W64/LockFile.B08A!tr.ransom
Analysis
W64/LockFile.B08A!tr.ransom is a detection for a trojan belonging to the LockFile ransomware family.
Below are some of its observed characteristics/behaviours:
- This detection has been associated with LockFile ransomware; however, during our quick tests the sample did not succeed in applying its ransomware/encryption effects.
- This malware may drop any of the following files:
- info.txt : In some instances this text file is dropped in the directory of the original malware and contains only the message "Files Blocked! CONTACT: [IDNumbers]".
- Win32.bat : This file is a copy of the original malware, is detected as W64/LockFile.B08A!tr.ransom, and was observed dropped in %RootDir% (e.g. C:\) and %Windir% (e.g. C:\Windows).
- Our tests indicate that some instances of this malware attempt to execute TASKKILL (the built-in Windows utility for terminating processes) from the command line.
- Below is an illustration of the malware's Ransom notes/messages:
- Figure 1: Message Prompt.
- Following are the near/exact IOCs (file hashes) associated with this detection:
- Md5: A4C386F31C951117D06A970B58CB11DF
Sha256: 7cf2bc46de0faa603a561fc7973e1960ea69c6fa13b19c551f2c59352fb7b775
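As an added example (not Fortinet's own tooling), the following Python script sweeps a directory tree for the indicators listed above: the MD5/SHA256 of the sample, a Win32.bat in the reported drop locations, and an info.txt beginning with the observed ransom message. The directory layout built by build_sample_tree() is constructed sample data so the script runs offline; on a live host you would point scan_tree at the system drive with drop_dirs set to the drive root and %SystemRoot%.

```python
"""IOC sweep for the W64/LockFile.B08A!tr.ransom indicators listed above.

Added example, not Fortinet's tooling. The hashes and dropped-file names come
from the page; the directory layout built by build_sample_tree() is constructed
sample data so the script runs offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators from the page
IOC_MD5 = "a4c386f31c951117d06a970b58cb11df"
IOC_SHA256 = "7cf2bc46de0faa603a561fc7973e1960ea69c6fa13b19c551f2c59352fb7b775"
DROPPED_COPY = "win32.bat"                # copy of the malware dropped to %RootDir% / %Windir%
NOTE_NAME = "info.txt"
NOTE_PREFIX = "Files Blocked! CONTACT:"   # observed note text, followed by an ID


def file_hashes(path):
    """Return (md5, sha256) hex digests of a file, streaming in 1 MiB chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def scan_tree(root, drop_dirs):
    """Walk `root` and return a list of (path, reason) findings.

    drop_dirs are the directories where the page reports Win32.bat being
    dropped (on a live host: the system drive root and %SystemRoot%).
    """
    findings = []
    drop_dirs = {Path(d).resolve() for d in drop_dirs}
    for dirpath, _, filenames in os.walk(root):
        here = Path(dirpath).resolve()
        for name in filenames:
            p = here / name
            lower = name.lower()
            try:
                md5, sha = file_hashes(p)
            except OSError:
                continue  # locked or permission denied: skip, do not abort the sweep
            if md5 == IOC_MD5 or sha == IOC_SHA256:
                findings.append((str(p), "hash matches W64/LockFile.B08A!tr.ransom IOC"))
            elif lower == DROPPED_COPY and here in drop_dirs:
                # Name and location match but the hash does not: a variant or an
                # unrelated file, so flag it for manual verification.
                findings.append((str(p), "Win32.bat in known drop location (hash differs, verify)"))
            if lower == NOTE_NAME:
                try:
                    text = p.read_text(errors="replace")
                except OSError:
                    continue
                if text.strip().startswith(NOTE_PREFIX):
                    findings.append((str(p), "ransom note matches observed message"))
    return findings


def build_sample_tree(base):
    """Create a constructed mock layout mimicking an infected host (sample data only)."""
    base = Path(base)
    (base / "Windows").mkdir(parents=True, exist_ok=True)
    (base / "Users" / "alice").mkdir(parents=True, exist_ok=True)
    # Constructed note; the page shows "[IDNumbers]" after CONTACT:
    (base / "info.txt").write_text("Files Blocked! CONTACT: 0000000000\n")
    # Harmless text placeholders standing in for the dropped copy (not the malware)
    (base / "Win32.bat").write_text("rem constructed placeholder\n")
    (base / "Windows" / "Win32.bat").write_text("rem constructed placeholder\n")
    (base / "Users" / "alice" / "notes.txt").write_text("benign content\n")
    (base / "Users" / "alice" / "empty.bin").write_bytes(b"")
    return base


def demo():
    """Build the sample tree in a temp dir, sweep it and return (base, findings)."""
    base = build_sample_tree(tempfile.mkdtemp(prefix="lockfile_ioc_"))
    return base, scan_tree(base, [base, base / "Windows"])


if __name__ == "__main__":
    _, found = demo()
    for path, reason in found:
        print(f"{reason}: {path}")
```

A hash match is conclusive for this sample; a name-and-location match alone is only a lead, since any variant re-packed by the operators will carry different hashes, which is why the script reports the two separately.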
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and restore infected files from clean backup copies.
Telemetry
Detection Availability
- FortiGate
- FortiClient
- FortiAPS
- FortiAPU
- FortiMail
- FortiSandbox
- FortiWeb
- Web Application Firewall
- FortiIsolator
- FortiDeceptor
- FortiEDR