Cyble – % Fake Ransomware Infection Under Widespread

MITRE Techniques

• [T1204] User Execution – The user is directed to download the fake ransomware via phishing links. “The link of this website may be available on dating websites that redirect the user to download the fake ransomware after opening it.”
• [T1059] Command and Scripting Interpreter – After download, the malware drops multiple executables and a batch file and executes them. “Upon execution, the malware file drops four executable files (del.exe, open.exe, windll.exe and windows.exe) and one batch file (avtstart.bat) in %temp% directory and executes them.”
• [T1064] Scripting – The chain of VBS/BAT files is used to perform actions such as file renaming and ransom note propagation. “The .VBS file further executes windowss.bat which initiates the Fake ransomware activity.”
• [T1547] Registry Run Keys / Startup Folder – Persistence achieved as avtstart.bat copies executables to Startup folder. “avtstart.bat runs and it copies all the executable files to Startup folder for persistence.”
• [T1036] Masquerading – The downloaded executable is masqueraded as an image with a double extension (SexyPhotos.JPG.exe). “double extension i.e. SexyPhotos.JPG.exe and masquerading as an image file”
• [T1027] Obfuscated Files or Information – The rename operation and presence of exception.lst show attempts to hide/skip certain extensions. “reads exception.lst which contains the extensions to be excluded from the rename operation.”
• [T1083] File and Directory Discover – The malware enumerates folders and extensions for the rename operation. “The below table shows the folders and file extensions used by the malware for performing rename operations.”
• [T1082] System Information Discovery – The analysis context references the file/folder set used during operation.
• [T1486] Data Encrypted for Impact – The malware attempts to delete system drives as part of destructive behavior. “deletes all system drives [A: – Z:] except C: drive.”