Ransom:Win32/Kitoles.A

Installation

This threat can use any of the following file names:

• ADMIN.exe
• locker.exe
• locker_no_amd.exe
• net_local.exe
• sevnz.exe
• svchoste.exe
• systemp.exe

When run, this threat prompts to be given elevated access. Whether or not it is given elevated access, however, this threat continues with its malicious activity.

It drops a copy of itself in the %APPDATA% folder. It then uses the legitimate program mshta.exe to run this new malware copy and delete itself. It also uses mshta.exe to create a registry entry that automatically runs the new malware copy every time the system starts.

Payload

Encrypts files

This threat has an embedded configuration file through which its features can be controlled. 

It can connect to a configured URL to report statistics about the infected machine. We have seen this threat connect to the following URL:

• hxxps://iplogger[.]com/1bmym6[.]gif

It can encrypt files on all drives and network shares. Based on the configuration, it can also encrypt file names and file name extensions and append a configurable file name extension. We have this seen threat use the following file name extensions for encrypted files:

For the encryption routine, the configuration requires a modulus N and a public exponent E to be specified in order to generate the public RSA key to be used for encryption. 

Although it has the option to encrypt all file types, we've seen samples with a large set of file name extensions configured:

It doesn't encrypt fles in the following folders:

• %SystemRoot%
• %APPDATA%
• %LOCALAPPDATA%
• %ProgramData%
• %ProgramFiles%

Deletes backups and shadow copies

This threat deletes backups and shadow copies by issuing several commands.

Drops ransom note

This threat drops a ransom note in every folder where it encrypts files. The file name and the content of the ransom note are configurable. For example, we have seent this threat use the following file names for its ransom note:

• FILE RECOVERY INSTRUCTION.txt
• IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT

It also opens the ransom note in Notepad.

Analysis by Danut Antoche-Albisor