W64/Filecoder.E278!tr.ransom

Analysis

W64/Filecoder.E278!tr.ransom is a generic detection for a 64-bit Windows ransomware trojan.
Because the detection is generic, samples detected as W64/Filecoder.E278!tr.ransom may differ in behaviour.
Below are the characteristics and behaviours observed in the analysed sample:

  • Upon execution, the ransomware drops a ransom note named "read_me.html" on the desktop of the affected system. The note directs the victim to contact the attacker by email for instructions on recovering the encrypted data. The directory from which the malicious file was executed is filled with thousands of copies of the malicious file, each saved under a random name. The ransomware appears to select files to encrypt at random and appends "[vote2024forjb@protonmail.com].encryptedJB" to the name of each encrypted file; the original file name is preserved in front of the appended marker.

  • Figures from the analysis (images are not reproduced in this text):

    • Figure 1: "read_me.html" on the desktop and copies of the sample in the execution directory.

    • Figure 2: Ransom note.

    • Figure 3: Randomly selected files after encryption, showing the appended marker.


  • The following file hashes are the IOCs associated with this detection:
    • MD5: d5d2c4ac6c724cd63b69ca054713e278
      SHA256: 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382
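The behaviours listed above (ransom note on the desktop, thousands of identical copies of the sample under random names, and the fixed marker appended to encrypted files) are all cheap to hunt for on a suspect host or a mounted disk image. The script below is an added triage example written for this page; it is not Fortinet's code. It uses only the indicators published above (the note name, the appended marker and the two hashes); the copy-cluster threshold of 50, the helper names and the fixture built by build_sample_tree are assumptions made for the example, and the fixture's payload is a constructed dummy, not the real sample.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Indicators taken from the analysis above.
ENCRYPTED_SUFFIX = "[vote2024forjb@protonmail.com].encryptedJB"
RANSOM_NOTE_NAME = "read_me.html"
KNOWN_MD5 = {"d5d2c4ac6c724cd63b69ca054713e278"}
KNOWN_SHA256 = {"4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382"}
# Assumed threshold: the page reports "thousands" of copies, so 50 identical
# files in one tree is already a strong signal without being fragile.
COPY_CLUSTER_THRESHOLD = 50


def hash_file(path):
    """Return (md5, sha256) of a file, streamed so large files are not loaded at once."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def original_name(encrypted_name):
    """Recover the pre-encryption file name by stripping the appended marker."""
    if encrypted_name.endswith(ENCRYPTED_SUFFIX):
        return encrypted_name[: -len(ENCRYPTED_SUFFIX)]
    return None


def triage(root):
    """Walk `root` and collect the indicators described on the page."""
    result = {
        "encrypted": [],      # paths carrying the appended marker
        "ransom_notes": [],   # every read_me.html found
        "ioc_matches": [],    # files whose hash is in the published IOC set
        "copy_clusters": {},  # sha256 -> paths, for hashes seen >= threshold times
    }
    by_sha = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_SUFFIX):
                result["encrypted"].append(path)
                continue  # ciphertext is never the sample itself; skip hashing
            if name.lower() == RANSOM_NOTE_NAME:
                result["ransom_notes"].append(path)
            md5, sha = hash_file(path)
            if md5 in KNOWN_MD5 or sha in KNOWN_SHA256:
                result["ioc_matches"].append(path)
            by_sha[sha].append(path)
    # The "thousands of copies under random names" behaviour shows up as one
    # hash repeated many times, regardless of what the copies are called.
    for sha, paths in by_sha.items():
        if len(paths) >= COPY_CLUSTER_THRESHOLD:
            result["copy_clusters"][sha] = paths
    return result


def build_sample_tree(copies=60):
    """Constructed fixture (not real malware): a fake Desktop with a note, two
    renamed 'encrypted' files, and `copies` identical dummy files under random names."""
    root = tempfile.mkdtemp(prefix="filecoder_triage_")
    desktop = os.path.join(root, "Desktop")
    os.makedirs(desktop)
    with open(os.path.join(desktop, RANSOM_NOTE_NAME), "w") as fh:
        fh.write("<html>constructed ransom note placeholder</html>")
    for doc in ("budget.xlsx", "photo.jpg"):
        with open(os.path.join(desktop, doc + ENCRYPTED_SUFFIX), "wb") as fh:
            fh.write(os.urandom(32))  # stand-in for ciphertext
    payload = b"constructed dummy payload, not the real sample"
    for _ in range(copies):
        with open(os.path.join(root, os.urandom(8).hex() + ".exe"), "wb") as fh:
            fh.write(payload)
    return root


if __name__ == "__main__":
    report = triage(build_sample_tree())
    print(f"encrypted files: {len(report['encrypted'])}")
    print(f"ransom notes:    {report['ransom_notes']}")
    print(f"IOC hash hits:   {report['ioc_matches']}")
    for sha, paths in report["copy_clusters"].items():
        print(f"copy cluster {sha[:12]}... x{len(paths)}")
```

Point triage() at a user profile or a mounted image rather than the fixture when using this for real; the hash match will only fire on the exact sample listed above, which is why the copy-cluster and suffix checks matter for variants covered by the same generic signature.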

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine or delete files that are detected, and restore encrypted or infected files from clean backup copies.

Telemetry

Detection Availability

  • FortiGate (Extended)
  • FortiClient
  • FortiMail
  • FortiSandbox
  • FortiWeb (Web Application Firewall)
  • FortiIsolator
  • FortiDeceptor
  • FortiEDR

Version Updates

Date        Version    Detail
2023-02-27  91.00982
2022-02-28  90.00046