Ransom:Win32/Laksbades
First posted on 22 June 2016.
Source: Microsoft
Aliases:
There are no other names known for Ransom:Win32/Laksbades.
Explanation:
Installation
It drops a copy of itself in the sub-folders under %ProgramData% or %APPDATA%, depending on the operating system.
It modifies the following registry key:
In subkey: HKU\Administrator\Software\Microsoft\Windows\CurrentVersion\run
Sets value:
With data:
Payload
Encrypts files
This ransomware can search all folders for files with the following extensions and then encrypt them:
0.323 .distz .lzo .pko .sst .xpm 0.509 .djv .lzx .pl .stc .xps .3d .djvu .m13 .pls .std .xsd .3ds .dl .m14 .pmd .sti .xul .7z .dll .m3u .png .stl .xwd .7z .dmg .m3u .png .stw .z .a .dng .m4a .pnm .sv4cpio .zip .aab .doc .maf .pnq .sv4crc .zip .aac .doc .mam .pntg .svg .zoo .aac .docm .man .pot .svg .aam .docx .mar .pot .svgz .aas .dot .max .potx .svi .abr .dot .mdb .ppm .swf .abw .dotm .mdb .pps .swf .accda .dotx .mdf .pps .swf1 .accdb .drw .mdi .ppsx .sxc .accdc .dv .me .ppt .sxc .accde .dvi .mht .ppt .sxg .accdp .dwg .mht .pptm .sxi .accdt .dxf .mid .pptx .sxm .accdu .dxr .midi .ppz .sxw .ace .ebk .mjf .prproj .sxw .ade .eml .mng .ps .t .ai .emz .mny .psb .tar .ai .eps .mocha .psd .targa .aif .evy .moov .psd .tax .aifc .exe .mov .pst .tbz .aiff .exe .mov .ptb .tbz2 .air .fdb .movie .pts .tcl .alz .fdf .mp2 .pub .tex .ani .fif .mp2 .pub .texi .apk .fla .mp3 .pwi .texinfo .arj .flc .mp3 .qbm .tgz .art .fli .mp3 .qbo .tif .asf .flm .mp4 .qbw .tif .asf .flv .mp4 .qcp .tlg .ashx .fml .mpa .qdf .tlz .asm .gdb .mpd .qif .torrent .asp .gdoc .mpe .qpw .tpl .aspx .gif .mpeg .qt .tr .asx .gif .mpeg .qtc .trm .asx .gl .mpega .qtif .troff .au .gnumeric .mpg .qtl .tsp .avi .gsm .mpg .qtx .ttz .avi .gtar .mpga .ra .txt .bak .gz .mpkg .ram .txt .bat .gzip .mpp .rar .txz .bcpio .h .mpp .rar .u3d .big .h++ .mpt .ras .udeb .bik .hdf .ms .rdf .uin .bkf .hh .msg .rf .uls .bkp .hi .msi .rgb .urls .bmp .hlp .mvb .rjs .ustar .bmp .hpf .mxu .rm .vbs .boz .hpp .nba .rm .vcd .bz .hqx .nbf .rmf .vcf .bz2 .hta .nco .rmp .vcf .c .htc .nix .rms .vor .c++ .htm .nml .rmx .vsd .c4d .htm .nrg .rnx .vsl .ca .html .o .rp .wav .cab .html .oda .rpm .wav .cab .htt .odb .rsml .wax .cat .hxx .odc .rss .wb1 .cc .ico .odf .rt .wb2 .ccn .idb .odf .rtf .wb3 .cco .idx .odg .rtsp .wbmp .cdf .ief .odg .rtx .wcm .cdr .iii .odi .rv .wdb .cdr .ims .odm .sav .wdb .cdt .ind .odp .save .webm .cdt .ins .ods .scd .webm .cer .iso .ods .scm .webp .cer .iso .odt .sd2 .wks .cert .ivf .odt .sda .wm .chm .jar .ofx .sda .wma 
.chm .jar .ogg .sdc .wma .chrt .java .ogv .sdc .wmd .cil .jng .old .sdd .wmf .class .jpe .one .sdd .wml .class .jpeg .opml .sdf .wmlc .clp .jpeg .otg .sdp .wmls .com .jpg .oth .sdw .wmlsc .cpio .jpg .otp .ser .wmp .cpp .js .ots .setpay .wms .cpt .js .ott .setreg .wmv .cpt .json .ott .sgi .wmv .cqk .jsp .p .sgm .wmx .crd .kar .p10 .sgml .wmz .crl .karbon .p12 .sh .wp5 .crt .kfo .p7b .shar .wpd .cs .kon .p7b .shtml .wpd .csh .kpr .p7m .shw .wpl .csh .kpt .p7r .sid .wps .csr .kwd .p7s .sit .wri .css .kwt .package .sitx .wsc .css .laccdb .pak .skd .wvx .csv .latex .pas .skm .xbm .cxx .lcc .pat .skp .xbm .dar .ldif .pbm .skp .xfdf .dat .lha .pcx .skt .xht .db .log .pdf .smf .xhtml .dbf .lrm .pdf .smi .xlb .dbf .ls .pem .smil .xls .dbx .lsf .pfr .snd .xls .dcr .lst .pgm .snp .xlsm .dds .lsx .php .spl .xlsx .deb .lz .pic .sql .xml .dir .lzh .pict .sqlite .xml .dist .lzma .pkg .ssm .xpi
The malware doesn't encrypt files under the following folder:
- Windows
The malware doesn't encrypt the following files:
- chrome.exe
- iexplorer.exe
It drops the following ransom notes:
Connects to a remote host
This malware does not require an internet connection to encrypt files.
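One defender-side check that follows from the Installation section above, written here as an added example (it is not code from Microsoft's entry): parse Run-key values and flag any whose target sits in a sub-folder under %ProgramData% or %APPDATA%, the drop locations this entry describes. The sample entries, their value names and the expansion of the two variables are constructed, since the page gives neither the value name nor its data; read_run_key is only for live use on Windows.

```python
import os
import re

# Constructed sample {value_name: data}: the page gives neither, so these are hypothetical.
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r'"C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "svchost": r"C:\ProgramData\Update\svchost.exe",
    "Updater": r'"C:\Users\Administrator\AppData\Roaming\WinUpd\wupd.exe"',
    "Realtek": r"C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s",
}
# Assumed expansions of the two variables the page names (sample values).
DROP_ROOTS = {"%ProgramData%": r"C:\ProgramData",
              "%APPDATA%": r"C:\Users\Administrator\AppData\Roaming"}

def executable_path(data):
    """Target path from Run-value data: quoted path, or unquoted path up to '.exe'."""
    m = re.match(r'"([^"]+)"|(.*?\.exe)\b', data.strip(), re.IGNORECASE)
    if m:
        return m.group(1) or m.group(2)
    parts = data.split()          # no .exe and no quotes: take the first token
    return parts[0] if parts else ""

def is_under_drop_root(path, roots=DROP_ROOTS):
    """Root whose sub-folder holds path (a file directly in the root is not flagged), else None."""
    norm = path.replace("/", "\\").lower()
    for name, root in roots.items():
        prefix = root.replace("/", "\\").lower().rstrip("\\") + "\\"
        if norm.startswith(prefix) and "\\" in norm[len(prefix):]:
            return name
    return None

def triage(entries, roots=DROP_ROOTS):
    """{value_name: drop_root} for each entry whose target is suspicious."""
    hits = {}
    for name, data in entries.items():
        root = is_under_drop_root(executable_path(data), roots)
        if root:
            hits[name] = root
    return hits

def read_run_key(hive, subkey=r"Software\Microsoft\Windows\CurrentVersion\Run"):
    """Windows only: live Run key (e.g. winreg.HKEY_CURRENT_USER) as {name: data}."""
    import winreg  # imported here so the sample still runs off Windows
    entries, i = {}, 0
    with winreg.OpenKey(hive, subkey) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # enumeration exhausted
                return entries
            entries[name] = os.path.expandvars(str(data))
            i += 1
```

On a live Windows host, pass `read_run_key(winreg.HKEY_CURRENT_USER)` to `triage` together with roots built from `os.environ["ProgramData"]` and `os.environ["APPDATA"]`; on the sample, only the svchost and Updater entries are flagged.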
Analysis by Carmen Liang
Last update 22 June 2016