Through the AhnLab ASD infrastructure’s history of blocking suspicious ransomware behavior, the ASEC analysis team has identified the distribution of Wiki ransomware, which has been determined to be a variant of Crysis ransomware, disguised as a normal program.
Before performing the actual encryption, Wiki ransomware copies itself into the %AppData% or %windir%\system32 paths and undergoes a process of increasing the infection success rate of the ransomware by adding itself to the registry (HKLM\Software\Microsoft\Windows\CurrentVersion\Run) to be registered as one of the Startup Programs, as well as copying files.
Additionally, it decodes database-related service and process names to be terminated on the memory and looks up currently running services and processes and terminates them.
| Terminated services | FirebirdGuardianDefaultInstance FirebirdServerDefaultInstance sqlwriter mssqlserver sqlserveradhelper |
| Terminated processes | 1c8.exe 1cv77.exe outlook.exe postgres.exe mysqld-nt.exe mysqld.exe sqlservr.exe |
Afterwards, it creates a cmd.exe process and executes a pipe command that configures the code page into Cyrillic script, as well as a command to delete volume shadow copies to prevent recovery after infection. Also, in the case where admin privilege is needed to delete the volume shadow copies and the ransomware has not been executed with admin privileges by the user, the ransomware displays a UAC window to attempt a successful removal of volume shadow copies.
- mode con cp select=1251
- vssadmin delete shadows /all /quiet
During the file encryption, the ransomware goes through the process of verifying folders and files excluded from infection to prevent users from not realizing the infection due to system errors.
| Folders excluded from infection | Windows |
| Files excluded from infection | boot.ini, bootfont.bin, io.sys, ntdetec.com |
When the verification of the infection exception targets is complete, infection is carried out on files with the following file extensions.
| .1cd;.3ds;.3fr;.3g2;.3gp;.7z;.accda;.accdb;.accdc;.accde;.accdt; .accdw;.adb;.adp;.ai;.ai3;.ai4;.ai5;.ai6;.ai7;.ai8;.anim;.arw;.as;.asa;.asc;.ascx;.asm;.asmx;.asp;.aspx;.asr;.asx;.avi;.avs;.backup;.bak;.bay;.bd;.bin;.bmp; .bz2;.c;.cdr;.cer;.cf;.cfc;.cfm;.cfml;.cfu;.chm;.cin;.class;.clx;.config;.cpp;.cr2;.crt;.crw;.cs;.css;.csv;.cub;.dae;.dat;.db;.dbf;.dbx;.dc3;.dcm;.dcr;.der; .dib;.dic;.dif;.divx;.djvu;.dng;.doc;.docm;.docx;.dot;.dotm;.dotx;.dpx;.dqy;.dsn;.dt;.dtd;.dwg;.dwt;.dx;.dxf;.edml;.efd;.elf;.emf;.emz;.epf;.eps;.epsf;.epsp; .erf;.exr;.f4v;.fido;.flm;.flv;.frm;.fxg;.geo;.gif;.grs;.gz;.h;.hdr;.hpp;.hta;.htc;.htm;.html;.icb;.ics;.iff;.inc;.indd;.ini;.iqy;.j2c;.j2k;.java;.jp2;.jpc; .jpe;.jpeg;.jpf;.jpg;.jpx;.js;.jsf;.json;.jsp;.kdc;.kmz;.kwm;.lasso;.lbi;.lgf;.lgp;.log;.m1v;.m4a;.m4v;.max;.md;.mda;.mdb;.mde;.mdf;.mdw;.mef;.mft;.mfw;.mht; .mhtml;.mka;.mkidx;.mkv;.mos;.mov;.mp3;.mp4;.mpeg;.mpg;.mpv;.mrw;.msg;.mxl;.myd;.myi;.nef;.nrw;.obj;.odb;.odc;.odm;.odp;.ods;.oft;.one;.onepkg;.onetoc2;.opt; .oqy;.orf;.p12;.p7b;.p7c;.pam;.pbm;.pct;.pcx;.pdd;.pdf;.pdp;.pef;.pem;.pff;.pfm;.pfx;.pgm;.php;.php3;.php4;.php5;.phtml;.pict;.pl;.pls;.pm;.png;.pnm;.pot;.potm; .potx;.ppa;.ppam;.ppm;.pps;.ppsm;.ppt;.pptm;.pptx;.prn;.ps;.psb;.psd;.pst;.ptx;.pub;.pwm;.pxr;.py;.qt;.r3d;.raf;.rar;.raw;.rdf;.rgbe;.rle;.rqy;.rss;.rtf;.rw2;.rwl; .safe;.sct;.sdpx;.shtm;.shtml;.slk;.sln;.sql;.sr2;.srf;.srw;.ssi;.st;.stm;.svg;.svgz;.swf;.tab;.tar;.tbb;.tbi;.tbk;.tdi;.tga;.thmx;.tif;.tiff;.tld;.torrent;.tpl;.txt; .u3d;.udl;.uxdc;.vb;.vbs;.vcs;.vda;.vdr;.vdw;.vdx;.vrp;.vsd;.vss;.vst;.vsw;.vsx;.vtm;.vtml;.vtx;.wb2;.wav;.wbm;.wbmp;.wim;.wmf;.wml;.wmv;.wpd;.wps;.x3f;.xl;.xla;.xlam;.xlk;.xlm;.xls;.xlsb;.xlsm;.xlsx;.xlt;.xltm;.xltx;.xlw;.xml;.xps;.xsd;.xsf;.xsl;.xslt;.xsn;.xtp;.xtp2;.xyze;.xz;.zip; |
Upon infection, a file extension with the format of “[Original filename].id-Unique ID.[[email protected]].wiki” is added, and info.hta is executed to let the user know that their system has been infected by the ransomware.
Crysis types of ransomware are usually distributed through RDP, so elaborate screening for RDP connection environments is advised. Moreover, as this Wiki ransomware is distributed in disguise as a normal program, users must be cautious when executing files downloaded from websites or emails of unknown sources, scan suspicious files with antivirus software, and keep the software updated to the latest version. AhnLab’s anti-malware software, V3, detects and blocks the malware using the following aliases:
[File Detection]
- Ransomware/Win.Crysis.C5274546 (2022.11.11.02)
- Trojan/Win32.Crysis.R213980 (2022.11.11.02)
[Behavior Detection]
- Persistence/MDP.AutoRun.M224 (2022.11.11.02)
[IOC Info]
- f09a781eeb97acf68c8c1783e76c29e6
- 3a81e8f22e239c4ced0ddfa50eacdfa4
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
The post <strong>Wiki Ransomware Being Distributed in Korea</strong> appeared first on ASEC BLOG.
Article Link: Wiki Ransomware Being Distributed in Korea - ASEC BLOG