Ransom:Win32/Wagcrypt.A
First posted on 30 January 2017.
Source: Microsoft
Aliases:
There are no other names known for Ransom:Win32/Wagcrypt.A.
Explanation:
Installation
This ransomware is installed by an attacker who has obtained a legitimate account without its owner's knowledge: the stolen credentials are used to copy the threat onto the PC and run it remotely.
When run, it drops a ransom note on the desktop as %desktop%\zXz.html.
It also copies itself to C:\services.exe (note the location: the legitimate services.exe lives in %SystemRoot%\System32) and runs reg.exe to add a Load value under the HKCU Windows key, so that the copy is started every time that user logs on:
- reg ADD HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ /f /v Load /t REG_SZ /d "C:\services.exe"
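The following hunt and clean-up script is an added example and is not part of Microsoft's write-up. It checks a single host for the three installation artefacts described above (the Load value, the dropped C:\services.exe and the desktop note); the output shape, the process filter and the function names are my own. Run it in the context of the affected user, because the persistence lives under HKCU.

```powershell
# Added hunt/clean-up script, not part of Microsoft's write-up. Paths and the registry
# value name come from the page; everything else is my own choice.

$KeyPath  = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$DropPath = 'C:\services.exe'   # the dropped copy; the real services.exe is %SystemRoot%\System32\services.exe
$NotePath = Join-Path ([Environment]::GetFolderPath('Desktop')) 'zXz.html'

function Get-WagcryptIndicators {
    $found = @()

    # 1. Persistence. The Load value under this key is executed at logon and is
    #    normally absent, so any value here deserves a look.
    $load = (Get-ItemProperty -Path $KeyPath -Name Load -ErrorAction SilentlyContinue).Load
    if ($load) {
        $found += [pscustomobject]@{ Indicator = 'Registry Load value'; Detail = "$KeyPath\Load = $load" }
    }

    # 2. Dropped copy. services.exe in the root of C:\ is suspicious by location alone.
    if (Test-Path -LiteralPath $DropPath) {
        $hash = (Get-FileHash -LiteralPath $DropPath -Algorithm SHA256).Hash
        $found += [pscustomobject]@{ Indicator = 'Dropped binary'; Detail = "$DropPath SHA256=$hash" }
    }

    # 3. Ransom note on the current user's desktop.
    if (Test-Path -LiteralPath $NotePath) {
        $found += [pscustomobject]@{ Indicator = 'Ransom note'; Detail = $NotePath }
    }
    return $found
}

function Remove-WagcryptPersistence {
    # Terminate only the copy running from C:\. Never touch the real services.exe in
    # System32, which is a critical system process; the Path filter excludes it.
    Get-Process -Name services -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -eq $DropPath } |
        Stop-Process -Force

    # Remove just the Load value; the parent key is legitimate and must stay.
    if ((Get-ItemProperty -Path $KeyPath -Name Load -ErrorAction SilentlyContinue).Load) {
        Remove-ItemProperty -Path $KeyPath -Name Load
    }
    if (Test-Path -LiteralPath $DropPath) { Remove-Item -LiteralPath $DropPath -Force }
}

$hits = Get-WagcryptIndicators
if ($hits) { $hits | Format-Table -AutoSize } else { 'No Wagcrypt.A installation indicators found.' }
```

Get-WagcryptIndicators only reports; call Remove-WagcryptPersistence separately once the hash has been recorded for the case file. On a shared machine, repeat the registry check for each loaded hive under HKEY_USERS, since the Load value is per user.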
Payload
This threat also creates a thread that enumerates drives C: through Z: of type FIXED, RAMDISK, REMOTE, REMOVABLE or UNKNOWN (the Win32 GetDriveType classes; in practice every drive except CD-ROM), so mapped network shares and USB media are encrypted as well.
Encrypts your files
It also encrypts files with the following extensions:
.3gp .7z .accdb .ace .ai .ashx .asmx .asp .aspx .bad .bak .bat .bdp .bdr .bkf .bmp .c .cfg .cmd .cmsc .cpp .cs .csv .dat .db .dbf .doc .docx .dwg .dxf .edb .edx .efp .eml .epf .ese .exe .flv .fmb .gz .img .ipdb .iso .issue .jar .java .jpg .kdbx .kmz .ldf .lic .log .max .mdb .mdf .me .mkv .mpp .mtb .olb .ost .pdf .png .pps .ppsx .ppt .pptx .psc .psd .pst .rar .rdp .resx .rmvb .rtf .sdb .sln .soap .sql .stm .svc .swf .tar .txt .vdw .vdx .vmdk .vsd .war .webm .xls .xlsm .xlsx .xlt .zip
Stops processes or services from running
This ransomware also tries to stop the following services, so that the database, mailbox and log files they hold open are released and can be encrypted (the list mixes service names with display names, and MSSQL$CONTOSO1 is an instance-specific name):
- Microsoft Exchange Information Store
- MSSQL$CONTOSO1
- MSSQLSERVER
- MSSQL$SQLEXPRESS
- OracleASMService+ASM
- OracleCSService
- OracleOraDb10g_home1TNSListener
- OracleServiceORCL
- Outlook
- SQLServerAgent
- SQLWriter
- Task Manager
- WindowsUserManager
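The script below is an added example and is not part of Microsoft's write-up. It takes the service list above as given, reports which of those services exist on the host and their current state, and then looks in the System log for Service Control Manager event 7036 ("The X service entered the stopped state") to find bursts of stops among them, which is what this behaviour produces immediately before encryption. The lookback, window and threshold defaults and the function names are my own.

```powershell
# Added example, not part of Microsoft's write-up. The service list is copied from the
# page; window and threshold defaults are my own.

$TargetServices = @(
    'Microsoft Exchange Information Store',
    'MSSQL$CONTOSO1',      # instance-specific name from the write-up; add your own instances
    'MSSQLSERVER',
    'MSSQL$SQLEXPRESS',
    'OracleASMService+ASM',
    'OracleCSService',
    'OracleOraDb10g_home1TNSListener',
    'OracleServiceORCL',
    'Outlook',
    'SQLServerAgent',
    'SQLWriter',
    'Task Manager',
    'WindowsUserManager'
)

function Get-TargetServiceState {
    # The list mixes service names and display names, so match on both.
    Get-Service | Where-Object {
        $TargetServices -contains $_.Name -or $TargetServices -contains $_.DisplayName
    } | Select-Object Name, DisplayName, Status
}

function Get-ServiceStopBursts {
    param([int]$LookbackHours = 24, [int]$WindowMinutes = 5, [int]$Threshold = 3)

    # Event 7036 records the display name, so resolve the targets present on this
    # host to their display names and match on those as well as the raw list.
    $names = @($TargetServices) + @((Get-TargetServiceState).DisplayName)

    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7036
        StartTime    = (Get-Date).AddHours(-$LookbackHours)
    }
    # 7036 carries the display name as param1 and the new state as param2.
    # The state string is localised; 'stopped' is the English value.
    $stops = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Properties[1].Value -eq 'stopped' -and
            $names -contains $_.Properties[0].Value
        } | Sort-Object TimeCreated)

    # Sliding window: report any run of at least $Threshold target-service stops
    # within $WindowMinutes, then skip past that run so it is reported once.
    $bursts = @()
    $i = 0
    while ($i -lt $stops.Count) {
        $end   = $stops[$i].TimeCreated.AddMinutes($WindowMinutes)
        $group = @($stops[$i..($stops.Count - 1)] | Where-Object { $_.TimeCreated -le $end })
        if ($group.Count -ge $Threshold) {
            $bursts += [pscustomobject]@{
                Start    = $stops[$i].TimeCreated
                Stops    = $group.Count
                Services = (($group | ForEach-Object { $_.Properties[0].Value }) | Select-Object -Unique) -join ', '
            }
            $i += $group.Count
        } else {
            $i++
        }
    }
    return $bursts
}

'Target services present on this host:'
Get-TargetServiceState | Format-Table -AutoSize
'Stop bursts in the last 24 hours:'
Get-ServiceStopBursts | Format-Table -AutoSize
```

Three stops of database or mail services inside five minutes is rare outside a maintenance window, so the burst check is a reasonable alert condition on a server; on a workstation, where most of these services are absent, the first function alone tells you whether the list is even relevant to the host.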
Analysis by Jireh Sanico
Last update: 30 January 2017