W32/Locky.BAPU!tr.ransom

description-logoAnalysis



W32/Locky.BAPU!tr.ransom is a generic detection for a Ransomware Locky trojan. Since this is a generic detection, this malware may have varying behaviour.
Below are some of its observed characteristics/behaviours:

  • This malware may drop any of the following file(s):
    • undefinedTempundefined\[Random].exe : This file is detected as W32/Locky.BAPU!tr.ransom.
    • asasin-[XXXX].htm : where X is any hexadecimal character, this file is dropped all over the affected hosts drive and will serve as ransom notes.
    • undefinedDesktopundefined\asasin.bmp : This file is a picture/image and will serve as ransom notes.
    • undefinedDesktopundefined\asasin.html : This file is an html and will serve as ransom notes.

  • This malware was known to be downloaded by VBA/Agent.F442!tr.dldr from hxxp://rosewineg{Removed}.info/2 and will be located as undefinedTempundefined\[Random].exe.

  • This Ransomware also changes desktop background to ransom notes using undefinedDesktopundefined\asasin.bmp.

  • Affected files of this Ransomware will use the filenaming format XXXXXXXX-XXXX-XXXX-XXXXXXXX-XXXXXXXXXXXX.asasin, where X is any alphanumeric character.

  • This malware was also observed to affect/encrypt files located on shared drived within the same subnet.

  • Below is an illustration of the malware's Ransom notes:

    • Figure 1: Ransom notes.


    • Figure 2: Ransom notes.



recommended-action-logoRecommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry logoTelemetry

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2019-05-03 68.25100 Sig Added
2019-05-03 68.24700 Sig Updated