ransomexx_win | 43fba9b9b5d580914e6a0ecb62ed0a8ab1f5d5bb5a5a8ffd8efac748837f9bb5

General

Target

5521250278604800.zip
Size

71KB
Sample

211020-lqr1taghb5
MD5

9e41a6912cb0b2ce755538602481038c
SHA1

3d75f9a82c5c889280a43dc6409058b66aa20c13
SHA256

43fba9b9b5d580914e6a0ecb62ed0a8ab1f5d5bb5a5a8ffd8efac748837f9bb5
SHA512

4122e0952bf1b84348477f96d33904d15c65c2d98aa1cdbfd7aaf5664f0fdbb0d92834324f14cdb09b37bb054bce593fdc38e944dc7f417ac22ed03c69b62a20

Score

10^/10

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\!TXDOT_READ_ME!.txt

Ransom Note

Greetings, Texas Department of Transportation! Read this message CAREFULLY and contact someone from IT department. Your files are securely ENCRYPTED. No third party decryption software EXISTS. MODIFICATION or RENAMING encrypted files may cause decryption failure. You can send us an encrypted file (not greater than 400KB) and we will decrypt it FOR FREE, so you have no doubts in possibility to restore all files from all affected systems ANY TIME. Encrypted file SHOULD NOT contain sensitive information (technical, backups, databases, large documents). The rest of data will be available after the PAYMENT. Infrastructure rebuild will cost you MUCH more. Contact us ONLY if you officially represent the whole affected network. The ONLY attachments we accept are non archived encrypted files for test decryption. Speak ENGLISH when contacting us. Mail us: [email protected] We kindly ask you not to use GMAIL, YAHOO or LIVE to contact us. The PRICE depends on how quickly you do it. �

Emails

[email protected]

Targets

- Target
  
  480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7
- Size
  
  156KB
- MD5
  
  9832040cb9c0aa58cd12d656f82420ba
- SHA1
  
  74a62abd145e9571e029db76c06c3100bfb3f4a9
- SHA256
  
  480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7
- SHA512
  
  f41ea39996bd4dd11d6df8250754612068e52e42da6c737340b0d73e71d487a2f9074ea0394957f34bb3cbc72a0cb3aa479b91a7c4177089ccdc1578a232cf49
Score

10^/10

ransomexx_win evasion ransomware
- Deletes NTFS Change Journal
  The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
  ransomware
- RansomEXX Ransomware
  Targeted ransomware with variants which affect Windows and Linux systems.
  ransomware ransomexx_win
- Clears Windows event logs
  evasion ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Disables use of System Restore points
  evasion
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Overwrites deleted data with Cipher tool
  Cipher is a Windows tool which be used to securely wipe deallocated HDD space, preventing recovery of deleted data.
  ransomware
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2