TZW Ransomware Being Distributed in Korea

Through internal monitoring, the ASEC analysis team recently discovered the distribution of the TZW ransomware, which encrypts files before adding the “TZW” file extension to the original extension.

This ransomware is being propagated with the version info marked as “System Boot Info”, disguising itself as a normal program file related to boot information.

It was created in a .NET format and includes a loader and the actual ransomware data within it. It ultimately loads and executes the ransomware file through the loader. Among the data in the resources, it decodes and runs ‘dVvYsaL’ in memory. This data holds the loader and ransomware data. Such a method has been covered in a previous ASEC blog post.

Types of Recent .NET Packers and Their Distribution Trends in Korea

The resource area also holds pornographic photos and the contents are shown in Figure 2 below.

The additionally executed loader file drops a copy under the name ‘GvsqHuTYODA.exe’ into the %AppData% directory and proceeds with task scheduler registration.

  • schtasks.exe /Create /TN "Updates\GvsqHuTYODA" /XML "%Temp%\tmpF6C.tmp"

After registering to the task scheduler, the file recursively executes the PE file that performs the ransomware behavior along with the “{path}” parameter to encrypt files.

The executed process goes through a logic to check for a virtual environment before infecting the system.

Afterward, to expand the range of infection, it goes through a logic that checks the drive information before moving on to the file encryption routine.

The file encryption process is made up of the thread that encrypts shared folders and the thread that encrypts the local environment.

File encryption is conducted on all folders aside from the Windows folder, and after encryption, volume shadows are deleted to hinder system recovery.

The following ‘ReadMe.txt’ ransom note can be found in the path where file encryption occurred. The string “CRYPTO LOCKER” is found at the end of infected files.
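As an added defender-side example (not code from the ASEC report), the Python script below walks a directory tree and buckets files by the indicators described above: the “TZW” extension, the “CRYPTO LOCKER” trailer string, the ‘ReadMe.txt’ note, and the MD5 hashes listed at the end of this post. The function names and the sample directory it builds are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path
import hashlib

TZW_EXTENSION = ".TZW"  # indicators below are taken from the ASEC report
FOOTER_MARKER = b"CRYPTO LOCKER"
RANSOM_NOTE = "ReadMe.txt"
KNOWN_MD5 = {
    "10daa4697b861d3dc45a0a03222ba132",
    "eae94abe9753634f79a91ecb4da7ff72",
    "f1ab4f5cbf5fc72c4033699edadc4622",
}

def has_crypto_locker_footer(path, window=64):
    """True if the marker appears in the last `window` bytes (the report places it at the end)."""
    size = Path(path).stat().st_size
    with Path(path).open("rb") as fh:
        fh.seek(max(0, size - window))
        return FOOTER_MARKER in fh.read()

def md5_of(path):
    """Hex MD5 of a file (read whole; fine for the small PE samples in question)."""
    return hashlib.md5(Path(path).read_bytes()).hexdigest()

def triage_tree(root):
    """Walk `root` and bucket files by which TZW indicator they match."""
    findings = {"encrypted": [], "extension_only": [], "ransom_notes": [], "known_samples": []}
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        if p.suffix.upper() == TZW_EXTENSION:
            # extension alone is a weak signal; the trailer confirms the encryption routine ran
            bucket = "encrypted" if has_crypto_locker_footer(p) else "extension_only"
            findings[bucket].append(str(p))
        elif p.name == RANSOM_NOTE:
            findings["ransom_notes"].append(str(p))
        elif md5_of(p) in KNOWN_MD5:
            findings["known_samples"].append(str(p))
    return findings

def build_sample_tree():
    """Constructed demo directory (random bytes, not real ransomware output)."""
    root = tempfile.mkdtemp(prefix="tzw_demo_")
    (Path(root) / "report.docx.TZW").write_bytes(os.urandom(128) + FOOTER_MARKER)
    (Path(root) / "notes.txt.TZW").write_bytes(os.urandom(32))
    (Path(root) / RANSOM_NOTE).write_text("constructed placeholder note")
    (Path(root) / "clean.txt").write_text("unaffected file")
    return root
```

Run `triage_tree(build_sample_tree())` to see the four buckets; point `triage_tree` at a real share or user profile to locate affected paths during incident scoping.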

AhnLab’s anti-malware software, V3, detects and responds to PE files used in TZW file extension ransomware with a variety of detection points, including file detection and behavior-based detection. To prevent ransomware infection, users must be cautious of running files from unknown sources and make sure to scan suspicious files with an anti-malware program while also keeping the program updated to the latest version. AhnLab’s anti-malware software, V3, detects and blocks the malware using the following aliases:

[File Detection]

  • Ransomware/Win.Generic.C5355494 (2023.01.11.02)
  • Trojan/Win.MSILKrypt.C5020026 (2022.03.21.01)
  • Trojan/Win32.RansomCrypt.R343432 (2020.07.08.05)

[Behavior Detection]

  • Malware/MDP.Inject.M218 (2019.10.30.02)


MD5

10daa4697b861d3dc45a0a03222ba132
eae94abe9753634f79a91ecb4da7ff72
f1ab4f5cbf5fc72c4033699edadc4622

Gain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click the banner below.