W32/Filecoder_LockedFile.E!tr.ransom
Analysis
W32/Filecoder_LockedFile.E!tr.ransom is a detection for a Ransomware Matrix trojan.
Below are some of its observed characteristics/behaviours:
- This malware may drop any of the following file(s):
  - %CurrentPath%\xxxxxxxx.exe : This file is a copy of the original malware itself, where x is any alphanumeric character.
  - !ReadMe_To_Decrypt_Files!.rtf : This file is dropped all over the affected host's drive and serves as the ransom note.
- This malware may apply any of the following registry modification(s):
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run
    - Readme = wordpad.exe !ReadMe_To_Decrypt_Files!.rtf
  - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run
    - Readme = wordpad.exe !ReadMe_To_Decrypt_Files!.rtf
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run
- Affected victims of this Ransomware are directed by the attacker via:
  - Files4463@tuta.io
  - Files4463@protonmail.ch
  - Files4463@gmail.com
- Affected files of this Ransomware will use the file-naming format XXXXXXXX-XXXXXXXX.[Files4463@tuta.io], where X is any upper/lower-case alphanumeric character.
- Below is an illustration of the Ransomware's effects:
  - Figure 1: CMD display of Ransomware.
  - Figure 2: Desktop Ransom notes.
  - Figure 3: Ransom notes.
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability

Product | Detection Availability
---|---
FortiGate | Extended
FortiClient | Extreme
FortiAPS |
FortiAPU |
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |