
Ransom:Win32/Tibbar.A


First posted on 25 October 2017.
Source: Microsoft

Aliases :

There are no other names known for Ransom:Win32/Tibbar.A.

Explanation :

Installation

This threat can arrive when visiting compromised websites or if you click a fake Adobe Flash Update:



When clicked, this file (we have seen SHA1:de5c8d858e6e41da715dca1c019df0bfb92d32c0) drops the file infpub.dat (SHA1: 79116fe99f2b421c52ef64097f0f39b815b20907) into the %SystemRoot% folder and runs it as "rundll32.exe %SystemRoot%\infpub.dat,#1 15".

It then drops the file cscc.dat in %windows%. This file is a driver for an open-source encryption solution, DiskCryptor. It then writes "cscc" into the registry:

  • Write "cscc" to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}\LowerFilters
  • Write "cscc" to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\UpperFilters
  • Write "cscc" to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CrashControl\DumpFilters


It also drops a malicious version of the DiskCryptor program (dispci.exe, we have seen SHA1: afeee8b4acff87bc469a6f0364a81ae5d60a2add) into %SystemRoot%.

The infpub.dat file starts the encryption with the following commands by using cmd.exe:
  • cmd.exe schtasks /Delete /F /TN rhaegal
  • cmd.exe schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1082924949 && exit"
  • cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:14:00
  • cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
  • cmd.exe /c schtasks /Delete /F /TN drogon


As part of the process, it creates a number of scheduled tasks to run the encryption program at every Windows start, reboot the computer, delete or modify the history of file changes, and then delete the scheduled tasks.
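The installation steps above leave three host-level traces a responder can hunt for: the rundll32 launch of infpub.dat, the rhaegal/drogon scheduled tasks with their wevtutil/fsutil anti-forensics, and the "cscc" filter-driver registry entries. The script below is an added example (not part of the original write-up or any Microsoft tooling) that runs simple detection rules over constructed process-creation command lines and a constructed registry snapshot modelled on the values listed here.

```python
import re

# Constructed sample process-creation command lines; not real telemetry.
# They mirror the commands quoted in the write-up, plus one benign control.
SAMPLE_EVENTS = [
    r'rundll32.exe C:\Windows\infpub.dat,#1 15',
    r'cmd.exe schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1082924949 && exit"',
    r'cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:14:00',
    r'cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:',
    r'cmd.exe /c schtasks /Delete /F /TN drogon',
    r'notepad.exe C:\Users\alice\notes.txt',  # benign control, must not fire
]

# Detection rules: (name, regex over the command line). Each pattern is
# derived from one behaviour listed in the write-up.
RULES = [
    ("rundll32_infpub", re.compile(r"rundll32(\.exe)?\s+.*infpub\.dat,#1", re.I)),
    ("schtask_rhaegal_or_drogon", re.compile(r"schtasks\s+/(Create|Delete)\b.*\s/TN\s+(rhaegal|drogon)\b", re.I)),
    ("dispci_task_action", re.compile(r"dispci\.exe.*\s-id\s+\d+", re.I)),
    ("eventlog_clear", re.compile(r"wevtutil\s+cl\s+(Setup|System|Security|Application)", re.I)),
    ("usn_journal_delete", re.compile(r"fsutil\s+usn\s+deletejournal", re.I)),
]

# Constructed snapshot of the three multi-string registry values named in the
# write-up (path -> list of filter names). A legitimate DiskCryptor install
# also registers "cscc", so treat a hit as a lead to confirm against the
# sample hashes, not as proof on its own.
SAMPLE_REGISTRY = {
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}\LowerFilters": ["cscc"],
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\UpperFilters": ["cscc"],
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CrashControl\DumpFilters": ["constructed_other.sys", "cscc"],
}

def match_rules(cmdline):
    """Return the names of all rules that fire on one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan(events):
    """Map each suspicious command line to the rules it triggered."""
    return {ev: names for ev in events if (names := match_rules(ev))}

def cscc_filter_paths(registry):
    """Registry value paths whose filter list contains 'cscc'."""
    return [p for p, vals in registry.items() if any(v.lower() == "cscc" for v in vals)]

if __name__ == "__main__":
    for ev, names in scan(SAMPLE_EVENTS).items():
        print(names, "<-", ev)
    print("cscc filter hits:", cscc_filter_paths(SAMPLE_REGISTRY))
```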

Payload

Encrypts files

This ransomware starts encrypting user content and then overwrites the Master Boot Record (MBR).

It searches each drive and encrypts files with the following extensions:

.3ds, .7z, .accdb, .ai, .asm, .asp, .aspx, .avhd, .back, .bak, .bmp, .brw, .c, .cab, .cc, .cer, .cfg, .conf, .cpp, .crt, .cs, .ctl, .cxx, .dbf, .der, .dib, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .hpp, .hxx, .iso, .java, .jfif, .jpe, .jpeg, .jpg, .js, .kdbx, .key, .mail, .mdb, .msg, .nrg, .odc, .odf, .odg, .odi, .odm, .odp, .ods, .odt, .ora, .ost, .ova, .ovf, .p12, .p7b, .p7c, .pdf, .pem, .pfx, .php, .pmf, .png, .ppt, .pptx, .ps1, .pst, .pvi, .py, .pyc, .pyw, .qcow, .qcow2, .rar, .rb, .rtf, .scm, .sln, .sql, .tar, .tib, .tif, .tiff, .vb, .vbox, .vbs, .vcb, .vdi, .vfd, .vhd, .vhdx, .vmc, .vmdk, .vmsd, .vmtm, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xml, .xvd, .zip

Demands payment


After a forced reboot, you are locked out of your PC and coerced into purchasing a key to regain access. This message appears on your PC and you can't log in to Windows:

The message says:

Oops! Your files have been encrypted.

If you see this text, your files are no longer accessible.
You might have been looking for a way to recover your files.
Don't waste your time. No one will be able to recover them without our decryption service.

We guarantee that you can recover all your files safely. All you need to do is submit the payment and get the decryption password.

Visit our web service at

Your personal installation key#:

If you have already got the password, please enter it below.

Password#


Going to the provided .onion address provides a screen similar to the following:



Attempts to spread through the network

The ransomware tries to connect to the network, so it can infect files on other computers. It uses a hardcoded set of usernames and passwords to try to brute force into the network:

Usernames:
  • Admin
  • Administrator
  • alex
  • asus
  • backup
  • boss
  • buh
  • ftp
  • ftpadmin
  • ftpuser
  • Guest
  • manager
  • nas
  • nasadmin
  • nasuser
  • netguest
  • operator
  • other user
  • rdp
  • rdpadmin
  • rdpuser
  • root
  • superuser
  • support
  • Test
  • User
  • User1
  • user-1
  • work


Passwords:
  • 111111
  • 123
  • 123321
  • 1234
  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 1234567890
  • 321
  • 55555
  • 777
  • 77777
  • Admin
  • Admin123
  • admin123Test123
  • Administrator
  • administrator
  • Administrator123
  • administrator123
  • adminTest
  • god
  • Guest
  • guest
  • Guest123
  • guest123
  • love
  • password
  • qwe
  • qwe123
  • qwe321
  • qwer
  • qwert
  • qwerty
  • qwerty123
  • root
  • secret
  • sex
  • test
  • test123
  • uiop
  • User
  • user
  • User123
  • user123
  • zxc
  • zxc123
  • zxc321
  • zxcv


Additional information

We used the following samples in our analysis:
  • 79116fe99f2b421c52ef64097f0f39b815b20907
  • afeee8b4acff87bc469a6f0364a81ae5d60a2add
  • de5c8d858e6e41da715dca1c019df0bfb92d32c0

Last update 25 October 2017
