Home / malware Ransom:PowerShell/Abpodul.A
First posted on 11 January 2018.
Source: MicrosoftAliases :
There are no other names known for Ransom:PowerShell/Abpodul.A.
Explanation :
Installation
This ransomware usually arrives as an attachment file from an email spam.
Upon execution, it shows the following message:
Payload
Encrypts files in your PC
This threat encrypts files with the following extensions: 1 bak dch groups mkv ots rat tbk 2 bank dcr gry mlb ott raw tex 3 bat dcs gz mml p12 rb tga 4 bay ddd hbk mmw p7b rdb tgz 5 bdb ddoc hdd mny p7c re4 thm 6 bgt ddrw hpp moneywell pab rm tif 7 bik dds html mos pages rtf tiff 8 bin der hwp mov PAQ RTF tlg 9 bkp des ibank mp3 pas rvt txt 10 blend design ibd mp4 pat rw2 uop 11 bmp dgc ibz mpeg pcd rwl uot 123 bpw dif idx mpg pct rwz upk 602 brd dip iif mrw pdb s3db vb 1cd bsa dit iiq ms11 pdd safe vbox 3dm cdf djv incpas msg pdf sas7bdat vbs 3ds cdr djvu indd myd pef sav vdi 3fr cdr3 dng iwi MYD pem save vhd 3g2 cdr4 doc jar MYI pfx say vhdx 3gp cdr5 DOC java n64 php sch vmdk 3pr cdr6 docb jnt nd pif sd0 vmsd 7z cdrw docm jpe ndd pl sda vmx 7zip cdx docx jpeg ndf plc sdf vmxf aac ce1 dot jpg nef plus_muhd sh vob ab4 ce2 DOT js NEF png sldm wab accdb cer dotm kc2 nk2 pot sldx wad accde cfg dotx kdbx nop potm slk wallet accdr cgm drf kdc nrw potx sql wav accdt cib drw key ns2 ppam sqlite wb2 ach class dtd kpdx ns3 pps sqlite3 wk1 acr cls dwg kwm ns4 ppsm SQLITE3 wks act cmd dxb laccdb nsd ppsx sqlitedb wma adb cmt dxf lay nsf ppt SQLITEDB wmv adp config dxg lay6 nsg PPT sr2 wpd ads contact edb lbf nsh pptm srf wps aes cpi eml ldf nvram pptx srt x11 agdl cpp eps lit nwb prf srw x3f ai cr2 erbsql litemod nx2 ps st4 xis aiff craw erf litesql nxl psafe3 st5 xla ait crt exf log nyf psd st6 xlam al crw fdb ltx oab pspimage st7 xlc aoi cs ffd lua obj pst st8 xlk apj csh fff m2ts odb ptx stc xlm apk csl fh m3u odc pwm std xlr ARC csr fhd m4a odf py sti xls arw css fla m4p odg qba stm XLS asc csv flac m4u odm qbb stw xlsb asf CSV flf m4v odp qbm stx xlsm asm d3dbsp flv mapimail ods qbr svg xlsx asp dac flvv max odt qbw swf xlt aspx das forge mbx ogg qbx sxc xltm asset dat fpx md oil qby sxd xltx asx db frm mdb onetoc2 qcow sxg xlw avi db_journal fxg mdc orf qcow2 sxi xml awg db3 gif mdf ost qed sxm ycbcra back dbf gpg mef otg r3d sxw yuv backup dbx gray mfw oth raf tar zip backupdb dc2 grey mid otp rar tar.bz2
Drops a ransom note
This threat drops the following ransom note file, _README-Encrypted-Files.html:
Connects to a remote host
This threat can connect to the following site as its C2 server:
- hXXp://joelosteel.gdn/pi.php
Deletes files without your consent
This threat also deletes the system's shadow copy that is used for backup files.
Analysis by Francis Tan SengLast update 11 January 2018