BleepingComputer recently obtained a sample of Threat Finder and performed an analysis of the ransomware. The ransomware itself is distributed as a Windows DLL (Dynamic Link Library) file that is started by the Windows Regsvr32.exe program. Once infected, a startup entry will be created in the Windows Registry called WINUP.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WINUP" = regsvr32 "C:\Users\<account name>\AppData\Local\Temp\reg.dll"

Once reg.dll is loaded, it connects to its Command & Control server at 220.127.116.11 and downloads the files t0.da0, t0.da1 and t0.daa to the %Temp% folder. t0.da0 is an image file containing the main interface screen for the ransomware, t0.da1 is the Check Payment button image, and it is currently unknown what t0.daa is for.
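The Run value and the dropped files above are the host-side indicators a responder would check for. The following Python is an added example and not part of the article or of BleepingComputer's analysis: it runs simple triage logic over a constructed .reg export of the current user's Run key and a constructed directory listing (the user name, the two benign Run values and the extra temp file are made up for the example). It keys on the technique, regsvr32 loading a DLL from the user's Temp folder, rather than on the WINUP name, so a renamed value is still flagged.

```python
import re

# Constructed sample for this example: a .reg export of the current user's Run key.
# The WINUP value mirrors the persistence entry described above (user name and
# paths are made up); the other two values are benign look-alikes.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"WINUP"="regsvr32 \"C:\\Users\\alice\\AppData\\Local\\Temp\\reg.dll\""
"Updater"="\"C:\\Program Files\\Vendor\\updater.exe\" /silent"
'''

# Constructed sample directory listing, as the paths would appear on the host.
SAMPLE_FILE_LISTING = [
    r'C:\Users\alice\AppData\Local\Temp\reg.dll',
    r'C:\Users\alice\AppData\Local\Temp\t0.da0',
    r'C:\Users\alice\AppData\Local\Temp\t0.da1',
    r'C:\Users\alice\AppData\Local\Temp\t0.daa',
    r'C:\Users\alice\AppData\Local\Temp\~DF3A2B.tmp',
    r'C:\Users\alice\Desktop\HELP_DECRYPT.HTML',
    r'C:\Users\alice\Desktop\budget.xlsx',
]

# Files named in the article, matched case-insensitively by (parent folder, file name).
DROPPED_ARTIFACTS = {
    ('temp', 'reg.dll'), ('temp', 't0.da0'), ('temp', 't0.da1'), ('temp', 't0.daa'),
    ('desktop', 'help_decrypt.html'),
}

# One "name"="value" line of a .reg export; values escape backslash and quote with a backslash.
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>(?:[^"\\]|\\.)*)"\s*$')
REGSVR32_RE = re.compile(r'(?:^|[\\\s"])regsvr32(?:\.exe)?(?:[\s"]|$)', re.IGNORECASE)
DLL_PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.dll)', re.IGNORECASE)
USER_TEMP_RE = re.compile(r'\\AppData\\Local\\Temp\\', re.IGNORECASE)


def parse_run_values(reg_text):
    """Return {value_name: command} for every value line in the export, with escapes removed."""
    values = {}
    for line in reg_text.splitlines():
        m = RUN_VALUE_RE.match(line.strip())
        if m:
            values[m.group('name')] = re.sub(r'\\(.)', r'\1', m.group('value'))
    return values


def find_suspicious_run_entries(run_values):
    """Flag Run values that load a DLL from the user's Temp folder through regsvr32.

    The check is on the technique, not the value name, so a renamed entry still
    triggers; 'known_name' records whether the value carries the reported WINUP name.
    """
    findings = []
    for name, command in run_values.items():
        if not REGSVR32_RE.search(command):
            continue
        m = DLL_PATH_RE.search(command)
        if m and USER_TEMP_RE.search(m.group(1)):
            findings.append({'value': name, 'dll': m.group(1),
                             'known_name': name.upper() == 'WINUP'})
    return findings


def find_dropped_artifacts(paths):
    """Return the paths whose parent folder and file name match a known dropped file."""
    hits = []
    for p in paths:
        parts = p.lower().replace('/', '\\').split('\\')
        if len(parts) >= 2 and (parts[-2], parts[-1]) in DROPPED_ARTIFACTS:
            hits.append(p)
    return hits


def triage(reg_text, paths):
    """Combine both checks into one report for a host."""
    return {'run_entries': find_suspicious_run_entries(parse_run_values(reg_text)),
            'artifacts': find_dropped_artifacts(paths)}


if __name__ == '__main__':
    report = triage(SAMPLE_REG_EXPORT, SAMPLE_FILE_LISTING)
    for f in report['run_entries']:
        print(f"suspicious Run value {f['value']!r} loads {f['dll']}")
    for p in report['artifacts']:
        print('dropped artifact present:', p)
```

On a real host the export comes from `reg export HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` and the listing from a directory walk of the user profile; the regsvr32-from-Temp pattern is worth keeping as a standing detection, since it is not specific to this family.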
Threat Finder then scans your computer for files with certain extensions and encrypts them. The file extensions that Threat Finder currently looks for are:
*.txt, *.html, *.htm, *.css, *.wmv, *.wallt, *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c

When Threat Finder encrypts a file it does not change the file's name. The only indication that a file has been encrypted is therefore that the program you open it with can no longer display it properly.
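Because encrypted files keep their names, the practical way to find which in-scope files were hit is to compare each file's leading bytes with the signature its extension implies. The Python below is an added example, not part of the article: the extension set is the list above, while the signature table, the sample file headers and the 90% printable threshold for text types are constructed for the example (the table covers only formats with a well-known leading sequence; other in-scope types are reported as having no signature rather than guessed at).

```python
import ntpath

# The extension list reported above, lower-case and without the leading "*.".
TARGETED_EXTENSIONS = set('''
txt html htm css wmv wallt odt ods odp odm odc odb doc docx docm wps xls xlsx xlsm xlsb xlk
ppt pptx pptm mdb accdb pst dwg dxf dxg wpd rtf wb2 mdf dbf psd pdd pdf eps ai indd cdr
jpg jpe dng 3fr arw srf sr2 bay crw cr2 dcr kdc erf mef mrw nef nrw orf raf raw rwl rw2 r3d
ptx pef srw x3f der cer crt pem pfx p12 p7b p7c'''.split())

# Leading-byte signatures for the in-scope formats that have a well-known one.  This table
# belongs to the example, not to the article, and is limited to entries the author is sure of.
_ZIP = [b'PK\x03\x04']                              # OOXML and OpenDocument containers
_OLE2 = [b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1']        # legacy Office compound documents
_TIFF = [b'II*\x00', b'MM\x00*']                     # TIFF-based camera raw formats
_DER_OR_PEM = [b'\x30', b'-----BEGIN']               # DER SEQUENCE tag (weak: 1 byte) or PEM
MAGIC = {
    'pdf': [b'%PDF-'], 'ai': [b'%PDF-', b'%!PS'], 'eps': [b'%!PS', b'\xc5\xd0\xd3\xc6'],
    'jpg': [b'\xff\xd8\xff'], 'jpe': [b'\xff\xd8\xff'], 'psd': [b'8BPS'],
    'rtf': [b'{\\rtf'], 'pem': [b'-----BEGIN'], 'pst': [b'!BDN'], 'dwg': [b'AC10'],
    'mdb': [b'\x00\x01\x00\x00Standard Jet DB'], 'accdb': [b'\x00\x01\x00\x00Standard ACE DB'],
    'wmv': [b'\x30\x26\xb2\x75\x8e\x66\xcf\x11'], 'raf': [b'FUJIFILMCCD-RAW'], 'x3f': [b'FOVb'],
    **{e: _ZIP for e in ('docx', 'docm', 'xlsx', 'xlsm', 'xlsb', 'pptx', 'pptm',
                         'odt', 'ods', 'odp', 'odm', 'odc', 'odb')},
    **{e: _OLE2 for e in ('doc', 'xls', 'ppt')},
    **{e: _TIFF for e in ('cr2', 'nef', 'dng', 'arw', 'pef', 'srw', 'nrw', '3fr')},
    **{e: _DER_OR_PEM for e in ('der', 'cer', 'crt', 'pfx', 'p12', 'p7b', 'p7c')},
}
# In-scope text formats with no fixed signature: judged by how much of the header is printable.
TEXT_EXTENSIONS = {'txt', 'html', 'htm', 'css', 'dxf'}

# Constructed sample: {path: first bytes of the file}.  The random-looking headers stand in
# for files whose contents were overwritten with ciphertext; the others are genuine formats.
SAMPLE_FILES = {
    r'C:\Users\alice\Documents\report.pdf': b'%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n',
    r'C:\Users\alice\Documents\invoice.pdf': bytes.fromhex('9f3b12c8a17e44d0f26b0c9e5a8841f3'),
    r'C:\Users\alice\Documents\notes.txt': b'Meeting notes\r\n- budget review\r\n',
    r'C:\Users\alice\Documents\todo.txt': bytes.fromhex('1c8f02e7b344d9a0ff6e3b17c2905d8e'),
    r'C:\Users\alice\Pictures\holiday.jpg': b'\xff\xd8\xff\xe0\x00\x10JFIF\x00',
    r'C:\Users\alice\Documents\budget.xlsx': b'PK\x03\x04\x14\x00\x06\x00',
    r'C:\Users\alice\Documents\budget_old.xls': bytes.fromhex('7a11e3c9f204b86d5590a3e1c7d42f0b'),
    r'C:\Users\alice\Videos\clip.mp4': b'\x00\x00\x00\x18ftypmp42',
    r'C:\Users\alice\Documents\design.cdr': b'RIFF\x00\x00\x00\x00CDRC',
    r'C:\Users\alice\Documents\empty.txt': b'',
}


def _looks_like_text(header):
    """True when at least 90% of the bytes are printable ASCII or tab/CR/LF (heuristic)."""
    printable = sum(1 for b in header if 32 <= b < 127 or b in (9, 10, 13))
    return printable >= 0.9 * len(header)


def classify(path, header):
    """Verdict for one file: out-of-scope, empty, header-ok, header-mismatch or no-signature."""
    ext = ntpath.splitext(path)[1].lower().lstrip('.')   # ntpath accepts both separators
    if ext not in TARGETED_EXTENSIONS:
        return 'out-of-scope'
    if not header:
        return 'empty'
    if ext in MAGIC:
        return 'header-ok' if any(header.startswith(s) for s in MAGIC[ext]) else 'header-mismatch'
    if ext in TEXT_EXTENSIONS:
        return 'header-ok' if _looks_like_text(header) else 'header-mismatch'
    return 'no-signature'


def triage(samples):
    """Map every sampled path to its verdict."""
    return {p: classify(p, h) for p, h in samples.items()}


def suspected_encrypted(samples):
    """Sorted list of in-scope files whose header no longer matches their extension."""
    return sorted(p for p, v in triage(samples).items() if v == 'header-mismatch')


def read_headers(root, n=32):
    """Collect the first n bytes of every file under root, for use on a real file system."""
    import os
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                with open(p, 'rb') as fh:
                    out[p] = fh.read(n)
            except OSError:
                pass
    return out


if __name__ == '__main__':
    for p, verdict in triage(SAMPLE_FILES).items():
        print(f'{verdict:16} {p}')
```

A mismatch is only a lead, not proof: a file with a damaged header or an unusual variant of a format will also fail the check, and the one-byte DER signature lets roughly one in 256 overwritten certificate files slip through, so review the flagged set rather than acting on it blindly. Run `triage(read_headers(r'C:\Users\alice'))` to apply the same logic to a live profile.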
Finally, when the encryption has completed, your default web browser opens and displays the %UserProfile%\Desktop\HELP_DECRYPT.HTML file, along with the Threat Finder v2.4 screen shown above. This HTML file warns that your data has been encrypted and that you must pay a ransom in order to get your files back.
The main interface provides instructions on how to make a payment, a bitcoin address to send it to, and a special BOT ID that you are supposed to include with your payment. The provided bitcoin address, 1NadLTgZHFGJmqUuQ58dGsB7ADCbe5N6z1, is the same for everyone, and the blockchain shows that approximately 10 ransom payments have been made to it. The main interface also contains a Check Payment button that displays a message when clicked. In our testing, clicking this button does not perform any network requests, so we are unsure whether it really does anything.
At this time we are still waiting for confirmation as to whether the files are actually encrypted and with what algorithm. The good news, though, is that this infection does not delete your Shadow Volume Copies, so it may be possible to restore your files using the Windows Previous Versions feature or a tool like Shadow Explorer. Before relying on this, confirm that the copies are still present, for example with vssadmin list shadows from an elevated command prompt. For detailed instructions on how to restore your data files from Shadow Volume Copies, please see this section of the CryptoWall guide: