
Ransom:MSIL/SamSam.D!dr

First posted on 26 January 2018.
Source: Microsoft

Aliases:

There are no other names known for Ransom:MSIL/SamSam.D!dr.

Explanation:

Installation

This ransomware is deployed manually by the attackers after they have gained access to your compromised PC.

The threat has two components: an encrypted payload and a runner. The runner loads the main payload, decrypts it in memory using the password provided as a command-line argument, and launches it. When launched, the runner looks for the payload to load: some versions take the location of the payload as an argument, while other versions look for a file with the extension .stubbin in the current working directory. Upon launching the main payload, the runner also forwards the second parameter to it; the main payload uses this parameter to load the RSA key used for the encryption process. Both the payload and the key are deleted at the end of the encryption. Before encrypting anything, it creates a file at "%ProgramData%\greenwin\startinfo.bat" and runs it. The script checks every 5 seconds whether the process is still running; if it isn't, it deletes the executable file.

Payload

Encrypts and renames files

It encrypts files with these extensions:

.3dm .dtd .otp .tlg .3ds .dwg .ots .txt .3fr .dxb .ott .vb .3g2 .dxf .p12 .vob .3gp .dxg .p7b .wallet .3pr .eml .p7c .war .7z .eps .pab .wav .ab4 .erbsql .pages .wb2 .accdb .erf .pas .wmv .accde .exf .pat .wpd .accdr .fdb .pbl .wps .accdt .ffd .pbl .x11 .ach .fff .pcd .x3f .acr .fh .pct .xis .act .fhd .pdb .xla .adb .fla .pdd .xlam .ads .flac .pdf .xlk .agdl .flv .pef .xlm .ai .fmb .pem .xlr .ait .fpx .pfx .xls .al .fxg .php .xlsb .apj .gray .php5 .xlsm .arw .grey .phtml .xlsx .asf .gry .pl .xlt .asm .h .plc .xltm .asmx .hbk .png .xltx .asp .hpp .pot .xlw .aspx .htm .potm .xml .asx .html .potx .ycbcra .avi .ibank .ppam .yuv .awg .ibd .pps .zip .back .ibz .ppsm .backup .idx .ppsx .backupdb .iif .ppt .bak .iiq .pptm .bank .incpas .pptx .bay .indd .prf .bdb .jar .ps .bgt .java .psafe3 .bik .jpe .psd .bkf .jpeg .pspimage .bkp .jpg .pst .blend .jsp .ptx .bpw .kbx .py .c .kc2 .qba .cdf .kdbx .qbb .cdr .kdc .qbm .cdr3 .key .qbr .cdr4 .kpdx .qbw .cdr5 .lua .qbx .cdr6 .m .qby .cdrw .m4v .r3d .cdx .max .raf .ce1 .mdb .rar .ce2 .mdc .rat .cer .mdf .raw .cfp .mef .rdb .cgm .mfw .rm .cib .mmw .rtf .class .moneywell .rw2 .cls .mos .rwl .cmt .mov .rwz .config .mp3 .s3db .cpi .mp4 .sas7bdat .cpp .mpg .say .cr2 .mrw .sd0 .craw .msg .sda .crt .myd .sdf .crw .nd .sldm .cs .ndd .sldx .csh .nef .sql .csl .nk2 .sqlite .csv .nop .sqlite3 .dac .nrw .sqlitedb .db .ns2 .sr2 .db-journal .ns3 .srf .db3 .ns4 .srt .dbf .nsd .srw .dbx .nsf .st4 .dc2 .nsg .st5 .dcr .nsh .st6 .dcs .nwb .st7 .ddd .nx2 .st8 .ddoc .nxl .std .ddrw .nyf .sti .dds .oab .stw .der .obj .stx .des .odb .svg .design .odc .swf .dgc .odf .sxc .djvu .odg .sxd .dng .odm .sxg .doc .odp .sxi .docm .ods .sxm .docx .odt .sxw .dot .oil .tex .dotm .orf .tga .dotx .ost .thm .drf .otg .tib .drw .oth .tif

The encrypted files are renamed with:

  • .mention9823
  • .disposed2017
  • .suppose666
  • .breeding123

This threat also stops all running SQL processes so that the databases can be encrypted as well. Files are indexed first and then encrypted based on file size rather than directory path.

It also avoids encrypting the following system-critical locations on the system root drive:
  • /windows
  • /winnt
  • /reference assemblies\microsoft
  • /recycle.bin
  • /users\all users
  • /documents and settings\all users
  • /boot
  • /users\default

Drops ransom note

This threat drops a ransom note as an HTML file in all of the affected directories and on your desktop, with file names such as:
  • READ-FOR-DECCCC-FILESSS.html
  • PLEASE-README-HOWTO-RECOVERY.html
Sample ransom note: The ransom note instructs you to acquire bitcoin and explains how to navigate to a .onion website where you can recover your files.

We have seen the following .onion addresses in this context:
  • http://sqnhh67wiujb3q6x.onion/{uniqueid}
  • http://fxn5ao5mmaktpsug.onion/{uniqueid}

The launcher has been seen with different names:
  • endeavor2.exe
  • followed2.exe
  • jiarons2.exe
  • msvcsexec.exe
  • norland2.exe
  • r2.exe
  • reprotin2.exe
  • rn2.exe
  • rn2l.exe
  • rony2.exe
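The file-system artifacts described above (the appended extensions, the ransom-note file names, the startinfo.bat watchdog script under %ProgramData%\greenwin, the .stubbin payload and the launcher names) can be checked offline against a file listing taken from a suspect host or disk image. The following script is an added example for incident responders and is not code from Microsoft or from this write-up; it assumes the caller has already collected a list of Windows paths, and the sample listing embedded in it is constructed for the demonstration. The indicator values themselves are the ones quoted on this page.

```python
"""Offline triage of a file listing for the SamSam indicators named in this write-up.

Added example (not Microsoft's code). Input is any iterable of Windows paths,
e.g. from a forensic image or a directory walk; SAMPLE_LISTING below is constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set
import ntpath

# Indicators quoted from the write-up above.
ENCRYPTED_SUFFIXES = (".mention9823", ".disposed2017", ".suppose666", ".breeding123")
RANSOM_NOTE_NAMES = {"read-for-decccc-filesss.html", "please-readme-howto-recovery.html"}
LAUNCHER_NAMES = {"endeavor2.exe", "followed2.exe", "jiarons2.exe", "msvcsexec.exe",
                  "norland2.exe", "r2.exe", "reprotin2.exe", "rn2.exe", "rn2l.exe", "rony2.exe"}
WATCHDOG_SCRIPT = "\\greenwin\\startinfo.bat"  # written under %ProgramData%
PAYLOAD_EXTENSION = ".stubbin"


@dataclass(frozen=True)
class Finding:
    category: str  # encrypted_file, ransom_note, watchdog_script, payload_stub, launcher_name
    path: str
    detail: str    # original file name for encrypted files, otherwise the matched name


def classify(path: str) -> Optional[Finding]:
    """Match one path against the indicators; None means nothing matched."""
    name = ntpath.basename(path).lower()
    normalized = path.lower().replace("/", "\\")
    for suffix in ENCRYPTED_SUFFIXES:
        if name.endswith(suffix):
            # The malware appends the suffix, so stripping it recovers the original name.
            return Finding("encrypted_file", path, name[: -len(suffix)])
    if name in RANSOM_NOTE_NAMES:
        return Finding("ransom_note", path, name)
    if normalized.endswith(WATCHDOG_SCRIPT):
        return Finding("watchdog_script", path, name)
    if name.endswith(PAYLOAD_EXTENSION):
        return Finding("payload_stub", path, name)
    if name in LAUNCHER_NAMES:
        # Name-only match; names like r2.exe are generic, so confirm by hash before acting on it.
        return Finding("launcher_name", path, name)
    return None


def triage(paths: Iterable[str]) -> List[Finding]:
    """Run classify() over a listing and keep only the hits."""
    return [f for f in (classify(p) for p in paths) if f is not None]


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per category."""
    return dict(Counter(f.category for f in findings))


def directories_missing_note(findings: Iterable[Finding]) -> Set[str]:
    """Directories (lower-cased) that hold encrypted files but no ransom note.

    The write-up says a note is dropped in every affected directory, so a
    directory without one suggests the run was interrupted or cleaned up.
    """
    encrypted, noted = set(), set()
    for f in findings:
        directory = ntpath.dirname(f.path).lower()
        if f.category == "encrypted_file":
            encrypted.add(directory)
        elif f.category == "ransom_note":
            noted.add(directory)
    return encrypted - noted


# Constructed sample listing for the demo (not real forensic data).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.breeding123",
    r"C:\Users\alice\Documents\PLEASE-README-HOWTO-RECOVERY.html",
    r"C:\Users\alice\Pictures\holiday.jpg.mention9823",
    r"C:\Users\alice\Desktop\READ-FOR-DECCCC-FILESSS.html",
    r"C:\ProgramData\greenwin\startinfo.bat",
    r"C:\Windows\Temp\rn2.exe",
    r"C:\Windows\Temp\payload.stubbin",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    found = triage(SAMPLE_LISTING)
    for f in found:
        print(f"{f.category:16} {f.path}  ({f.detail})")
    print(summarize(found))
    print("encrypted directories without a note:", directories_missing_note(found))
```

Feed `triage()` a real listing (for example the output of a recursive `dir /s /b` captured from the host) to get the same report; the launcher-name check is deliberately kept last and flagged as low confidence, since several of those names are generic enough to collide with legitimate files.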


Related information
  • Ransom:MSIL/Samas
  • No mas, Samas: What's in this ransomware's modus operandi?
  • A worthy upgrade: Next-gen security on Windows 10 proves resilient against ransomware outbreaks in 2017

Last update 26 January 2018
