Wiki Ransomware Being Distributed in Korea

Through the AhnLab ASD infrastructure’s history of blocking suspicious ransomware behavior, the ASEC analysis team has identified the distribution of Wiki ransomware, which has been determined to be a variant of Crysis ransomware, disguised as a normal program.

Before performing the actual encryption, Wiki ransomware copies itself into the %AppData% or %windir%\system32 paths and undergoes a process of increasing the infection success rate of the ransomware by adding itself to the registry (HKLM\Software\Microsoft\Windows\CurrentVersion\Run) to be registered as one of the Startup Programs, as well as copying files.

Additionally, it decodes database-related service and process names to be terminated on the memory and looks up currently running services and processes and terminates them.

Terminated servicesFirebirdGuardianDefaultInstance
FirebirdServerDefaultInstance
sqlwriter
mssqlserver
sqlserveradhelper
Terminated processes1c8.exe
1cv77.exe
outlook.exe
postgres.exe
mysqld-nt.exe
mysqld.exe
sqlservr.exe
[Table 1]

Afterwards, it creates a cmd.exe process and executes a pipe command that configures the code page into Cyrillic script, as well as a command to delete volume shadow copies to prevent recovery after infection. Also, in the case where admin privilege is needed to delete the volume shadow copies and the ransomware has not been executed with admin privileges by the user, the ransomware displays a UAC window to attempt a successful removal of volume shadow copies.

  • mode con cp select=1251
  • vssadmin delete shadows /all /quiet

During the file encryption, the ransomware goes through the process of verifying folders and files excluded from infection to prevent users from not realizing the infection due to system errors.

Folders excluded from infectionWindows
Files excluded from infectionboot.ini, bootfont.bin, io.sys, ntdetec.com
[Table 2]

When the verification of the infection exception targets is complete, infection is carried out on files with the following file extensions.

.1cd;.3ds;.3fr;.3g2;.3gp;.7z;.accda;.accdb;.accdc;.accde;.accdt;
.accdw;.adb;.adp;.ai;.ai3;.ai4;.ai5;.ai6;.ai7;.ai8;.anim;.arw;.as;.asa;.asc;.ascx;.asm;.asmx;.asp;.aspx;.asr;.asx;.avi;.avs;.backup;.bak;.bay;.bd;.bin;.bmp;
.bz2;.c;.cdr;.cer;.cf;.cfc;.cfm;.cfml;.cfu;.chm;.cin;.class;.clx;.config;.cpp;.cr2;.crt;.crw;.cs;.css;.csv;.cub;.dae;.dat;.db;.dbf;.dbx;.dc3;.dcm;.dcr;.der;
.dib;.dic;.dif;.divx;.djvu;.dng;.doc;.docm;.docx;.dot;.dotm;.dotx;.dpx;.dqy;.dsn;.dt;.dtd;.dwg;.dwt;.dx;.dxf;.edml;.efd;.elf;.emf;.emz;.epf;.eps;.epsf;.epsp;
.erf;.exr;.f4v;.fido;.flm;.flv;.frm;.fxg;.geo;.gif;.grs;.gz;.h;.hdr;.hpp;.hta;.htc;.htm;.html;.icb;.ics;.iff;.inc;.indd;.ini;.iqy;.j2c;.j2k;.java;.jp2;.jpc;
.jpe;.jpeg;.jpf;.jpg;.jpx;.js;.jsf;.json;.jsp;.kdc;.kmz;.kwm;.lasso;.lbi;.lgf;.lgp;.log;.m1v;.m4a;.m4v;.max;.md;.mda;.mdb;.mde;.mdf;.mdw;.mef;.mft;.mfw;.mht;
.mhtml;.mka;.mkidx;.mkv;.mos;.mov;.mp3;.mp4;.mpeg;.mpg;.mpv;.mrw;.msg;.mxl;.myd;.myi;.nef;.nrw;.obj;.odb;.odc;.odm;.odp;.ods;.oft;.one;.onepkg;.onetoc2;.opt;
.oqy;.orf;.p12;.p7b;.p7c;.pam;.pbm;.pct;.pcx;.pdd;.pdf;.pdp;.pef;.pem;.pff;.pfm;.pfx;.pgm;.php;.php3;.php4;.php5;.phtml;.pict;.pl;.pls;.pm;.png;.pnm;.pot;.potm;
.potx;.ppa;.ppam;.ppm;.pps;.ppsm;.ppt;.pptm;.pptx;.prn;.ps;.psb;.psd;.pst;.ptx;.pub;.pwm;.pxr;.py;.qt;.r3d;.raf;.rar;.raw;.rdf;.rgbe;.rle;.rqy;.rss;.rtf;.rw2;.rwl;
.safe;.sct;.sdpx;.shtm;.shtml;.slk;.sln;.sql;.sr2;.srf;.srw;.ssi;.st;.stm;.svg;.svgz;.swf;.tab;.tar;.tbb;.tbi;.tbk;.tdi;.tga;.thmx;.tif;.tiff;.tld;.torrent;.tpl;.txt;
.u3d;.udl;.uxdc;.vb;.vbs;.vcs;.vda;.vdr;.vdw;.vdx;.vrp;.vsd;.vss;.vst;.vsw;.vsx;.vtm;.vtml;.vtx;.wb2;.wav;.wbm;.wbmp;.wim;.wmf;.wml;.wmv;.wpd;.wps;.x3f;.xl;.xla;.xlam;.xlk;.xlm;.xls;.xlsb;.xlsm;.xlsx;.xlt;.xltm;.xltx;.xlw;.xml;.xps;.xsd;.xsf;.xsl;.xslt;.xsn;.xtp;.xtp2;.xyze;.xz;.zip;
[Table 3]

Upon infection, a file extension with the format of “[Original filename].id-Unique ID.[bitlocker@foxmail.com].wiki” is added, and info.hta is executed to let the user know that their system has been infected by the ransomware.

Crysis types of ransomware are usually distributed through RDP, so elaborate screening for RDP connection environments is advised. Moreover, as this Wiki ransomware is distributed in disguise as a normal program, users must be cautious when executing files downloaded from websites or emails of unknown sources, scan suspicious files with antivirus software, and keep the software updated to the latest version. AhnLab’s anti-malware software, V3, detects and blocks the malware using the following aliases:

[File Detection]

  • Ransomware/Win.Crysis.C5274546 (2022.11.11.02)
  • Trojan/Win32.Crysis.R213980 (2022.11.11.02)

[Behavior Detection]

  • Persistence/MDP.AutoRun.M224 (2022.11.11.02)

[IOC Info]

  • f09a781eeb97acf68c8c1783e76c29e6
  • 3a81e8f22e239c4ced0ddfa50eacdfa4

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

5 1 vote
Article Rating
guest

0 Comments
Inline Feedbacks
View all comments