Ransom:Win32/Tibbar.A
First posted on 25 October 2017.
Source: Microsoft
Aliases:
There are no other names known for Ransom:Win32/Tibbar.A.
Explanation:
Installation
This threat arrives from compromised websites that prompt the visitor to install a fake Adobe Flash update.
When the fake update is run, the downloaded file (we have seen SHA1: de5c8d858e6e41da715dca1c019df0bfb92d32c0) drops infpub.dat (SHA1: 79116fe99f2b421c52ef64097f0f39b815b20907) into the %SystemRoot% folder and runs it as "rundll32.exe %SystemRoot%\infpub.dat,#1 15".
It then drops cscc.dat, also into %SystemRoot%. This file is the kernel driver of DiskCryptor, an open-source disk encryption tool. To get the driver loaded, the malware registers "cscc" as a filter driver in the registry:
- Write "cscc" to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}\LowerFilters
- Write "cscc" to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\UpperFilters
- Write "cscc" to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CrashControl\DumpFilters
It also drops a malicious version of the DiskCryptor program (dispci.exe, we have seen SHA1: afeee8b4acff87bc469a6f0364a81ae5d60a2add) into %SystemRoot%.
infpub.dat then runs the following commands through cmd.exe to set up the encryption and to cover its tracks:
- cmd.exe schtasks /Delete /F /TN rhaegal
- cmd.exe schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1082924949 && exit"
- cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:14:00
- cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
- cmd.exe /c schtasks /Delete /F /TN drogon
The scheduled task rhaegal runs the encryption program (dispci.exe) at every Windows start, and the task drogon forces a reboot at a set time. The wevtutil commands clear the Setup, System, Security and Application event logs, and fsutil deletes the NTFS USN change journal on C:, which removes the record of which files were changed. The schtasks /Delete commands remove any task of the same name before a fresh one is created and clean up the tasks afterwards.
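The artifacts described in this section are all checkable from the host itself. The following PowerShell script is an added example written for this page, not code from Microsoft's write-up: it looks for the dropped files and compares them against the SHA1s reported above, checks the three registry filter values for "cscc", lists the rhaegal and drogon tasks if present, and looks for the Security log entry that the log clearing itself leaves behind. The function and variable names are ours; the paths, hashes, value names and task names are the ones on the page. Checking CurrentControlSet in addition to ControlSet001 is our addition, since that is the control set the running system actually uses.

```powershell
# Added example (not from the Microsoft write-up): triage a host for the Tibbar.A artifacts
# listed above. Run in an elevated PowerShell session on the host being checked.

$SystemRoot = $env:SystemRoot

# Dropped files and the SHA1s reported in the write-up (no hash is given for cscc.dat).
$KnownFiles = @{
    'infpub.dat' = '79116fe99f2b421c52ef64097f0f39b815b20907'
    'dispci.exe' = 'afeee8b4acff87bc469a6f0364a81ae5d60a2add'
    'cscc.dat'   = $null
}

# REG_MULTI_SZ filter lists into which the dropper writes "cscc". The page names ControlSet001;
# CurrentControlSet is checked too (our addition) because that is what the running system uses.
$FilterValues = @(
    @{ SubKey = 'Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}'; Name = 'LowerFilters' }  # volume class
    @{ SubKey = 'Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}'; Name = 'UpperFilters' }  # CD-ROM class
    @{ SubKey = 'Control\CrashControl';                                  Name = 'DumpFilters'  }
)

function Get-TibbarArtifacts {
    $findings = @()

    # 1. Dropped files, verified against the reported hashes where the page gives one.
    foreach ($name in $KnownFiles.Keys) {
        $path = Join-Path $SystemRoot $name
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $sha1  = (Get-FileHash -LiteralPath $path -Algorithm SHA1).Hash.ToLower()
        $known = if ($KnownFiles[$name]) { $sha1 -eq $KnownFiles[$name] } else { 'no reference hash' }
        $findings += [pscustomobject]@{ Type = 'File'; Item = $path; Detail = "sha1=$sha1 matches_reported=$known" }
    }

    # 2. "cscc" in the filter-driver values (how the DiskCryptor driver gets loaded).
    foreach ($cs in 'ControlSet001', 'CurrentControlSet') {
        foreach ($fv in $FilterValues) {
            $key = "HKLM:\SYSTEM\$cs\$($fv.SubKey)"
            $val = (Get-ItemProperty -Path $key -Name $fv.Name -ErrorAction SilentlyContinue).($fv.Name)
            if ($val -and ($val -contains 'cscc')) {
                $findings += [pscustomobject]@{ Type = 'Registry'; Item = "$key\$($fv.Name)"; Detail = 'value=' + ($val -join ',') }
            }
        }
    }

    # 3. Scheduled tasks. rhaegal (run dispci.exe at start) is what persists; drogon (forced reboot)
    #    is deleted by the malware itself, so its absence proves nothing.
    foreach ($t in Get-ScheduledTask -TaskName 'rhaegal', 'drogon' -ErrorAction SilentlyContinue) {
        $action = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings += [pscustomobject]@{ Type = 'ScheduledTask'; Item = $t.TaskName; Detail = "state=$($t.State) action=$action" }
    }

    # 4. Clearing the Security log writes event 1102 (audit log cleared) into the freshly emptied log,
    #    so the wipe is visible even though everything before it is gone.
    foreach ($e in Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -MaxEvents 5 -ErrorAction SilentlyContinue) {
        $findings += [pscustomobject]@{ Type = 'EventLog'; Item = 'Security/1102'; Detail = "log cleared at $($e.TimeCreated)" }
    }

    return $findings
}

$results = Get-TibbarArtifacts
if (-not $results) { 'No Tibbar.A artifacts found.' } else { $results | Format-Table -AutoSize -Wrap }
```

A hash mismatch on infpub.dat or dispci.exe does not clear the host: the hashes above are the samples Microsoft analysed, and other builds exist, so treat the presence of any of these files in %SystemRoot% as a finding in its own right.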
Payload
Encrypts files
This ransomware first encrypts user content and then overwrites the Master Boot Record (MBR).
It searches each drive and encrypts files with the following extensions:
.3ds, .7z, .accdb, .ai, .asm, .asp, .aspx, .avhd, .back, .bak, .bmp, .brw, .c, .cab, .cc, .cer, .cfg, .conf, .cpp, .crt, .cs, .ctl, .cxx, .dbf, .der, .dib, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .hpp, .hxx, .iso, .java, .jfif, .jpe, .jpeg, .jpg, .js, .kdbx, .key, .mail, .mdb, .msg, .nrg, .odc, .odf, .odg, .odi, .odm, .odp, .ods, .odt, .ora, .ost, .ova, .ovf, .p12, .p7b, .p7c, .pdf, .pem, .pfx, .php, .pmf, .png, .ppt, .pptx, .ps1, .pst, .pvi, .py, .pyc, .pyw, .qcow, .qcow2, .rar, .rb, .rtf, .scm, .sln, .sql, .tar, .tib, .tif, .tiff, .vb, .vbox, .vbs, .vcb, .vdi, .vfd, .vhd, .vhdx, .vmc, .vmdk, .vmsd, .vmtm, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xml, .xvd, .zip
Demands payment
After a forced reboot, you are locked out of your PC and coerced into purchasing a key to regain access. This message appears on your PC and you can't log in to Windows:
The message says:
Oops! Your files have been encrypted.
If you see this text, your files are no longer accessible.
You might have been looking for a way to recover your files.
Don't waste your time. No one will be able to recover them without our
decryption service.
We guarantee that you can recover all your files safely. All you
need to do is submit the payment and get the decryption password.
Visit our web service at
Your personal installation key#:
If you have already got the password, please enter it below.
Password#
Visiting the provided .onion address shows the attackers' payment page.
Attempts to spread through the network
The ransomware tries to reach other computers on the network so it can infect them as well. It attempts to log on to them with the following hardcoded list of usernames and passwords, trying each combination in turn:
Usernames:
- Admin
- Administrator
- alex
- asus
- backup
- boss
- buh
- ftp
- ftpadmin
- ftpuser
- Guest
- manager
- nas
- nasadmin
- nasuser
- netguest
- operator
- other user
- rdp
- rdpadmin
- rdpuser
- root
- superuser
- support
- Test
- User
- User1
- user-1
- work
Passwords:
- 111111
- 123
- 123321
- 1234
- 12345
- 123456
- 1234567
- 12345678
- 123456789
- 1234567890
- 321
- 55555
- 777
- 77777
- Admin
- Admin123
- admin123Test123
- Administrator
- administrator
- Administrator123
- administrator123
- adminTest
- god
- Guest
- guest
- Guest123
- guest123
- love
- password
- qwe
- qwe123
- qwe321
- qwer
- qwert
- qwerty
- qwerty123
- root
- secret
- sex
- test
- test123
- uiop
- User
- user
- User123
- user123
- zxc
- zxc123
- zxc321
- zxcv
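Because the malware clears the Security log on the machine it runs on, the logon attempts above are best looked for on the machines it tried to reach, or on a central log collector. The following PowerShell function is an added example for this page, not code from the write-up: it reads failed logons (Security event 4625) from the local log, keeps those whose target account is one of the usernames listed above, and groups them by source address so that a single source cycling through several of these accounts stands out. The username list is copied from the page; the function name, the 24-hour window and the threshold of three distinct accounts are our choices.

```powershell
# Added example (not from the Microsoft write-up): find hosts that tried the Tibbar.A credential
# list against this machine. Run elevated on a suspected target or on a log collector.

# Usernames from the write-up's hardcoded list.
$TibbarUsernames = @('Admin','Administrator','alex','asus','backup','boss','buh','ftp','ftpadmin','ftpuser',
    'Guest','manager','nas','nasadmin','nasuser','netguest','operator','other user','rdp','rdpadmin',
    'rdpuser','root','superuser','support','Test','User','User1','user-1','work')

function Get-TibbarLogonAttempts {
    param(
        [int]$Hours = 24,            # look-back window (our choice)
        [int]$MinDistinctUsers = 3   # sources that tried at least this many listed accounts are flagged (our choice)
    )

    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML rather than relying on property positions.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # -contains is case-insensitive, which matches how Windows treats account names.
        if ($TibbarUsernames -contains $d['TargetUserName']) {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                User      = $d['TargetUserName']
                Source    = $d['IpAddress']
                Wks       = $d['WorkstationName']
                LogonType = $d['LogonType']   # 3 = network logon, which is what access to shares produces
            }
        }
    }

    $rows | Group-Object Source | ForEach-Object {
        $sorted   = $_.Group | Sort-Object Time
        $distinct = @($_.Group.User | Sort-Object -Unique).Count
        [pscustomobject]@{
            Source        = $_.Name
            Attempts      = $_.Count
            DistinctUsers = $distinct
            Suspicious    = $distinct -ge $MinDistinctUsers
            FirstSeen     = $sorted[0].Time
            LastSeen      = $sorted[-1].Time
            Users         = ($_.Group.User | Sort-Object -Unique) -join ','
        }
    } | Sort-Object DistinctUsers -Descending
}

Get-TibbarLogonAttempts | Format-Table -AutoSize -Wrap
```

Accounts such as Administrator, Guest and User also appear in ordinary mistyped logons, so the grouping by source is what carries the signal: one address failing against several of these accounts within minutes is the pattern to chase, and the Source column then points at the infected machine.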
Additional information
We used the following samples in our analysis:
- 79116fe99f2b421c52ef64097f0f39b815b20907
- afeee8b4acff87bc469a6f0364a81ae5d60a2add
- de5c8d858e6e41da715dca1c019df0bfb92d32c0
Last update 25 October 2017