W64/LockFile.B08A!tr.ransom

Analysis

W64/LockFile.B08A!tr.ransom is a detection for a Ransomware Lockfile trojan.
Below are some of its observed characteristics/behaviours:

• This detection has been associated with a Ransomware Lockfile, nonetheless during our quick tests the sample was not successful in applying its ransomware/encryption effects.


• This malware may drop any of the following file(s):
  
  • info.txt : On some instances this text file is dropped on the current location of the original malware and contains only the message "Files Blocked! CONTACT: [IDNumbers]".
  • Win32.bat : This file is a copy of the original malware and should be detected as W64/LockFile.B08A!tr.ransom and was observed to be dropped on %RootDir% (eg. C:\) and %Windir% (eg. C:\Windows).


• Our tests indicate that some instance of this malware attempts to issue a command line "TASKKILL".


• Below is an illustration of the malware's Ransom notes/messages:
  

  Figure 1: Message Prompt.

  
  


• Following are some of the near/exact IOCs/file hash associated with this detection:
  
  • Md5: A4C386F31C951117D06A970B58CB11DF
    Sha256: 7cf2bc46de0faa603a561fc7973e1960ea69c6fa13b19c551f2c59352fb7b775

Recommended Action

• Make sure that your FortiGate/FortiClient system is using the latest AV database.
• Quarantine/delete files that are detected and replace infected files with clean backup copies.