New ransomware using the extension “.SaveTheQueen” was found in December by Twitter user @malwrhunterteam. To spread and track the infection, the attacker used the SYSVOL share on the domain controller, creating a scheduled task there and writing a log file for each infected device. Being able to write to the SYSVOL share means the attacker had already achieved domain admin rights beforehand. The malware author made efforts to complicate analysis, including base64-encoding a gzip-compressed binary that was used to inject shellcode into winlogon.exe. The shellcode turned out to be a full application protected with a utility called “ConfuserEx” and converted to shellcode using another tool called “Donut.”

The original, unprotected binary is a simple .NET executable that performs the following actions:
- Enumerates local and shared drives on a victim machine
- Looks for files to encrypt
- Closes any process that is using the files to be encrypted
- Adds a “.SaveTheQueenING” extension to files before encryption
- Changes the extension to “.SaveTheQueen” once encryption of that file is finished
- Adds a ransom note to the directory
The ransomware also ignores the following directories:
- C:\windows
- C:\Program Files
- C:\Program Files (x86)
- C:\Users\<user>\AppData
- C:\inetpub
Not encrypting “C:\inetpub” is an interesting choice, as it means the author did not want to disrupt web applications running under IIS. It also ignores the following extensions:
- .exe
- .dll
- .msi
- .iso
- .sys
- .cab
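The directory and extension exclusions above, together with the two-stage renaming (“.SaveTheQueenING” while a file is being encrypted, “.SaveTheQueen” once it is done), define exactly which files on a host this ransomware touches. The following added triage helper, which is not code from the write-up or from the malware, re-implements those rules so a responder can bucket a file listing from a suspect host into encrypted, half-encrypted, skipped and still-at-risk files; it assumes full Windows paths, case-insensitive matching as on NTFS, and a constructed sample listing.

```python
# Added triage helper (not the write-up's or malware's code); rules as described above.
import re
from pathlib import PureWindowsPath

IN_PROGRESS = ".savethequeening"   # appended before a file is encrypted
DONE = ".savethequeen"             # final extension once encryption finishes
SKIPPED_EXTENSIONS = {".exe", ".dll", ".msi", ".iso", ".sys", ".cab"}
# Ignored directories; <user> is any profile name, matching is case-insensitive.
SKIPPED_DIRS = [re.compile(p, re.I) for p in (
    r"^c:\\windows(\\|$)",
    r"^c:\\program files(\\|$)",
    r"^c:\\program files \(x86\)(\\|$)",
    r"^c:\\users\\[^\\]+\\appdata(\\|$)",
    r"^c:\\inetpub(\\|$)",
)]

def is_skipped(path: str) -> bool:
    """True if the ransomware would leave this file alone."""
    p = PureWindowsPath(path)
    if any(pat.match(str(p)) for pat in SKIPPED_DIRS):
        return True
    return p.suffix.lower() in SKIPPED_EXTENSIONS

def classify(path: str) -> str:
    """Return 'encrypted', 'in_progress', 'skipped' or 'at_risk'.
    Check suffixes, not substrings: ".SaveTheQueen" is a prefix of ".SaveTheQueenING",
    so a 'contains' test would count half-done files as fully encrypted.
    """
    lower = path.lower()
    if lower.endswith(IN_PROGRESS):
        return "in_progress"  # renamed but encryption did not finish
    if lower.endswith(DONE):
        return "encrypted"
    return "skipped" if is_skipped(path) else "at_risk"

def triage(paths):
    """Bucket a file listing by classification."""
    buckets = {"encrypted": [], "in_progress": [], "skipped": [], "at_risk": []}
    for path in paths:
        buckets[classify(path)].append(path)
    return buckets

# Constructed sample listing, not from a real infected host.
SAMPLE = [
    r"C:\Users\alice\Documents\budget.xlsx.SaveTheQueen",
    r"C:\Users\alice\Documents\notes.docx.SaveTheQueenING",
    r"C:\Users\alice\AppData\Roaming\app\settings.json",
    r"D:\shares\finance\q4.pdf",
]
```

Files in the in_progress bucket were renamed but never fully encrypted, so they are worth examining separately during recovery.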