Ransom:Win32/Wadhrama
First posted on 13 February 2017.
Source: Microsoft
Aliases:
There are no other names known for Ransom:Win32/Wadhrama.
Explanation:
Installation
This ransomware is installed after the user is socially engineered into downloading and running it. It has been detected on machines at around the same time as HackTool:Win32/AutoKMS.
This threat copies itself to the %system% folder and to the Start Menu Startup folder, keeping the file name it originally had.
It then deletes shadow copy backups.
It also creates a Run key entry for itself under the following registry subkey:
- In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<original file name>" (for example, "test6.exe")
With data: "%system%\<original file name>" (for example, "C:\Windows\System32\test6.exe")
Payload
Encrypts your files
This ransomware attempts to encrypt most files (excluding those in directories with names containing Windows or Microsoft) on the C:\ drive and other attached disks. It may also attempt to encrypt files on network shares.
It appends an extension of [makedonskiy@india.com].wallet to the file name of any file that it encrypts.
Asks for ransom
This threat drops a ransom note, a text file containing payment instructions, on the Desktop at:
- %Desktop%\Good morningg.txt
It also drops an HTML Application (HTA) file containing payment instructions at %system%\Info.hta and displays it. A copy of this file is also placed in the Start Menu Startup folder.
Modifies registry entries to persist during start-up
This ransomware also adds the following Run key entry so that the HTA file is shown whenever you start or restart your PC:
- In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "C:\Windows\System32\Info.hta"
With data: mshta.exe "%system%\Info.hta"
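The following PowerShell script is an added example for responders, not part of the Microsoft write-up and not code from the malware. It hunts for the artifacts described in the Installation and persistence sections above: the two shapes of Run key entry, the copies in the Startup folders, the dropped note and Info.hta, files carrying the appended extension, and the state of Volume Shadow Copies. The note name, HTA name and extension are taken from this page; the HKCU and WOW6432Node registry views, the Startup folders checked, and the user-profile sampling root are assumptions made here for illustration.

```powershell
# Added hunting script for the artifacts described on this page. It is not part of
# the Microsoft write-up or the malware. Run it in an elevated PowerShell session on
# the suspect host. Note name, HTA name and extension come from the page; the extra
# registry views, the Startup folders and the sampling root are assumptions.
function Invoke-WadhramaHunt {
    param(
        # Where to sample for encrypted files. The malware targets all drives, but a
        # full-disk sweep is slow, so the default is the current user's profile.
        [string]$SampleRoot = $env:USERPROFILE,
        [int]$MaxSamples = 20
    )
    $Ext   = '[makedonskiy@india.com].wallet'
    $Note  = 'Good morningg.txt'
    $Hta   = 'Info.hta'
    $Sys32 = Join-Path $env:SystemRoot 'System32'
    $Findings = New-Object System.Collections.Generic.List[string]

    # 1. Run keys. The page documents two entry shapes: value name equal to the
    #    original file name with data %system%\<that file>, and value name equal to
    #    the Info.hta path with data mshta.exe "%system%\Info.hta". HKCU and the
    #    WOW6432Node view are checked as well (assumption beyond the page).
    $RunKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $ExeInSys32 = '(?i)^"?' + [regex]::Escape($Sys32 + '\') + '[^\\"]+\.exe"?$'
    $MshtaInfo  = '(?i)mshta(\.exe)?\s+.*' + [regex]::Escape($Hta)
    foreach ($Key in $RunKeys) {
        if (-not (Test-Path $Key)) { continue }
        $Item = Get-Item -Path $Key
        foreach ($Name in $Item.GetValueNames()) {
            $Data = [string]$Item.GetValue($Name)
            # Leaf of the data path, split manually so quotes cannot trip Path APIs.
            $Leaf = ($Data.Trim('"') -split '\\')[-1]
            if ($Data -match $MshtaInfo -or ($Data -match $ExeInSys32 -and $Name -eq $Leaf)) {
                $Findings.Add("Run key persistence: $Key\$Name = $Data")
            }
        }
    }

    # 2. Startup folders: the malware copies its own executable and Info.hta there.
    foreach ($Folder in 'CommonStartup', 'Startup') {
        $Dir = [Environment]::GetFolderPath($Folder)
        if (-not $Dir -or -not (Test-Path -LiteralPath $Dir)) { continue }
        Get-ChildItem -LiteralPath $Dir -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -eq $Hta -or $_.Extension -eq '.exe' } |
            ForEach-Object { $Findings.Add("Startup folder item: $($_.FullName)") }
    }

    # 3. Dropped note and HTA. -LiteralPath is used throughout because the '[' and ']'
    #    in the extension would otherwise be parsed as wildcard characters.
    foreach ($Path in (Join-Path ([Environment]::GetFolderPath('Desktop')) $Note),
                      (Join-Path $Sys32 $Hta)) {
        if (Test-Path -LiteralPath $Path) { $Findings.Add("Dropped file: $Path") }
    }

    # 4. Encrypted files: sample up to $MaxSamples files carrying the appended extension.
    $Encrypted = Get-ChildItem -LiteralPath $SampleRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name.EndsWith($Ext, [StringComparison]::OrdinalIgnoreCase) } |
        Select-Object -First $MaxSamples
    foreach ($f in $Encrypted) { $Findings.Add("Encrypted file: $($f.FullName)") }

    # 5. Shadow copies: the malware deletes them, so a count of zero is consistent with
    #    (not proof of) infection; a host that never had any will also report zero.
    $Shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    $Findings.Add("Volume shadow copies present: $($Shadows.Count)")

    return $Findings
}

Invoke-WadhramaHunt | ForEach-Object { Write-Output $_ }
```

The Run key check deliberately keys on the relationship the page describes (value name identical to the leaf of a System32 executable path) rather than on the example name test6.exe, since the malware keeps whatever file name it was delivered under; treat any hit as a lead to pivot from, not as a verdict on its own.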
Analysis by David Wood. Last update: 13 February 2017