Win32/Filecoder [Threat Name] go to Threat

Win32/Filecoder.FD [Threat Variant Name]

Category	trojan
Size	52736 B
Aliases	Trojan-Ransom.Win32.Ungluk.b (Kaspersky)
	Trojan.Encoder.2114 (Dr.Web)

Short description

Win32/Filecoder.FD is a trojan that encrypts files on fixed, removable and network drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

Installation

The trojan does not create any copies of itself.

Payload information

Win32/Filecoder.FD is a trojan that encrypts files on fixed, removable and network drives.

The trojan searches for files with the following file extensions:

.113
.1cd
.3dm
.3ds
.3fr
.3g2
.3gp
.3pr
.73b
.7z
.a3d
.ab4
.abf
.abk
.ac2
.accdb
.accde
.accdr
.accdt
.acr
.adb
.aep
.agd1
.ach
.ai
.ait
.al
.apj
.apk
.ark
.arw
.as4
.asf
.asm
.asp
.asset
.asvx
.asx
.ate
.ati
.avi
.awg
.azw
.azw4
.b1
.bac
.back
.backup
.backupdb
.bak
.bakx
.bar
.bay
.bb
.bc6
.bc7
.bck
.bcm
.bdb
.bgt
.big
.bik
.bin
.bkf
.bkp
.blend
.blob
.bpw
.bsa
.c
.cab
.cas
.cb7
.cbr
.cbt
.CCD
.cdf
.cdr
.cdr3
.cdr4
.cdr5
.cdr6
.cdrw
.cdx
.ce1
.ce2
.cer
.cf
.cfp
.cfr
.cgm
.cib
.cls
.cmt
.con
.cpi
.cpp
.cpt
.cr2
.craw
.crt
.crw
.cs
.csh
.csl
.css
.csv
.ctb
.d3dbsp
.dac
.das
.dat
.data
.db
.db0
.db3
.dba
.dbf
.dc2
.dc3
.dcr
.dcs
.ddrw
.dds
.der
.des
.desc
.design
.dgb
.dgc
.DICOM
.DivX
.djvu
.dmg
.dmp
.dng
.doc
.docm
.docx
.dot
.dotm
.dotx
.drf
.drw
.dt
.DTA
.DTAUS
.dtd
.dwfx
.dwg
.dxb
.dxf
.dxg
.EDI
.eml
.emlx
.epk
.eps
.epub
.erbsql
.erf
.esm
.exf
.fb2
.fbf
.fbk
.fbw
.fbx
.fdb
.ffd
.fff
.fh
.fhd
.fla
.flac
.flv
.forge
.fos
.fpk
.fpx
.fsh
.fxg
.gbk
.gdb
.gho
.gif
.GPX
.gray
.grey
.gros
.gry
.h
.hbk
.hkdb
.hkx
.hplg
.hpp
.htm
.html
.hvpl
.hxi
.hxq
.hxr
.hxs
.hxw
.chi
.chm
.chq
.chw
.ibank
.ibd
.ibz
.icxs
.idx
.IFF
.IMG
.inc
.incpas
.iso
.itdb
.itl
.itm
.iv2i
.iwd
.iwi
.jar
.java
.jpe
.jpeg
.jpg
.js
.kc2
.kdb
.kdbx
.kdc
.key
.keystore
.keystore
.kf
.kpdx
.layout
.lbf
.ldf
.lic
.lit
.litemod
.lrf
.ltx
.lua
.lvl
.m
.m2
.m2v
.m3d
.m3u
.m4a
.m4v
.map
.max
.mcmeta
.mdb
.mdbackup
.mdc
.mddata
.mdf
.MDS
.mef
.menu
.mfw
.mkv
.mlx
.mmw
.mobi
.model
.moneywell
.mos
.mov
.mp3
.mp4
.MPEG-1
.MPEG-2
.MPEG-4
.mpg
.mpg
.mpq
.mpqge
.mrw
.mrwref
.msg
.myd
.nbd
.ncf
.nd
.ndd
.nef
.NetCDF
.nk2
.nop
.nrw
.ns2
.ns3
.ns4
.nsd
.nsf
.nsg
.nsh
.ntl
.nwb
.nx1
.nx2
.nyf
.oab
.obj
.odb
.odc
.odf
.odg
.odm
.odp
.ods
.odt
.orf
.ost
.otg
.oth
.otp
.ots
.ott
.p12
.p7b
.p7c
.pab
.pak
.pas
.pat
.pcd
.pct
.pdb
.pdb
.pdd
.pdf
.pef
.pem
.pfx
.php
.pkpass
.pl
.png
.pot
.potm
.potx
.ppam
.pps
.ppsm
.ppsx
.ppt
.pptm
.pptx
.prf
.prproj
.ps
.psafe3
.psd
.psk
.pst
.ptx
.pub
.pwm
.py
.pz3
.qba
.qbb
.qbm
.QBO
.qbr
.qbw
.qbx
.qby
.qdf
.QFX
.qic
.QIF
.qt
.qvw
.s3db
.sav
.sb
.sbs
.sd0
.sd1
.sda
.sdf
.SDXF
.shtm
.shtml
.sid
.sidd
.sidn
.sie
.sis
.sldasm
.sldm
.sldprt
.sldx
.slm
.sln
.sn1
.sna
.snx
.spf
.sql
.sqlite
.sqlite3
.sqlitedb
.sr2
.srf
.srt
.srw
.st4
.st5
.st6
.st7
.st8
.stc
.std
.sti
.stw
.stx
.SUB
.sum
.suo
.svg
.swf
.swm
.sxc
.sxd
.sxg
.sxi
.sxm
.sxw
.t12
.t13
.tar
.tax
.tbl
.tex
.tga
.tib
.tis
.tlg
.trn
.txt
.upk
.vcf
.vdf
.vfs0
.vob
.vob
.vpk
.vpp_pc
.vtf
.w3x
.wab
.wallet
.wav
.wbb
.wbcat
.wdb
.WIF
.wim
.win
.wma
.wmo
.wmv
.wpd
.wps
.x3f
.xar
.xf
.xla
.xlam
.xlk
.xll
.xlm
.xlr
.xls
.xlsb
.xlsk
.xlsm
.xlsx
.xlt
.xltm
.xltx
.xlw
.XMI
.xml
.ycbcra
.yuv
.z
.zip
.ztmp

