
Ransom:Win32/Rokku.A


First posted on 29 April 2016.
Source: Microsoft

Aliases:

There are no other names known for Ransom:Win32/Rokku.A.

Explanation:

Installation

This ransomware can be downloaded as the payload of other malware, such as JS/Nemucod.

Payload

Encrypts files

After it executes, this ransomware encrypts files with the following extensions using the Salsa20 algorithm and appends the .rokku extension to each encrypted file:

a3s cgm eps java ncf qic tar acbl cha erf jp2 nef r3d tax acb chr esm jpeg nrw raa tex accdb cld fbx jpe ntl raf tga act clx fff jpf obm rar tiff ai3 cpp fh10 jpg ocdc raw tif ai4 cr2 fh11 jpx odb re4 tor ai5 crt fh7 k25 odc rgss3a txt ai6 crw fh8 kdb odm rim unity3d ai7 css fh9 kys odp rofl uof ai8 csv fig layout ods rtf uos aia cxx flt lbf odt rtg upk aiff d3dbsp flv lex omeg rvt vda aif das fmod litemod orf rw2 vdf aip dat forge lrf ott rwl vfl ait dazip fos ltx pak rwz vfs0 anim db0 fpk lvl pct sav vpk apk dbfv fsh m2ts pcx sbx vpp_pc arch00 dbf ft8 m2t pdd sc2save vst ari dcr fxg m3u pdf sdf vtf art dcs gdb m4a pef shp w3x arw der ge2 m4v pem sidd wallet asc desc geo map pfx sidn wav asef dib gho mat php4 sid wb2 ase dlc h!) max php5 sie wdx aspx dle hipnc mcfi php sis wma asp dlv3 hip mcfp picnc skl wmo asset dlv4 hkdb mcgame pic skp wmv avi dlv hkx mcmeta pkpass sldasm wotreplay bak dmp hplg mdbackup png sldprt wpd bar dng hpp mdb ppd slm wps bay docm hvpl mdc pptm slxp x3f bc6 docx hxx mddata pptx slx xlk bc7 doc iam mdf ppt snx xlsb bgeo drf ibank mdlp prj soft xlsm big dvi icb mdl prtl sqlite3 xlsx bik dvr icxs mef prt sqlite xls bkf dwf idea mel psb sr2 xvc bkp dwg iff menu psd srf xvz blob dxf iiq mkv psf srw xxx bmp dxg indd mll psid step ycbcra bsa eip ipt mlx psk stl yuv c4d emf iros model psq stp zdct cap emz irs mos pst sum zip cas epf itdb mp4 ptl svgz ztmp catpart epk itl mpqge ptx svg cdr eps2 itm mrwref pwl swatch cef eps3 iwd mrw pxn syncdb cer epsf iwi mts pxr t12 cfr epsp j2k mxf qdf t13



However, this ransomware skips any file whose path or file name contains one of the following substrings:

  • $recycle.bin
  • $windows
  • bootsect.bak
  • iconcache.db
  • local
  • program files
  • program files (x86)
  • programdata
  • roaming
  • thumbs.db
  • windows
  • windows.old
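The two selection rules above (a target-extension list and a set of skipped path substrings) are easy to turn into an inventory check for incident response: which files on a host were in scope, and how many already carry the appended .rokku extension. The following is an added example in Python, not code from the Microsoft write-up; the extension subset and the sample paths are constructed for illustration, and the substring matching is deliberately as crude as the write-up describes, which means it over-matches (a document named "windows_notes.docx" is skipped just like C:\Windows).

```python
"""
Added example (not from the write-up): apply the Rokku file-selection rules
described above to a list of paths and summarise the result.
"""
from pathlib import PureWindowsPath

# Subset of the extensions listed in the write-up (the full list is far longer).
TARGET_EXTENSIONS = {
    "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "jpg", "jpeg", "png",
    "zip", "rar", "sqlite", "mdf", "dwg", "psd", "wallet", "txt",
}

# Path / file-name substrings the ransomware skips, as listed in the write-up.
SKIPPED_SUBSTRINGS = [
    "$recycle.bin", "$windows", "bootsect.bak", "iconcache.db", "local",
    "program files", "program files (x86)", "programdata", "roaming",
    "thumbs.db", "windows", "windows.old",
]

ENCRYPTED_SUFFIX = ".rokku"


def is_skipped(path: str) -> bool:
    """True if any skip substring occurs anywhere in the lower-cased path."""
    lowered = path.lower()
    return any(s in lowered for s in SKIPPED_SUBSTRINGS)


def is_target_extension(path: str) -> bool:
    """True if the file's extension is on the target list."""
    ext = PureWindowsPath(path).suffix.lower().lstrip(".")
    return ext in TARGET_EXTENSIONS


def classify(path: str) -> str:
    """
    Classify one path as:
      'encrypted' - already carries the appended .rokku extension
      'skipped'   - contains a skip substring (checked before the extension)
      'in_scope'  - target extension and no skip substring
      'ignored'   - extension not on the target list
    """
    if path.lower().endswith(ENCRYPTED_SUFFIX):
        return "encrypted"
    if is_skipped(path):
        return "skipped"
    if is_target_extension(path):
        return "in_scope"
    return "ignored"


def inventory(paths) -> dict:
    """Count paths per class; useful as a quick blast-radius summary."""
    counts = {"encrypted": 0, "in_scope": 0, "skipped": 0, "ignored": 0}
    for p in paths:
        counts[classify(p)] += 1
    return counts


# Constructed sample paths (not from any real incident).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx",          # in_scope
    r"C:\Users\alice\Pictures\holiday.jpg",           # in_scope
    r"C:\Users\alice\AppData\Local\cache.sqlite",     # skipped: "local"
    r"C:\Program Files\App\readme.txt",               # skipped: "program files"
    r"C:\Windows\System32\config.sys",                # skipped: "windows"
    r"C:\Users\alice\Documents\windows_notes.docx",   # skipped: over-match on "windows"
    r"C:\Users\alice\Documents\thesis.docx.rokku",    # encrypted
    r"C:\Users\alice\Desktop\notes.md",               # ignored: .md not targeted
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{classify(p):>9}  {p}")
    print(inventory(SAMPLE_PATHS))
```

Two details worth noting when using such a check: the "local" substring means everything under AppData\Local is spared (which is why the write-up's note about the ransomware avoiding system and profile directories holds), and "$windows" and "program files (x86)" are redundant given the broader "windows" and "program files" entries.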


It also drops a ransom note in each folder where files were encrypted:

Figure 1: Ransom note text file gives the victim some preliminary instructions on unlocking their files.



Figure 2: Screenshot of the Rokku ransomware lockscreen.



If the user visits the .onion site to pay for file decryption, the following page is displayed; submitting an encrypted file through the Tor browser returns an order ID:

Figure 3: Screenshot of the Rokku ransomware decryption page.




Terminates services

It can terminate services related to shadow copies or backup:
  • Microsoft Software Shadow Copy Provider service
  • Volume Shadow Copy service
  • System Restore service




Deletes shadow files

It also deletes volume shadow copies using vssadmin.exe and wmic.exe.
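The service termination and shadow-copy deletion described in the last two sections are the most reliable detection opportunity this family offers, because they leave process-creation records before any file is recovered or lost. The following is an added example in Python, not code from the Microsoft write-up: it runs three detection rules over constructed process-creation log lines in a simplified key=value form. The write-up does not give the exact command lines the sample uses, so the patterns cover the standard invocations of vssadmin.exe and wmic.exe for deleting shadow copies, and the service names VSS, swprv and srservice are assumed to correspond to the three services named above.

```python
"""
Added example (not from the write-up): flag shadow-copy deletion and
backup-service stops in process-creation logs.
"""
import re

# Assumed short names of the three services the write-up says are terminated.
BACKUP_SERVICES = {"vss", "swprv", "srservice"}

# Rule name -> regex over the process command line (case-insensitive).
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("backup_service_stop",
     re.compile(r"\b(net(1)?(\.exe)?\s+stop|sc(\.exe)?\s+stop)\s+(?P<svc>\S+)", re.I)),
]

# key=value or key="quoted value" tokens in one log line.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Parse a key=value log line into a dict (quoted values may contain spaces)."""
    rec = {}
    for m in KV_RE.finditer(line):
        rec[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return rec


def match_rules(cmdline: str) -> list:
    """Return the names of all rules matching one command line."""
    hits = []
    for name, pat in RULES:
        m = pat.search(cmdline)
        if not m:
            continue
        # Service stops are only interesting for backup-related services.
        if name == "backup_service_stop" and m.group("svc").lower() not in BACKUP_SERVICES:
            continue
        hits.append(name)
    return hits


def detect(lines) -> list:
    """Run all rules over log lines; return one alert dict per hit, in log order."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        cmd = rec.get("cmd", "")
        for rule in match_rules(cmd):
            alerts.append({"rule": rule, "ts": rec.get("ts"),
                           "parent": rec.get("parent"), "cmd": cmd})
    return alerts


# Constructed sample log lines (not real telemetry). The first three mimic the
# behaviour described in the write-up; the last two are benign look-alikes.
SAMPLE_LOG = [
    r'ts=2016-04-29T10:00:01Z image=C:\Windows\System32\net.exe cmd="net stop vss /y" parent=C:\Users\alice\AppData\Local\Temp\payload.exe',
    r'ts=2016-04-29T10:00:02Z image=C:\Windows\System32\vssadmin.exe cmd="vssadmin.exe delete shadows /all /quiet" parent=C:\Users\alice\AppData\Local\Temp\payload.exe',
    r'ts=2016-04-29T10:00:03Z image=C:\Windows\System32\wbem\WMIC.exe cmd="wmic shadowcopy delete" parent=C:\Users\alice\AppData\Local\Temp\payload.exe',
    r'ts=2016-04-29T10:05:00Z image=C:\Windows\System32\vssadmin.exe cmd="vssadmin list shadows" parent=C:\Windows\explorer.exe',
    r'ts=2016-04-29T10:06:00Z image=C:\Windows\System32\net.exe cmd="net stop spooler" parent=C:\Windows\System32\cmd.exe',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"[{alert['rule']}] {alert['ts']} parent={alert['parent']} cmd={alert['cmd']!r}")
```

The parent process is carried into each alert on purpose: legitimate backup agents also delete shadow copies, so the parent image (here a payload under the user's Temp directory) is what separates a hit worth paging on from routine maintenance. Note also that the write-up says only that the services are terminated; if that is done through the Service Control Manager API rather than net.exe or sc.exe, no command line is produced, and the corresponding signal is the System event log's Service Control Manager entry (Event ID 7036) recording those services entering the stopped state.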





Analysis by: Marianne Mallen

Last update 29 April 2016
