Import of the Visual Basic runtime

The ransomware binary is packed using a VB6 stub. The packer's stub obfuscates the path in the library import of MSVBVM60.DLL in such a way that Detect It Easy fails to recognise the file as a Visual Basic 6 executable (see picture on the right side). The Windows loader does not seem to care about additional slashes and backslashes in the import path, so the runtime still resolves and the binary runs normally.
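The trick only works against tools that compare the raw import string. As an added example (not code from the original write-up or from Detect It Easy, whose internals are not described here), the following Python sketch normalises import DLL names the way the loader effectively does, flags entries that carry path separators at all, and then matches the VB6 runtime on the normalised name. The import names are constructed for illustration, not taken from the sample.

```python
import re

# Constructed sample import-table DLL names for illustration (not taken from
# the analysed sample): the second and third mimic a path-obfuscated import
# of the VB6 runtime, the others are ordinary imports.
SAMPLE_IMPORTS = [
    "kernel32.dll",
    "\\\\/MSVBVM60.DLL",
    "..\\\\//MSVBVM60.dll",
    "advapi32.dll",
]

VB6_RUNTIME = "msvbvm60.dll"

# Runs of '/' and '\' are treated as a single separator, as the loader does.
_SEPARATORS = re.compile(r"[\\/]+")


def normalize_import_name(name: str) -> str:
    """Reduce an import DLL name to the bare, lower-cased file name.

    The Windows loader accepts '/' and '\\' interchangeably and tolerates
    runs of separators, so a matcher must look at the final path component
    only; comparing the raw string lets the obfuscation win.
    """
    components = [c for c in _SEPARATORS.split(name) if c]
    base = components[-1] if components else ""
    return base.lower()


def has_path_obfuscation(name: str) -> bool:
    """True if the import name contains any path separator.

    A normal import directory entry is just a file name, so separators are
    a cheap signal of deliberate tampering worth surfacing on their own.
    """
    return _SEPARATORS.search(name) is not None


def classify_imports(names):
    """Summarise an import list: does it pull in the VB6 runtime, and which
    entries look path-obfuscated? Returns a dict with both answers."""
    normalized = [normalize_import_name(n) for n in names]
    return {
        "vb6_runtime": VB6_RUNTIME in normalized,
        "obfuscated": [n for n in names if has_path_obfuscation(n)],
    }


if __name__ == "__main__":
    for raw in SAMPLE_IMPORTS:
        flag = " <- path obfuscation" if has_path_obfuscation(raw) else ""
        print(f"{raw!r:28} -> {normalize_import_name(raw)}{flag}")
    print(classify_imports(SAMPLE_IMPORTS))
```

In a real pipeline the `names` list would come from the PE import directory (e.g. via a PE parser); the point is that the identification decision and the "looks tampered" decision are kept separate, so the file is still recognised as VB6 and the obfuscation itself becomes an indicator.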

The packed file uses self-injection to execute the unpacked payload dynamically. Unlike older GarrantyDecrypt variants (see IOC list), the unpacked sample has obfuscated strings, e.g., the ransom note name and contents and the names of folders excluded from encryption. The strings are decoded dynamically at runtime.

GarrantyDecrypt uses the CryptoAPI and RSA. A list of CryptoAPI function imports is below (created by PortexAnalyzer). A detailed analysis of the encryption process is pending.

Like most ransomware families, it deletes shadow volume copies to prevent recovery of files.
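The write-up does not say how this sample removes the copies, so the following added example (not code from the original analysis) generalises to the Windows built-ins that ransomware families commonly invoke for this, and shows the detection side: a small rule set run over constructed process-creation events, requiring both the tool and its destructive verb so that routine `vssadmin list shadows` calls from backup software are not flagged. Event format, paths and PIDs are all constructed for illustration.

```python
import re

# Constructed process-creation events (pid, parent image, command line) for
# illustration; none of these are taken from the analysed sample.
SAMPLE_EVENTS = [
    (4012, r"C:\Windows\explorer.exe", r'"C:\Program Files\Editor\editor.exe" notes.txt'),
    (5120, r"C:\Users\victim\AppData\Roaming\update.exe", "vssadmin.exe delete shadows /all /quiet"),
    (5121, r"C:\Users\victim\AppData\Roaming\update.exe", "wmic shadowcopy delete"),
    (5122, r"C:\Users\victim\AppData\Roaming\update.exe", "cmd.exe /c wbadmin delete catalog -quiet"),
    (6001, r"C:\Windows\System32\svchost.exe", "vssadmin.exe list shadows"),
]

# Each rule pairs a name with a command-line pattern. Every pattern requires
# the tool *and* its destructive verb, so read-only invocations such as
# 'vssadmin list shadows' do not trigger.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
]

# Parent images under %SystemRoot% are less suspicious than, say, a binary
# dropped into a user-writable AppData folder; the alert records which.
_SYSTEM_PARENT = re.compile(r"^[a-z]:\\windows\\", re.I)


def detect_shadow_copy_tampering(events):
    """Return one alert dict per event whose command line matches a rule.

    The first matching rule wins, so an event produces at most one alert.
    """
    alerts = []
    for pid, parent, cmdline in events:
        for name, pattern in RULES:
            if pattern.search(cmdline):
                alerts.append({
                    "pid": pid,
                    "rule": name,
                    "parent": parent,
                    "parent_in_system_root": bool(_SYSTEM_PARENT.match(parent)),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_shadow_copy_tampering(SAMPLE_EVENTS):
        print(alert)
```

The parent-image field is what turns a noisy rule into a useful one: the same command issued by a scheduled backup job and by an unsigned executable in a user profile should not be triaged the same way, and keeping that context in the alert lets the analyst prioritise without re-querying the event source.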