“The NtQuerySystemInformation function allows the caller to obtain details about the current system’s physical characteristics, such as the number of logical processors available,” Arctic Wolf said. “This information can be useful when determining how many threads the multi-threaded encryption routine should allocate.”
Once the essential system information has been obtained, encryption is attempted. “Using the system information discovered earlier, the sample configures a thread pool dedicated to encrypting all of the discovered files,” the report added. “This thread pool uses the logical processor information with a minimum of two processors and a maximum of sixteen processors. The deprecated Windows APIs CryptImportKey and CryptEncrypt are called during the process.”
After the encryption is completed, the miscreants leave a ransom note, written to one of the configuration files on the disk, with a generic ‘readme.txt’ name.