virus logo Virus

W32/Kryptik.FSNS!tr

description-logoAnalysis



W32/Kryptik.FSNS!tr is a generic detection for a type of trojan. Since this is a generic detection, malware that are detected as W32/Kryptik.FSNS!tr may have varying behavior. At the time of this analysis, this has been detecting variants of the Cerber Ransomware.
Below are examples of some of the behaviors observed in this malware:

  • Drops files on the affected host using the following filenames:
    • _R_E_A_D___T_H_I_S___[Random]_.hta : This is an HTML file that contains ransom instructions and is detected as HTML/Kryptik.FSNS!tr. It shows the following when opened:

      • Figure 1: Ransom instructions.

    • _R_E_A_D___T_H_I_S___[Random]_.txt : This file is another ransom instruction in text format as illustrated below:

      • Figure 2: Ransom instructions.

    • undefinedAppDataundefined\Local\Temp\[Random].bmp : This picture file is displayed on the user's desktop

      • Figure 3: Host's desktop.

  • In some instances, this ransomware has been observed to only partially encrypt the target file.

  • It applies the following registry modification that affects the user's desktop:
    • HKEY_CURRENT_USER\Control Panel\Desktop
      • Wallpaper="undefinedAppDataundefined\Local\Temp\[Random].bmp"

  • It also issues the following command to enable the Windows Firewall, possibly disallowing other malware from taking over affected hosts.
    • "undefinedSystemDirundefined\netsh.exe advfirewall set allprofiles state on"
    • "undefinedSystemDirundefined\netsh.exe advfirewall reset"

  • This malware also generates network traffic via UDP on the subnet 178.xx.160.xx.

  • It connects to the following URLs:
    • api.block{Removed}.com
    • btc.blo{Removed}.io

  • This ransomware employs a captcha scheme, possibly designed by the attacker to avoid automated attempts on obtaining the attackers decrypt tool.

    • Figure 4: Cerber's captcha.

  • In some instances, this malware deletes itself after execution.


recommended-action-logoRecommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry logoTelemetry

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2019-05-03 68.25100 Sig Added
2019-05-03 68.24700 Sig Updated
ID 7394147
Released May 22, 2017
Description
Updated		 May 26, 2017
Aliases Trojan-Ransom.Win32.Zerber.eddh Trojan-Ransom.Win32.Zerber.edeb Trojan-Ransom.Win32.Zerber.edjv Ransom_HPCERBER.SMONT2 Win32/Filecoder.Cerber.G trojan Win32/GenKryptik.AHKF trojan Win32/Kryptik.FSPF trojan Gen:Variant.Razy.177145 Mal/Elenoocka-E Trojan.Age
Platform Profile Win32 file format / PE 32 bit