Accurate as of 11/14/2023 3:53 PM PST
Our threat team stumbled on a newly identified and currently undetected (by others) variant of ransomware. As part of empowering our partners and ensuring they have the most up-to-date information about new threats, we provide this update!
First and foremost, this is blocked by the BLOKWORX security stack. Current partners of MAED and MAED+EDR do not have anything to worry about. Our tools prevent this before it can even write to your machine!
So, what does this ransomware do? It’s pretty straightforward as ransomware goes. It encrypts your files and demands payment before you can regain access to the files in question.
Below is a bit more information about what the ransomware does at runtime:
File types they are looking to encrypt
bak, dmp, 7z, cab, gz, gzip, rar, zip, tar-gz, tar, tgz, zipx, asp, accdb, db, b2, dbf, dbx, mdb, mdf, sdf, log, tib, backup, back, ldf, vhd, vhdx, vmdk, vmem, mf, ova, hdd, vbox, ovf, bckp, bkf, bkp, bdb, vbf, vbm, vrb, acad, accdb, db2, db2p, db4, bdx, mdbx, mdb, myd, mwb, ndf, sql, sqlite, sqlite2, sqlite3, ssmssqlproj, ssx, ldif, avhd, vmwarevm, vcd, dsk, vbk, vbm, vlb, vab, vib, lde, bckup, epf, erf, 1cd, lgf, efd
Processes to specifically kill
agntsvc.exe, AutodeskDesktopApp.exe, axlbridge.exe, bedbh.exe, benetns.exe, bengien.exe, beserver.exe, CoreSync.exe, Creative Cloud.exe, dbeng50.exe, dbsnmp.exe, encsvc.exe, EnterpriseClient.exe, fbguard.exe, fbserver.exe, fdhost.exe, fdlauncher.exe, httpd.exe, isqlplussvc.exe, msaccess.exe, MsDtSrvr.exe, msftesql.exe, mspub.exe, mydesktopqos.exe, mydesktopservice.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, ocautoupds.exe, ocomm.exe, ocssd.exe, oracle.exe, pvlsvr.exe, node.exe, java.exe, python.exe, wpython.exe, QBDBMgr.exe, QBDBMgrN.exe, QBIDPService.exe, qbupdate.exe, QBW32.exe, QBW64.exe, Raccine.exe, Raccine_x86.exe, RaccineElevatedCfg.exe, RaccineSettings.exe, VeeamDeploymentSvc.exe, RAgui.exe, raw_agent_svc.exe, SimplyConnectionManager.exe, sqbcoreservice.exe, sql.exe, sqlagent.exe, sqlbrowser.exe, sqlmangr.exe, sqlservr.exe, sqlwriter.exe, Ssms.exe, Sysmon.exe, Sysmon64.exe, tbirdconfig.exe, TeamViewer.exe, TeamViewer_Service.exe, tv_w32.exe, tv_x64.exe, tomcat6.exe, vsnapvss.exe, vxmon.exe, wdswfsafe.exe, wsa_service.exe, wxServer.exe, wxServerView.exe, xfssvccon.exe
Services to specifically stop
AcronisAgent, ARSM, backup, BackupExecAgentAccelerator, BackupExecAgentBrowser, BackupExecDiveciMediaService, BackupExecJobEngine, BackupExecManagementService, BackupExecRPCService, BackupExecVSSProvider, CAARCUpdateSvc, CASAD2DWebSvc, ccEvtMgr, ccSetMgr, Culserver, dbeng8, dbsrv12, DefWatch, FishbowlMySQL, GxBlr, GxCIMgr, GxCVD, GxFWD, GxVss, memtas, mepocs, msexchange, MSExchange$, msftesql-Exchange, msmdsrv, MSSQL, MSSQL$, MSSQL$KAV_CS_ADMIN_KIT, MSSQL$MICROSOFT##SSEE, MSSQL$MICROSOFT##WID, MSSQL$SBSMONITORING, MSSQL$SHAREPOINT, MSSQL$VEEAMSQL2012, MSSQLFDLauncher$SBSMONITORING, MSSQLFDLauncher$SHAREPOINT, MSSQLServerADHelper100, MVArmor, MVarmor64, svc$, sophos, RTVscan, MySQL57, PDVFSService, QBCFMonitorService, QBFCService, QBIDPService, QBVSS, SavRoam, SQL, SQLADHLP, sqlagent, SQLAgent$KAV_CS_ADMIN_KIT, SQLAgent$SBSMONITORING, SQLAgent$SHAREPOINT, SQLAgent$VEEAMSQL2012, sqlbrowser, Sqlservr, SQLWriter, stc_raw_agent, tomcat6, veeam, VeeamDeploymentService, VeeamNFSSvc, VeeamTransportSvc, vmware-converter, vmware-usbarbitator64, VSNAPVSS, vss, wrapper, WSBExchange, YooBackup, YooIT
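The three lists above are useful as detection content on their own: legitimate maintenance stops one or two of these services, while this ransomware kills and stops many of them in seconds before touching the target file types. As an added example (not BLOKWORX tooling and not code from the sample), the Python below runs over constructed, simplified event lines and alerts on any host where several listed processes, services, or file types are killed, stopped, or written inside a short window. The key=value log format, the sample lines, the window and threshold, and the hypothetical event names (ProcessCreate, ProcessTerminate, ServiceStop, FileWrite) are assumptions for illustration; the name sets are subsets of the post's lists, and service entries ending in "$" are treated as prefixes, matching how the post lists MSSQL$, MSExchange$ and svc$.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Subsets of the post's lists; load the full lists when deploying.
KILLED_PROCESSES = {p.lower() for p in (
    "sqlservr.exe", "sqlwriter.exe", "sqlagent.exe", "mysqld.exe", "oracle.exe",
    "beserver.exe", "VeeamDeploymentSvc.exe", "Sysmon.exe", "Sysmon64.exe",
    "Raccine.exe", "TeamViewer_Service.exe", "QBDBMgrN.exe", "httpd.exe",
)}
STOPPED_SERVICES = {s.lower() for s in (  # names ending in "$" act as prefixes
    "AcronisAgent", "BackupExecJobEngine", "MSSQL$", "MSExchange$", "SQLWriter",
    "veeam", "VeeamTransportSvc", "VeeamNFSSvc", "VSNAPVSS", "vss", "sophos", "MySQL57",
)}
TARGET_EXTENSIONS = {"bak", "mdf", "ldf", "vbk", "vhdx", "vmdk", "sqlite", "7z", "zip"}

# Constructed log format (assumption, not a real Windows/Sysmon export):
# one event per line, key=value pairs, values with spaces double-quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
STOP_CMD_RE = re.compile(r'^(?:net1?|sc)(?:\.exe)?\s+stop\s+"?([^"\s]+)"?', re.IGNORECASE)
KILL_CMD_RE = re.compile(r'/IM\s+"?([^"\s]+)"?', re.IGNORECASE)


def parse_line(line):
    """Turn one log line into a dict; the ts field becomes a datetime."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def service_matches(name):
    """True if a service name is on the stop list (exact, or by $-prefix)."""
    n = name.lower()
    return any(n.startswith(s) if s.endswith("$") else n == s for s in STOPPED_SERVICES)


def extract_target(ev):
    """Return (kind, name) when an event touches a listed process, service or
    file type; otherwise None."""
    kind = ev.get("event")
    image = ev.get("image", "").rsplit("\\", 1)[-1].lower()  # basename of the image path
    cmd = ev.get("cmdline", "")
    if kind == "ProcessTerminate" and image in KILLED_PROCESSES:
        return ("process", image)
    if kind == "ServiceStop" and service_matches(ev.get("service", "")):
        return ("service", ev["service"].lower())
    if kind == "FileWrite":
        path = ev.get("path", "")
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        if ext in TARGET_EXTENSIONS:
            return ("file", path.lower())
    if kind == "ProcessCreate":
        if image == "taskkill.exe":  # taskkill /F /IM <listed process>
            m = KILL_CMD_RE.search(cmd)
            if m and m.group(1).lower() in KILLED_PROCESSES:
                return ("process", m.group(1).lower())
        if image in ("net.exe", "net1.exe", "sc.exe"):  # net stop / sc stop <listed service>
            m = STOP_CMD_RE.match(cmd)
            if m and service_matches(m.group(1)):
                return ("service", m.group(1).lower())
    return None


def find_hosts_under_attack(lines, window_seconds=300, threshold=3):
    """Map host -> sorted 'kind:name' targets for each host where at least
    `threshold` distinct targets were hit within any `window_seconds` span."""
    window = timedelta(seconds=window_seconds)
    hits = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        target = extract_target(ev)
        if target:
            hits[ev["host"]].append((ev["ts"], target))
    alerts = {}
    for host, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {t for ts, t in events[i:] if ts - start <= window}
            if len(seen) >= threshold:
                alerts[host] = sorted(f"{k}:{n}" for k, n in seen)
                break
    return alerts


# Constructed sample events: SRV01 shows the burst pattern, WS07 only
# isolated maintenance-style activity hours apart.
SAMPLE_LOG = r"""
ts=2023-11-14T15:40:02Z host=SRV01 event=ProcessCreate image=C:\Windows\System32\taskkill.exe cmdline="taskkill /F /IM sqlservr.exe"
ts=2023-11-14T15:40:03Z host=SRV01 event=ProcessCreate image=C:\Windows\System32\net.exe cmdline="net stop VeeamTransportSvc"
ts=2023-11-14T15:40:03Z host=SRV01 event=ServiceStop service=VeeamTransportSvc
ts=2023-11-14T15:40:05Z host=SRV01 event=ProcessTerminate image=C:\Windows\Sysmon64.exe
ts=2023-11-14T15:40:06Z host=SRV01 event=ProcessCreate image=C:\Windows\System32\sc.exe cmdline="sc stop MSSQL$SHAREPOINT"
ts=2023-11-14T15:40:08Z host=SRV01 event=FileWrite path=D:\Backups\db.bak
ts=2023-11-14T15:41:00Z host=SRV01 event=ProcessCreate image=C:\Windows\System32\notepad.exe cmdline="notepad.exe"
ts=2023-11-14T09:12:10Z host=WS07 event=ProcessCreate image=C:\Windows\System32\net.exe cmdline="net stop MySQL57"
ts=2023-11-14T13:30:00Z host=WS07 event=ProcessTerminate image=C:\Windows\Sysmon64.exe
ts=2023-11-14T13:31:00Z host=WS07 event=FileWrite path=C:\Users\bob\report.docx
"""

if __name__ == "__main__":
    print(find_hosts_under_attack(SAMPLE_LOG.splitlines()))
```

Run stand-alone it prints the alerting host (SRV01) with the targets hit; WS07 stays quiet because its two hits are hours apart. The five-minute window and threshold of three distinct targets are starting points to tune against normal backup and patching activity, which legitimately stops these services one at a time. To feed it real data, map your EDR or Sysmon events (process creation, process termination, service control, file writes) onto the constructed fields.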
What Happens Next
With the above defined in their runtime, the next logical move is to kill off Windows Defender by running a simple command string (we are not providing the string for obvious reasons).
They then implement a watcher to keep an eye on all further actions, invoking conHost.exe with -e watch -pid <pid of process> -!
This allows them to see anything they interact with and anything that interacts with their process.
Then, they leverage unlock commands to give full access to conHost.exe (allowing them to send commands without interruption).
Now the fun part – Everything Setup called “Everything.exe”. This is the main payload: it runs all their scripted actions, moves all the necessary files to a location, then runs the encryption, followed by a deletion subroutine at the end.
It’s not the most elaborate sample, and it was very easy to sandbox. The sad thing is that it does get around many solutions on the market and is not detected by anyone on VirusTotal, but as mentioned before…we prevent it cold!