{"id":87478,"date":"2019-01-29T11:00:20","date_gmt":"2019-01-29T05:30:20","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=87478"},"modified":"2023-09-25T15:58:40","modified_gmt":"2023-09-25T10:28:40","slug":"mongolock-ransomware-deletes-files-targets-databases","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/mongolock-ransomware-deletes-files-targets-databases\/","title":{"rendered":"Mongolock Ransomware deletes files and targets databases"},"content":{"rendered":"<p>Ransomware has become one of the most dangerous cyber-attack methods because of the different techniques it uses to encrypt files and evade detection by security software in order to earn money. Also, at times it is not limited to encrypting users\u2019 files but also deletes the files and formats the local disk drives.<\/p>\n<p>Recently, Quick Heal Security Lab researchers observed a destructive ransomware variant named \u2018<strong>Mongolock<\/strong>\u2019 which not only deletes all files and folders instead of encrypting them but also explicitly targets databases.<\/p>\n<p>While analyzing, we observed that after execution of the mother file, it checks for the user\u2019s folders and specific locations such as Documents, Desktop, Recent, Favorites, Music and Videos. 
It then executes the \u2018format.com\u2019 command, which is a genuine Windows command for formatting the folders and drives, and starts deleting files and formatting the local disk drives.<\/p>\n<p>The command format is shown in the snippet below.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-87479\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/01\/1.png\" alt=\"\" width=\"438\" height=\"81\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/01\/1.png 438w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/01\/1-300x55.png 300w\" sizes=\"(max-width: 438px) 100vw, 438px\" \/><\/p>\n<p style=\"text-align: center;\"><strong>Fig: 1<\/strong> Process Tree &amp; the command<\/p>\n<p>Upon completion of the above operations, it executes the commands below to delete files and format the local hard drives:<\/p>\n<ul>\n<li>\u201cC:\\Windows\\system32\\cmd.exe\u201d \/c del C:\\Users\\Public\\Desktop\\* \/F \/Q<\/li>\n<li>\u201cC:\\Windows\\system32\\cmd.exe\u201d \/c del C:\\Users\\User\\Videos\\* \/F \/Q<\/li>\n<li>\u201cC:\\Windows\\system32\\cmd.exe\u201d \/c del D:\\\\* \/F \/Q<\/li>\n<li>\u201cC:\\Windows\\system32\\cmd.exe\u201d \/c format D: \/fs:ntfs \/q \/y<\/li>\n<li>\u201cC:\\Windows\\system32\\cmd.exe\u201d \/c del C:\\Users\\User\\Desktop\\* \/F \/Q<\/li>\n<li>\u201cC:\\Windows\\system32\\cmd.exe\u201d \/c del C:\\Users\\User\\Music\\* \/F \/Q<\/li>\n<li>\u201cC:\\Windows\\system32\\cmd.exe\u201d \/c del C:\\Users\\User\\Favorites\\* \/F \/Q<\/li>\n<li>\u201cC:\\Windows\\system32\\cmd.exe\u201d \/c del C:\\Users\\User\\Documents\\* \/F \/Q<\/li>\n<\/ul>\n<p>The code snippets below show the hardcoded commands in the malware.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-87480\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/01\/2.png\" alt=\"\" width=\"663\" height=\"147\" 
srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/01\/2.png 663w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/01\/2-300x67.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/01\/2-650x144.png 650w\" sizes=\"(max-width: 663px) 100vw, 663px\" \/><\/p>\n<p style=\"text-align: center;\"><strong>Fig: 2<\/strong> Command to delete Desktop files<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-87481\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/01\/3-1.png\" alt=\"\" width=\"558\" height=\"171\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/01\/3-1.png 558w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/01\/3-1-300x92.png 300w\" sizes=\"(max-width: 558px) 100vw, 558px\" \/><\/p>\n<p style=\"text-align: center;\"><strong>Fig: 3<\/strong> Command to format local disk drive<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-87482\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/01\/4.jpg\" alt=\"\" width=\"673\" height=\"146\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/01\/4.jpg 673w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/01\/4-300x65.jpg 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/01\/4-650x141.jpg 650w\" sizes=\"(max-width: 673px) 100vw, 673px\" \/><\/p>\n<p style=\"text-align: center;\"><strong>Fig: 4<\/strong> Command to delete files from the Favorites folder<\/p>\n<p>We have observed that before deleting files and formatting the drives, the ransomware connects to a CnC (Command &amp; Control) server to send data about the victim\u2019s machine.<\/p>\n<p>The Wireshark snippet below shows the connection.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-87484\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/01\/5-1.png\" 
