W64/Lockfile.D65F!tr.ransom

Analysis

W64/Lockfile.D65F!tr.ransom is a detection for a Ransomware Lockfile trojan.
Below are some of its observed characteristics/behaviours:

• This malware may drop any of the following file(s):
  
  • LOCKFILE-README-[CurrentUserName]-XXXXXXXXXX.hta : On some instances this file is dropped all over the affected hosts drive and will serve as ransom notes.
  • [CurrentUserName]-LOCKFILE-README.hta : On some instances this file is dropped all over the affected hosts drive and will serve as ransom notes.


• There are instances of the malware that has been observed to delete itself after execution.


• Affected files of this Ransomware will use the filenaming format [OriginalFileName].lockfile .


• Below is an illustration of the malware's Ransom notes:
  

  Figure 1: Ransom Notes.

  
  


• Following are some of the near/exact IOCs/file hash associated with this detection:
  
  • Md5: 1F0A89360BB9471AF8B2B1136EAFD65F
    Sha256: 2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a
  • Md5: 52E1FED4C521294C5DE95BBA958909C1
    Sha256: f315c9c064b887ee3276e1342d43637d8c0e067260946db45942f39b970d7ce
  • Md5: EF37842FC159631F9DD8F94C5E05A674
    Sha256:a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0
  • Md5: F08E24F57501F2C4E009B6A7D9249E99
    Sha256: cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915

Recommended Action

• Make sure that your FortiGate/FortiClient system is using the latest AV database.
• Quarantine/delete files that are detected and replace infected files with clean backup copies.