Ransomware Attack Reading Time: 4 minutes

Most people are aware of ransomware by now, certainly those who regularly read the Comodo blog section and similar publications. For those who don’t, ransomware is an attack whereby the attacker encrypts all the files on a victim’s computer or server, making them completely unusable. The attacker then demands a fee, a ransom usually in Bitcoins, to de-crypt the files. The beauty of the attack from the criminal’s point of view is that there is almost never a solution for victim once the encryption has taken place. No antivirus, no help from technical experts, no police force, and no amount of crying can ever recover those files for you. You must have the decryption key or kiss goodbye to your files.

When staring down the unforgiving barrel of this gun, many high-profile victims find they have no choice but to pay the fee. They need those files to continue in business or to provide their services to society, and they cannot afford any downtime at all. Hospitals, government departments, charities, universities, magistrate courts and newspaper offices are just a few examples of major institutions that have relented and paid the ransom.

Ransomware is usually spread in the form of a Trojan horse program. These are programs that trick you into thinking they are a normal program when you install them but are actually a malicious executable which encrypts your drives. Each piece of ransomware has its own unique way of infecting the target machine, and each uses several levels of obfuscation to avoid detection. This blog is a deep-dive from one of Comodo’s leading engineers into the inner workings of one such piece of ransomware – WONSYS.

What is WONSYS Ransomware?

Wonsys is a strain of malware that is either obfuscated by cryptor software, or packed into a file like UPX, ASPROTECT or VMPROTECT. The actual executable, wonsys.exe, is buried deep inside another, apparently innocent, program, so it is one of those trojans we mentioned earlier. This is a common method used by a criminal to help it avoid detection by antivirus products.


The malware drops itself onto the target computer and runs using the SHELL32 API, ShellExecuteW:


Once the ransomware is run by the user, it creates a “RunOnce” key in the registry:


It also counts all drives on the target machine so it can encrypt them all:


Wonsys then creates a ‘kill-list’ of processes that it needs to shut-down. These are programs that, if left running, could potentially prevent Wonsys from infecting the entire system. Specifically, they are programs like Word, PowerPoint, Notepad, Thunderbird which can ‘lock’ files and so prevent their encryption. After closing them these programs, Wonsys also deletes the shadow copy of the files so the user can’t restore them:


The command prompt window is opened through COMSPEC in the system32 folder with administrator privileges:wonsys1

The attacker also collects the date, time format, system name and locale info using API functions and pings the iplogger.org site, thus collecting detailed info on the machine.wonsys1

Wonsys now has all the information it needs. The screenshot below shows that ‘dccdc’ is the extension it will add to all filenames after encryption, ‘PC-Administrator’ is the computer name, and drive ‘C:’ is the drive it will infect:


Finally, the WONSYS ransomware unleashes its payload, encrypting all files on the machine. All files are left with the ‘.dccdc’ extension apart a single, unencrypted file which the user can open – ‘CLICK_HERE-dccdc.txt’:


This .txt file is how the attacker tells the victim what to do next. Each infected machine is given its own ID and personal key. The note tells the user to visit a web page where they will need this info to login to a chat service:


The note tries to create the impression that the chat is a friendly service with a kindly operator who will help them recover their files. In reality, the chat is where the hacker demands their payment in Bitcoin or else the victim’s files are lost forever.