Threat Spotlight: Inside VSSDestroy Ransomware

VSSDestroy is a variant of the Matrix ransomware which targets Windows workstations. Matrix ransomware was spread via Rig EK as recently as 2017. This paper details the observations made by the Cylance Threat Research team during their analysis of VSSDestroy.

Our analysis begins with the execution of the malware payload. Upon execution, the ransomware drops a copy of itself into the same directory as the original, using a filename of the following form:

  • NW[0-9a-zA-Z]{6}.exe

The copy of the malicious file then executes with the “-n” option (NW[0-9a-zA-Z]{6}.exe -n).

VSSDestroy encrypts files and renames them with the .newrar extension:

Figure 1: File types encrypted by VSSDestroy

The ransomware creates a README document for victims to read after encryption (Figure 2):

Figure 2: Encrypted file and the README document

The document instructs victims to email newrar(at)tuta[.]io or newrar(at)cock[.]lu to acquire a decryption key. A second avenue for communication, via bitmsg (hxxps://bitmsg[.]me/), is provided in case targets cannot communicate via email (Figure 3):

Figure 3: Contents of #NEWRAR_README#.rtf

VSSDestroy changes the background image of the affected system. The ransomware drops an image file named [0-9a-zA-Z]{8}.bmp and sets it as the wallpaper (Figure 4). The malware modifies wallpaper settings in the following system registry locations:

  • HKCU\Control Panel\Desktop\Wallpaper
  • HKCU\Control Panel\Desktop\WallpaperStyle
  • HKCU\Control Panel\Desktop\TileWallpaper

Figure 4: Ransom wallpaper image

Victims will see the wallpaper after Windows reboots.
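As an added illustration that is not part of the Cylance post, the following Python sketches host-based detection logic keyed on the indicators described above: the dropped NW[0-9a-zA-Z]{6}.exe copy relaunched with -n, the .newrar extension, the #NEWRAR_README#.rtf note and the wallpaper bitmap written to the HKCU Desktop values. The event-record shape and the sample paths are assumptions constructed for this example.

```python
import re
from collections import Counter
# Indicators from the write-up: dropped-copy name, "-n" relaunch, encrypted-file
# extension, ransom note name, wallpaper bitmap name and the registry values touched.
DROPPED_COPY_RE = re.compile(r"(?:^|\\)NW[0-9a-zA-Z]{6}\.exe$")
WALLPAPER_BMP_RE = re.compile(r"(?:^|\\)[0-9a-zA-Z]{8}\.bmp$")
ENCRYPTED_EXT = ".newrar"
RANSOM_NOTE = "#NEWRAR_README#.rtf"
WALLPAPER_VALUE = r"HKCU\Control Panel\Desktop\Wallpaper"
STYLE_VALUES = {r"HKCU\Control Panel\Desktop\WallpaperStyle",
                r"HKCU\Control Panel\Desktop\TileWallpaper"}

def classify_event(event):
    """Return the VSSDestroy indicator names one telemetry event matches."""
    hits = []
    if event.get("type") == "process":
        if DROPPED_COPY_RE.search(event.get("image", "")) and "-n" in event.get("args", []):
            hits.append("dropped_copy_relaunch")
    elif event.get("type") == "file":
        path = event.get("path", "")
        if path.lower().endswith(ENCRYPTED_EXT):
            hits.append("newrar_extension")
        if path.rsplit("\\", 1)[-1] == RANSOM_NOTE:
            hits.append("ransom_note")
    elif event.get("type") == "registry":
        key, data = event.get("key", ""), event.get("data", "")
        if key == WALLPAPER_VALUE and WALLPAPER_BMP_RE.search(data):
            hits.append("wallpaper_set")
        elif key in STYLE_VALUES:
            hits.append("wallpaper_style_changed")
    return hits

def scan(events):
    """Count indicators over a host's event stream (assumed event dicts)."""
    return Counter(h for ev in events for h in classify_event(ev))

def verdict(counts):
    """Note, or relaunch plus renames, is high confidence; wallpaper alone merits a look."""
    if counts["ransom_note"] or (counts["dropped_copy_relaunch"] and counts["newrar_extension"]):
        return "high"
    return "medium" if counts else "none"

# Constructed sample telemetry (hypothetical paths, not taken from the report).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\victim\Downloads\NWa1B2c3.exe", "args": ["-n"]},
    {"type": "file", "path": r"C:\Users\victim\Documents\report.docx.newrar"},
    {"type": "file", "path": r"C:\Users\victim\Documents\#NEWRAR_README#.rtf"},
    {"type": "registry", "key": WALLPAPER_VALUE, "data": r"C:\Temp\Ab12Cd34.bmp"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "args": []},
]
```

Running scan(SAMPLE_EVENTS) yields one hit per indicator and a "high" verdict; a lone wallpaper change only scores "medium", since legitimate software also rewrites those values.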

The Trojan drops a modified version of the Sysinternals tool “Handle Viewer v4.11”. The tool closes handles that running processes hold on files, allowing the ransomware to encrypt those files as well (Figure 5):

Figure 5: Handle Viewer [gLxNMqwr.exe]

The modified version is packed with UPX, whereas the original Handle Viewer 4.11 is not packed.

If you unpack the modified version, there is only a slight difference between the original Handle Viewer 4.11 and (Read more...)

This is a Security Bloggers Network syndicated blog from Cylance Blog authored by The Cylance Threat Research Team.