virus logo Virus

W32/GenKryptik.AVEL!tr.ransom

description-logoAnalysis
W32/GenKryptik.AVEL!tr.ransom is a generic detection for a trojan that may include a potential Locky Ransomware. Since this is a generic detection, malware that are detected as W32/GenKryptik.AVEL!tr.ransom may have varying behaviour.
Below are examples of some of these behaviours:

  • This malware may drop any of the following file(s):
    • %SystemRoot%\system32\videostorage.exe
    • %systemx86%\defragdefrag.exe
    • %systemx86%\systemprovider.exe
    • %SystemRoot%\system32\launchsystem.exe
    • %systemx86%\helpdcom.exe
    • %SystemRoot%\system32\cachecrypt.exe
    During our tests these files were attempted to be dropped but failed to do so, we believe that these dropped files may be detected as W32/GenKryptik.AVEL!tr.ransom well.

  • This malware may connect to any of the following remote sites(s):
    • 19{Removed}.119.78.54

  • This malware may start services that points to itself by applying any of the following registry modification(s):
    • HKEY_LOCAL_MACHINE\System\Controlset001\Services\Videostorage
      • Imagepath = %SystemRoot%\system32\videostorage.exe

    • HKEY_LOCAL_MACHINE\System\Controlset001\Services\Launchsystem
      • Imagepath = %SystemRoot%\system32\launchsystem.exe

    • HKEY_LOCAL_MACHINE\System\Controlset001\Services\Cachecrypt
      • Imagepath = %SystemRoot%\system32\cachecrypt.exe


  • During our tests we also observed some instances of Locky Ransomware under this detection that may drop any of the following file(s):
    • %Desktop%\asasin-[xxxx].html : where x is any hexadecimal character, this file is dropped all over the affected hosts drive and will serve as ransom notes.
    • %Desktop%\asasin.html : This will serve as ransom notes.
    • %Desktop%\asasin.bmp : This file is a picture/image and will serve as ransom notes.

  • Ransomware affected files will use the filenaming format XXXXXXXX-XXXX-XXXX-XXXXXXXX-XXXXXXXXXXXX.asasin, where X is any alphanumeric character.

  • This malware was also observed to affect/encrypt files located on USB or external drives.

  • Below is an illustration of the malware's Ransom notes:

    • Figure 1: Ransom notes.


    • Figure 2: Ransom notes.



recommended-action-logoRecommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry logoTelemetry

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2019-05-03 68.25100 Sig Added
2019-05-03 68.24700 Sig Updated
ID 7557114
Released Nov 09, 2017
Description
Updated		 Nov 08, 2017
Aliases Gen:Variant.Zusy.263558, Generik.KFADHWD trojan, Mal/EncPk-ANR, Ransom_LOCKY.DLDTAUK, RDN/GenericTrojan trojan, Troj/Ransom-ERZ, Trojan.Agent.CPZK, Trojan.Win32.Dovs.bnl, Trojan-FOMY!6E0BD2BAA749 trojan, Trojan-Ransom.Win32.Locky.acez, TSPY_EMOTET.AUSJMS,
Platform Profile Win32 file format / PE 32 bit