W64/Lockfile.D65F!tr.ransom
Analysis
W64/Lockfile.D65F!tr.ransom is a detection for a Lockfile ransomware trojan.
Below are some of its observed characteristics/behaviours:
- This malware may drop any of the following file(s):
  - LOCKFILE-README-[CurrentUserName]-XXXXXXXXXX.hta : In some instances this file is dropped across the affected host's drives and serves as the ransom note.
  - [CurrentUserName]-LOCKFILE-README.hta : In some instances this file is dropped across the affected host's drives and serves as the ransom note.
- Some instances of the malware have been observed to delete themselves after execution.
- Files affected by this ransomware use the file-naming format [OriginalFileName].lockfile .
- Below is an illustration of the malware's ransom note:
  - Figure 1: Ransom Notes.
- Following are some of the near/exact IOCs (file hashes) associated with this detection:
  - MD5: 1F0A89360BB9471AF8B2B1136EAFD65F
    SHA256: 2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a
  - MD5: 52E1FED4C521294C5DE95BBA958909C1
    SHA256: f315c9c064b887ee3276e1342d43637d8c0e067260946db45942f39b970d7ce (63 hex characters as published, so one character is missing)
  - MD5: EF37842FC159631F9DD8F94C5E05A674
    SHA256: a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0
  - MD5: F08E24F57501F2C4E009B6A7D9249E99
    SHA256: cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915
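As an added example (not part of the Fortinet entry), the following Python script hunts a directory tree for the artefacts listed above: files renamed with the .lockfile suffix, ransom notes matching the two .hta name patterns, and files whose MD5 or SHA256 matches one of the published hashes. Names such as hunt(), classify(), the demo tree and the 64 MiB hashing cap are this example's own; because the page shows the trailing part of the first note name only as XXXXXXXXXX, the script assumes any ten characters may appear there. The 63-character SHA256 printed above is left out of the match set since it can never equal a real digest.

```python
"""Hunt for the W64/Lockfile artefacts described on this page.

Added example, not Fortinet's code. Demo data is constructed; no real samples.
"""
import hashlib
import os
import re
import sys
import tempfile
from pathlib import Path

# File hashes taken from the Analysis section, normalised to lowercase.
IOC_MD5 = {
    "1f0a89360bb9471af8b2b1136eafd65f",
    "52e1fed4c521294c5de95bba958909c1",
    "ef37842fc159631f9dd8f94c5e05a674",
    "f08e24f57501f2c4e009b6a7d9249e99",
}
IOC_SHA256 = {
    "2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a",
    "a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0",
    "cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915",
}
# The page's SHA256 beginning f315c9c0... is 63 hex digits as published and can
# never equal a real digest, so it is deliberately not included.

# Ransom-note names from the page: LOCKFILE-README-<user>-XXXXXXXXXX.hta and
# <user>-LOCKFILE-README.hta. Assumption: the 10 trailing characters may be
# anything, since the page shows them only as placeholders.
NOTE_RE = re.compile(
    r"^(?:LOCKFILE-README-.+-.{10}|.+-LOCKFILE-README)\.hta$", re.IGNORECASE
)
ENCRYPTED_SUFFIX = ".lockfile"
MAX_HASH_BYTES = 64 * 1024 * 1024  # assumed cap: skip hashing very large files


def file_hashes(path):
    """Return (md5, sha256) hex digests of a file, streamed in 1 MiB chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def matches_ioc(md5_hex, sha_hex):
    """True if either digest is one of the page's hashes (case-insensitive)."""
    return md5_hex.lower() in IOC_MD5 or sha_hex.lower() in IOC_SHA256


def classify(path):
    """Return indicator tags for one file; an empty list means nothing matched."""
    tags = []
    name = path.name
    if name.lower().endswith(ENCRYPTED_SUFFIX):
        tags.append("encrypted-file")
    if NOTE_RE.match(name):
        tags.append("ransom-note")
    if path.stat().st_size <= MAX_HASH_BYTES and matches_ioc(*file_hashes(path)):
        tags.append("known-sample")
    return tags


def hunt(root):
    """Walk root and map POSIX-style relative paths to their indicator tags."""
    root = Path(root)
    findings = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            p = Path(dirpath) / fn
            try:
                tags = classify(p)
            except OSError:  # locked, unreadable or vanished file: keep going
                continue
            if tags:
                findings[p.relative_to(root).as_posix()] = tags
    return findings


def summarize(findings):
    """Count each tag so a triage report can be printed or asserted on."""
    counts = {"encrypted-file": 0, "ransom-note": 0, "known-sample": 0}
    for tags in findings.values():
        for t in tags:
            counts[t] += 1
    return counts


def build_demo_tree(root):
    """Constructed sample files for a dry run; contents are placeholders only."""
    (root / "docs").mkdir(parents=True, exist_ok=True)
    (root / "docs" / "report.docx.lockfile").write_bytes(b"\x00" * 64)
    (root / "docs" / "LOCKFILE-README-alice-AB12CD34EF.hta").write_text("<html>note</html>")
    (root / "alice-LOCKFILE-README.hta").write_text("<html>note</html>")
    (root / "docs" / "clean.txt").write_text("nothing to see here")


def demo():
    """Build the constructed tree in a temp dir and return hunt() findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return hunt(root)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = hunt(target) if target else demo()
    for rel, tags in sorted(result.items()):
        print(f"{rel}: {', '.join(tags)}")
    print("summary:", summarize(result))
```

Run it with a drive or share root as the only argument (for example the user profile tree) to get one line per hit plus a tag count; with no argument it runs over the constructed demo tree. Since the page notes the sample may delete itself after execution, a result with ransom notes and .lockfile files but no known-sample hit is still consistent with this family, and the absence of a hash match should not be read as the host being clean.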
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Detection availability is listed for the following products:
- FortiGate
- FortiClient
- FortiAPS
- FortiAPU
- FortiMail
- FortiSandbox
- FortiWeb
- Web Application Firewall
- FortiIsolator
- FortiDeceptor
- FortiEDR