Mongolock Ransomware deletes files and targets databases

Ransomware has become one of the most dangerous cyber-attack methods because of the different techniques it uses to encrypt the files and evade the detection of security software to earn money. Also, at a time, it’s not limited to encrypting user’s files but also deletes the files and formats the local disk drives.

Recently, Quick Heal Security Lab researchers observed a destructive ransomware variant named as ‘Mongolock’ which not only deletes all files and folders instead of encrypting them but also explicitly targets the databases as well.

While analyzing, we observed that after the execution of mother file it checks for user’s folders and specific locations such as Documents, Desktop, Recent, Favorites, Music and Videos. After which it executes ‘format.com’ command which is a windows genuine command for formatting the folders and drives, & then it starts deleting files and formats the local disk drives.

The command format is shown in the below snippet

Fig: 1 Process Tree & the command

Upon completion of the above commands operations, it executes below command to delete files and format the local hard drives:

• “C:\Windows\system32\cmd.exe” /c del C:\Users\Public\Desktop\* /F /Q
• “C:\Windows\system32\cmd.exe” /c del C:\Users\User\Videos\* /F /Q
• “C:\Windows\system32\cmd.exe” /c del D:\\* /F /Q
• “C:\Windows\system32\cmd.exe” /c format D: /fs:ntfs /q /y
• “C:\Windows\system32\cmd.exe” /c del C:\Users\User\Desktop\* /F /Q
• “C:\Windows\system32\cmd.exe” /c del C:\Users\User\Music\* /F /Q
• “C:\Windows\system32\cmd.exe” /c del C:\Users\User\Favorites\* /F /Q
• “C:\Windows\system32\cmd.exe” /c del C:\Users\User\Documents\* /F /Q

The code snippets below shows the hardcoded command in the malware

Fig: 2 Command to delete Desktop files

Fig: 3 Command to format local disk drive

Fig: 4 Command to delete files from favorite folder

We have observed that before deletion and formatting of the drives, the ransomware connects to CnC (Command & control) server to send the data of victim’s machine.

Below Wireshark snippet shows the connection.

Fig.5: Connection to CnC server

Though we have seen the connectivity of the ransomware to the CnC server, we have not seen any data being backed up on the server, hence, users are advised not to pay any ransom as the malware authors will not be able to restore the data.

In the end, it drops “Warning.txt” as a ransom note. According to “Warning.txt”, victim’s database and files back up on their secured server.

Fig 6:  Ransom Note

Quick Heal proactively protects its users from this threat:

Fig 7:  Virus protection

Fig 8:  Anti Ransomware

How to stay safe from ransomware attacks

• Always take a backup of your important data in external drives like HDD and pen drives. Consider using a reliable Cloud service to store the data.
• Do not install any freeware or cracked versions of any software.
• Do not open any advertisement shown on websites without knowing that they are genuine.
• Disable macros while using MS Office.
• Update your antivirus to protect your system from unknown threats.
• Do not click on links or download attachments in emails from unexpected, unknown or unwanted sources.

Indicators of compromise: (MD5)

23273D60F2AA83D06891136310957501

Command and control server: (Domain)

hxxps://s.rapid7.xyz

Subject Matter Experts:

Manish Patil, Priyanka Dhasade| Quick Heal Security Labs

Shriram Munde