W32/Kryptik.GLDE!tr.ransom
Analysis
W32/Kryptik.GLDE!tr.ransom is a detection for a potential Ransomware Crysis trojan.
Below are some of its observed characteristics/behaviours:
- This malware may drop any of the following file(s):
  - FILES ENCRYPTED.txt : This text file serves as the ransom note.
  - %SystemRoot%\system32\[Original Malware File] : This file is a copy of the original ransomware file.
  - %Start Menu%\Programs\Startup\[Original Malware File] : This file is a copy of the original ransomware file.
  - %Start Menu%\Programs\Startup\Info.hta : This HTML application file serves as the ransom note.
- This malware attempts to delete the Volume Shadow Copy backups of affected hosts, hampering the victim's recovery.
- This malware may apply any of the following registry modification(s):
  - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    - [Original File] = %SystemRoot%\system32\[Original Malware File]
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    - [Original File] = %SystemRoot%\system32\[Original Malware File]
- Files encrypted by this ransomware are renamed using the format [FileName].[Ext].id-XXXXXXXX.[bitpandacom@qq.com].combo, where each X is a hexadecimal character.
- This malware was also observed to encrypt files located on shared drives within the same subnet.
- This malware was also observed to encrypt files located on USB or other external drives.
- Figure 1: Ransom notes.
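As an added triage example (not part of the Fortinet entry), the following Python helper parses the file naming format described above and separates renamed files, ransom notes and untouched files in a directory listing; the sample paths are constructed, and the 8-character id width and bracketed contact address are taken from the format shown.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Naming format given in the analysis above:
#   [FileName].[Ext].id-XXXXXXXX.[bitpandacom@qq.com].combo   (X = hex character)
CRYSIS_NAME_RE = re.compile(
    r"^(?P<name>.+)\.(?P<ext>[^.]+)\.id-(?P<vid>[0-9A-Fa-f]{8})"
    r"\.\[(?P<email>[^\]]+)\]\.combo$"
)

# Ransom note file names listed on the page (compared case-insensitively).
RANSOM_NOTE_NAMES = {"files encrypted.txt", "info.hta"}

@dataclass
class EncryptedFile:
    original_name: str   # name the file had before it was renamed
    victim_id: str       # the id-XXXXXXXX token, normalised to upper case
    contact: str         # address embedded in the renamed file

def parse_encrypted_name(filename: str) -> Optional[EncryptedFile]:
    """Return the parsed fields if filename matches the naming format, else None."""
    m = CRYSIS_NAME_RE.match(filename)
    if m is None:
        return None
    return EncryptedFile(f"{m['name']}.{m['ext']}", m["vid"].upper(), m["email"])

def triage_listing(paths):
    """Split a listing into (encrypted files, ransom notes, distinct victim ids)."""
    encrypted, notes, victim_ids = [], [], set()
    for path in paths:
        base = path.replace("\\", "/").rsplit("/", 1)[-1]
        if base.lower() in RANSOM_NOTE_NAMES:
            notes.append(path)
            continue
        hit = parse_encrypted_name(base)
        if hit is not None:
            encrypted.append((path, hit))
            victim_ids.add(hit.victim_id)
    return encrypted, notes, victim_ids

# Constructed sample listing (not from a real incident); mixes shared-drive and USB paths.
SAMPLE_LISTING = [
    r"D:\share\finance\Q3 report.xlsx.id-1A2B3C4D.[bitpandacom@qq.com].combo",
    r"D:\share\finance\FILES ENCRYPTED.txt",
    r"E:\usb\photo.jpg.id-1a2b3c4d.[bitpandacom@qq.com].combo",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta",
    r"D:\share\finance\budget.docx",          # untouched file
    r"D:\share\notes.id-1A2B3C4D.[x].combo",  # missing [Ext]: not the described format
]
```

A single victim id across shared-drive and USB paths is consistent with one infected host having encrypted both, which helps scope the affected machine during response.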
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability

Product | Availability
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |