W32/FilecoderPhobos.F!tr.ransom
Analysis
W32/FilecoderPhobos.F!tr.ransom is a generic detection for a trojan.
Since this is a generic detection, malware samples detected as W32/FilecoderPhobos.F!tr.ransom may behave differently from one another.
Below are some of its observed characteristics/behaviours:
- This malware is associated with the Phobos ransomware family.
- Upon execution, this ransomware deletes shadow copies and backup catalogs, then traverses the victim's system and encrypts their data, excluding .exe and .dll files. Encrypted file names are appended with the Phobos variant name, following the pattern id[victim_id].[email_address].[variant_name]. Possible variant names include: ".makop", ".harmagedon", ".sinister", ".snick", ".mkp", ".noctua", ".razer", ".moloch", and ".baseus".
- A ransom note is dropped to the desktop and to every directory containing encrypted files. Depending on the variant, the ransom note is named "readme-warning.txt" or "+README-WARNING+.txt". The note demands payment and instructs the victim to contact the attacker via email, offering decryption of a few files as a guarantee. Affected users are discouraged from paying, as payment does not guarantee the recovery of data. Variants that drop "+README-WARNING+.txt" also change the victim's desktop wallpaper to display a message stating that their files have been encrypted.
- Below are images of the result of executing the ransomware:
- Figure 1: Desktop with "readme-warning.txt".
- Figure 2: Desktop with "+README-WARNING+.txt".
- Figure 3: Ransom note.
- Figure 4: Encrypted files (excluding .exe and .dll files).
- Figure 5: Deletion of shadow copies and backup catalogs.
- Following are some of the near/exact IOCs/file hashes associated with this detection:
- Md5: 6c95940c0c21c6d7bbf3cb8426cf3627
Sha256: ec278c551e11f3e8de0bd4bca28a921e6ff50d3ad212b5943d5de290fd453985
- Md5: 155d8ab199690db229abebcd36b959ba
Sha256: ad612ef2bf6ce2bcaacb51f92c95ec7cf5ce0a3c4044e9557a0ffd52045899ff
- Md5: 578961ae2ca365d4c4043aacb332b2ab
Sha256: 082a2ce2dde8b3a50f2d499496879e85562ee949cb151c8052eaaa713cddd0f8
- Md5: c7e4cf178b41282dbd12d1cda5413b24
Sha256: 57279443071e6f375cc8c0d527c146ab5996aefd2f4d5cf97f8e3d6789bc1f18
- Md5: ed5ac7631c8a66da51f2f40b8a2ad177
Sha256: 8ccc96d44fa49f83dbb83a5367df3c719c42c670d4d1a489989854a5f7cb3e43
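The file-name pattern and ransom note names described above are the artifacts a responder can sweep a file share or endpoint listing for. The following Python script is an added example written for this page; it is not Fortinet's code and not part of the detection. It assumes the documented suffix id[victim_id].[email_address].[variant_name] is appended to the original name in the literal form `<original>.id[<victim_id>].[<email>].<variant>` (the page gives the pattern but no sample file name, so the exact delimiters are an assumption). Because the page says its variant list is not exhaustive, names with the same shape but an unlisted extension are reported at lower confidence rather than ignored. The sample listing at the bottom is constructed, not a real IoC.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Variant names taken from the page's list (leading dot dropped).
PHOBOS_VARIANTS = ("makop", "harmagedon", "sinister", "snick",
                   "mkp", "noctua", "razer", "moloch", "baseus")

# Ransom note file names the page attributes to these variants (compared case-insensitively).
RANSOM_NOTE_NAMES = {"readme-warning.txt", "+readme-warning+.txt"}

# Assumed concrete form of the documented suffix id[victim_id].[email_address].[variant_name]:
#   <original name>.id[<victim_id>].[<email>].<variant>
# The page gives the pattern but no literal sample name, so these delimiters are an assumption.
_SUFFIX = (r"\.id\[(?P<victim_id>[^\]]+)\]"
           r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]"
           r"\.(?P<variant>[A-Za-z0-9]+)$")
PHOBOS_SUFFIX_RE = re.compile(r"^(?P<original>.+)" + _SUFFIX, re.IGNORECASE)


def classify_name(path):
    """Classify one file path. Returns None for a clean-looking name, otherwise a dict."""
    name = PureWindowsPath(path).name  # accepts both '\\' and '/' separators
    if name.lower() in RANSOM_NOTE_NAMES:
        return {"kind": "ransom_note", "name": name}
    m = PHOBOS_SUFFIX_RE.match(name)
    if not m:
        return None
    info = m.groupdict()
    info["variant"] = info["variant"].lower()
    # A listed variant is a high-confidence match; the page says its list is not exhaustive,
    # so the same id[...].[email].<ext> shape with an unlisted extension is still reported.
    listed = info["variant"] in PHOBOS_VARIANTS
    info["kind"] = "encrypted_file" if listed else "suspect_unlisted_variant"
    return info


def summarize(paths):
    """Aggregate a file listing: counts per kind plus the victim ids, contact e-mails and variants seen."""
    counts = Counter()
    victim_ids, emails, variants = set(), set(), set()
    for p in paths:
        hit = classify_name(p)
        if hit is None:
            continue
        counts[hit["kind"]] += 1
        if "victim_id" in hit:
            victim_ids.add(hit["victim_id"])
            emails.add(hit["email"].lower())
            variants.add(hit["variant"])
    return {"counts": dict(counts), "victim_ids": victim_ids,
            "emails": emails, "variants": variants}


# Constructed sample listing for demonstration; these are not IoCs from the page.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.id[A1B2C3D4-2468].[attacker@example.com].makop",
    r"C:\Users\alice\Desktop\readme-warning.txt",
    r"C:\Users\alice\Desktop\+README-WARNING+.txt",
    r"C:\Windows\notepad.exe",  # .exe files are left alone by this family
    r"C:\Users\alice\Documents\clean-report.docx",
    "D:/share/photo.jpg.id[DEADBEEF-1234].[crew@example.net].baseus",
    "D:/share/notes.txt.id[DEADBEEF-1234].[crew@example.net].zzz",  # shape matches, extension unlisted
]

if __name__ == "__main__":
    for p in SAMPLE_LISTING:
        print(p, "->", classify_name(p))
    print(summarize(SAMPLE_LISTING))
```

In practice the listing would come from a directory walk or a file-server audit export; the victim id and contact address recovered from the names are useful for grouping affected hosts that were hit by the same campaign, and the ransom note names give a cheap secondary indicator for directories that were reached.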
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
- FortiGate
- FortiClient
- FortiAPS
- FortiAPU
- FortiMail
- FortiSandbox
- FortiWeb
- Web Application Firewall
- FortiIsolator
- FortiDeceptor
- FortiEDR