Elbie Ransomware Being Distributed in Korea

The ASEC analysis team has identified through internal monitoring that the Elbie ransomware is being distributed under the disguise of ieinstal.exe, an Internet Explorer Add-on installation program.

Figure 1. File properties

The initial executable decodes the internal data into an executable that performs the actual ransomware behavior (See Figure 2).

Figure 2. Decoded executable

Afterward, the decoded executable is injected into the process which has run recursion, and it checks whether the user PC uses the VM environment.

Figure 3. Checking for the VM environment

The injected and executed ransomware drops a copy into the %AppData% path and registers it as a startup program. Also, to block system recovery, it opens a UAC window to prompt an access attempt via admin privileges.

Figure 4. UAC

  • HKCUSoftwareMicrosoftWindowsCurrentVersionRun:ieinstal=C:UserskkAppDataLocalieinstal.exe

After the process gains admin privilege, it executes two cmd.exe processes. The first process deletes the volume shadow to prevent system recovery and executes the command to disable Windows environment recovery.

  • vssadmin delete shadows /all /quiet
  • wmic shadowcopy delete
  • bcdedit /set {default} bootstatuspolicy ignoreallfailures
  • bcdedit /set {default} recoveryenabled no
  • wbadmin delete catalog -quiet

The second cmd.exe process modifies the firewall settings as shown below.

  • netsh advfirewall set currentprofile state off
  • netsh firewall set opmoe mode=disable

Figure 5. RAPIT process tree

Afterward, the name of the infected file is changed to the filename below, and the ransom notes info.txt and info.hta are created in the infection path.

Figure 6. Info.hta Figure 7. Info.txt Figure 8. The infected file

Because this ransomware is disguised as a normal program, it is very likely that not only corporations but personal PC users are also targeted. All personal users, as well as each corporation, must refrain from running programs from unknown sources and update their anti-malware software to the latest version. AhnLab’s anti-malware software, V3, detects and blocks the malware using the following aliases:

[File Detection]

  • Ransomware/Win.EncryptExe.C5285322
  • Ransomware/Win.Generic.R363595

[Behavior Detection]

  • Ransom/MDP.Command.M2255
  • Ransom/MDP.Decoy.M1171

[IOC Info]

  • 4f1025c0661cc0fa578a52466fa65b71
  • 62885d0f106569fac3985f72f0ca10cb

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.


Leave a Reply

Your email address will not be published. Required fields are marked *