Only folders which do not contain one of the following string in their path are searched:

%allusersprofile%
%appdata%
%commonappdata%
%localappdata%
%programfilescommon%
%programfilescommonX86%
%public%
%windir%

The trojan encrypts the file content.

The AES encryption algorithm is used.

The file name and extension of the newly created file is derived from the original one.

An additional ".0x0" extension is appended.

The trojan creates the following file:

%currentfolder%\READTHISNOW!!!.txt

It contains the following text:

Hello. All your files have been encrypted using our private key. There is no way to recover them without our assistance. If you want to get your files back you must be ready to pay for them. If you are ready to pay then follow the instructions: 1) Create an archive (rar or zip) with 3 files inside: Secret.key + Secret.key2 (should be on your desktop) + Any encrypted file of a small size. It can be a .doc or .pdf or .xls or whatever you have. 5 mb max. Note that this file should have this extention: .0x0; please don’t put more than one file in the archive, one file is enough. If you can’t find Secret.key2, that’s OK. It will take just a little bit more time to restore your files, so you shouldn’t worry. 2) Upload this archive to any file sharing site. Dropbox, Google Drive, sendspace.com etc. 3) Go to http://bitmessage.org/ and download Bitmessage. 4) Run Bitmessage. Select ‘Your Identities’ tab. Then click New. Then click OK. Then select ‘Send’ tab. TO: BM-%redacted% (this is our address) SUBJECT: your PC name (Start -> Control Panel -> System) MESSAGE: Link to the archive with three files in it. Then click ‘Send’. ### You are done! To get the fastest reply from us with all further instructions, please keep Bitmessage running on your computer all the time, if possible. If you cooperate and follow the instructions, you will get all your files back intact and very, very soon. Thank you.

To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

Other information

The trojan terminates its execution if it detects that it's running in a specific virtual environment.

The trojan creates the following files:

%currentfolder%\secret.key
%temp%\83sa9Pd.txt

The trojan executes the following command:

cmd.exe /Q /C vssadmin.exe delete shadows /all /quiet