W32/GenKryptik.AGWR!tr
Analysis
W32/GenKryptik.AGWR!tr is a detection for a ransomware trojan.
Below are some of the observable characteristics and behaviours:
- This malware has been found to be downloaded by JS/Nemucod.DAG!tr.dldr from the following URL: hxxp://{Removed}wokia.top/admin.php?f=404
- It is saved as %AppData%\Microsoft\Windows\Templates\[Random].exe.
- Once executed, the affected host becomes littered with the following files:
  - [Filename].crypt : Encrypted hostage file
  - how_to_back_files.html : Ransom instructions, as illustrated below:

Figure 1: Ransom note.
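The artifacts listed above (a random `.exe` under `%AppData%\Microsoft\Windows\Templates`, `[Filename].crypt` hostage files and the `how_to_back_files.html` note) are what a responder would sweep a profile for. The following added example, not part of this Fortinet entry, does that sweep over a constructed sample tree; the directory layout, helper names and sample file names are assumptions for illustration.

```python
import tempfile
from pathlib import Path

# Artifact names taken from the analysis above; everything else is an assumption.
RANSOM_NOTE = "how_to_back_files.html"
HOSTAGE_SUFFIX = ".crypt"
DROP_DIR = Path("Microsoft") / "Windows" / "Templates"  # relative to %AppData%


def scan_host(appdata: Path, user_data: Path) -> dict:
    """Return paths grouped by indicator type: dropper candidates, notes, hostages."""
    findings = {"dropper": [], "notes": [], "hostages": []}
    drop_dir = appdata / DROP_DIR
    if drop_dir.is_dir():
        # Templates normally holds no executables; any .exe here deserves a look.
        findings["dropper"] = [str(p) for p in drop_dir.glob("*.exe")]
    for p in user_data.rglob("*"):
        if not p.is_file():
            continue
        if p.name.lower() == RANSOM_NOTE:
            findings["notes"].append(str(p))
        elif p.suffix.lower() == HOSTAGE_SUFFIX:
            findings["hostages"].append(str(p))
    for paths in findings.values():
        paths.sort()
    return findings


def build_sample_host() -> tuple:
    """Constructed sample profile imitating the post-infection layout (no real malware)."""
    root = Path(tempfile.mkdtemp())
    appdata = root / "AppData" / "Roaming"
    (appdata / DROP_DIR).mkdir(parents=True)
    (appdata / DROP_DIR / "kq8z1.exe").write_bytes(b"MZ placeholder")  # constructed
    docs = root / "Documents"
    docs.mkdir()
    (docs / "budget.xlsx.crypt").write_bytes(b"\x00" * 16)  # constructed hostage file
    (docs / RANSOM_NOTE).write_text("<html>ransom note placeholder</html>")
    (docs / "notes.txt").write_text("untouched")  # should not be reported
    return appdata, docs


if __name__ == "__main__":
    appdata, docs = build_sample_host()
    for kind, paths in scan_host(appdata, docs).items():
        print(f"{kind}: {len(paths)} -> {paths}")
```

On a real host, point `scan_host` at the user's `%AppData%` and profile directories instead of the constructed tree.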
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Detection
---|---
FortiGate | Extended
FortiClient | Extreme
FortiAPS |
FortiAPU |
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |
Version Updates
Date | Version | Detail
---|---|---
2022-05-25 | 90.02622 |