Ransom:Win32/Sobnot.A
Aliases: No associated aliases
Summary
Microsoft Defender Antivirus detects and removes this threat.
This ransomware can stop you from using your PC or accessing your data. It might ask you to pay money (in the form of Bitcoins) to a malicious hacker.
This ransomware is installed by the Magnitude exploit kit, which used to deliver another prominent ransomware family, Cerber.
When run, this threat checks the machine's default system language. If the system language is Korean, it launches its malicious routines. Otherwise, it self-deletes after three seconds.
It encrypts files using AES 128-bit and appends the file name extension .ihsdj to encrypted files.
Our ransomware FAQ page has more information on this type of threat.
The trend towards increasingly sophisticated malware behavior, highlighted by the use of exploits and other attack vectors, makes older platforms so much more susceptible to ransomware attacks. From June to November 2017, Windows 7 devices were 3.4 times more likely to encounter ransomware compared to Windows 10 devices.
Read our latest report: A worthy upgrade: Next-gen security on Windows 10 proves resilient against ransomware outbreaks in 2017.
There is no one-size-fits-all response if you have been victimized by ransomware. There is no guarantee that paying the ransom will give you access to your files. If you've already paid, see our ransomware page for help on what to do now.
Run antivirus or antimalware software
Use the following free Microsoft software to detect and remove this threat:
- Microsoft Defender Antivirus for Windows 10 and Windows 8.1, or Microsoft Security Essentials for Windows 7 and Windows Vista
- Microsoft Safety Scanner
You should also run a full scan. A full scan might find hidden malware.
Advanced troubleshooting
To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.
Use cloud protection
Use cloud protection to help guard against the latest malware threats. It's turned on by default for Microsoft Security Essentials and Microsoft Defender Antivirus for Windows 10.
Go to Settings > Update & security > Windows Defender > Windows Defender Security Center > Virus & threat protection and make sure that your Cloud-based Protection setting is turned On.
Get more help
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.
If you’re using Windows XP, see our Windows XP end of support page.
Threat behavior
Installation
This threat may be installed by the Magnitude exploit kit.
When run, it checks the machine's default system language. If the system language is Korean, it launches its malicious routines. Otherwise, it self-deletes after three seconds.
If the system language is Korean, this threat drops a copy of itself into the %TEMP% folder and tries to ensure persistence by using Task Scheduler.
It creates a scheduled task so that it is re-launched every 15 minutes, by issuing the following command:
- schtasks /create /SC MINUTE /MO 15 /tn ihsdj /TR "pcalua.exe -a %temp%/ihsdj.exe"
This ransomware generates a pseudo-random 19-character ID made of lowercase letters and digits, which is used to uniquely identify the machine.
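The scheduled-task command above is a usable detection hook. The following is an added example (not code from the report or from Microsoft) that parses constructed process-creation events, as an EDR or Sysmon would record them, and flags `schtasks /create` calls that share the traits of Sobnot's persistence task: a 15-minute MINUTE schedule, `pcalua.exe` as the launcher, an action under %TEMP%, and the task name `ihsdj`. The sample events and the two-indicator threshold are assumptions for the demonstration.

```python
import re
import shlex

# Constructed process-creation events (not from the report), as (image, command line).
SAMPLE_EVENTS = [
    ("C:\\Users\\victim\\AppData\\Local\\Temp\\ihsdj.exe",
     'schtasks /create /SC MINUTE /MO 15 /tn ihsdj /TR "pcalua.exe -a %temp%/ihsdj.exe"'),
    ("C:\\Program Files\\Vendor\\installer.exe",
     'schtasks /create /SC DAILY /tn VendorUpdate /TR "C:\\Program Files\\Vendor\\update.exe"'),
    ("C:\\Windows\\System32\\cmd.exe", "cmd.exe /c whoami"),
]
# A task action that runs out of the user's temp folder, as Sobnot's does.
TEMP_PATH = re.compile(r"%temp%|\\appdata\\local\\temp\\", re.IGNORECASE)

def parse_schtasks(cmdline):
    """Map /option -> value for a 'schtasks /create' command line, else None."""
    argv = shlex.split(cmdline, posix=False)      # non-POSIX: quoted /TR value stays one token
    if not argv or argv[0].lower().rsplit("\\", 1)[-1] not in ("schtasks", "schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(argv):
        tok, has_val = argv[i].lower(), i + 1 < len(argv) and not argv[i + 1].startswith("/")
        if tok.startswith("/"):
            opts[tok] = argv[i + 1].strip('"') if has_val else True
            i += 1 if has_val else 0
        i += 1
    return opts if "/create" in opts else None

def sobnot_indicators(opts):
    """List the traits of the task that match the persistence command in the report."""
    action, reasons = opts.get("/tr", ""), []
    if opts.get("/sc", "").upper() == "MINUTE" and opts.get("/mo") == "15":
        reasons.append("re-launched every 15 minutes")
    if action.lower().startswith("pcalua.exe"):
        reasons.append("pcalua.exe used as a proxy launcher")
    if TEMP_PATH.search(action):
        reasons.append("task action runs from %TEMP%")
    if opts.get("/tn", "").lower() == "ihsdj":
        reasons.append("task name 'ihsdj' matches the Sobnot extension")
    return reasons

def scan_events(events, min_hits=2):
    """Return (image, task name, reasons) for tasks with at least min_hits indicators."""
    hits = []
    for image, cmdline in events:
        opts = parse_schtasks(cmdline)
        if opts is not None and len(sobnot_indicators(opts)) >= min_hits:
            hits.append((image, opts.get("/tn"), sobnot_indicators(opts)))
    return hits
```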
Payload
Encrypts files
This ransomware encrypts files using AES 128-bit in CBC mode through the Windows Crypto API.
It attempts to fetch the encryption key from the following servers:
- http://(uniqueID).bankme.date/new1
- http://(uniqueID).jobsnot.services/new1
- http://(uniqueID).carefit.agency/new1
- http://(uniqueID).hotdisk.world/new1
Any of the above URLs may respond with a 16-character key to be used for encryption. However, if all domains fail to provide a response, this ransomware uses the hardcoded key S25943n9Gt099y4K.
As the initialization vector, this threat always uses the hardcoded value EP866p5M93wDS513. It also drops a file containing the initialization vector in the %TEMP% folder.
It then scans all drives and starts the encryption process. It encrypts files with the following file name extensions:
.123 | .1cd | .3dm | .3ds | .3g2 | .3gp |
.4d | .4db | .4mp | .602 | .7z | .a3d |
.abm | .abs | .abw | .accdb | .act | .adn |
.adp | .aes | .af2 | .af3 | .aft | .afx |
.agif | .agp | .ahd | .ai | .aic | .aim |
.albm | .alf | .ans | .apd | .apm | .apng |
.aps | .apt | .apx | .arc | .art | .arw |
.asc | .ase | .asf | .ask | .asm | .asp |
.asw | .asy | .aty | .avi | .awdb | .awp |
.awt | .aww | .azz | .backup | .bad | .bak |
.bay | .bbs | .bdb | .bdp | .bdr | .bean |
.bib | .bm2 | .bmp | .bmx | .bna | .bnd |
.boc | .bok | .brd | .brk | .brn | .brt |
.bss | .btd | .bti | .btr | .bz2 | .c |
.c4 | .c4d | .ca | .cals | .can | .cd |
.cd5 | .cdb | .cdc | .cdg | .cdmm | .cdmt |
.cdmz | .cdr | .cdr3 | .cdt | .cf | .cfu |
.cgm | .cimg | .cin | .cit | .ckp | .class |
.clkw | .cma | .cmx | .cnm | .cnv | .colz |
.cpc | .cpd | .cpg | .cpp | .cps | .cpx |
.cr2 | .crd | .crt | .crw | .cs | .csr |
.csv | .csy | .ct | .cv5 | .cvg | .cvi |
.cvs | .cvx | .cwt | .cxf | .cyi | .dad |
.daf | .db | .db2 | .db3 | .dbc | .dbf |
.dbk | .dbs | .dbt | .dbv | .dbx | .dc2 |
.dca | .dcb | .dch | .dcr | .dcs | .dct |
.dcx | .dd | .dds | .ded | .der | .df1 |
.dgn | .dgs | .dgt | .dhs | .dib | .dif |
.dip | .diz | .djv | .djvu | .dm3 | .dmi |
.dmo | .dnc | .dne | .doc | .docb | .docm |
.docx | .docz | .dot | .dotm | .dotx | .dp1 |
.dpp | .dpx | .dqy | .drw | .drz | .dsk |
.dsn | .dsv | .dt | .dt2 | .dta | .dtsx |
.dtw | .dv | .dvi | .dwg | .dx | .dx |
.dxb | .dxf | .eco | .ecw | .ecx | .edb |
.efd | .egc | .eio | .eip | .eit | .em |
.emd | .emf | .emlx | .ep | .epf | .epp |
.eps | .epsf | .eq | .erf | .err | .etf |
.etx | .euc | .exr | .fa | .faq | .fax |
.fb | .fb2 | .fbx | .fcd | .fcf | .fdf |
.fdr | .fds | .fdt | .fdx | .fdxt | .fes |
.fft | .fh10 | .fh11 | .fh3 | .fh4 | .fh5 |
.fh6 | .fh7 | .fh8 | .fi | .fic | .fid |
.fif | .fig | .fla | .flr | .flv | .fm5 |
.fmv | .fo | .fodt | .fp3 | .fp4 | .fp5 |
.fp7 | .fpos | .fpt | .fpx | .frm | .frt |
.frx | .ft10 | .ft11 | .ft7 | .ft8 | .ft9 |
.ftn | .fwdn | .fxc | .fxg | .fzb | .fzv |
.g3 | .gcdp | .gdb | .gdoc | .gem | .geo |
.gfb | .gfie | .ggr | .gif | .gih | .gim |
.gio | .glox | .gpd | .gpg | .gpn | .gro |
.grob | .grs | .gsd | .gthr | .gtp | .gv |
.gwi | .gz | .h | .hbk | .hdb | .hdp |
.hdr | .hht | .his | .hp | .hpg | .hpg |
.hpi | .hs | .htc | .hwp | .hz | .i3d |
.ib | .ibd | .icn | .icon | .icpr | .idc |
.idea | .idx | .igt | .igx | .ihx | .ii |
.iiq | .imd | .info | .ink | .ipf | .ipx |
.iso | .itc2 | .itdb | .itw | .iwi | .j |
.j2c | .j2k | .jar | .jas | .java | .jb2 |
.jbig | .jbmp | .jbr | .jfif | .jia | .jis |
.jng | .joe | .jp1 | .jp2 | .jpe | .jpeg |
.jpg | .jpg2 | .jps | .jpx | .jrtf | .js |
.jsp | .jtf | .jtx | .jw | .jxr | .kdb |
.kdbx | .kdc | .kdi | .kdk | .kes | .key |
.kic | .klg | .knt | .kon | .kpg | .kwd |
.lay | .lay6 | .lbm | .lbt | .ldf | .lgc |
.lis | .lit | .ljp | .lmk | .lnt | .lp2 |
.lrc | .lst | .ltr | .ltx | .lue | .luf |
.lwo | .lwp | .lws | .lyt | .lyx | .m3d |
.m3u | .m4u | .ma | .mac | .man | .map |
.maq | .mat | .max | .mb | .mbm | .mbox |
.mdb | .mdf | .mdn | .mdt | .me | .mef |
.mel | .mft | .mgcb | .mgmf | .mgmt | .mgmx |
.mgtx | .mid | .min | .mkv | .mm | .mmat |
.mnr | .mnt | .mos | .mov | .mp3 | .mp4 |
.mpeg | .mpf | .mpg | .mpo | .mrg | .mrxs |
.msg | .mt9 | .mud | .mwb | .mwp | .mx |
.my | .myd | .myi | .ncr | .nct | .ndf |
.nef | .nfo | .njx | .nlm | .now | .nrw |
.ns2 | .ns3 | .ns4 | .nsf | .nv2 | .nyf |
.nzb | .obj | .oc3 | .oc4 | .oc5 | .oce |
.oci | .ocr | .odb | .odg | .odm | .odo |
.odp | .ods | .odt | .of | .oft | .omf |
.onetoc2 | .oplc | .oqy | .ora | .orf | .ort |
.orx | .ost | .ota | .otg | .oti | .otp |
.ots | .ott | .ovp | .ovr | .owc | .owg |
.oyx | .ozb | .ozj | .ozt | .p | .p12 |
.p7s | .p96 | .p97 | .pa | .pan | .pano |
.pap | .paq | .pas | .pbm | .pc1 | .pc2 |
.pc3 | .pcd | .pcs | .pdb | .pdd | |
.pdm | .pds | .pdt | .pe4 | .pef | .pem |
.pff | .pfi | .pfs | .pfv | .pfx | .pgf |
.pgm | .phm | .php | .pi1 | .pi2 | .pi3 |
.pic | .pict | .pix | .pjpg | .pjt | .plt |
.pm | .pmg | .png | .pni | .pnm | .pntg |
.pnz | .pobj | .pop | .pot | .potm | .potx |
.pp4 | .pp5 | .ppam | .ppm | .pps | .ppsm |
.ppsx | .ppt | .pptm | .pptx | .prt | .prw |
.ps1 | .psd | .psdx | .pse | .psid | .psp |
.pst | .psw | .ptg | .pth | .ptx | .pu |
.pvj | .pvm | .pvr | .pwa | .pwi | .pwr |
.px | .pxr | .pz3 | .pza | .pzp | .pzs |
.qd | .qmg | .qpx | .qry | .qvd | .rad |
.rar | .ras | .raw | .rb | .rctd | .rcu |
.rd | .rdb | .rft | .rgb | .rgf | .rib |
.ric | .riff | .ris | .rix | .rle | .rli |
.rng | .rpd | .rpf | .rpt | .rri | .rs |
.rsb | .rsd | .rsr | .rst | .rt | .rtd |
.rtf | .rtx | .run | .rw | .rw2 | .rzk |
.rzn | .s2mv | .s3m | .saf | .sam | .sbf |
.scad | .scc | .sch | .sci | .scm | .sct |
.scv | .scw | .sdb | .sdf | .sdm | .sdoc |
.sdw | .sep | .sfc | .sfw | .sgm | .sh |
.sig | .sk1 | .sk2 | .skm | .sla | .sld |
.sldm | .sldx | .slk | .sln | .sls | .smf |
.sms | .snt | .sob | .spa | .spe | .sph |
.spj | .spp | .spq | .spr | .sq | .sqb |
.sqlite3 | .sqlitedb | .sr2 | .srw | .ssa | .ssk |
.st | .stc | .std | .sti | .stm | .stn |
.stp | .str | .stw | .sty | .sub | .suo |
.svf | .svg | .svgz | .swf | .sxc | .sxd |
.sxg | .sxi | .sxm | .sxw | .tab | .tar |
.tbk | .tcx | .tdf | .tdt | .te | .tex |
.text | .tgz | .thp | .tif | .tiff | .tlb |
.tlc | .tm | .tmd | .tmv | .tmx | .tne |
.tpc | .trm | .tvj | .u3d | .u3i | .udb |
.ufr | .unx | .uof | .uop | .uot | .upd |
.usr | .utf8 | .utxt | .v12 | .vb | .vbr |
.vbs | .vcd | .vct | .vdb | .vdi | .vec |
.vm | .vmdk | .vmx | .vnt | .vob | .vpd |
.vrm | .vrp | .vsd | .vsdm | .vsdx | .vsm |
.vstm | .vstx | .vue | .vw | .wallet | .wav |
.wb2 | .wbk | .wcf | .wdb | .wgz | .wire |
.wk1 | .wks | .wma | .wmdb | .wmv | .wn |
.wp | .wp | .wp4 | .wp5 | .wp6 | .wp7 |
.wpa | .wpd | .wpg | .wps | .wpt | .wpw |
.wri | .wsc | .wsd | .wsh | .wtx | .x |
.x3d | .xar | .xd | .xdb | .xlc | .xld |
.xlf | .xlgc | .xlm | .xls | .xlsb | .xlsm |
.xlsx | .xlt | .xltm | .xltx | .xlw | .xps |
.xwp | .xy3 | .xyp | .xyw | .ya | .ybk |
.ym | .z3d | .zabw | .zdb | .zdc | .zip |
.zw |
Each encrypted file will have the initialization vector written in the first 16 bytes.
This ransomware appends the file name extension .ihsdj to encrypted files.
It does not encrypt files in the following folders:
- :\documents and settings\all users\
- :\documents and settings\default user\
- :\documents and settings\localservice\
- :\documents and settings\networkservice\
- \appdata\local\
- \appdata\locallow\
- \appdata\roaming\
- \local settings\
- \public\music\sample music\
- \public\pictures\sample pictures\
- \public\videos\sample videos\
- \tor browser\
- \$recycle.bin
- \$windows.~bt
- \$windows.~ws
- \boot
- \intel
- \msocache
- \perflogs
- \program files (x86)
- \program files
- \programdata
- \recovery
- \recycled
- \recycler
- \system volume information
- \windows.old
- \windows10upgrade
- \windows
- \winnt
Displays ransom note
This ransomware drops a ransom note in every folder where it encrypted at least one file. The ransom note has the file name READ_ME_FOR_DECRYPT_<Unique ID>_.txt.
After completing the encryption process, this ransomware attempts to signal completion to its server by accessing the following URLs:
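The two on-disk artifacts described above (the .ihsdj files whose first 16 bytes are the hardcoded IV, and the READ_ME_FOR_DECRYPT_<Unique ID>_.txt note in every affected folder) make a quick file-system triage possible. The following is an added example, not code from the report or from Microsoft: it walks a directory tree, separates genuinely Sobnot-encrypted files (extension and IV header) from files that merely carry the extension, and flags folders that hold encrypted files but no note. The sample tree it builds is constructed placeholder data.

```python
import os
import re
import tempfile

HARDCODED_IV = b"EP866p5M93wDS513"   # always written to the first 16 bytes of an encrypted file
ENCRYPTED_EXT = ".ihsdj"
# Ransom note name carries the 19-character lowercase alphanumeric machine ID.
NOTE_RE = re.compile(r"^READ_ME_FOR_DECRYPT_([a-z0-9]{19})_\.txt$")

def classify_file(path):
    """Label one file: 'note', 'encrypted' (extension and IV header), 'ext-only' or None."""
    name = os.path.basename(path)
    if NOTE_RE.match(name):
        return "note"
    if name.lower().endswith(ENCRYPTED_EXT):
        with open(path, "rb") as f:
            return "encrypted" if f.read(16) == HARDCODED_IV else "ext-only"
    return None

def triage_tree(root):
    """Walk a tree, collect indicators, and flag folders with encrypted files but no note."""
    summary = {"encrypted": [], "ext-only": [], "note": [], "folders_missing_note": []}
    for dirpath, _dirs, files in os.walk(root):
        seen = set()
        for fn in files:
            label = classify_file(os.path.join(dirpath, fn))
            if label:
                seen.add(label)
                summary[label].append(os.path.join(dirpath, fn))
        if "encrypted" in seen and "note" not in seen:   # report: every such folder gets a note
            summary["folders_missing_note"].append(dirpath)
    return summary

def build_sample_tree():
    """Constructed sample tree (placeholder bytes, not real victim data) for offline runs."""
    root = tempfile.mkdtemp()
    docs, pics = os.path.join(root, "docs"), os.path.join(root, "pics")
    os.makedirs(docs)
    os.makedirs(pics)
    with open(os.path.join(docs, "report.docx.ihsdj"), "wb") as f:
        f.write(HARDCODED_IV + os.urandom(48))            # IV header, then ciphertext-like bytes
    with open(os.path.join(docs, "READ_ME_FOR_DECRYPT_a1b2c3d4e5f6g7h8i9j_.txt"), "w") as f:
        f.write("constructed placeholder note\n")
    with open(os.path.join(pics, "photo.jpg.ihsdj"), "wb") as f:
        f.write(b"\x00" * 16 + os.urandom(48))            # extension matches, header does not
    with open(os.path.join(pics, "readme.txt"), "w") as f:
        f.write("benign file\n")
    return root
```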
- http://<Unique ID>.bankme.date/end1
- http://<Unique ID>.jobsnot.services/end1
- http://<Unique ID>.carefit.agency/end1
- http://<Unique ID>.hotdisk.world/end1
It then displays the ransom note by opening Notepad. It also schedules a task to display the ransom note every 15 minutes.
The ransom note instructs the victim to follow one of several links for further instructions about recovering files. The links use the same domains as the encryption routine (which fetches the encryption key and reports completion of encryption):
- http://(uniqueID).bankme.date/EP866p5M93wDS513
- http://(uniqueID).jobsnot.services/EP866p5M93wDS513
- http://(uniqueID).carefit.agency/EP866p5M93wDS513
- http://(uniqueID).hotdisk.world/EP866p5M93wDS513
Note that EP866p5M93wDS513 is the hardcoded initialization vector used in the AES encryption process.
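The three URL shapes the report lists (key fetch at /new1, completion beacon at /end1, ransom note link at /EP866p5M93wDS513, all on a <19-character ID>.<domain> host) can be turned into a timeline from web proxy logs. The following is an added example, not code from the report or from Microsoft: it classifies each request by stage, groups hits per client and machine ID, and infers from the /new1 responses whether the key was server-supplied or, as the report states for the all-domains-failed case, the hardcoded fallback. The log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Domains and URL paths from the report; the leading host label is the 19-character machine ID.
SOBNOT_DOMAINS = ("bankme.date", "jobsnot.services", "carefit.agency", "hotdisk.world")
STAGES = {"/new1": "key fetch", "/end1": "encryption complete",
          "/EP866p5M93wDS513": "ransom note link"}
HOST_RE = re.compile(r"^([a-z0-9]{19})\.(" + "|".join(map(re.escape, SOBNOT_DOMAINS)) + r")$")

# Constructed proxy log (not from the report): timestamp, client IP, URL, HTTP status.
SAMPLE_PROXY_LOG = """\
2017-10-18T09:01:02Z 10.1.2.33 http://a1b2c3d4e5f6g7h8i9j.bankme.date/new1 000
2017-10-18T09:01:05Z 10.1.2.33 http://a1b2c3d4e5f6g7h8i9j.jobsnot.services/new1 200
2017-10-18T09:07:41Z 10.1.2.33 http://a1b2c3d4e5f6g7h8i9j.carefit.agency/end1 200
2017-10-18T09:08:10Z 10.1.2.33 http://a1b2c3d4e5f6g7h8i9j.hotdisk.world/EP866p5M93wDS513 200
2017-10-18T09:08:11Z 10.1.2.50 http://www.example.com/index.html 200
2017-10-18T09:09:00Z 10.1.2.50 http://update.example.org/new1 200
"""

def classify_url(url):
    """Return (machine_id, domain, stage) for a Sobnot-shaped URL, else None."""
    parts = urlsplit(url)
    m = HOST_RE.match(parts.hostname or "")
    if not m:
        return None
    return m.group(1), m.group(2), STAGES.get(parts.path, "unknown path")

def timeline(log_text):
    """Group Sobnot hits by (client IP, machine ID), keeping log order so the stages read in sequence."""
    events = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        ts, src, url, status = fields
        hit = classify_url(url)
        if hit:
            machine_id, domain, stage = hit
            events.setdefault((src, machine_id), []).append((ts, domain, stage, status))
    return events

def key_source(hits):
    """Infer the key origin for one machine: an answered /new1 means a server key; none answered means
    the hardcoded fallback the report names. A 2xx only shows a response arrived, not what it held."""
    answered = [h for h in hits if h[2] == "key fetch" and h[3].startswith("2")]
    return "server-supplied" if answered else "hardcoded fallback"
```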
Additionally, an .onion address is provided along with instructions for the user to install Tor Browser.
Analysis by: Danut Antoche-Albisor
Prevention
The following can indicate that you have this threat on your PC:
- Your files have the following file name extension, and you can't open them:
  - .ihsdj
- You have the following file:
  - READ_ME_FOR_DECRYPT_(uniqueID)_.txt
- You see the ransom note text file opened every 15 minutes.