Day by day, the state of security is constantly evolving, with new threats emerging regularly. The latest threat to watch for is the ELPACO-team ransomware. This malicious software is designed to infiltrate systems, encrypt critical data, and extort victims.
ELPACO-team ransomware, a stealthy and destructive malware, that is targeting organizations worldwide. At first glance, ELPACO-team may seem like a harmless file. Named ELPACO-teamv.exe, it masquerades as a standard Windows executable, but beneath its unassuming appearance, it harbors a malicious payload capable of wreaking havoc. Developed using Microsoft Visual C++, this 32-bit Windows executable contains a hidden 7zSFX (an archive file format that supports a variety of compression methods and encryption).
What sets ELPACO-team apart?
ELPACO-team deploys a highly strategic attack path, ensuring persistence, hiding traces, and disabling critical security mechanisms. When executed, ELPACO-teamv.exe functions as a dropper, silently creating a folder in the system’s %Temp% directory, where it extracts its components.
The contents include tools like 7za.exe, Everything.exe, and some Everything.dll libraries—tools that, on their own, would appear helpful. The key here is Everything.exe, a legitimate file search tool used for locating files quickly on Windows. However, in this case, it is weaponized to serve the ransomware’s objectives.
One of the most cunning aspects of this ransomware is its use of Everything64.dll, which contains a password-protected archive with malicious files. After unpacking the archive using the extracted 7za.exe tool, the attacker is left with several malicious binaries, including the ransomware payload, ELPACO-team.exe.
After extracting the payload, ELPACO-team begins a methodical process to establish persistence. The svhostss.exe binary, a renamed version of ELPACO-team.exe, is moved to a new directory, making it harder to detect. From this point on, the ransomware takes full control. This is by executing commands to disable Windows Defender and altering system settings to avoid detection.
The malware is designed to self-propagate and persist even after rebooting the system. It achieves this by configuring Everything.exe to run automatically at system startup, ensuring the ransomware remains active.
The Encryption Process
Once the ransomware is firmly in control, it begins the task of data encryption. Files are encrypted with a strong cipher, making them unreadable without the decryption key. The ELPACO-team ransomware doesn’t just encrypt the files—it also ensures that all recovery options are disabled. By using tools like DC.exe, it disables critical security features like Windows Defender, rendering the system vulnerable to further attacks.
ELPACO-team goes a step further to cover its tracks and complicate any attempts at recovery. The ransomware executes a series of commands that clear Windows event logs using wevtutil.exe, delete backup catalogs with wbadmin.exe, and disable virtual machine environments. Even more alarming, the malware utilizes fsutil to overwrite critical system files like svhostss.exe to prevent forensic recovery.
Additionally, it tampers with system configurations, including power settings via powercfg.exe to prevent hibernation or sleep mode, ensuring the ransomware has a continuous running time to carry out its attack uninterrupted.
As the attack intensifies, ELPACO-team ensures that the victim’s system is entirely compromised. Commands are executed to stop running virtual machines, dismount disk images, and disable system backups. The final touches involve registry modifications to allow remote access to the system and disable recovery options. The ransomware also uses cmd.exe to open a backdoor via the Sticky Keys feature, giving attackers persistent command-line access.
“The information in this article is based on research conducted by Cyfirma, which provided in-depth analysis of the ELPACO-team ransomware, a new and highly sophisticated variant of the MIMIC ransomware family.”