alt=\"\" width=\"740\" height=\"105\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/01\/5-1.png 740w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/01\/5-1-300x43.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/01\/5-1-650x92.png 650w\" sizes=\"(max-width: 740px) 100vw, 740px\" \/><\/p>\n<p style=\"text-align: center;\"><strong>Fig.5:<\/strong> Connection to CnC server<\/p>\n<p>Though we have seen the <a href=\"https:\/\/blogs.quickheal.com\/the-perils-of-ransomware-how-to-save-yourself-from-the-next-attack\/\">ransomware<\/a> connect to the CnC server, we have not seen any data being backed up on the server; hence, users are advised not to pay any ransom, as the malware authors will not be able to restore the data.<\/p>\n<p>In the end, it drops \u201cWarning.txt\u201d as a ransom note. According to \u201cWarning.txt\u201d, the victim\u2019s database and files have been backed up on the attackers\u2019 secured server.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-87485\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/01\/6-1.jpg\" alt=\"\" width=\"645\" height=\"276\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/01\/6-1.jpg 645w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/01\/6-1-300x128.jpg 300w\" sizes=\"(max-width: 645px) 100vw, 645px\" \/><\/p>\n<p style=\"text-align: center;\"><strong>Fig 6:<\/strong>\u00a0 Ransom Note<\/p>\n<p><strong>Quick Heal proactively protects its users from this threat:<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-87486\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/01\/7.jpg\" alt=\"\" width=\"301\" height=\"162\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/01\/7.jpg 301w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/01\/7-300x161.jpg 300w\" 
sizes=\"(max-width: 301px) 100vw, 301px\" \/><\/p>\n<p style=\"text-align: center;\"><strong>Fig 7:<\/strong>\u00a0 Virus protection<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-87487\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/01\/8-1.png\" alt=\"\" width=\"459\" height=\"263\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/01\/8-1.png 459w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/01\/8-1-300x172.png 300w\" sizes=\"(max-width: 459px) 100vw, 459px\" \/><\/p>\n<p style=\"text-align: center;\"><strong>Fig 8:<\/strong>\u00a0 Anti Ransomware<\/p>\n<p><strong>How to stay safe from ransomware attacks<\/strong><\/p>\n<ul>\n<li>Always take a backup of your important data in external drives like HDD and pen drives. Consider using a reliable Cloud service to store the data.<\/li>\n<li>Do not install any freeware or cracked versions of any software.<\/li>\n<li>Do not open any advertisement shown on websites without knowing that they are genuine.<\/li>\n<li>Disable macros while using MS Office.<\/li>\n<li>Update your antivirus to protect your system from unknown threats.<\/li>\n<li>Do not click on links or download attachments in emails from unexpected, unknown or unwanted sources.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><strong>Indicators of compromise: (MD5)<\/strong><\/p>\n<p>23273D60F2AA83D06891136310957501<\/p>\n<p><strong>Command and control server: (Domain)<\/strong><\/p>\n<p>hxxps:\/\/s.rapid7.xyz<\/p>\n<p><strong>Subject Matter Experts:<\/strong><\/p>\n<p>Manish Patil, Priyanka Dhasade| Quick Heal Security Labs<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ransomware has become one of the most dangerous cyber-attack methods because of the different techniques it uses to encrypt the files and evade the detection of security software to earn money. 
Also, at a time, it\u2019s not limited to encrypting user\u2019s files but also deletes the files and formats the local disk drives. Recently, Quick [&hellip;]<\/p>\n","protected":false},"author":39,"featured_media":87488,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[24,5],"tags":[22,50,47],"class_list":["post-87478","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware","category-security","tag-email-malware","tag-ransomware","tag-security"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/87478"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/39"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=87478"}],"version-history":[{"count":3,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/87478\/revisions"}],"predecessor-version":[{"id":92087,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/87478\/revisions\/92087"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/87488"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=87478"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=87478"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=87478"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}