Ransom:Win32/Tibbar.A

Installation

This threat can arrive when visiting compromised websites or if you click a fake Adobe Flash Update:

When clicked, this file (we have seen SHA1:de5c8d858e6e41da715dca1c019df0bfb92d32c0) drops the file infpub.dat (SHA1: 79116fe99f2b421c52ef64097f0f39b815b20907) into the %SystemRoot% folder and runs it as "rundll32.exe %SystemRoot%\infpub.dat,#1 15".

It then drops the file cscc.dat in %windows%. This file is a driver for an open-source encryption solution, DiskCryptor. It then writes "cscc" into the registry:

• Write "cscc" to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}\LowerFilters
• Write "cscc" to KEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\UpperFilters
• Write "cscc" to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CrashControl\DumpFilters

It also drops a malicious version of the DiskCryptor program (dispci.exe, we have seen SHA1: afeee8b4acff87bc469a6f0364a81ae5d60a2add) into %SystemRoot%.

The infpub.dat file starts the encryption with the following commands by using cmd.exe:

• cmd.exe schtasks /Delete /F /TN rhaegal
• cmd.exe schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1082924949 && exit"
• cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:14:00
• cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
• cmd.exe /c schtasks /Delete /F /TN drogon

As part of the process, it creates a number of scheduled tasks to run the encryption program at every Windows start, reboot the computer, delete or modify the history of file changes, and then delete the scheduled tasks.

Payload

Encrypts files

This ransomware overwrites starts encrypting user content and then overwrites the Master Boot Record (MBR).

It searches each drive and encrypts files with the following extensions:

.3ds, .7z, .accdb, .ai, .asm, .asp, .aspx, .avhd, .back, .bak, .bmp, .brw, .c, .cab, .cc, .cer, .cfg, .conf, .cpp, .crt, .cs, .ctl, .cxx, .dbf, .der, .dib, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .hpp, .hxx, .iso, .java, .jfif, .jpe, .jpeg, .jpg, .js, .kdbx, .key, .mail, .mdb, .msg, .nrg, .odc, .odf, .odg, .odi, .odm, .odp, .ods, .odt, .ora, .ost, .ova, .ovf, .p12, .p7b, .p7c, .pdf, .pem, .pfx, .php, .pmf, .png, .ppt, .pptx, .ps1, .pst, .pvi, .py, .pyc, .pyw, .qcow, .qcow2, .rar, .rb, .rtf, .scm, .sln, .sql, .tar, .tib, .tif, .tiff, .vb, .vbox, .vbs, .vcb, .vdi, .vfd, .vhd, .vhdx, .vmc, .vmdk, .vmsd, .vmtm, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xml, .xvd, .zip

Demands payment  

After a forced reboot, you are locked out of your PC and coerced into purchasing a key to regain access. This message appears on your PC and you can't log in to Windows:

The message says:

Oops! Your files have been encrypted.

If you see this text, your files are no longer accessible.

You might have been looking for a way to recover your files.

Don't waste your time. No one will be able to recover them without our

decryption service.

We  guarantee that you can recover all your files safely. All you

need to do is submit the payment and get the decryption password.

Visit our web service at <TOR .onion address>

Your personal installation key#<number>:

<key>

If you have already got the password, please enter it below.

Password#<number>

Going to the provided .onion address provides a screen similar to the following:

Attempts to spread through the network 

The ransomware tries to connect to the network, so it can infect files on other computers. It uses a hardcoded set of usernames and passwords to try to brute force into the network:

Usernames:

Passwords:

Additional information

We used the following samples in our analysis:

• 79116fe99f2b421c52ef64097f0f39b815b20907 
• afeee8b4acff87bc469a6f0364a81ae5d60a2add
• De5c8d858e6e41da715dca1c019df0bfb92d32c0