ransomexx_win | ed2b1f855fc7a39a7cf2cfbfd5a10707801ba313bab9c5d748fcd3703aad66fc

General

Target

ed2b1f855fc7a39a7cf2cfbfd5a10707801ba313bab9c5d748fcd3703aad66fc
Size

156KB
Sample

210820-dgat5wj26a
MD5

b2bc74d95c8bd5b5db9c02df6a6ae2d3
SHA1

e7748b92347f95589fa739cbe5c089046614ce92
SHA256

ed2b1f855fc7a39a7cf2cfbfd5a10707801ba313bab9c5d748fcd3703aad66fc
SHA512

bda491ab197205d48956f9bc1b45009abba701e6ebb4ee551bfc2b58a0ed7a58a5793624cb2884f9efcbfbf647b1792d619dbb83917cfad9f412593c4cdb498b

Score

10^/10

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\!TXDOT_READ_ME!.txt

Ransom Note

Greetings, Texas Department of Transportation! Read this message CAREFULLY and contact someone from IT department. Your files are securely ENCRYPTED. No third party decryption software EXISTS. MODIFICATION or RENAMING encrypted files may cause decryption failure. You can send us an encrypted file (not greater than 400KB) and we will decrypt it FOR FREE, so you have no doubts in possibility to restore all files from all affected systems ANY TIME. Encrypted file SHOULD NOT contain sensitive information (technical, backups, databases, large documents). The rest of data will be available after the PAYMENT. Infrastructure rebuild will cost you MUCH more. Contact us ONLY if you officially represent the whole affected network. The ONLY attachments we accept are non archived encrypted files for test decryption. Speak ENGLISH when contacting us. Mail us: [email protected] We kindly ask you not to use GMAIL, YAHOO or LIVE to contact us. The PRICE depends on how quickly you do it. �

Emails

[email protected]

Targets

- Target
  
  ed2b1f855fc7a39a7cf2cfbfd5a10707801ba313bab9c5d748fcd3703aad66fc
- Size
  
  156KB
- MD5
  
  b2bc74d95c8bd5b5db9c02df6a6ae2d3
- SHA1
  
  e7748b92347f95589fa739cbe5c089046614ce92
- SHA256
  
  ed2b1f855fc7a39a7cf2cfbfd5a10707801ba313bab9c5d748fcd3703aad66fc
- SHA512
  
  bda491ab197205d48956f9bc1b45009abba701e6ebb4ee551bfc2b58a0ed7a58a5793624cb2884f9efcbfbf647b1792d619dbb83917cfad9f412593c4cdb498b
Score

10^/10

ransomexx_win evasion ransomware
- Deletes NTFS Change Journal
  The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
  ransomware
- RansomEXX Ransomware
  Targeted ransomware with variants which affect Windows and Linux systems.
  ransomware ransomexx_win
- Clears Windows event logs
  evasion ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Disables use of System Restore points
  evasion
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Overwrites deleted data with Cipher tool
  Cipher is a Windows tool which be used to securely wipe deallocated HDD space, preventing recovery of deleted data.
  ransomware
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2