Arctic Wolf sniffs out a new type of ransomware

“The NtQuerySystemInformation function allows the caller to get information about the current system information such as the number of logical processors available,” says Arctic Wolf. “This information can be useful when deciding how many multi-threaded encryption cables to allocate.”

Once critical system information has been obtained, encryption is attempted. “Using previously acquired system information, the sample configures a thread pool dedicated to encrypting all found files,” the report added. “This thread pool uses a processor specification with a minimum number of two processors and a maximum number of sixteen processors. The deprecated Windows APIs for CryptImportKey and CryptEncrypt are called during the process.”
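As an added triage aid (not part of the Arctic Wolf report), the import combination the article names can be expressed as a YARA rule using the `pe` module. The DLL names are assumed from the standard Windows API layout (CryptoAPI in advapi32.dll, the Nt* system-query call in ntdll.dll) and are not stated on the page; treat a match as a hunting lead, since legitimate software also uses these calls.

```yara
import "pe"

rule Triage_LegacyCryptoAPI_With_SystemQuery
{
    meta:
        description = "PE importing the legacy CryptoAPI encryption calls together with NtQuerySystemInformation, as described in the Arctic Wolf write-up"
        provenance  = "Illustrative rule added to this page, not from the original report; DLL names are assumed"
        intent      = "Triage/hunting hint only; expect matches on benign software"
    condition:
        // MZ header: only look at PE files
        uint16(0) == 0x5A4D and
        // Deprecated CryptoAPI calls named in the report (assumed to resolve via advapi32.dll)
        pe.imports("advapi32.dll", "CryptImportKey") and
        pe.imports("advapi32.dll", "CryptEncrypt") and
        // System query used to size the encryption thread pool (assumed to resolve via ntdll.dll)
        pe.imports("ntdll.dll", "NtQuerySystemInformation")
}
```

Samples that resolve these functions dynamically (e.g. via GetProcAddress) will not show them in the import table, so this rule only catches statically imported cases.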

After encryption completes, the criminals leave a ransom note, written in one of the configuration files on the disk, commonly named ‘readme.txt’.

