Detailed Technical Analysis Report of LanRan Ransomware Detailed Technical Analysis Report of LanRan Ransomware
Malware Analysis | 07/19/2018

Detailed Technical Analysis Report of LanRan Ransomware

When was the last time you checked your PC health? Do you know your PC requires a regular Check Up!!!

LANRAN Ransomware Overview

Recently, a security researcher has found the new ransomware “LanRan Ransomware”.

This ransomware appends the filename of the affected file by adding .LanRan2.0.5 extension in the last.

Once the encryption has been completed it shows the ransom note UI on the screen in the form of notepad & also changes the Desktop Wallpaper.

As per the ransom note, it demands 0.5 BTC in exchange for decryption. This ransomware is using AES encryption technique for encryption.

This ransomware contains some bugs in the code might be due in the development stage.



Get peace of mind! Get rid of malicious programs instantly

Free Malware Scan Compatible with Win 10,8.1,8 & 7

Technical Analysis of LanRan Ransomware

File Name: lan_ran.exe

MD5: E168392066C6D00C6DE6B71C82ADCDB3

SHA1: 014EFBC6F7EF15CF466D615E0B9355120AEF2C2D

SHA256: EE5EBB71405D500052076C8E1885555DE9414454839E9C26A2746B1CC97FE7EF

File Type: .EXE


Detail Description of LanRan Ransomware with Screenshots

On execution of this ransomware, it first drops 2 files in %AppData%\Local folder

  • TempLanran.exe
  • Temprunsom.exe


Once the files are dropped thereafter it starts the encryption process, as you can see the following process tree


Figure 1 LanRan process tree

This ransomware targets the C:\Users directory and also containing a list of specials folders to target

Personal Folder

MyPictures Folder



Desktop Directory







As shown below, this ransomware uses AES Encryption technique with Password Hashing (SHA-256) Technique.


Figure 2 AES Encryption with Password Hashing


As shown below, while the encryption is running in the background it drops the ransom note on the system and changes the desktop background with a ransom note.

Encrypts Special Folder

Figure 3 Encrypts Folder & Drops Ransom Notes

This ransomware encrypts only those files that matches with its file extensions list. Following is the file extensions list

“.txt .doc .docx .mp3 .xls .xlsx .ppt .sql .wmv .mp4 .mp3 .iso .dll .jar .pptx .odt .jpg .tar .gz .bmp .pbm .rtf .png .csv .sql .mdb .sln .php .avi .mov .flv .amv .mpv .mtv .asp .aspx .html .xml .psd .pdf .exe .rv .rvx .ved .wm .wmv .TXT .JPG .rar .xwmv .wma .midi .fla .pdf .wma .ico .gif .GIF .ogg .mpg .icns .RAR .png .zip .BAT .Exe .c .exe .PNG .iso .7z .7Z”

Also, Read: Player Unknown Battlegrounds (PUBG) Reviews | PUBG Mobile | PUBG PS4

As shown below, this ransomware also tries to scan all the drive letters from “A to Z” so that they can infect all the drives on the system with the condition to avoid Windows Folder.


Figure 4 Drive Folder

As shown below, this ransomware attempts to create the persistence entry in the registry, but due to bugs in the code didn’t created it.

AutoRun Entry

Figure 5 Autorun Entry

This ransomware doesn’t delete any volume shadow copies or system restore point from the system might be due to in development stage.

As shown below after getting infected with LanRan Ransomware, we can still recover our files without contacting to malware actor, if the system has any restore point available or Folder Snapshots are available then we can easily recover our files.

 Folder Previous Versions

System Restore Point   Figure 5 Restore Points

As shown below, While the ransomware is running in the background it appends the affected filename by adding “.LanRan2.0.5” in the last.

LanRan File Extension

Figure 6 LanRan File Extension

As shown below, once the encryption has been completed it shows the ransom note in the form of a notepad.

This ransomware also drops the ransom note on the Desktop in form of a text file and also changes the desktop wallpaper.

Wallpaper Ransom Note

Figure 7 Wallpaper Ransom Note


Ransom Notepad

Figure 8 Notepad Ransom Note

As shown below, this ransomware looks for the specific folder “C:/Users/Cerberos/Desktop” to drop the ransom note. If this location didn’t exist on the system, it will throw the following error

Location Error

Figure 9 Ransom Note Location Error

If the ransomware founds the specified location, it drops the instructions.html ransom note. While opening the instructions.html it opens the following ransom note in the browser.

 RansomNote Browser

Figure 10 Browser Ransom Note

As shown below, this ransomware also contains the voice code that speeches the ransom note

Voice Speech Ransom Note

Figure 11 Voice Speech Ransom Note

As shown above, in the ransom note, ransomware creator has demanded ransom amount of 0.5 Bitcoin and also mentioned his Bitcoin Address (“1sUCn6JYa7B96t4nZz1tX5muU2W5YxCmS”) & Email Address (“lanran-decrypter@list.ru”) to contact them.

As shown below, none of the victims has paid any ransom amount on the given bitcoin address till yet & this bitcoin address doesn’t have any transaction history also.

Bitcoin Address Information

Figure 12 Bitcoin Address Information

During analysis we have found that this ransomware didn’t work properly might be due to in development stage and also contains some bugs in the code which can be easily rectify by anyone.

Also, Read: Android P (9.0) Beta [Everything To Know], API, Features

Are you worried about your PC health?

Check your PC Health for Free!

Powered By:howtoremoveit.info Run Free Scan


Associated File Names & Hashes:


MD5: E168392066C6D00C6DE6B71C82ADCDB3

SHA1: 014EFBC6F7EF15CF466D615E0B9355120AEF2C2D

CRC32: 8DA25561

SHA-256: EE5EBB71405D500052076C8E1885555DE9414454839E9C26A2746B1CC97FE7EF

























Associated Contact ID:


Associated Bitcoin Address:


Tips to Prevent virus and malware from Infecting Your System:
  1. Enable your popup blocker: Pop-ups and ads on the websites are the most adoptable tactic used by cybercriminals or developers with the core intention to spread malicious programs.
    So, avoid clicking uncertain sites, software offers, pop-ups etc. and Install a powerful ad- blocker for ChromeMozilla, and IE
  2. Keep your Windows Updated: To avoid such infections, we recommend that you should always keep your system updated through automatic windows update.By doing this you can keep your device free from virus.According to the survey, outdated/older versions of Windows operating system are an easy target.
  3. Third-party installation: Try to avoid freeware download websites as they usually install bundled of software with any installer or stub file.
  4. Regular Backup: Regular and periodical backup helps you to keep your data safe in case the system is infected by any kind of virus or any other infection.Thus always backup important files regularly on a cloud drive or an external hard drive.
  5. Always have an Anti-Virus: Precaution is better than cure. We recommend that you install an antivirus like ITL Total Security or a good Malware Removal Tool like Download Virus RemovalTool


× Zoom Image