W64/Filecoder.E278!tr.ransom
Analysis
W64/Filecoder.E278!tr.ransom is a generic detection for a trojan.
Because this is a generic detection, malware detected as W64/Filecoder.E278!tr.ransom may exhibit varying behaviour.
Below are some of its observed characteristics and behaviours:
- Upon execution, this ransomware drops a ransom note named "read_me.html" on the desktop of the affected system. The note directs the user to contact the attacker via email for further instructions on how to retrieve the encrypted data. The directory from which the malicious file was executed is filled with thousands of copies of the malicious file, each dropped under a random name. The ransomware appears to select files to encrypt at random and appends "[vote2024forjb@protonmail.com].encryptedJB" to the name of each encrypted file.
- The following figures show the infection (images not reproduced here):
- Figure 1: "read_me.html" on the desktop and copies of the malicious file in the execution directory.
- Figure 2: Ransom note.
- Figure 3: Randomly selected encrypted files.
- The following file hashes are the IOCs associated with this detection:
- MD5: d5d2c4ac6c724cd63b69ca054713e278
  SHA256: 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382
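A host-triage script for the three indicators described above (the appended encryption marker, the "read_me.html" note, and a directory flooded with byte-identical copies of the dropper), added here as an example and not Fortinet's own tooling. It builds a constructed sample tree to run against, and the threshold of three identical files for flagging a drop directory is a hypothetical tuning value.

```python
import hashlib
import os
import tempfile
from collections import Counter, defaultdict

# Indicators taken from the observed behaviour above.
ENCRYPTED_MARKER = "[vote2024forjb@protonmail.com].encryptedJB"
RANSOM_NOTE = "read_me.html"
COPY_THRESHOLD = 3  # hypothetical: flag a directory holding this many byte-identical files

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def triage(root):
    """Walk `root` and report encrypted files (mapped back to their original names),
    ransom-note locations, and directories holding many byte-identical files."""
    encrypted = {}
    notes = []
    hashes_per_dir = defaultdict(Counter)  # directory -> Counter of file hashes
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_MARKER):
                encrypted[path] = name[:-len(ENCRYPTED_MARKER)]
            elif name == RANSOM_NOTE:
                notes.append(path)
            else:
                hashes_per_dir[dirpath][sha256_of(path)] += 1
    dropper_dirs = {d: max(c.values()) for d, c in hashes_per_dir.items()
                    if max(c.values()) >= COPY_THRESHOLD}
    return {"encrypted": encrypted, "notes": notes, "dropper_dirs": dropper_dirs}

def build_sample_tree():
    """Constructed sample tree mimicking the post-infection state described above."""
    root = tempfile.mkdtemp()
    desktop = os.path.join(root, "Desktop")
    os.mkdir(desktop)
    files = {os.path.join(desktop, RANSOM_NOTE): b"<html>constructed ransom note</html>",
             os.path.join(desktop, "report.docx" + ENCRYPTED_MARKER): b"constructed ciphertext",
             os.path.join(root, "notes.txt"): b"untouched file"}
    for i in range(5):  # randomly named, byte-identical copies of the dropper
        files[os.path.join(root, f"copy{i}.exe")] = b"MZ constructed payload"
    for path, data in files.items():
        with open(path, "wb") as f:
            f.write(data)
    return root
```

Running `triage(build_sample_tree())` reports one encrypted file recovered as "report.docx", one note on the desktop, and the root directory flagged with five identical copies.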
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
- FortiGate
- Extended
- FortiClient
- FortiMail
- FortiSandbox
- FortiWeb
- Web Application Firewall
- FortiIsolator
- FortiDeceptor
- FortiEDR