The ASEC analysis team has identified through internal monitoring that the Elbie ransomware is being distributed under the disguise of ieinstal.exe, an Internet Explorer Add-on installation program.
Figure 1. File properties
The initial executable decodes the internal data into an executable that performs the actual ransomware behavior (See Figure 2).
Figure 2. Decoded executable
Afterward, the decoded executable is injected into a copy of its own process that it launches recursively, and it checks whether the user's PC is running in a VM environment.
Figure 3. Checking for the VM environment
The injected and executed ransomware drops a copy of itself into the %AppData% path and registers it as a startup program. It then opens a UAC prompt to request admin privileges, which it needs to block system recovery.
Figure 4. UAC
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run:ieinstal=C:\Users\kk\AppData\Local\ieinstal.exe
After the process gains admin privileges, it executes two cmd.exe processes. The first deletes the volume shadow copies to prevent system recovery and runs the commands that disable Windows recovery.
- vssadmin delete shadows /all /quiet
- wmic shadowcopy delete
- bcdedit /set {default} bootstatuspolicy ignoreallfailures
- bcdedit /set {default} recoveryenabled no
- wbadmin delete catalog -quiet
The second cmd.exe process modifies the firewall settings as shown below.
- netsh advfirewall set currentprofile state off
- netsh firewall set opmode mode=disable
Figure 5. RAPIT process tree
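The following is an added detection example, not code from the original post or from AhnLab: it scans Sysmon-style process-creation and registry events for the recovery-inhibition and firewall commands listed above, plus the Run-key persistence entry pointing into AppData. The event lines are constructed for the example, and the event format and rule names are assumptions.

```python
import re

# Constructed Sysmon-style events (not real telemetry) mirroring the behaviour
# described above: Run-key persistence, shadow-copy deletion, recovery
# disabling, backup catalog deletion, firewall shutdown, plus one benign event.
SAMPLE_EVENTS = [
    r"EventID=13 Image=C:\Users\kk\AppData\Local\ieinstal.exe TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ieinstal Details=C:\Users\kk\AppData\Local\ieinstal.exe",
    r"EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet",
    r"EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c netsh advfirewall set currentprofile state off & netsh firewall set opmode mode=disable",
    r"EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe C:\Users\kk\notes.txt",
]

# Each rule maps a behaviour name (assumed naming) to the pattern it looks for.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin\b.*\bdelete\s+shadows\b|\bwmic\b.*\bshadowcopy\s+delete\b", re.I),
    "recovery_disabled": re.compile(
        r"\bbcdedit\b.*(bootstatuspolicy\s+ignoreallfailures|recoveryenabled\s+no)", re.I),
    "backup_catalog_deleted": re.compile(r"\bwbadmin\b.*\bdelete\s+catalog\b", re.I),
    "firewall_disabled": re.compile(
        r"\bnetsh\b.*(advfirewall\s+set\s+\w+\s+state\s+off|firewall\s+set\s+opmode\s+mode=disable)", re.I),
    # Run-key value whose data points into a user's AppData directory.
    "run_key_to_appdata": re.compile(
        r"TargetObject=HK(?:CU|LM)\\.*\\CurrentVersion\\Run\\.*Details=.*\\AppData\\", re.I),
}


def scan_events(events):
    """Return {behaviour_name: [event indexes]} for every rule that fires."""
    hits = {}
    for idx, event in enumerate(events):
        for name, rule in RULES.items():
            if rule.search(event):
                hits.setdefault(name, []).append(idx)
    return hits


def is_ransomware_like(hits, threshold=3):
    """One recovery-related command may be legitimate admin work; several distinct
    behaviours from the list above on the same host are a strong indicator."""
    return len(hits) >= threshold


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for name, idxs in found.items():
        print(f"{name}: events {idxs}")
    print("ransomware-like:", is_ransomware_like(found))
```

In a real deployment the same rules would run over Sysmon Event ID 1 and 13 records (or the equivalent EDR telemetry) rather than the constructed lines.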
Afterward, the encrypted files are renamed to the filename format shown below, and the ransom notes info.txt and info.hta are created in the infected path.
Figure 6. Info.hta
Figure 7. Info.txt
Figure 8. The infected file
Because this ransomware is disguised as a normal program, it is very likely that not only corporations but also individual PC users are targeted. Both individual users and corporations must refrain from running programs from unknown sources and update their anti-malware software to the latest version. AhnLab's anti-malware software, V3, detects and blocks the malware using the following aliases:
[File Detection]
- Ransomware/Win.EncryptExe.C5285322
- Ransomware/Win.Generic.R363595
[Behavior Detection]
- Ransom/MDP.Command.M2255
- Ransom/MDP.Decoy.M1171
[IOC Info]
- 4f1025c0661cc0fa578a52466fa65b71
- 62885d0f106569fac3985f72f0ca10cb
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.