Ransom:Win32/Sorikrypt.A
First posted on 17 June 2017.
Source: Microsoft
Aliases:
There are no other names known for Ransom:Win32/Sorikrypt.A.
Explanation:
Arrival and installation
This ransomware is generated by attackers using a free ransomware construction kit called Xorcist. The kit lets an attacker build fully customized ransomware: which files to target, the file name extension appended to encrypted files, the ransom note message and file name, and the unlock password.
Based on the sample analyzed (SHA1: 503fcaa5a63abf3bda11b40a10903d7261133484), when executed, this ransomware creates a copy of itself in the %TEMP% folder using a random file name. It then creates the following autostart entry in the registry so that the copy runs at every logon:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Alcmeter"
With data: "%TEMP%\"
It may also create additional registry keys that register the encrypted-file extension as a Windows file type (ProgID QVHXQDQKOFLBYBV, described as "CRYPTED!") with its own icon and open command, for example:
In subkey: HKEY_CLASSES_ROOT\.bs7912
Sets value: "(Default)"
With data: "QVHXQDQKOFLBYBV"
In subkey: HKEY_CLASSES_ROOT\QVHXQDQKOFLBYBV
Sets value: "(Default)"
With data: "CRYPTED!"
In subkey: HKEY_CLASSES_ROOT\QVHXQDQKOFLBYBV\DefaultIcon
Sets value: "(Default)"
With data: ",0"
In subkey: HKEY_CLASSES_ROOT\QVHXQDQKOFLBYBV\shell\open\command
Sets value: "(Default)"
With data: ""
Payload
Encrypts files
This ransomware can encrypt files. Based on the sample analyzed, it encrypts files with certain file name extensions, for example:
- .txt
- .html
- .bmp
- .pif
- .jpg
- .wav
- .wma
- .lnk
It appends the following string to the file name of encrypted files:
- .bs7912
It can also create the following file, which carries the ransom note:
- HOW TO DECRYPT FILES.txt
It can also display a ransom note as an image that is stored as a resource in the executable and is extracted and displayed during execution.
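The registry and file-system indicators above lend themselves to a short hunting script. The following Python is an added example, not Microsoft's or the page's code: the value name, key paths, extension and ransom note name are taken from this page, while the helper names, the constructed sample directory and the heuristic of flagging any Run value that autostarts from %TEMP% are this example's own assumptions. The live registry lookup uses the standard winreg module and only runs on Windows; elsewhere it returns empty results so the script still runs offline.

```python
"""Hunt for the Ransom:Win32/Sorikrypt.A indicators listed on this page.

Added example, not Microsoft's or the page's code. Indicator values come from
the page; helper names, sample data and heuristics are this example's own.
"""
import sys
import tempfile
from pathlib import Path

# Indicators taken from the page.
ENCRYPTED_EXT = ".bs7912"
RANSOM_NOTE_NAME = "HOW TO DECRYPT FILES.txt"
RUN_VALUE_NAME = "Alcmeter"
RUN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"
PROGID = "QVHXQDQKOFLBYBV"


def is_suspicious_run_value(name: str, data: str) -> bool:
    """True if an HKLM\\...\\Run value matches the Sorikrypt pattern.

    The page gives the value name 'Alcmeter' and data under %TEMP%. Flagging
    *any* Run value that autostarts a program from %TEMP% is this example's
    own heuristic (assumption), not something the page states.
    """
    data = data.strip().strip('"')
    return name == RUN_VALUE_NAME or data.upper().startswith("%TEMP%\\")


def scan_tree(root: Path) -> dict:
    """Walk `root` and collect the file-system indicators from the page."""
    findings = {"encrypted": [], "notes": [], "original_exts": set()}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name == RANSOM_NOTE_NAME:
            findings["notes"].append(path)
        elif path.suffix == ENCRYPTED_EXT:
            findings["encrypted"].append(path)
            # 'report.txt.bs7912' -> the original extension is '.txt'
            inner = Path(path.stem).suffix
            if inner:
                findings["original_exts"].add(inner.lower())
    return findings


def live_registry_hits() -> dict:
    """On Windows, query the real registry for the two key groups the page lists:
    the HKLM Run autostart value and the HKCR registration of the .bs7912 type.
    Elsewhere returns empty results so the example still runs offline."""
    hits = {"run_values": [], "progid": None}
    if sys.platform != "win32":
        return hits
    import winreg  # standard library on Windows only
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY_PATH) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # raised when no more values remain
                break
            if isinstance(data, str) and is_suspicious_run_value(name, data):
                hits["run_values"].append((name, data))
            i += 1
    try:
        # Default value of HKCR\.bs7912 names the ProgID (PROGID on this page).
        hits["progid"] = winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, ENCRYPTED_EXT)
    except OSError:
        pass  # extension not registered: no file-type indicator present
    return hits


def build_sample_tree(root: Path) -> None:
    """Constructed sample data (assumption): two 'encrypted' files, one
    untouched file and a ransom note, shaped like the page describes."""
    (root / "docs").mkdir(parents=True)
    (root / "docs" / "report.txt.bs7912").write_bytes(b"\x00" * 16)
    (root / "docs" / "photo.jpg.bs7912").write_bytes(b"\x00" * 16)
    (root / "docs" / "index.html").write_text("<html></html>")
    (root / "docs" / RANSOM_NOTE_NAME).write_text("constructed note text")


def demo() -> dict:
    """Run the scanner over the constructed tree and summarize the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        f = scan_tree(root)
        return {
            "encrypted_count": len(f["encrypted"]),
            "note_found": len(f["notes"]) == 1,
            "original_exts": sorted(f["original_exts"]),
        }


if __name__ == "__main__":
    print("File-system findings:", demo())
    print("Registry findings:", live_registry_hits())
```

Point scan_tree at a user profile or file share to triage an infected host; the recovered original extensions tell you which of the kit's target types were actually hit, and a Run value name of "Alcmeter" or a ProgID of QVHXQDQKOFLBYBV under HKCR\.bs7912 confirms the sample described here rather than another Xorcist build.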
Analysis by Steven Zhou
Last update 17 June 2017