Wiki ransomware, identified by ASEC, is a variant of Crysis that is disguised as a normal program and encrypts files. It uses persistence (a self-copy registered as a startup program), termination of database-related services and processes, and shadow-copy deletion to hinder recovery; distribution is commonly linked to exposed RDP. #WikiRansomware #Crysis #AhnLab #[email protected]
Keypoints
- Wiki ransomware is a variant of Crysis that masquerades as a legitimate program.
- It achieves persistence by copying itself to %AppData% or %windir%\system32 and adding a Run entry under HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
- The malware terminates certain database-related services and processes during infection.
- It spawns cmd.exe to switch the console code page to Cyrillic and to delete volume shadow copies so they cannot be used for recovery; if the process lacks administrative rights, a UAC prompt is displayed to obtain them.
- During encryption, it excludes specific folders/files and targets a wide range of file extensions, signaling infection via info.hta and a .wiki extension pattern.
- Wiki/Crysis ransomware is usually distributed through RDP, and users are advised to be cautious with files from unknown sources; detections and IOCs are provided by AhnLab.
MITRE Techniques
- [T1547.001] Registry Run Keys / Startup Folder – Copies itself into %AppData% or %windir%\system32 and registers that copy under HKLM\Software\Microsoft\Windows\CurrentVersion\Run so it runs at logon. – “Before performing the actual encryption, Wiki ransomware copies itself into the %AppData% or %windir%\system32 paths and undergoes a process of increasing the infection success rate of the ransomware by adding itself to the registry (HKLM\Software\Microsoft\Windows\CurrentVersion\Run) to be registered as one of the Startup Programs, as well as copying files.”
- [T1036] Masquerading – Determined to be a Crysis variant, it is disguised as a normal program. – “Wiki ransomware, which has been determined to be a variant of Crysis ransomware, disguised as a normal program.”
- [T1057] Process Discovery – It looks up currently running services and processes. – “and looks up currently running services and processes and terminates them.”
- [T1562.001] Impair Defenses – Terminates database-related services and processes before encryption, which both hinders cleanup and releases file locks on database files (for the service-stopping part, T1489 Service Stop is the closer ATT&CK mapping). – “Terminated services … and terminated processes …”
- [T1490] Inhibit System Recovery – Deletes volume shadow copies to prevent recovery after infection. – “delete volume shadow copies to prevent recovery after infection.”
- [T1486] Data Encrypted for Impact – Encryption of a broad set of file types; the process includes verification of infection targets before encryption. – “During the file encryption, the ransomware goes through the process of verifying folders and files excluded from infection to prevent users from not realizing the infection due to system errors.”
- [T1021.001] Remote Services: RDP – RDP is used as a distribution vector for this family; screening is advised. – “Crysis types of ransomware are usually distributed through RDP, so elaborate screening for RDP connection environments is advised.”
- [T1548.002] Abuse Elevation Control Mechanisms: Bypass UAC – When it lacks administrative rights, the ransomware triggers a UAC prompt so that the shadow-copy deletion can run elevated; this is a consent prompt the user must accept, not a silent bypass. – “the ransomware displays a UAC window to attempt a successful removal of volume shadow copies.”
Indicators of Compromise
- [Hash] File hash (MD5) – f09a781eeb97acf68c8c1783e76c29e6, 3a81e8f22e239c4ced0ddfa50eacdfa4 (two further hashes are referenced but not reproduced here)
- [Process name] Terminated processes – 1c8.exe, 1cv77.exe, outlook.exe, postgres.exe, mysqld-nt.exe, mysqld.exe, sqlservr.exe
- [Service name] Terminated services – FirebirdGuardianDefaultInstance, FirebirdServerDefaultInstance, sqlwriter, mssqlserver, sqlserveradhelper
- [File extension] Encrypted files follow the pattern [Original filename].id-<Unique ID>.[[email protected]].wiki (the bracketed part is the attacker contact address, redacted here); the ransom note info.hta is a related artifact
- [File name] Ransom note – info.hta, opened to notify the user of the infection
Read more: https://asec.ahnlab.com/en/42507/