Threat Watch

New “SaveTheQueen” Ransomware Found

New ransomware using the extension “.SaveTheQueen” was found in December by Twitter user @malwrhunterteam. To spread and track the infection, the attacker used the SYSVOL share on the domain controller, creating a scheduled task and creating log files for each infected device. Being able to write to the SYSVOL share means that the attacker had already obtained domain admin rights. The malware author made efforts to complicate analysis, including base64-encoding a gzip-compressed binary that was used to inject shellcode into winlogon.exe. The shellcode turned out to be a full application protected with a utility called “ConfuserEx” and converted to shellcode using another tool called “Donut.” The original, unprotected binary is a simple .NET executable that performs the following actions:

  • Enumerates local and shared drives on a victim machine
  • Looks for files to encrypt
  • Closes any process that is using the files to be encrypted
  • Adds a “.SaveTheQueenING” extension to files before encryption
  • Changes extension to “.SaveTheQueen” after encryption is finished for that file
  • Adds a ransom note to the directory

The ransomware also ignores the following directories:

  • C:\windows
  • C:\Program Files
  • C:\Program Files (x86)
  • C:\Users\<user>\AppData
  • C:\inetpub

Not encrypting “C:\inetpub” is an interesting choice, as it means the author did not want to disrupt web applications running under IIS web services. It also ignores the following extensions:

  • .exe
  • .dll
  • .msi
  • .iso
  • .sys
  • .cab


Malware utilizing SYSVOL in any capacity is particularly dangerous because it means the attacker acquired domain admin rights at some point. Using a domain controller to spread an infection could bring the entire business to a halt in just a few minutes. Limiting who has access to domain admin privileges is common in an enterprise environment, but administrators should also have a separate account for day-to-day activities. These accounts may still have higher rights than the average account, but the separation still prevents an instant takeover in the event of a compromise. Ransomware operators typically start by compromising a local user account on a workstation, then attempt to escalate privileges to SYSTEM so that they can steal credentials or tokens from the workstation’s memory. If Domain Administrator accounts are used to log on to the compromised system, the attacker can gain access to those accounts and cause much greater damage across the enterprise. File monitoring could be put in place to watch sensitive directories such as inetpub and SYSVOL and immediately alert administrators and security operations teams to changes. Detecting attacks against Kerberos that target service accounts is another important security control for finding attackers who are attempting to expand their access.
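The file-monitoring idea above can be sketched as detection logic over file events; this is an added example, not code from the original article or from any vendor tool. The event tuple format, host names, and sample paths are constructed assumptions; only the two extensions and the watched directory names come from the text.

```python
import ntpath
from collections import defaultdict

# Markers reported in the article, lower-cased for comparison.
IN_PROGRESS, FINISHED = ".savethequeening", ".savethequeen"
# Directories the article suggests watching (matched case-insensitively).
WATCHED = ("\\sysvol\\", "\\inetpub\\")

# Constructed sample events: (host, action, path, new_path or None).
SAMPLE_EVENTS = [
    ("WS01", "rename", r"D:\share\q3.xlsx", r"D:\share\q3.xlsx.SaveTheQueenING"),
    ("WS01", "rename", r"D:\share\q3.xlsx.SaveTheQueenING", r"D:\share\q3.xlsx.SaveTheQueen"),
    ("WS02", "create", r"C:\Users\bob\Documents\notes.txt", None),
    ("DC01", "create", r"\\dc01\SYSVOL\example.test\scripts\WS01.log", None),
    ("WS03", "rename", r"E:\data\a.docx", r"E:\data\a.docx.SaveTheQueenING"),
]

def detect(events):
    """Return (alerts, state); state maps host -> (files still in progress, files finished)."""
    alerts = []
    pending = defaultdict(set)  # host -> paths carrying only the in-progress marker
    done = defaultdict(int)     # host -> files that reached the final extension
    for host, action, path, new_path in events:
        target = new_path or path
        low = target.lower()
        if any(fragment in low for fragment in WATCHED):
            alerts.append((host, "watched-dir-change", target))
        extension = ntpath.splitext(low)[1]
        if extension == IN_PROGRESS:
            pending[host].add(low)
            alerts.append((host, "encryption-started", target))
        elif extension == FINISHED:
            # The in-progress name is the final name with "ING" appended.
            pending[host].discard(low + "ing")
            done[host] += 1
            alerts.append((host, "encryption-finished", target))
    hosts = set(pending) | set(done)
    return alerts, {h: (len(pending[h]), done[h]) for h in hosts}

if __name__ == "__main__":
    alerts, state = detect(SAMPLE_EVENTS)
    for alert in alerts:
        print(alert)
    print(state)
```

A host whose first count is non-zero has files left at the in-progress marker, which points to encryption that is still running or was interrupted on that machine.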