
EKING Ransomware

The EKING Ransomware is powerful crypto-locker malware. It is not a wholly unique threat, though: according to the researchers who analyzed it, EKING is a variant of the Phobos Ransomware and belongs to the Phobos Ransomware family.

The EKING Ransomware is distributed through weaponized Word documents that carry malicious macro scripts. Once the document is opened, a security warning is displayed asking the user whether to enable macros. However, the threat bypasses this check by using a built-in event function that is triggered automatically when MS Word closes. In short, the macro is executed when the targeted user exits the document. The macro script's goal is to download and execute the ransomware payload by contacting a hardcoded URL address - 'hxxp://178.62.19.66/campo/v/v' - and fetching a file that it then writes to the hardcoded path 'C:\Users\Public\cs5\cs5.exe.'

When the EKING Ransomware's payload file is executed, it spawns a second instance of itself, this time with elevated permissions obtained by abusing an Explorer.exe token. The EKING Ransomware then runs two sets of commands. The first set is tasked with disrupting the default Windows backup capabilities: it deletes the Shadow Volume Copies and the Windows Restore copies from the local computer, disables automatic startup repair and deletes the backup catalog. The specific commands used are:

  • vssadmin delete shadows /all /quiet
  • wmic shadowcopy delete
  • bcdedit /set {default} bootstatuspolicy ignoreallfailures
  • bcdedit /set {default} recoveryenabled no
  • wbadmin delete catalog -quiet
  • exit

The second set is responsible for disabling the Windows Firewall; it consists of one command for Windows 7 and later and another for Windows XP and Windows 2003.
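The chained backup-destruction commands listed above are one of the most reliable detection points for this family, since an ordinary administrator rarely runs all of them in a row. The following Python is an added example, not code from the original write-up or from the researchers who analyzed EKING. It models process-creation telemetry as constructed Sysmon Event ID 1 style records (timestamp, parent pid, command line), matches each command line against a rule for every command the page lists, and raises an alert only when several distinct rules fire under the same parent within a short window. The event records, pids and timestamps are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed process-creation events in a Sysmon Event ID 1 style (not real
# telemetry): t = seconds since epoch, ppid = parent process id, cmdline = full
# command line of the created process.
SAMPLE_EVENTS = [
    {"t": 1000, "ppid": 3001, "cmdline": "vssadmin list shadows"},            # benign query
    {"t": 1005, "ppid": 3001, "cmdline": "wbadmin get versions"},             # benign query
    {"t": 2000, "ppid": 4120, "cmdline": "vssadmin delete shadows /all /quiet"},
    {"t": 2001, "ppid": 4120, "cmdline": "wmic shadowcopy delete"},
    {"t": 2002, "ppid": 4120, "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"t": 2003, "ppid": 4120, "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"t": 2004, "ppid": 4120, "cmdline": "wbadmin delete catalog -quiet"},
    {"t": 5000, "ppid": 5555, "cmdline": "vssadmin delete shadows /all /quiet"},  # lone call, e.g. disk cleanup
]

# One pattern per command the write-up lists; full image paths and .exe suffixes are tolerated.
RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "bcdedit_ignore_failures": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
    "bcdedit_recovery_off": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I),
}


def classify(cmdline):
    """Return the name of the rule the command line matches, or None if it is not a backup-tampering command."""
    for name, pattern in RULES.items():
        if pattern.search(cmdline):
            return name
    return None


def detect_backup_tampering(events, window=60, min_rules=2):
    """Alert when at least `min_rules` distinct tampering commands are spawned by the
    same parent process within `window` seconds. A single vssadmin or wbadmin call can
    be legitimate administration; the chained sequence is what the ransomware does."""
    hits = defaultdict(list)
    for ev in events:
        rule = classify(ev["cmdline"])
        if rule:
            hits[ev["ppid"]].append((ev["t"], rule))

    alerts = []
    for ppid, seq in hits.items():
        seq.sort()
        for start, _ in seq:  # slide a window over the time-ordered hits
            rules = {r for t, r in seq if start <= t <= start + window}
            if len(rules) >= min_rules:
                alerts.append({"parent_pid": ppid, "first_seen": start, "rules": sorted(rules)})
                break  # one alert per parent process is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_backup_tampering(SAMPLE_EVENTS):
        print(f"parent pid {alert['parent_pid']} at t={alert['first_seen']}: {', '.join(alert['rules'])}")
```

Run against the sample, only the parent process 4120 is reported; the two `list`/`get` queries never match a rule, and the lone shadow-copy deletion under pid 5555 stays below the threshold unless `min_rules` is lowered to 1. In a real deployment the parent would typically be the elevated ransomware process (or a cmd.exe it spawned), so correlating on parent pid rather than on each command individually is what keeps the false-positive rate manageable.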

To achieve persistence, the EKING Ransomware modifies the Registry of the compromised computer by creating an auto-run entry under the root key 'HKEY_CURRENT_USER.' In addition, it copies its executable file 'cs5.exe' into two auto-start folders - '%AppData%\Microsoft\Windows\Start Menu\Programs\Startup' and '%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup.' To prevent conflicts, such as several instances of the ransomware launching at system boot, it implements a check based on a Mutex object that ensures only one process is running.

The Main Functions of the EKING Ransomware

All of the actions carried out up to this point are preparation for the ransomware's main goal - encrypting data. The first step of this process is to terminate the processes of several popular programs, forcing them to release any files the user may currently be working on. The affected processes belong to MS SQL Server, Oracle Database, VMware, MySql, Firefox, SQL Anywhere, RedGate SQL Backup, MS Office and WordPad. To avoid disrupting the system's normal operation, the EKING Ransomware excludes two folders from encryption - '%WinDir%' and '%ProgramData%\Microsoft\Windows\Caches.' It also skips the extensions previously used by other Phobos Ransomware family threats, as well as certain specific files, namely the ransom notes it leaves for the victims and several boot files - info.hta, info.txt, boot.ini, ntldr, bootfont.bin, ntdetect.com, io.sys and osen.txt. All other files are encrypted with the AES cryptographic algorithm and renamed to include 'id[<>-2987].[wiruxa@airmail.cc].eking' in their filenames.
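During incident response, the renaming scheme described above is what lets a responder scope an infection quickly: every encrypted file carries the victim ID and the attacker's contact address, and the untouched files (exclusions and ransom notes) can be separated from the damage. The following Python is an added example, not code from the original write-up. It parses the 'id[<id>-<tag>].[<email>].eking' suffix into its parts and triages a constructed directory listing into encrypted files, ransom notes and untouched files. The page elides the victim-specific part of the ID, so the IDs, paths and filenames in the listing are placeholders constructed for the example; the meaning of the '2987' tag is not interpreted beyond what the page shows.

```python
import ntpath
import re
from collections import Counter

# Naming scheme from the write-up: <original>.id[<id>-<tag>].[<email>].eking
# The page elides the victim-specific part of the id ('<>'); the IDs in the
# constructed listing below are placeholders, not values observed in the wild.
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+?)\.id\[(?P<victim_id>[^\]\-]*)-(?P<tag>[^\]]+)\]\.\[(?P<email>[^\]]+)\]\.eking$",
    re.I,
)
RANSOM_NOTES = {"info.txt", "info.hta"}  # dropped by the ransomware and excluded from encryption

# Constructed directory listing (Windows paths) standing in for a file-system walk.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.id[A1B2C3D4-2987].[wiruxa@airmail.cc].eking",
    r"C:\Users\alice\Pictures\holiday.jpg.id[A1B2C3D4-2987].[wiruxa@airmail.cc].eking",
    r"C:\Users\alice\Documents\info.txt",
    r"C:\Users\alice\Desktop\info.hta",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Windows\System32\ntdll.dll",
    r"C:\boot.ini",
    r"D:\share\report.docx.eking",  # extension only, not the full scheme: a lookalike or truncated rename
]


def parse_encrypted_name(filename):
    """Split an EKING-style filename into its parts, or return None if it does not fit the scheme."""
    m = ENCRYPTED_NAME.match(ntpath.basename(filename))
    return m.groupdict() if m else None


def triage_listing(paths):
    """Classify each path as encrypted, ransom note or untouched and tally victim ids and contact emails."""
    report = {"encrypted": [], "notes": [], "untouched": [],
              "victim_ids": Counter(), "emails": Counter()}
    for p in paths:
        name = ntpath.basename(p)
        parts = parse_encrypted_name(name)
        if parts:
            report["encrypted"].append((p, parts["original"]))
            report["victim_ids"][parts["victim_id"]] += 1
            report["emails"][parts["email"]] += 1
        elif name.lower() in RANSOM_NOTES:
            report["notes"].append(p)
        else:
            report["untouched"].append(p)
    return report


if __name__ == "__main__":
    r = triage_listing(SAMPLE_LISTING)
    print(f"{len(r['encrypted'])} encrypted, {len(r['notes'])} ransom notes, {len(r['untouched'])} untouched")
    print("victim ids:", dict(r["victim_ids"]), "contact emails:", dict(r["emails"]))
```

Using `ntpath.basename` keeps the parser correct for Windows-style paths even when the triage script runs on a Linux analysis host. A second victim ID or contact address showing up in the tally is a useful signal on its own, since it suggests more than one campaign or more than one affected machine contributed files to the share being examined.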

The EKING Ransomware doesn't stop there. It can also damage network shares: it calls the WNetOpenEnum() API with different values for the dwScope argument, such as RESOURCE_CONNECTED, RESOURCE_RECENT, RESOURCE_CONTEXT, RESOURCE_REMEMBERED and RESOURCE_GLOBALNET. If a suitable resource is found, EKING scans it and runs its encryption routine on it.

And if that wasn't enough, the EKING Ransomware can also encrypt any USB drive or smartphone connected to the compromised system. Windows treats such devices as logical drives, and the EKING Ransomware checks every second whether any new logical drives have been added.

Finally, the EKING Ransomware drops its ransom note as a text file called 'info.txt' and as an HTML version, 'info.hta.' The .hta file is then executed to display a pop-up window on the victim's screen. The EKING Ransomware is a powerful malware threat, but affected users should not rush to obey the demands of the hackers behind it. Look for alternatives to restore the encrypted data, because any money sent to the criminals will simply be used to spread their threatening operations further.
