RTF/BlackByte.DC56!tr.ransom
Analysis
RTF/BlackByte.DC56!tr.ransom is a generic detection for ransom notes created by the BlackByte ransomware trojan.
Since this is a generic detection, malware that is detected as RTF/BlackByte.DC56!tr.ransom may have varying behaviour.
Below are some of its observed characteristics/behaviours:
- This malware is associated with BlackByte ransomware. This ransomware can attempt to encrypt a user's data and append ".blackbyte" to the file extension. A ransom note, containing instructions to retrieve the user's data, is usually dropped in the directories that contain the encrypted files, and as a further side effect it may print secondary ransom notes on any printers reachable within the infected network.
- This malware has been associated with the following third-party article/advisory:
https://www.ic3.gov/Media/News/2022/220211.pdf
The correlation has been established due to a database near/exact match on one of the sample/IOC/file hashes indicated in the mentioned resource.
- Sample 1
  - MD5: 9344afc63753cd5e2ee0ff9aed43dc56
  - SHA256: 1df11bc19aa52b623bdf15380e3fded56d8eb6fb7b53a2240779864b1a6474ad
- Sample 2
  - MD5: e2eb5b57a8765856be897b4f6dadca18
  - SHA256: 91f8592c7e8a3091273f0ccbfe34b2586c5998f7de63130050cb8ed36b4eec3e
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Products listed: FortiGate, FortiClient, FortiAPS, FortiAPU, FortiMail, FortiSandbox, FortiWeb, Web Application Firewall, FortiIsolator, FortiDeceptor, FortiEDR.