally across a network by scanning shared drives and reachable IPv4 hosts. It also runs process watchdog threads that terminate database management systems (DBMS), email clients, and office suites that might hold open file handles on targeted data.
Ransom:Win32/Filecoder!MSR drops several files during and after the infection process, including ransom instructions and temporary scripts:
- Ransom notes: info.hta, info.txt, Readme.README, and How to decrypt your files.txt are frequently placed in encrypted folders and on the user's desktop.
- Malicious binaries: Files such as chrome.exe (a masqueraded browser component), update.bat, and randomly named binaries (for example, %LOCALAPPDATA%\<random>.exe) handle the primary payload delivery.
- Cleanup and exfiltration tools: Scripts like %User Temp%\update.bat launch Filecoder and delete the original installer, while tools like WinSCP or Mega[.]io are used to exfiltrate documents before encryption.
- Active processes: Observed processes include cmd.exe /c for script launching, mmc.exe for privilege escalation, and specialized binaries like 1saas.exe or Phobos.exe for file locking.
Registry modifications:
- Persistence: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Filecoder name> and HKCU\Software\Microsoft\Windows\CurrentVersion\Run with values pointing to %LOCALAPPDATA% or %APPDATA% paths.
- System integrity: Modification of HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal so that the malware can run in Safe Mode, and of HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, where MaxMpxCt is set to 65535 to speed up encryption over the network.
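The registry markers above can be checked directly on a host. The following PowerShell script is an added example (not code from the Microsoft page): it reads the two Run keys, the SafeBoot\Minimal subkeys, and the LanmanServer MaxMpxCt value, and reports entries that match the patterns the page describes. The user-writable path pattern and the SafeBoot heuristics are this example's own assumptions; it is read-only and is meant for an elevated session on the host under triage.

```powershell
# Added example, not from the Microsoft page: read-only audit of the registry
# locations listed as Filecoder persistence and system-integrity markers.
# Run in an elevated PowerShell session on the host being triaged.

# Assumption: a Run entry or service binary living under a user profile's
# AppData/Temp tree (or an unexpanded %APPDATA%/%LOCALAPPDATA%/%TEMP%) is worth a look.
$SuspiciousPath = '\\AppData\\(Local|Roaming)\\|\\Temp\\|%(LOCAL)?APPDATA%|%TEMP%'
$ProviderProps  = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Invoke-FilecoderRegistryAudit {
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Check, [string]$Key, [string]$Name, [string]$Value) {
        $findings.Add([pscustomobject]@{ Check = $Check; Key = $Key; Name = $Name; Value = $Value })
    }

    # 1. Run keys whose value points into a user-writable staging directory.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
            if ($ProviderProps -contains $p.Name) { continue }   # provider metadata, not a Run entry
            if ([string]$p.Value -imatch $SuspiciousPath) {
                Add-Finding 'Run entry in user-writable directory' $key $p.Name ([string]$p.Value)
            }
        }
    }

    # 2. SafeBoot\Minimal: entries normally carry a default value of "Service" or
    #    "Driver". Anything else, or a listed service whose ImagePath sits in a user
    #    directory, is reported for review (heuristic, this example's assumption).
    $safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'
    foreach ($sub in Get-ChildItem -LiteralPath $safeBoot -ErrorAction SilentlyContinue) {
        $name = $sub.PSChildName
        $kind = [string]$sub.GetValue('')
        if ($kind -notin @('Service', 'Driver')) {
            Add-Finding 'SafeBoot\Minimal entry with unexpected type' $sub.Name $name $kind
        }
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (Test-Path -LiteralPath $svcKey) {
            $image = [string](Get-ItemProperty -LiteralPath $svcKey).ImagePath
            if ($image -imatch $SuspiciousPath) {
                Add-Finding 'SafeBoot\Minimal service runs from user directory' $sub.Name $name $image
            }
        }
    }

    # 3. MaxMpxCt = 65535 on LanmanServer. Administrators occasionally set this
    #    themselves, so treat a hit as a lead to correlate, not as proof.
    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $mpx = (Get-ItemProperty -LiteralPath $lanman -ErrorAction SilentlyContinue).MaxMpxCt
    if ($null -ne $mpx -and [int]$mpx -eq 65535) {
        Add-Finding 'LanmanServer MaxMpxCt set to 65535' $lanman 'MaxMpxCt' ([string]$mpx)
    }

    return $findings
}

$results = @(Invoke-FilecoderRegistryAudit)
if ($results.Count -eq 0) { 'No Filecoder registry indicators found.' }
else { $results | Format-Table -AutoSize -Wrap }
```

Each finding carries the key and value so it can be pasted into a ticket or compared against a known-good baseline; the Run-key check only covers the logged-on user's HKCU hive, so loaded user hives on a shared host need to be checked separately.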
Filecoder connects to various external IP addresses and domains to upload details and status of the infected device, retrieve keys, or exfiltrate data:
- C2 IP addresses: 194[.]165.16[.]4, 45[.]9.74[.]14, 147[.]78.47[.]224, 185[.]202.0[.]111, 176[.]103.62[.]217, and 99[.]83.154[.]118.
- Domains and URLs: adstat477d[.]xyz, serverxlogs21[.]xyz, demstat577d[.]xyz, baroquetees[.]com, and rumahsia[.]com.
- Email contacts: threat-actor-controlled email addresses such as henryk@onionmail[.]org, AlbetPattisson1981@protonmail[.]com, and rrr888_3000@126[.]com appear in ransom notes for negotiation.
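The indicators above are defanged, so they will not match log text as written. The following PowerShell script is an added example (not code from the Microsoft page) that refangs the page's IP, domain and email indicators and searches log lines for them as whole tokens, so that 45.9.74.14 is not reported inside an unrelated address such as 45.9.74.140 while a subdomain of a listed domain still matches. The log lines are constructed for illustration.

```powershell
# Added example, not from the Microsoft page: match the page's defanged network and
# email indicators against DNS, proxy, or firewall log text.

$FilecoderIndicators = @(
    # C2 IP addresses (as listed on the page)
    '194[.]165.16[.]4', '45[.]9.74[.]14', '147[.]78.47[.]224',
    '185[.]202.0[.]111', '176[.]103.62[.]217', '99[.]83.154[.]118',
    # Domains
    'adstat477d[.]xyz', 'serverxlogs21[.]xyz', 'demstat577d[.]xyz',
    'baroquetees[.]com', 'rumahsia[.]com',
    # Email contacts seen in ransom notes
    'henryk@onionmail[.]org', 'AlbetPattisson1981@protonmail[.]com', 'rrr888_3000@126[.]com'
)

function ConvertFrom-Defanged {
    param([Parameter(Mandatory)][string]$Indicator)
    # Reverse the "[.]" defanging so the indicator matches what logs actually contain.
    return ($Indicator -replace '\[\.\]', '.')
}

function Find-IocHits {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [Parameter(Mandatory)][string[]]$Indicators
    )
    # One alternation of regex-escaped indicators. The lookbehind rejects a preceding
    # word character (so "xrumahsia.com" is not a hit) but allows a preceding dot
    # (so "cdn.rumahsia.com" is). The lookahead rejects a following word character,
    # optionally after a dot, so "45.9.74.14" does not match inside "45.9.74.140" or
    # "example.com" inside "example.com.au", while a trailing DNS dot is tolerated.
    $escaped = $Indicators | ForEach-Object { [regex]::Escape((ConvertFrom-Defanged -Indicator $_)) }
    $pattern = '(?<![\w-])(' + ($escaped -join '|') + ')(?!\.?[\w-])'
    $regex   = [regex]::new($pattern, [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)

    foreach ($line in $Lines) {
        foreach ($m in $regex.Matches($line)) {
            [pscustomobject]@{ Indicator = $m.Groups[1].Value; Line = $line }
        }
    }
}

# Constructed sample log lines (not real telemetry). Expected: hits on lines 1 and 2 only.
$sampleLog = @(
    '2024-05-01T10:02:11Z dns client=10.0.0.15 query=adstat477d.xyz. type=A',
    '2024-05-01T10:02:12Z fw action=allow src=10.0.0.15 dst=194.165.16.4:443 proto=tcp',
    '2024-05-01T10:02:13Z dns client=10.0.0.15 query=login.microsoftonline.com. type=A',
    '2024-05-01T10:02:14Z fw action=allow src=10.0.0.16 dst=45.9.74.140:443 proto=tcp'
)

Find-IocHits -Lines $sampleLog -Indicators $FilecoderIndicators | Format-Table -AutoSize -Wrap
```

Against a real export, call `Find-IocHits -Lines (Get-Content .\firewall.log) -Indicators $FilecoderIndicators`. Because the indicator list on this page is a snapshot, a hit is a starting point for pivoting on the source host and time window rather than a verdict on its own; conversely, no hit does not clear a host, since infrastructure rotates.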
Prevention
- Secure Remote Desktop Protocol (RDP) and other remote management tools by enforcing strong, unique passwords and, critically, multi-factor authentication (MFA). Do not expose these services directly to the internet; instead, require access through a virtual private network (VPN) with additional access controls.
- Apply security updates for Windows, applications, network appliances, and firmware. Ransomware groups frequently exploit known, unpatched vulnerabilities to gain initial access to networks.
- Use tools such as Group Policy Objects (GPOs) or local security policies to restrict the launch of software from high-risk user directories, such as %AppData%, %LocalAppData%, and %Temp%. This blocks a common tactic in which ransomware is staged in, and launched from, those directories.
- Disable macros in Microsoft Office files by default through GPOs or registry settings. If macros are necessary for business functions, allow them to run only from trusted locations or in files digitally signed by verified publishers.
- Implement and regularly test a "3-2-1" backup rule: maintain three copies of data, on two different types of storage media, with one copy stored offline or in an immutable, air-gapped state. This ensures a recoverable copy exists even if the primary network is compromised.
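One way to implement the directory restriction recommended above is an AppLocker path rule set. The following PowerShell script is an added example (not code from the Microsoft page): it generates a policy that denies executables launched from every user profile's AppData\Roaming and AppData\Local trees (which include %Temp%), keeps the three standard AppLocker default allow rules so ordinary software continues to run, dry-runs the policy against a probe path, and merges it into the local policy in AuditOnly mode. Rule names and GUIDs are generated by the example; it assumes an elevated session on a Windows edition that supports AppLocker, with the Application Identity service (AppIDSvc) running for enforcement.

```powershell
# Added example, not from the Microsoft page: AppLocker rules that deny EXE launches
# from user-profile staging directories, applied in AuditOnly mode first.

function New-PathRule([string]$Name, [string]$Path, [string]$Action, [string]$Sid = 'S-1-1-0') {
    # S-1-1-0 is the well-known SID for Everyone; S-1-5-32-544 is BUILTIN\Administrators.
    @"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

# AppLocker evaluates Deny rules before Allow rules, so the two Deny entries win even
# though the Allow entries are broad. %OSDRIVE% is an AppLocker path variable.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$(New-PathRule 'Deny EXE from AppData Roaming' '%OSDRIVE%\Users\*\AppData\Roaming\*' 'Deny')
$(New-PathRule 'Deny EXE from AppData Local (includes Temp)' '%OSDRIVE%\Users\*\AppData\Local\*' 'Deny')
$(New-PathRule 'Allow Program Files' '%PROGRAMFILES%\*' 'Allow')
$(New-PathRule 'Allow Windows' '%WINDIR%\*' 'Allow')
$(New-PathRule 'Allow Administrators' '*' 'Allow' 'S-1-5-32-544')
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'filecoder-applocker-audit.xml'
Set-Content -LiteralPath $policyPath -Value $policyXml -Encoding UTF8

# Dry-run: an empty probe file under %LocalAppData% should come back as Denied.
$probe = Join-Path $env:LOCALAPPDATA 'applocker-probe.exe'
New-Item -ItemType File -Path $probe -Force | Out-Null
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe -User Everyone | Format-Table -AutoSize
Remove-Item -LiteralPath $probe

# Merge into the local AppLocker policy. With EnforcementMode="AuditOnly", matches are
# written to the "Microsoft-Windows-AppLocker/EXE and DLL" log (event ID 8003) without
# blocking. After reviewing that log, change the mode to "Enabled" and re-apply.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Enforcement depends on the Application Identity service; confirm it is running.
Get-Service AppIDSvc | Select-Object Name, Status, StartType
```

Expect audit hits from software that legitimately installs per user (collaboration clients, browsers, updaters); add publisher-based Allow rules for those before switching to enforcement, and deploy the resulting policy through a GPO rather than per host once it is stable.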
For more tips on how to keep your device safe, go to the Microsoft security help & learning portal.
To learn more about preventing trojans or other malware from affecting individual devices, read about preventing malware infection.