W32/FilecoderPhobos.F!tr.ransom

Analysis

W32/FilecoderPhobos.F!tr.ransom is a generic detection for a trojan.
Since this is a generic detection, malware that are detected as W32/FilecoderPhobos.F!tr.ransom may have varying behaviour.
Below are some of its observed characteristics/behaviours:

  • This malware is associated with the Phobos ransomware family.

  • Upon execution, this ransomware deletes shadow copies and backup catalogs, then traverses the victim's system to encrypt their data, excluding .exe and .dll files. The Phobos variant name is appended to each encrypted file name, so the appended extension follows the pattern id[victim_id].[email_address].[variant_name]. Possible variant names include: ".makop", ".harmagedon", ".sinister", ".snick", ".mkp", ".noctua", ".razer", ".moloch", and ".baseus".

  • A ransom note is dropped to the desktop and to every directory containing encrypted files. Depending on the variant, the ransom note is named "readme-warning.txt" or "+README-WARNING+.txt". The note demands payment and instructs the victim to contact the attacker via email, offering decryption of a few files as a guarantee. Affected users are discouraged from taking this action, as payment does not guarantee the retrieval of data. Variants that drop "+README-WARNING+.txt" also change the victim's desktop wallpaper to display a message stating that their files have been encrypted.

  • Below are images of the result of executing the ransomware:
    • Figure 1: Desktop with "readme-warning.txt".
    • Figure 2: Desktop with "+README-WARNING+.txt".
    • Figure 3: Ransom note.
    • Figure 4: Encrypted files (excluding .exe and .dll files).
    • Figure 5: Deletion of shadow copies and backup catalogs.


  • The following file hashes (near or exact matches) are IOCs associated with this detection:
    • Md5: 6c95940c0c21c6d7bbf3cb8426cf3627
      Sha256: ec278c551e11f3e8de0bd4bca28a921e6ff50d3ad212b5943d5de290fd453985
    • Md5: 155d8ab199690db229abebcd36b959ba
      Sha256: ad612ef2bf6ce2bcaacb51f92c95ec7cf5ce0a3c4044e9557a0ffd52045899ff
    • Md5: 578961ae2ca365d4c4043aacb332b2ab
      Sha256: 082a2ce2dde8b3a50f2d499496879e85562ee949cb151c8052eaaa713cddd0f8
    • Md5: c7e4cf178b41282dbd12d1cda5413b24
      Sha256: 57279443071e6f375cc8c0d527c146ab5996aefd2f4d5cf97f8e3d6789bc1f18
    • Md5: ed5ac7631c8a66da51f2f40b8a2ad177
      Sha256: 8ccc96d44fa49f83dbb83a5367df3c719c42c670d4d1a489989854a5f7cb3e43
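
The file-name pattern, ransom note names and hashes above can be turned into a simple triage check. The script below is an added example, not Fortinet's detection logic: it parses a directory listing for the id[victim_id].[email_address].[variant_name] pattern, flags the two ransom note file names, and compares a file's MD5/SHA256 against the IOC list on this page. The regular expression is an assumption derived from the pattern as stated here, and the directory listing and file bytes are constructed sample data.

```python
"""Triage helper for the Phobos indicators described above.

Added example (not Fortinet's code). The regex encodes the page's stated
pattern <name>.id[victim_id].[email_address].[variant_name]; sample data is
constructed and not taken from a real infection.
"""
import hashlib
import re
from collections import Counter

# Variant extensions named on the page (without the leading dot). Any other
# suffix that still matches the pattern is reported as an unknown variant.
KNOWN_VARIANTS = {"makop", "harmagedon", "sinister", "snick", "mkp",
                  "noctua", "razer", "moloch", "baseus"}

# Ransom note names from the page; compared case-insensitively.
RANSOM_NOTE_NAMES = {"readme-warning.txt", "+readme-warning+.txt"}

# Assumed regex for the stated extension pattern. The original file name is
# matched non-greedily so that the first ".id[" starts the appended part.
PHOBOS_NAME_RE = re.compile(
    r"^(?P<original>.+?)\.id\[(?P<victim_id>[^\]]+)\]"
    r"\.\[(?P<email>[^\]]+@[^\]]+)\]\.(?P<variant>[A-Za-z0-9]+)$"
)

# IOC hashes exactly as listed on this page.
IOC_SHA256 = {
    "ec278c551e11f3e8de0bd4bca28a921e6ff50d3ad212b5943d5de290fd453985",
    "ad612ef2bf6ce2bcaacb51f92c95ec7cf5ce0a3c4044e9557a0ffd52045899ff",
    "082a2ce2dde8b3a50f2d499496879e85562ee949cb151c8052eaaa713cddd0f8",
    "57279443071e6f375cc8c0d527c146ab5996aefd2f4d5cf97f8e3d6789bc1f18",
    "8ccc96d44fa49f83dbb83a5367df3c719c42c670d4d1a489989854a5f7cb3e43",
}
IOC_MD5 = {
    "6c95940c0c21c6d7bbf3cb8426cf3627",
    "155d8ab199690db229abebcd36b959ba",
    "578961ae2ca365d4c4043aacb332b2ab",
    "c7e4cf178b41282dbd12d1cda5413b24",
    "ed5ac7631c8a66da51f2f40b8a2ad177",
}

# Constructed directory listing: three encrypted files (one with a variant
# not on the page), one ransom note, and untouched .exe/.dll/.docx files.
SAMPLE_LISTING = [
    "budget.xlsx.id[A1B2C3D4].[contact@example.com].makop",
    "photo.jpg.id[A1B2C3D4].[contact@example.com].makop",
    "notes.txt.id[A1B2C3D4].[contact@example.com].newvariant",
    "readme-warning.txt",
    "setup.exe",
    "library.dll",
    "report.docx",
]


def parse_encrypted_name(name):
    """Return the parsed components of a Phobos-style file name, or None."""
    match = PHOBOS_NAME_RE.match(name)
    if match is None:
        return None
    parts = match.groupdict()
    parts["known_variant"] = parts["variant"].lower() in KNOWN_VARIANTS
    return parts


def is_ransom_note(name):
    """True if the file name is one of the ransom note names on the page."""
    return name.lower() in RANSOM_NOTE_NAMES


def triage_listing(names):
    """Summarise Phobos indicators found in a list of file names."""
    encrypted = []
    notes = []
    for name in names:
        if is_ransom_note(name):
            notes.append(name)
            continue
        parsed = parse_encrypted_name(name)
        if parsed is not None:
            encrypted.append(parsed)
    variants = Counter(p["variant"].lower() for p in encrypted)
    return {
        "encrypted_count": len(encrypted),
        "variants": dict(variants),
        "unknown_variants": sorted(v for v in variants if v not in KNOWN_VARIANTS),
        "victim_ids": sorted({p["victim_id"] for p in encrypted}),
        "contact_emails": sorted({p["email"] for p in encrypted}),
        "ransom_notes": notes,
        "suspected_phobos": bool(encrypted) or bool(notes),
    }


def match_iocs(data):
    """Hash file bytes and report whether either digest is a listed IOC."""
    sha256 = hashlib.sha256(data).hexdigest()
    md5 = hashlib.md5(data).hexdigest()
    return {"sha256": sha256, "md5": md5,
            "ioc_hit": sha256 in IOC_SHA256 or md5 in IOC_MD5}


if __name__ == "__main__":
    print(triage_listing(SAMPLE_LISTING))
    print(match_iocs(b"constructed sample bytes, not a malware binary"))
```

In practice the listing would come from walking a suspect volume (for example `os.walk`), and `match_iocs` would be fed the bytes of any unrecognised executable dropped around the time the notes appeared. Files that match the name pattern but carry a variant not on the page are reported separately rather than ignored, since new variant names appear regularly.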

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2024-01-08 92.00463
2023-12-08 91.09537
2023-11-20 91.08981
2023-11-20 91.08976
2022-05-31 90.02802
2022-05-25 90.02622
2022-05-04 90.02000
2022-04-20 90.01571
2022-04-19 90.01551
2022-04-18 90.01521