The ASEC analysis team recently shared information about Makop ransomware being distributed disguised as job applications. This week, the team confirmed that the same ransomware is also being distributed via e-mails containing materials that claim to concern copyright violation. Unlike the previous case, the compressed file is attached with a .dat extension instead of .zip, and to evade e-mail attachment scanning, the date the mail was sent is used as the archive password.
Inside the attachment is an Alzip-compressed archive containing three files, as shown below.
Among them, the image file original.jpg is a normal file, and the other two are the same ransomware. The files are disguised as the CCleaner installer, as shown below.
When the ransomware file is run, it deletes the volume shadow copies and backup catalog with the commands shown below and then proceeds with encryption.
vssadmin delete shadows /all /quiet
wbadmin delete catalog -quiet
wmic shadowcopy delete
Also, so that it can encrypt files that are currently open, such as documents and databases, the malware terminates any running process whose name matches the list below.
msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsrvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe
The files and extensions that are excluded from encryption are listed below. The usagoo and pecunia extensions were added to the exclusion list of the earlier ransomware versions.
Excluded files: boot.ini, bootfont.bin, ntldr, ntdetect.com, io.sys, readme-warning.txt, desktop.ini
Excluded extensions: Makop, CARLOS, shootlock, shootlock2, 1recoesufV8Sv6g, 1recocr8M4YJskJ7, btc, KJHslgjkjdfg, origami, tomas, RAGA, zbw, fireee, XXX, element, HELP, zes, lockbit, captcha, gunga, fair, SOS, Boss, moloch, vassago, usagoo, pecunia, exe, dll
Encrypted files receive the extension .[random 8 characters].[firstname.lastname@example.org].pecunia, and a ransom note named readme-warning.txt is created in each encrypted folder.
This ransomware has been continually distributed as fake job applications and as materials related to copyright violation. Users should therefore treat such materials with extreme caution and refrain from opening files attached to e-mails from unknown senders.
AhnLab’s anti-malware software, V3, detects and blocks the malware using the aliases below.