“The NtQuerySystemInformation function allows the caller to obtain information about the current system’s physical details such as the number of logical processors available,” Arctic Wolf said. “This information can be useful when determining how many threads the multi-threaded encryption routine should allocate.”
Once critical system information is obtained, encryption is attempted. “Using the system information discovered earlier, the sample configures a thread pool dedicated to encrypting all the discovered files,” the report added. “This thread pool uses the logical processor information with a minimum number of two processors and a maximum number of sixteen processors. The deprecated Windows APIs for CryptImportKey and the CryptEncrypt are called during the process.”
After the encryption is completed, the miscreants leave a ransom note, written to one of the configuration files on the disk, with a usual ‘readme.txt’ name.