“The NtQuerySystemInformation function allows the caller to obtain information about the current system’s physical specifics, such as the number of logical processors available,” Arctic Wolf said. “This information can be useful when determining how many threads the multi-threaded encryption routine should allocate.”
Once the necessary system information is obtained, encryption is attempted. “Using the system information discovered earlier, the sample configures a thread pool dedicated to encrypting all of the discovered files,” the report added. “This thread pool uses the logical processor information with a minimum of two processors and a maximum of sixteen processors. The deprecated Windows APIs CryptImportKey and CryptEncrypt are called during the process.”
After the encryption is completed, the miscreants leave a ransom note, written to one of the configuration files on the disk, with a generic ‘readme.txt’ name.