Published May 24, 2016 | Updated Sep 15, 2017
Ransom:Win32/Zekwacrypt.A
Technical information
Threat behavior
Installation
It modifies the following registry keys:
In subkey: HKU\Administrator\Software\Microsoft\Windows\CurrentVersion\ Sets value: ext With data: <encrypt extension>
In subkey: HKU\Administrator\Software\Classes\<encrypt extension>\ Sets value: default With data: <encrypt extension>.run
In subkey: HKU\Administrator\Software\Classes\<encrypt extension>\shell\open\command Sets value: default With data: notepad "%documents%\_<encrypt extension>_encrypted_readme.txt"
Payload
Encrypts your files
This ransomware searches all folders for files with the following extensions and encrypts them:
.APR
.BOX
.dot
.GML
.mb
.PAS
.rt
.VC6
.jas
.bpw
.dotm
.GO
.MCD
.PDB
.rtf
.VCD
.ari
.BRD
.dotx
.GRB
.md2
.pdd
.RVM
.VCPROJ
.arw
.BREP
.dotXSI
.GTABLE
.md3
.pdf
.RVT
.vdi
.srf
.BSDL
.dpm
.GTC
.MDA
.PDI
.rw2
.VDPROJ
.1CD
.bzip
.DPR
.GXK
.MDB
.PDX
.rwl
.vfd
.3dm
.C
.dproj
.gz
.mdc
.pef
.rwx
.vhd
.3dmf
.C2D
.drf
.gzip
.MDE
.pem
.rwz
.VHDL
.3dmlw
.c4d
.DRW
.H
.MDF
.pfx
.S
.vimproj
.3ds
.CAD
.dsa
.ha
.MDS
.php
.S12
.VIP
.3DV
.cal3d
.dsk
.hdd
.mdx
.php2
.S19
.VLM
.3dxml
.cap
.dsm
.hdmov
.mef
.php3
.sav
.vmc
.3fr
.CATDrawing
.DSPF
.HPP
.mesh
.php4
.SCAD
.vmdk
.3g2
.CATPart
.dss
.HS
.mht
.php5
.SCALA
.vmem
.3ga
.CATProcess
.dsv
.htm
.mhtml
.php6
.SCDOC
.vmsd
.3gp
.CATProduct
.dtd
.html
.mid
.php7
.SCE
.vmsn
.3gp2
.CBL
.dts
.HXX
.midi
.phps
.SCI
.vmss
.3gpp
.CBP
.DWB
.IAM
.mka
.phtml
.SCM
.vmtm
.3mf
.CC
.DWF
.ICD
.mkv
.PIPE
.SD7
.vmx
.4DB
.CCC
.DWG
.IDW
.ML
.pl
.SDB
.vmxf
.4DD
.CCD
.DXF
.IFC
.mlp
.PLN
.SDC
.VND
.4DIndx
.CCM
.E
.ifo
.mm3d
.ply
.SDF
.vob
.4DIndy
.CCP4
.E2D
.IGES
.model
.PM
.SDI
.VS
.4DR
.CCS
.EAP
.ihtml
.mos
.png
.shtml
.vsv
.7z
.cda
.EASM
.iiq
.mov
.pot
.sia
.vud
.aac
.CDI
.EDIF
.IMG
.mp2
.potm
.sib
.vue
.ABC
.CDL
.EDRW
.imp
.mp2v
.potx
.skp
.vwx
.ac
.CDR
.EFS
.INC
.mp3
.pov
.sldasm
.w3d
.ac3
.cer
.EGG
.indd
.mp4
.PP
.SLDDRW
.waData
.ACCDB
.cfg
.EGT
.info
.mp4v
.ppam
.sldm
.waIndx
.ACCDE
.cfl
.eip
.IPN
.mpa
.ppk
.sldprt
.waJournal
.ACCDR
.cfm
.EL
.IPT
.mpc
.pps
.sldx
.waModel
.ACCDT
.cgi
.EMB
.ISO
.mpe
.ppsm
.SLN
.wav
.ace
.CGM
.EMF
.ivf
.mpeg
.ppsx
.smd
.wb2
.ACP
.cgr
.eml
.j2c
.mpg
.ppt
.smk
.WDB
.ADA
.CHML
.EPRT
.j2k
.mpls
.pptm
.snd
.webm
.ADB
.CIF
.eps
.jar
.MPO
.pptx
.SPEF
.WGL
.ADF
.CIR
.epub
.JAVA
.mpv2
.PRC
.SPI
.wings
.adp
.CLJ
.erf
.jp2
.mpv4
.PRG
.SQL
.wm
.ADS
.CLS
.ESS
.jpc
.MRC
.PRO
.SQLITE
.wma
.ADT
.CMX
.ESW
.jpe
.mrw
.PRT
.sr2
.WMDB
.ADZ
.CO
.evo
.jpeg
.MS12
.ps
.SREC
.WMF
.AEC
.COB
.EXCELLON
.jpf
.mts
.psb
.srw
.wmp
.AI
.core3d
.EXP
.jpg
.MYD
.psd
.ssh
.wmv
.aif
.CPF
.F
.jpx
.MYI
.PSM
.std
.wpd
.aifc
.CPP
.f4v
.jsp
.NCF
.PSMODEL
.STEP
.wps
.aiff
.cr2
.F77
.JT
.NDF
.pst
.STIL
.wrl
.ain
.crt
.F90
.k25
.nef
.ptx
.STK
.wv
.alac
.crw
.fac
.kdb
.nif
.pub
.STL
.x
.AMF
.CS
.fb2
.kdbx
.NRG
.pva
.stm
.X_B
.amr
.CSPROJ
.fbx
.kdc
.nrw
.pvs
.SUB
.X_T
.amv
.csv
.FDB
.KEXI
.NSF
.PWI
.SV
.X3D
.an8
.ctm
.fff
.KEXIC
.NTF
.pxn
.SVG
.x3f
.aob
.CUE
.flac
.KEXIS
.NV2
.PY
.swf
.XAR
.aoi
.CXX
.flc
.L
.nvram
.PYT
.SWG
.XE
.ape
.D
.fli
.las
.OASIS
.R
.SXD
.xhtml
.apl
.D64
.flic
.lasso
.obj
.R3D
.tak
.xla
.AR
.DAA
.flv
.lassoapp
.OCD
.ra
.tar
.xlam
.arc
.dae
.FM
.LDB
.ODB
.raf
.TCL
.xll
.arj
.DAF
.FMZ
.LEF
.ODG
.ram
.TCT
.xlm
.ART
.DB
.FOR
.LISP
.odm
.rar
.TCW
.xls
.ASC
.DBA
.FP
.log
.odp
.raw
.tex
.xlsb
.asf
.DBF
.FP3
.lwo
.odt
.RB
.TIB
.xlsm
.ASM
.DBPro123
.FP5
.lws
.off
.RC
.tif
.xlsx
.asp
.dcr
.FP7
.lxo
.ofr
.RC2
.tiff
.xlt
.aspx
.dcs
.FRM
.lzh
.ofs
.rec
.tp
.xltm
.au
.DEF
.FRX
.M
.oga
.RED
.trp
.xltx
.avi
.der
.FS
.m1a
.ogex
.REDS
.ts
.xlw
.AWG
.DFF
.FSDB
.m1v
.ogg
.REL
.tta
.xml
.b3d
.dfm
.FTH
.m2a
.ogm
.RESX
.txt
.XPL
.B6T
.DFT
.FTN
.m2p
.ogv
.RFA
.u3d
.XQ
.BAS
.DGK
.g
.m2t
.OpenAccess
.RIN
.uc2
.XSI
.bay
.DGN
.GBR
.m2ts
.opus
.rk
.UDL
.XSL
.bdmv
.divx
.GDB
.m2v
.ORA
.RKT
.UNV
.Y
.bik
.DMG
.gdoc
.M4
.orf
.RKTL
.UPF
.z3d
.BIM
.DMS
.GDSII
.m4a
.ott
.RLF
.V
.zip
.BIN
.DMT
.GED
.m4b
.P
.rm
.V2D
.bkf
.dng
.gif
.m4r
.p12
.rmi
.VAP
.blend
.doc
.glm
.m4v
.p7b
.rmm
.VB
.block
.docb
.GM6
.ma
.p7c
.rmvb
.VBG
.bml
.docm
.GMD
.maff
.pages
.rp
.VBP
.bmp
.docx
.GMK
.max
.PAR
.rss
.VBPROJ
It looks through the files and removes files with the following names:
After encrypting a file, the ransomware renames it by appending a dot followed by seven letters (.[alphabet]{7}) to the original file extension. For example:
file.png is renamed to file.png.zekwakc
file.bin is renamed to file.bin.zekwakc
After encryption it drops the following file on the C drive:
Clog.txt - contains a record of everything it encrypted, probably for debugging purposes
The malware does not encrypt files in directories whose path contains any of the following application or folder names:
Microsoft
Windows
Borland
Content.IE5
Mozilla
Framework
Temp
I386
Torrents
Torrent
It creates the following files in the %documents% folder:
psawfcsnbd_encrypted_readme.txt.bmp (same content as encrypted_readme.txt)
_<encrypt extension>_encrypted_readme.txt
It drops two text files in every directory it encrypts:
encrypted_readme.txt
encrypted_list.txt
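The rename pattern and the dropped notes above are the artifacts a responder can triage from a plain file listing. The following is an added example (not Microsoft's code or part of this entry) that groups suspected encrypted files and ransom notes by directory and recovers the original file names; it assumes the seven appended letters are lowercase a-z, as in both documented examples, and uses a constructed sample listing.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Zekwacrypt appends a dot plus seven letters to the ORIGINAL extension
# (file.png -> file.png.zekwakc). The page writes this as [alphabet]{7};
# lowercase a-z is assumed here because both documented examples are lowercase.
RENAMED = re.compile(r"^(?P<orig>.+\.[A-Za-z0-9_]+)\.(?P<tag>[a-z]{7})$")
# Notes the page says are dropped into every directory the malware encrypts.
NOTE_NAMES = {"encrypted_readme.txt", "encrypted_list.txt"}

def triage(paths):
    """Group suspected artifacts by directory:
    {dir: {"encrypted": [(new_name, original_name)], "notes": [...], "tags": Counter}}."""
    hits = defaultdict(lambda: {"encrypted": [], "notes": [], "tags": Counter()})
    for p in paths:
        wp = PureWindowsPath(p)
        d, name = str(wp.parent), wp.name
        if name.lower() in NOTE_NAMES:
            hits[d]["notes"].append(name)
            continue
        m = RENAMED.match(name)
        if m:
            hits[d]["encrypted"].append((name, m.group("orig")))
            hits[d]["tags"][m.group("tag")] += 1
    return dict(hits)

def infection_tag(hits, min_files=2):
    """Return the appended tag if the same one appears on >= min_files files.
    One seven-letter suffix is weak evidence (legitimate extensions such as
    .backups have seven letters), but one infection appends the same tag to
    every file it touches, so a repeated tag is strong evidence."""
    total = Counter()
    for info in hits.values():
        total.update(info["tags"])
    if not total:
        return None
    tag, n = total.most_common(1)[0]
    return tag if n >= min_files else None

# Constructed sample listing (not from the page): two encrypted files, the two
# ransom notes, and a benign file whose name resembles the rename pattern.
SAMPLE = [
    r"C:\Users\alice\Documents\budget.xlsx.zekwakc",
    r"C:\Users\alice\Documents\photo.jpg.zekwakc",
    r"C:\Users\alice\Documents\encrypted_readme.txt",
    r"C:\Users\alice\Documents\encrypted_list.txt",
    r"C:\Users\alice\Downloads\notes.txt.backups",
]
```

Run `triage(SAMPLE)` and pass the result to `infection_tag` to confirm the suffix before treating single matches as encrypted files.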
Connects to a remote host
This ransomware does not require an internet connection to encrypt files.
Analysis by Carmen Liang
Prevention
Symptoms
The following can indicate that you have this threat on your PC:
Debug Version = 1.0.0.0;