RZML ransomware exfiltrates files, cookies and clipboard data


The SonicWall Capture Labs threats research team has been tracking a recent family of ransomware called RZML. This ransomware appeared in the wild over the last 7 days and appears to be a variant of the STOP/Djvu family. The sample we analyzed is a dropper that downloads multiple modules. In addition to encrypting files, which is standard practice for ransomware, it also steals files, clipboard contents and browser cookie data from the infected system. File decryption costs $490 USD in bitcoin after a “50% discount”. However, as we have seen with most ransomware today, exfiltrated files can be used later to apply additional pressure to pay up.


Infection Cycle:


Upon execution, the malware reports the infection to a C&C server which replies with a public key used for file encryption:


It also requests data on what file types to target for exfiltration:


It proceeds to download the ransomware module and names it build2.exe:


It downloads a clipboard grabber component and names it build3.exe:


It also downloads htdocs.zip, which contains several utility DLLs, including an SQLite database module:


Files on the system are encrypted and given a .rzml extension.


The following files are added to the filesystem:

  • %USERPROFILE%\AppData\Roaming\Microsoft\Network\mstsca.exe [Detected as: GAV: ClipBanker.RSM (Trojan)]
  • %USERPROFILE%\AppData\Local\2bbb528e-26aa-4e54-82c0-428df9bab7e7\build2.exe [Detected as: GAV: StopCrypt.RSM (Trojan)]
  • %USERPROFILE%\AppData\Local\2bbb528e-26aa-4e54-82c0-428df9bab7e7\build3.exe (copy of mstsca.exe) [Detected as: GAV: ClipBanker.RSM (Trojan)]
  • C:\SystemID\PersonalID.txt
  • %USERPROFILE%\AppData\Local\bowsakkdestx.txt
  • C:\ProgramData\55054064606124780548020057 (sqlite database)
  • _readme.txt (written to all directories with encrypted files)


The following registry entries are made:

  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysHelper
  • HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store {malware file}


PersonalID.txt contains the following data:



bowsakkdestx.txt contains the public key that was downloaded earlier:


_readme.txt contains the following message:


When build3.exe is run, it calls the CreateMutex API function with “M5/610HP/STAGE2” as the mutex name to check whether it has already been run:


If this mutex is not present, it proceeds to grab clipboard data:
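The file paths, registry entries and mutex name listed above are host artifacts a defender can alert on. The following is an added example (not code from SonicWall or from the malware analysis) that runs a small indicator matcher over constructed endpoint telemetry records. The `Event` record shape and the sample events are assumptions made for the example; the GUID-named folder under AppData\Local is assumed to vary per infection and is therefore matched as a GUID pattern rather than the literal folder name from the analyzed sample.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Host indicators taken from the RZML write-up above. The GUID-named folder under
# %USERPROFILE%\AppData\Local is assumed (not confirmed by the write-up) to be
# generated per infection, so it is matched as a GUID pattern rather than the
# literal folder name from the analyzed sample.
RZML_MUTEX = "M5/610HP/STAGE2"
RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "SysHelper"
GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"

# (label, regex over a full Windows path); all matched case-insensitively
FILE_INDICATORS = [
    ("mstsca.exe (ClipBanker) dropped",
     re.compile(r"\\AppData\\Roaming\\Microsoft\\Network\\mstsca\.exe$", re.I)),
    ("build2.exe (StopCrypt) staged",
     re.compile(r"\\AppData\\Local\\" + GUID + r"\\build2\.exe$", re.I)),
    ("build3.exe (ClipBanker) staged",
     re.compile(r"\\AppData\\Local\\" + GUID + r"\\build3\.exe$", re.I)),
    ("victim ID written", re.compile(r"^C:\\SystemID\\PersonalID\.txt$", re.I)),
    ("public key cached", re.compile(r"\\AppData\\Local\\bowsakkdestx\.txt$", re.I)),
    ("ransom note written", re.compile(r"\\_readme\.txt$", re.I)),
    ("file encrypted (.rzml)", re.compile(r"\.rzml$", re.I)),
]


@dataclass(frozen=True)
class Event:
    """One telemetry record (assumed shape, not a real EDR/Sysmon schema)."""
    kind: str     # "file" (created/renamed), "registry" (value set) or "mutex" (created)
    target: str   # full path, "key\value" or mutex name
    process: str  # image that performed the action


def classify(ev: Event) -> Optional[str]:
    """Return a short label if the event matches an RZML indicator, else None."""
    if ev.kind == "mutex":
        return "RZML stage-2 mutex created" if ev.target == RZML_MUTEX else None
    if ev.kind == "registry":
        key, _, value = ev.target.rpartition("\\")
        if key.lower() == RUN_KEY.lower() and value.lower() == RUN_VALUE.lower():
            return "Run-key persistence (SysHelper)"
        return None
    if ev.kind == "file":
        for label, pattern in FILE_INDICATORS:
            if pattern.search(ev.target):
                return label
    return None


def scan(events):
    """Return (event, label) pairs for every event that matches an indicator."""
    hits = []
    for ev in events:
        label = classify(ev)
        if label:
            hits.append((ev, label))
    return hits


# Constructed sample telemetry (not from the write-up) mixing benign activity
# with the artifacts the write-up describes.
SAMPLE_EVENTS = [
    Event("file", r"C:\Users\alice\Documents\budget.xlsx", "EXCEL.EXE"),
    Event("registry", r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive", "OneDrive.exe"),
    Event("file", r"C:\Users\alice\AppData\Roaming\Microsoft\Network\mstsca.exe", "dropper.exe"),
    Event("file", r"C:\Users\alice\AppData\Local\2bbb528e-26aa-4e54-82c0-428df9bab7e7\build2.exe", "dropper.exe"),
    Event("registry", r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper", "build2.exe"),
    Event("file", r"C:\SystemID\PersonalID.txt", "build2.exe"),
    Event("file", r"C:\Users\alice\Documents\budget.xlsx.rzml", "build2.exe"),
    Event("file", r"C:\Users\alice\Documents\_readme.txt", "build2.exe"),
    Event("mutex", "M5/610HP/STAGE2", "build3.exe"),
]

if __name__ == "__main__":
    for ev, label in scan(SAMPLE_EVENTS):
        print(f"{label:34} {ev.process:12} {ev.target}")
```

Of the nine constructed events, seven match: the two benign records (the spreadsheet and the OneDrive Run value) are ignored, while the dropped binaries, the SysHelper Run value, the victim ID file, the renamed .rzml file, the ransom note and the stage-2 mutex are each labelled. The `.rzml` and `_readme.txt` rules are deliberately the broadest; in production they would be paired with a volume threshold so that a single rename does not page anyone.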



The malware also steals browser cookies. It stores this data in an SQLite database. The following screenshot shows the database structure:


We visited chase.com and bankofamerica.com and can see that the cookies are stored in the database:


Targeted files, clipboard data and the cookies stored in the SQLite database are uploaded to a remote server:


We reached out to the operator email addresses (support@freshmail.top, datarestorehelp@airmail.cc) stated in the ransom note and received the following reply:


SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: ClipBanker.RSM (Trojan)
  • GAV: StopCrypt.RSM (Trojan)


This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.