VirusW32/GenKryptik.AGWR!tr
Analysis
W32/GenKryptik.AGWR!tr is a detection for a ransomware trojan.
Below are some of the observable characteristics and behaviours:
- This malware has been found to be downloaded by JS/Nemucod.DAG!tr.dldr from the following URL:
- hxxp://{Removed}wokia.top/admin.php?f=404 It is saved as undefinedAppDataundefined\Microsoft\Windows\Templates\[Random].exe.
- Once executed, the affected host becomes littered with the following files:
- [Filename].crypt : Encrypted hostage file
- how_to_back_files.html : Ransom instruction as illustrated below:
- Figure 1: Ransom note.
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
| FortiGate | |
|---|---|
| Extended | |
| FortiClient | |
| Extreme | |
| FortiAPS | |
| FortiAPU | |
| FortiMail | |
| Extreme | |
| FortiSandbox | |
| Extreme | |
| FortiWeb | |
| Extreme | |
| Web Application Firewall | |
| Extreme | |
| FortiIsolator | |
| Extreme | |
| FortiDeceptor | |
| Extreme | |
| FortiEDR |
Version Updates
| Date | Version | Detail |
|---|---|---|
| 2022-05-25 | 90.02622 |