General

  • Target

    5928766551523328.zip

  • Size

    71KB

  • Sample

    210805-mzx7751wvj

  • MD5

    0e90fc2c773dd8fab8b7805d16338d36

  • SHA1

    5625f87631b86f32cbe4ed62ab5dd33771b13b68

  • SHA256

    a2df2e18c2e501ae2f88dcc8ee197b6f1147243b55a3288ec6040ec7ea5f8b48

  • SHA512

    c865b5c64f72bdf578dee43d4aaa0bbf7d2c36df9b2331d4259ad3c7e9e5b0acc97be970a9f948b62b3b94a85bfaf6151a796b2c2fc66abb0fae2dd902116199

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\!TXDOT_READ_ME!.txt

Ransom Note
Greetings, Texas Department of Transportation! Read this message CAREFULLY and contact someone from IT department. Your files are securely ENCRYPTED. No third party decryption software EXISTS. MODIFICATION or RENAMING encrypted files may cause decryption failure. You can send us an encrypted file (not greater than 400KB) and we will decrypt it FOR FREE, so you have no doubts in possibility to restore all files from all affected systems ANY TIME. Encrypted file SHOULD NOT contain sensitive information (technical, backups, databases, large documents). The rest of data will be available after the PAYMENT. Infrastructure rebuild will cost you MUCH more. Contact us ONLY if you officially represent the whole affected network. The ONLY attachments we accept are non archived encrypted files for test decryption. Speak ENGLISH when contacting us. Mail us: [email protected] We kindly ask you not to use GMAIL, YAHOO or LIVE to contact us. The PRICE depends on how quickly you do it.

Targets

    • Target

      4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458

    • Size

      156KB

    • MD5

      fcd21c6fca3b9378961aa1865bee7ecb

    • SHA1

      0abaa05da2a05977e0baf68838cff1712f1789e0

    • SHA256

      4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458

    • SHA512

      e39c1f965f6faeaa33dfec6eba23fbfff14b287f4777797ea79480bb037d6d806516bda7046315e051961fce12e935ac546819c1e0bef5c33568d68955a9792a

    • Deletes NTFS Change Journal

      The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

    • RansomEXX Ransomware

      Targeted ransomware with variants which affect Windows and Linux systems.

    • Clears Windows event logs

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables use of System Restore points

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Overwrites deleted data with Cipher tool

      Cipher is a Windows tool which can be used to securely wipe deallocated HDD space, preventing recovery of deleted data.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v6

Tasks