W32/Filecoder_LockedFile.E!tr.ransom

Analysis

W32/Filecoder_LockedFile.E!tr.ransom is a detection for a Ransomware Matrix trojan.
Below are some of its observed characteristics/behaviours:

• This malware may drop any of the following file(s):
  
  • %CurrentPath%\xxxxxxxx.exe : This file is a copy of the original malware itself, where x is any alphanumeric character.
  • !ReadMe_To_Decrypt_Files!.rtf : This file is dropped all over the affected hosts drive and will serve as ransom notes.


• This malware may apply any of the following registry modification(s):
  
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run
    
    • Readme = wordpad.exe !ReadMe_To_Decrypt_Files!.rtf
    This automatically executes the dropped file every time the infected user logs on.
    
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run
    
    • Readme = wordpad.exe !ReadMe_To_Decrypt_Files!.rtf
    This registry corresponds to an autostart pointed out by windows for every restart of the host machine.
    


• Affected victims of this Ransomware are directed by the attacker via:
  
  • Files4463@tuta.io
  • Files4463@protonmail.ch
  • Files4463@gmail.com


• Affected files of this Ransomware will use the filenaming format XXXXXXXX-XXXXXXXX.[Files4463@tuta.io] , where X is any upper/lower alphanumeric character.


• Below is an illustration of the Ransomware effects:
  

  Figure 1: CMD display of Ransomware.

  
  

  Figure 2: Desktop Ransom notes.

  
  

  Figure 3: Ransom notes.

Recommended Action

• Make sure that your FortiGate/FortiClient system is using the latest AV database.
• Quarantine/delete files that are detected and replace infected files with clean backup copies.