W32/DearCry.OGE!tr.ransom is a generic detection for a Ransomware DearCry trojan.
Since this is a generic detection, this malware may have varying behaviour.
Below are some of its observed characteristics/behaviours:
- This malware may drop any of the following file(s):
- readme.txt : This file is dropped all over the affected hosts drive and will serve as ransom notes.
- Affected files of this Ransomware will use the filenaming format [OriginalFileName.Ext].CRYPT .
- The malware may target files with the following extensions:
- Python files source codes.
- Extesion Names: TIF .TIFF .PDF .XLS .XLSX .XLTM .PS .PPS .PPT .PPTX .DOC .DOCX .LOG .MSG .RTF .TEX .TXT .CAD .WPS .EML .INI .CSS .HTM .HTML .XHTML .JS .JSP .PHP .KEYCHAIN .PEM .SQL .APK .APP .BAT .CGI .ASPX .CER .CFM .C .CPP .GO .CONFIG.CSV .DAT .ISO .PST .PGD .7Z .RAR .ZIP .ZIPX .TAR .PDB .BIN .DB .MDB .MDF .BAK .LOG .EDB .STM .DBF .ORA
- EXEcutable files .exe
- This malware was also observed to affect/encrypt files located on shared drives.
- Below is an illustration of the malware's Ransom notes:
- Figure 1: Ransom Notes.
- Following are some of the near/exact IOCs/file hash associated with this detection:
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
- Our FortiSandbox solution can flag this Ransomware please check this sample report on W32/DearCry.OGE!tr.ransom.