
Ransom:Win32/HydraCrypt.A


First posted on 13 September 2016.
Source: Microsoft

Aliases:

There are no other names known for Ransom:Win32/HydraCrypt.A.

Explanation:

Installation
We have seen this threat distributed by exploit kits (Neutrino, Axpergle, and Exploit:Win32/CVE-2016-0034), and through URLs embedded in spam emails that point to malicious macro downloaders. When installed, this threat drops the following files in the folders that contain the files the ransomware encrypted:

  • help_decrypt_your_files.html
  • help_decrypt_your_files.txt
  • help_your_files.html
  • help_your_files.txt
[Screenshot of the ransom note text file]

[Screenshot of the ransom note HTML file]


Payload

Encrypts files

This threat uses RSA-2048 encryption to encrypt files on your PC that have the following file extensions:

0 ce1 edb hplg mgcb pi1 save udb 36 ce2 efd hpp mgmf pi2 say ufo 411 cer egc hs mgmt pi3 sb ufr 1cd cf eio htc mgmx pic sbf uga 1pa cfg eip html mgtx pict scad unauth 1st cfp eit hvpl min pip scan unity 2bp cfr email hwp mkv pix scc unrec 3dm cfu emd hz mlx pjpeg sci unx 3ds cgm emf i3d mmat pjpg scm uof 3fr chart eml ib mmw pjt scriv uot 3g2 chord emlx ibd mng pkpass scrivx upd 3gp cimg ep icn mnr pl sct upk 4db cin epf icpr mnt pl scv usertile-ms 4dl cit epk icxs mobi plantuml scw usr 4mp ckp epp idc mos plc sd0 utf8 73i class eps idea mov plt sda utxt 7z clkw epsf idx movie pm sdb v12 8xi cls eql igt mp3 pmg sdf v30 9png cma erf igx mp4 png sdm vault a3d cmt err ihx mpf pni sdoc vbr ab4 cmx esm iif mpg pnm sdw vcf abm cnm etf iil mpo pntg sep vct abs cnt etx iiq mpp pnz set vda abw cnv euc imd mpqge pobj sfc vdb accdb colz exf indd mrg pop sfera vdf accdc cpc exr info mrw pot sfw vec accde cpd fadein ink mrwref potm sgm vff accdr cpg fal int mrxs potx sid vfs0 accdt cpi faq ipf msg pp4 sidd vml accdw cpp fax ipx mso pp5 sidn vnt accft cps fb2 itc2 mt9 ppam sie vob ach cpt fb3 itdb mte ppm sig vpd act cpx fbl itl mud pps sis vpe adb cr2 fbx itm mwb ppsm sk1 vpk adn craw fcd itw mwp ppsx sk2 vpp_pc adp crd fcf iwd mx0 ppt skcard vrml ads crt fdb iwi mxl pptm skm vrp af2 crw fdf j myd pptx sla vsd af3 crwl fdr j2c myl prf slagz vsdm aft cs fds j2k ncf prt sld vsdx afx csh fdt jarvis ncr prw sldasm vsm agif csl fdx jas nct ps slddrt vst agp css fdxt java nd psafe3 sldprt vstm ahd csv fes jb2 ndd psd slm vstx ai csy ff jbig ndf psdx sls vsx ai ct ffd jbig2 nef pse smf vtf aic cv5 fff jbmp nfo psid smil vtx aif cvg fft jbr njx psk sms vue aim cvi fh jfif nk2 psp snagitstamps vw ait cvs fh10 jia nlm pspbrush snagstyles w3x al cvx fh11 jis notes pspimage snp wallet albm cwt fh3 jng now pst snx wav alf cxf fh4 joe nrw psw sob wb1 ani cyi fh5 jp1 ns2 ptg spa wb2 ans d3dbsp fh6 jp2 ns3 pth spe wbc apd dac fh7 jpe ns4 ptx sph wbd apj daconnections fh8 jpeg nsd pu spj wbk 
apk dacpac fhd jpg nsf pub spp wbm apm dad fic jpg2 nsg puz spq wbmp apng dadiagrams fid jps nsh pvj spr wbz aps daf fif jpx ntl pvm sqb wcf apt das fig jrtf nv2 pvr sql wdb apx daschema fil js nwb pwa sqlite wdp arch00 dat fim jtf nwctxt pwi sqlite3 webdoc art dazip fla jtx nx1 pwr sqlitedb webp artwork db flac jwl nx2 px sr2 wgz arw db0 flc jxr nyf pxr srf wire as db2 fli k2p nzb py srt wll asc db3 flr kdb obj pz3 srw wma ascii dba flv kdbx oc3 pza ssa wmdb ase dbc fm kdc oc4 pzp ssfn wmf asf dbf fm5 kdi oc5 pzs ssk wmo ask dbk fmp kdk oce qba st wmv asm dbr fmp12 kes oci qbbackup st4 wn asp dbs fmpsl key ocr qbi st5 wotreplay asset db-shm fmv kf odb qbo st6 wp asw dbt fodt kic odc qbp st7 wp4 asx dbv fol klg odf qbr st8 wp5 asy db-wal forge knt odg qbsdk stc wp6 aty dbx fos kon odm qbt std wp7 avatar dc2 fountain kpg odp qbw ste wpa awdb dca fp3 kwd ods qbwin sti wpb awp dcb fp4 laccdb odt qby stm wpd awt dcr fp5 latex ofl qdf stn wpe aww dcs fp7 layout oft qdl stp wpg azz dct fpk lbf oil qmg str wpl back dcx fpos lbm omf qpd strings wps backup ddd fpt lbt one qpx stw wpt bad ddl fpx lgb openbsd qry stx wpw bak ddoc frt lgc oplc qsm sty wri bank dds fsh lis oqy qss sub wsc bar ded ft10 lit ora qst sum wsd bay der ft11 litemod orf qvd sumo wsh bbs des ft7 ljp orto qwc sva wtx bc6 desc ft8 lmk orx r3d svf wvl bc7 design ft9 lnt ota rad svg x bd df1 ftn log otg raf svgz x11 bdb dgc fwdn lp2 oth rar swf x3d bdp dgn fx0 lrc oti ras sxc x3f bdr dgs fx1 lrf otp rat sxd xar bean dgt fxc lst ots raw sxg xbdoc bgt dhs fxg ltr ovp raw sxi xbplate bib dib fxr ltx ovr rb sxm xdb big diz fzb lua owc rctd sxw xdl bik djv fzv lue owg rcu syncdb xf bkf djvu g3 luf oyx rdb syncmanagerlogger xhtm bkp dm3 gcdp lvl ozb rdl t12 xla blend dmi gdb lwo ozj re4 t13 xlam blkrt dmo gdoc lwp ozt readme t2b xlb blob dmp gdraw lws p12 rft tab xlc bm2 dnc gem lxfml p7b rgb tar xld bmp dne geo lyt p7c rgf tax xlf bmx dng gfb lyx p7s rgss3a tb0 xlgc bmz do gfie m p96 rib tbn xll bna doc ggr m2 
p97 ric tcx xlm bnd docm ghoc m3d pages riff tdf xlr boc docx gif m3u pak rim tdt xls bok docxml gih m4a pal ris te xlsb bpw docz gim m4v pan rix teacher xlsm brk dot gio ma pano rle temp1234 xlsx brn dotm glox mac pap rli tex xlt brt dotx gmbck maf pas rm text xltm bsa dp1 gmspr mam pat rng tfc xltx bss dpp gpd man pbm rofl tg4 xlw btd dpx gpn map pbo rpd tga xmind bti dqy gray maq pc1 rpf thm xml btr drf grey mar pc2 rpt thp xmlx byu drw gro mat pc3 rri thumb xmmap bzabw drz grob maw pcd rs tif xpm c dsk grs max pcd rsb tiff xpp c4 dsn grw mb pcs rsd tjp xps c4d dsv gry mbm pct rsr tlb xsn cal dt gsd mbox pcx rst tlc xwp cals dt2 gthr mcl pdb rt tm xxx can dta gtp mcmeta pdd rtd tm2 xy3 cd5 dtd gv md5txt pdf rtf tmd xyp cdb dtsx gwi mdb pdm rtp tmp xyw cdc dtw gz mdbackup pdn rtx tmv y cdf dvi h mdbhtml pe4 run tmx yal cdg dvl hbk mdc pef rw2 tn ybk cdmm dwg hdb mddata pem rwl tne yml cdmt dx hdp mde pfd rwz tor ysp cdmtz dxb hdr mdf pff rzk tpc yuv cdmz dxf hht mdn pfi rzn tpi z3d cdr dxg his mdt pfs s2mv trelby zabw cdr3 dxl hkdb me pfv s3m trm zdb cdr4 ebd hkx mef pfx saf tt zdc cdr6 ecml hpg mell pgf safetext tvj zif cdrw eco hpgl menu pgm sai txt zip cdt ecw hpi mft phm sam u3d ztmp cdx ecx hpl mfw php sas7bdat u3i zw

When encrypted, the file names are changed to this format:
  • <original file name>.id_<ID>_email_<email address>
Sample file names:
  • 128.png.id_b8574f95c6f26321_email_vexa@usa.com.scl
  • 16.png.id_b8574f95c6f26321_email_vexa@usa.com.scl
  • 48.png.id_b8574f95c6f26321_email_vexa@usa.com.sclc
  • 48.png.id_b8574f95c6f26321_email_vexa@usa.com.scl


Connects to a remote host

We have seen this threat connect to a remote host, including the following command-and-control (C&C) servers:
  • 62.75.195.136/forse/point.php
  • 109.236.87.204/yyy/fers.php
This ransomware connects to the C&C server to upload data taken from your PC. It does so with an HTTP POST request to the above URLs, carrying the following information:
Host: 62.75.195.136
POST: /forse/point.php
Parameters:
idn=& &key=&FN=
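The following Python triage helper is an added example and is not part of Microsoft's write-up or tooling. It turns the indicators above into checks a responder can run offline: the renamed-file format inferred from the sample file names (`<original>.id_<hex id>_email_<address>.<appended extension>`), the four ransom note names, and the two C&C endpoints. The file listing, the Windows paths in it, and the proxy log line layout (`<timestamp> <client> <method> <url> <status>`) are constructed for the example and are assumptions, not data from the write-up.

```python
import re
from urllib.parse import urlsplit

# Ransom note file names the write-up says are dropped beside encrypted files.
RANSOM_NOTE_NAMES = {
    "help_decrypt_your_files.html",
    "help_decrypt_your_files.txt",
    "help_your_files.html",
    "help_your_files.txt",
}

# C&C endpoints listed in the write-up, as (host, path) pairs.
C2_ENDPOINTS = {
    ("62.75.195.136", "/forse/point.php"),
    ("109.236.87.204", "/yyy/fers.php"),
}

# Renamed-file pattern inferred from the sample names:
#   <original name>.id_<hex id>_email_<address>.<appended extension>
RENAMED_RE = re.compile(
    r"^(?P<original>.+?)\.id_(?P<victim_id>[0-9a-fA-F]+)"
    r"_email_(?P<email>[^\s@]+@\S+?)\.(?P<ext>[A-Za-z0-9]+)$"
)


def parse_renamed_file(name):
    """Split a HydraCrypt-style file name into its parts, or return None."""
    m = RENAMED_RE.match(name)
    return m.groupdict() if m else None


def _split_path(path):
    """Return (folder, file name) for a Windows or POSIX path."""
    norm = path.replace("\\", "/")
    folder, _, name = norm.rpartition("/")
    return folder, name


def classify_path(path):
    """Label one file path as 'ransom_note', 'renamed' or None (benign)."""
    _, name = _split_path(path)
    if name.lower() in RANSOM_NOTE_NAMES:
        return "ransom_note"
    if parse_renamed_file(name):
        return "renamed"
    return None


def summarize_listing(paths):
    """Aggregate a file listing into the indicators an analyst would report."""
    summary = {"renamed": 0, "ransom_notes": 0,
               "victim_ids": set(), "emails": set(), "folders": set()}
    for path in paths:
        label = classify_path(path)
        if label is None:
            continue
        folder, name = _split_path(path)
        summary["folders"].add(folder)
        if label == "ransom_note":
            summary["ransom_notes"] += 1
        else:
            parts = parse_renamed_file(name)
            summary["renamed"] += 1
            summary["victim_ids"].add(parts["victim_id"])
            summary["emails"].add(parts["email"])
    return summary


def match_c2(url):
    """Return the (host, path) C&C endpoint a URL hits, or None."""
    u = urlsplit(url if "://" in url else "http://" + url)
    key = (u.hostname, u.path)
    return key if key in C2_ENDPOINTS else None


def scan_proxy_log(lines):
    """Return (timestamp, client, method, url) for every request to a C&C endpoint.

    Log line layout is an assumption for this example:
    "<timestamp> <client> <method> <url> <status>".
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # skip lines that do not fit the assumed layout
        ts, client, method, url, _status = fields
        if match_c2(url):
            hits.append((ts, client, method, url))
    return hits


# Constructed sample data (paths and log lines are not from the write-up).
SAMPLE_LISTING = [
    r"C:\Users\alice\Pictures\128.png.id_b8574f95c6f26321_email_vexa@usa.com.scl",
    r"C:\Users\alice\Pictures\16.png.id_b8574f95c6f26321_email_vexa@usa.com.scl",
    r"C:\Users\alice\Pictures\help_decrypt_your_files.html",
    r"C:\Users\alice\Pictures\help_your_files.txt",
    r"C:\Users\alice\Documents\report.docx",
]
SAMPLE_PROXY_LOG = [
    "2016-09-13T10:01:02Z 10.0.0.5 POST http://62.75.195.136/forse/point.php 200",
    "2016-09-13T10:01:05Z 10.0.0.5 GET http://example.com/index.html 200",
    "2016-09-13T10:02:10Z 10.0.0.7 POST http://109.236.87.204/yyy/fers.php 200",
    "2016-09-13T10:02:11Z 10.0.0.7 GET http://62.75.195.136/forse/point.php 404",
]

if __name__ == "__main__":
    print(summarize_listing(SAMPLE_LISTING))
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("C&C contact:", hit)
```

`match_c2` flags any request to a listed endpoint, not only the POST the write-up describes, because the host and path are the durable indicator; the method is kept in each hit so the POST uploads can still be singled out. The victim ID and e-mail address recovered from renamed files give the same values the ransom note would, without opening it.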





Analysis by Patrick Estavillo

Last update 13 September 2016
