Ransom:Win32/Rackcrypt.A
First posted on 18 April 2016.
Source: Microsoft
Aliases:
There are no other names known for Ransom:Win32/Rackcrypt.A.
Explanation:
Installation
This ransomware gets into the system as a downloaded file from malicious sites. It might also be bundled with other programs.
We have seen it arrive in the system with the following file names:
- firefox.exe
- loader.exe
- smss.exe
When this ransomware runs, it drops a copy of itself in the following location:
- %TEMP%
It adds the following registry keys to keep the infection information:
In subkey: HKU\Administrator\mvpdata
Sets value: "launches"
With data: "(REG_DWORD)"
In subkey: HKU\Administrator\mvpdata
Sets value: "day"
With data: "(REG_DWORD)"
In subkey: HKU\Administrator\mvpdata
Sets value: "done"
With data: "(REG_DWORD)"
It can also change your desktop wallpaper by modifying the following registry entries:
In subkey: HKCU\Control Panel\Desktop
Sets value: "Wallpaper"
With data: "%Windows%\Web\Wallpaper\rack.jpg"
Payload
Encrypts your file
This ransomware can search for files in all of the folders with the following extensions and then encrypt them:
.3fr, .7z, .accdb, .ai, .ank, .apk, .arch00, .arw, .asset, .avi, .bar, .bay, .bc6, .bc7, .big, .bik, .bkf, .bkp, .blob, .bmp, .bsa, .cas, .cdr, .cer, .cfr, .cpp, .cr2, .crt, .crw, .css, .csv, .d3dbsp, .das, .dat, .dazip, .db0, .dba, .dbf, .dcr, .der, .desc, .dmp, .dng, .doc, .docm, .docx, .dwg, .dxg, .epk, .eps, .erf, .esm, .et, .ff, .flv, .forge, .fos, .fpk, .fsh, .gdb, .gho, .hkdb, .hkx, .hplg, .hpp, .hvpl, .ib, .icxs, .indd, .itdb, .itl, .itm, .iwd, .iwi, .jpe, .jpeg, .jpg, .js, .kdb, .kdc, .kf, .layout, .lbf, .litemod, .lrf, .ltx, .lvl, .m2, .m3u, .m4a, .map, .mcmeta, .mdb, .mdbackup, .mddata, .mdf, .mef, .menu, .mlx, .mov, .mp3, .mp4, .mpqge, .mrwref, .ncf, .nrw, .ntl, .odb, .odc, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pak, .pas, .pdd, .pdf, .pef, .pem, .pfx, .pkpass, .png, .ppt, .pptm, .pptx, .psd, .psk, .pst, .ptx, .py, .qdf, .qic, .r3d, .raf, .rar, .raw, .rb, .re4, .rgss3a, .rim, .rofl, .rtf, .rw2, .rwl, .sav, .sb, .sid, .sidd, .sidn, .sie, .sis, .slm, .snx, .sql, .sr2, .srf, .srw, .sum, .svg, .syncdb, .t12, .t13, .tax, .tor, .txt, .upk, .vcf, .vdf, .vfs0, .vpk, .vpp_pc, .vtf, .w3x, .wall, .wb2, .wma, .wmo, .wmv, .wotreplay, .wpd, .wps, .x3f, .xf, .xlk, .xls, .xlsb, .xlsm, .xlsx, .xxx, .zip, .ztmp
After the files are encrypted, the ransomware renames the files by appending ".rack" to the affected file extension. For example, file.png is renamed to file.png.rack.
It then displays the following ransom message:
When you click the files button, it displays the list of files it encrypted in the following location:
- %TEMP%\rackfiles.txt
When you click the info button, it displays the message in the following location:
- %TEMP%\rackinfo.txt
When you click the copy button, it puts the wallet address specified in the message into the clipboard.
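The rename pattern (file.png becomes file.png.rack) and the two list files the ransom screen writes to %TEMP% are the indicators a responder can check for on disk. The script below is an added example and not Microsoft's code: it walks a directory tree and reports files that carry the ".rack" suffix over one of the listed target extensions, files with a ".rack" suffix over some other extension (flagged separately, since that could be unrelated), and any rackfiles.txt or rackinfo.txt it finds. It matches the artifact names anywhere under the scanned root rather than only in %TEMP%, which is a simplification; the sample tree it scans is constructed inline.

```python
"""Scan a directory tree for on-disk artifacts of Ransom:Win32/Rackcrypt.A.

Added example, not Microsoft's code. It checks for the two markers the
encyclopedia entry describes: files renamed with a trailing ".rack" and the
rackfiles.txt / rackinfo.txt lists written by the ransom screen.
"""
import os
import tempfile
from pathlib import Path

# Extensions the entry lists as encryption targets (transcribed from the entry).
TARGET_EXTENSIONS = frozenset("""
.3fr .7z .accdb .ai .ank .apk .arch00 .arw .asset .avi .bar .bay .bc6 .bc7 .big
.bik .bkf .bkp .blob .bmp .bsa .cas .cdr .cer .cfr .cpp .cr2 .crt .crw .css .csv
.d3dbsp .das .dat .dazip .db0 .dba .dbf .dcr .der .desc .dmp .dng .doc .docm
.docx .dwg .dxg .epk .eps .erf .esm .et .ff .flv .forge .fos .fpk .fsh .gdb .gho
.hkdb .hkx .hplg .hpp .hvpl .ib .icxs .indd .itdb .itl .itm .iwd .iwi .jpe .jpeg
.jpg .js .kdb .kdc .kf .layout .lbf .litemod .lrf .ltx .lvl .m2 .m3u .m4a .map
.mcmeta .mdb .mdbackup .mddata .mdf .mef .menu .mlx .mov .mp3 .mp4 .mpqge .mrwref
.ncf .nrw .ntl .odb .odc .odm .odp .ods .odt .orf .p12 .p7b .p7c .pak .pas .pdd
.pdf .pef .pem .pfx .pkpass .png .ppt .pptm .pptx .psd .psk .pst .ptx .py .qdf
.qic .r3d .raf .rar .raw .rb .re4 .rgss3a .rim .rofl .rtf .rw2 .rwl .sav .sb
.sid .sidd .sidn .sie .sis .slm .snx .sql .sr2 .srf .srw .sum .svg .syncdb .t12
.t13 .tax .tor .txt .upk .vcf .vdf .vfs0 .vpk .vpp_pc .vtf .w3x .wall .wb2 .wma
.wmo .wmv .wotreplay .wpd .wps .x3f .xf .xlk .xls .xlsb .xlsm .xlsx .xxx .zip
.ztmp
""".split())

# List files the ransom screen writes; the entry places them under %TEMP%.
RANSOM_ARTIFACTS = frozenset({"rackfiles.txt", "rackinfo.txt"})

RACK_SUFFIX = ".rack"


def classify(path):
    """Return a finding label for one file path (str or Path), or None.

    'encrypted': ends in .rack and the inner extension is a listed target
                 (file.png.rack), the rename pattern the entry describes.
    'renamed'  : ends in .rack over some other extension; worth a look but
                 possibly an unrelated use of the suffix.
    'artifact' : one of the ransom-screen list files.
    """
    name = Path(path).name.lower()
    if name in RANSOM_ARTIFACTS:
        return "artifact"
    if name.endswith(RACK_SUFFIX):
        inner = Path(name[: -len(RACK_SUFFIX)]).suffix
        return "encrypted" if inner in TARGET_EXTENSIONS else "renamed"
    return None


def scan_tree(root):
    """Walk root and return {label: sorted list of relative POSIX paths}."""
    root = Path(root)
    findings = {"encrypted": [], "renamed": [], "artifact": []}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = Path(dirpath) / fname
            label = classify(full)
            if label:
                findings[label].append(full.relative_to(root).as_posix())
    for paths in findings.values():
        paths.sort()
    return findings


def build_sample_tree(root):
    """Constructed sample tree resembling a post-infection directory."""
    root = Path(root)
    (root / "docs").mkdir(parents=True, exist_ok=True)
    for rel in ("docs/report.docx.rack", "docs/photo.jpg.rack", "docs/notes.txt",
                "docs/server.log.rack", "rackfiles.txt", "rackinfo.txt"):
        (root / rel).write_bytes(b"constructed sample content")
    return root


def demo():
    """Build the constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    for label, paths in demo().items():
        print(f"{label}: {paths}")
```

Point scan_tree at a real root instead of the temp directory to run it on a suspect host; the "renamed" bucket is kept separate so a handful of unrelated ".rack" files do not get counted as encrypted documents.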
When you click the decrypt button, it displays the following message:
Analysis by Elda Tan Seng
Last update 18 April 2016