
Ransom.Win32.SPOOSH.THGAGBC is a Windows ransomware strain first documented by Trend Micro in July 2023. Trend Micro rates its overall risk as low, its damage potential as medium, and its information exposure (data theft) rating as high. It reaches a machine either as a download from a malicious website or as a file dropped by other malware, skips critical system files when encrypting, and collects system information that it sends to its operators.
Key Characteristics and Distribution
The ransomware targets Windows systems and is distributed through malicious websites or dropped by other malware already on the host. Bitdefender detects the same sample as Generic.Ransom.DCRTR.7E80656D. Because Trend Micro rates its information exposure higher than its damage potential, the system data it sends out is as much a concern as the files it encrypts.
| Attribute | Detail |
|---|---|
| Platform | Windows |
| Aliases | Generic.Ransom.DCRTR.7E80656D (Bitdefender) |
| Distribution | Malicious websites; dropped by other malware |
| Primary risk | Data exfiltration (information exposure rated High) |
Technical Analysis
Infection and Command & Control
Upon execution, SPOOSH.THGAGBC connects to a command-and-control server, recorded by Trend Micro as tcp://[BLOCKED].154.137:21119 (address partly redacted in the source), and sends system metadata: OS version, hostname, network details and hardware identifiers. It also terminates processes that commonly hold database and backup files open, so that those files can be encrypted, including the Backup Exec remote agent (Agntsvc.exe), Sybase SQL Anywhere (Dbeng50.exe) and the Encryption Service (Encsvc.exe). These are backup and database services rather than security products; killing them releases file locks on high-value data.
Evasion and Persistence Mechanisms
The write-up lists two registry changes. The ransomware creates entries under HKEY_CURRENT_USER\Printers\SettingsLow and alters values under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. The value of interest in the second key is EnableLinkedConnections: when set to 1, network drives mapped in a user's standard token are also visible to processes running with an elevated token, which lets the ransomware reach mapped shares during encryption. To hinder recovery it also deletes Volume Shadow Copies and empties the Recycle Bin.
Detection and Mitigation
Indicators of Compromise
Host indicators are %AppDataLocal%\wallpaper.jpg, the image set as the desktop background to display the ransom demand, and {Encrypted Directory}\information.hta, the ransom note dropped into each encrypted directory. On the network side, the wallpaper image is fetched from i.[BLOCKED]g.cc/JzpfvBFf/wallapaper.jpg (hostname redacted in the source), so proxy and DNS logs should be checked for that host and path, along with connections to the C2 address above.
Remediation Steps
Organizations should scan affected hosts first (Trend Micro recommends pattern file version 18.583.00 or later for detection), then remove the malicious registry entries and restore defaults. Two caveats: HKEY_CURRENT_USER is per-user, so the cleanup must run in the session of each affected user, and some environments set EnableLinkedConnections to 1 deliberately through policy, so confirm with the policy owner before resetting it. The following PowerShell commands, run from an elevated prompt, undo the two registry changes:

```powershell
# Remove the key the write-up associates with the malware (no error if it is already gone)
Remove-Item -Path "HKCU:\Printers\SettingsLow" -Recurse -Force -ErrorAction SilentlyContinue
# Reset EnableLinkedConnections so elevated processes no longer see per-user mapped drives
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "EnableLinkedConnections" -Value 0 -Type DWord
```
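The following script is an added example, not Trend Micro's tooling and not part of the original write-up. It turns the indicators above (the two registry locations, the wallpaper image, the ransom note) into a triage pass that reports what it finds and, only when asked, removes the registry key, the EnableLinkedConnections value and the dropped image after copying them aside as evidence. The -Remediate switch, the function names and the evidence directory are this example's own choices; the indicator paths come from the write-up.

```powershell
# Added triage/cleanup script for the SPOOSH.THGAGBC host indicators (example code).
# Run in the affected user's session (HKCU is per-user) from an elevated prompt (for HKLM).
#   .\Find-Spoosh.ps1                     # report only
#   .\Find-Spoosh.ps1 -Remediate -WhatIf  # show what cleanup would do
#   .\Find-Spoosh.ps1 -Remediate          # clean up, preserving evidence first
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remediate)

$policyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$printersKey = 'HKCU:\Printers\SettingsLow'
$wallpaper   = Join-Path $env:LOCALAPPDATA 'wallpaper.jpg'
# Evidence location is this script's own convention, not from the write-up.
$evidenceDir = Join-Path $env:TEMP ('spoosh-triage-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))

function Get-SpooshIndicators {
    $hits = [System.Collections.Generic.List[object]]::new()

    if (Test-Path -Path $printersKey) {
        $hits.Add([pscustomobject]@{ Kind = 'RegistryKey'; Path = $printersKey; Detail = 'present' })
    }

    # Absent or 0 is the Windows default. 1 exposes the user's mapped network drives
    # to elevated processes, widening what the ransomware can encrypt.
    $elc = Get-ItemProperty -Path $policyKey -Name EnableLinkedConnections -ErrorAction SilentlyContinue
    if ($null -ne $elc -and $elc.EnableLinkedConnections -eq 1) {
        $hits.Add([pscustomobject]@{ Kind = 'RegistryValue'; Path = "$policyKey\EnableLinkedConnections"; Detail = '1' })
    }

    if (Test-Path -Path $wallpaper -PathType Leaf) {
        $hash = (Get-FileHash -Path $wallpaper -Algorithm SHA256).Hash
        $hits.Add([pscustomobject]@{ Kind = 'File'; Path = $wallpaper; Detail = "SHA256 $hash" })
    }

    # Ransom notes mark the directories that were encrypted. Walking every fixed drive
    # can take a while on large volumes; narrow $roots if you already know the scope.
    $roots = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=3' |
        ForEach-Object { $_.DeviceID + '\' }
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Filter 'information.hta' -Recurse -Force -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $hits.Add([pscustomobject]@{ Kind = 'RansomNote'; Path = $_.FullName; Detail = $_.LastWriteTime })
            }
    }
    return $hits
}

function Invoke-SpooshCleanup {
    [CmdletBinding(SupportsShouldProcess)]
    param([object[]]$Hits)

    New-Item -Path $evidenceDir -ItemType Directory -Force | Out-Null
    foreach ($h in $Hits) {
        switch ($h.Kind) {
            'RegistryKey' {
                # Keep a copy of the key for analysis before deleting it.
                reg.exe export 'HKCU\Printers\SettingsLow' (Join-Path $evidenceDir 'SettingsLow.reg') /y | Out-Null
                if ($PSCmdlet.ShouldProcess($h.Path, 'Remove registry key')) {
                    Remove-Item -Path $h.Path -Recurse -Force
                }
            }
            'RegistryValue' {
                # Removing the value restores the Windows default (equivalent to 0).
                # Check with the group-policy owner first if your environment sets this on purpose.
                if ($PSCmdlet.ShouldProcess($h.Path, 'Remove registry value')) {
                    Remove-ItemProperty -Path $policyKey -Name EnableLinkedConnections
                }
            }
            'File' {
                Copy-Item -Path $h.Path -Destination $evidenceDir
                if ($PSCmdlet.ShouldProcess($h.Path, 'Remove file')) {
                    Remove-Item -Path $h.Path -Force
                }
            }
            default { }  # ransom notes and encrypted files stay in place as evidence
        }
    }
    Write-Host "Evidence copied to $evidenceDir"
}

$hits = Get-SpooshIndicators
if ($hits.Count -eq 0) {
    Write-Host 'No SPOOSH.THGAGBC indicators found on this host.'
} else {
    $hits | Format-Table -AutoSize
    if ($Remediate) { Invoke-SpooshCleanup -Hits $hits }
}
```

Because both the script and the cleanup function declare SupportsShouldProcess, a single -WhatIf on the command line flows through $WhatIfPreference and previews every destructive step. The ransom notes are reported but never deleted; they tell you which directories were encrypted and are worth keeping for the incident record.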
Security Implications
While Trend Micro rates the damage potential of SPOOSH.THGAGBC as only medium, its collection and transmission of system data makes it a real concern for organizations handling sensitive information. Security teams should watch for the specific behaviours described above: EnableLinkedConnections being set to 1, writes under HKCU\Printers\SettingsLow, termination of database and backup services such as Agntsvc.exe, Dbeng50.exe and Encsvc.exe, shadow copy deletion, and the creation of wallpaper.jpg in %AppDataLocal% or information.hta in user directories.
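The following is an added example, not part of the original write-up, of how those behaviours can be checked against Sysmon-style telemetry. The function inspects one event at a time and returns a reason string when it matches a behaviour from the analysis above; the event shape (Id, Image, TargetObject, Details, CommandLine, TargetFilename) follows the Sysmon schema as the example's author understands it, and the sample events are constructed for the demonstration, not captured from a real infection.

```powershell
# Added detection logic for the SPOOSH.THGAGBC behaviours described in this write-up.
# Example code: the event field names follow Sysmon's schema; the sample events below are constructed.

# Processes the write-up says the ransomware terminates (backup and database services).
$killTargets = @('agntsvc.exe', 'dbeng50.exe', 'encsvc.exe')
$killPattern = ($killTargets | ForEach-Object { [regex]::Escape($_) }) -join '|'

function Test-SpooshBehaviour {
    param([Parameter(Mandatory)] $Record)
    switch ($Record.Id) {
        13 { # RegistryEvent: value set. Sysmon renders a DWORD as "DWORD (0x00000001)".
            if ($Record.TargetObject -like '*\Policies\System\EnableLinkedConnections' -and
                $Record.Details -match '0x0*1\b') { return 'EnableLinkedConnections set to 1' }
            if ($Record.TargetObject -like 'HKU\*\Printers\SettingsLow*') { return 'value written under Printers\SettingsLow' }
        }
        12 { # RegistryEvent: key created or deleted
            if ($Record.TargetObject -like 'HKU\*\Printers\SettingsLow*') { return 'Printers\SettingsLow key created' }
        }
        1 {  # ProcessCreate: anti-recovery commands and command-line process kills
            $cl = [string]$Record.CommandLine
            if ($cl -match '(?i)vssadmin(\.exe)?\s+delete\s+shadows' -or
                $cl -match '(?i)wmic(\.exe)?\s+shadowcopy\s+delete') { return 'shadow copy deletion' }
            if ($cl -match "(?i)taskkill.*\s/im\s+($killPattern)") { return 'taskkill of backup/database service' }
        }
        5 {  # ProcessTerminate: covers kills done through the API rather than taskkill
            $name = [IO.Path]::GetFileName([string]$Record.Image).ToLower()
            if ($killTargets -contains $name) { return "termination of $name" }
        }
        11 { # FileCreate: ransom note and wallpaper drops
            $fn = [string]$Record.TargetFilename
            if ($fn -like '*\AppData\Local\wallpaper.jpg' -or $fn -like '*\information.hta') { return "ransom artefact $fn" }
        }
    }
    return $null
}

# Constructed sample events (not captured telemetry). The last one is a benign UAC policy write
# to the same key and must not be flagged.
$sample = @(
    [pscustomobject]@{ Id = 13; Image = 'C:\Users\alice\AppData\Local\Temp\payload.exe'
                       TargetObject = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections'
                       Details = 'DWORD (0x00000001)' }
    [pscustomobject]@{ Id = 1;  Image = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'cmd.exe /c vssadmin delete shadows /all /quiet' }
    [pscustomobject]@{ Id = 5;  Image = 'C:\Program Files\BackupAgent\agntsvc.exe' }
    [pscustomobject]@{ Id = 11; Image = 'C:\Users\alice\AppData\Local\Temp\payload.exe'
                       TargetFilename = 'C:\Users\alice\AppData\Local\wallpaper.jpg' }
    [pscustomobject]@{ Id = 13; Image = 'C:\Windows\System32\svchost.exe'
                       TargetObject = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin'
                       Details = 'DWORD (0x00000005)' }
)

$alerts = foreach ($r in $sample) {
    $why = Test-SpooshBehaviour -Record $r
    if ($why) { [pscustomobject]@{ Id = $r.Id; Image = $r.Image; Reason = $why } }
}
$alerts | Format-Table -AutoSize   # four alerts; the ConsentPromptBehaviorAdmin write is not reported

# Against a live host with Sysmon installed (elevated prompt), build the same shape from real events:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 5, 11, 12, 13 } -MaxEvents 5000 |
#   ForEach-Object {
#       $d = @{}; ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#       [pscustomobject]@{ Id = $_.Id; Image = $d.Image; TargetObject = $d.TargetObject; Details = $d.Details
#                          CommandLine = $d.CommandLine; TargetFilename = $d.TargetFilename }
#   } | ForEach-Object { $why = Test-SpooshBehaviour -Record $_; if ($why) { "$($_.Id) $($_.Image): $why" } }
```

The EnableLinkedConnections check deliberately matches on the value being 1 rather than on any write to the Policies\System key, because UAC and logon policy settings live in that same key and are written by legitimate management tools. The process-kill check is split between event 1 (taskkill on the command line) and event 5 (the service actually ending), since ransomware more often terminates processes through the API than through a visible command.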
References
- Trend Micro Threat Encyclopedia – Original analysis of SPOOSH.THGAGBC
- NSU Computing Help Desk – Virus information assistance
- HiNet Secure Info – Additional technical details