W32/Kryptik.GLDE!tr.ransom

Analysis

W32/Kryptik.GLDE!tr.ransom is a detection for a potential Crysis ransomware trojan.
Below are some of its observed characteristics/behaviours:

  • This malware may drop any of the following file(s):
    • FILES ENCRYPTED.txt : This text file serves as the ransom note.
    • %SystemRoot%\system32\[Original Malware File] : This file is a copy of the original Ransomware file.
    • %Start Menu%\Programs\Startup\[Original Malware File] : This file is a copy of the original Ransomware file.
    • %Start Menu%\Programs\Startup\Info.hta : This HTML application file serves as the ransom note.

  • This malware attempts to delete shadow copy backups on affected hosts, hampering the victim's recovery.
  • This malware may apply any of the following registry modification(s):
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
      • [Original File] = %SystemRoot%\system32\[Original Malware File]
      This registry entry makes Windows automatically execute the dropped file every time the host machine restarts.
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      • [Original File] = %SystemRoot%\system32\[Original Malware File]
      This registry entry automatically executes the dropped file every time the infected user logs on.

  • Files encrypted by this ransomware are renamed using the format [FileName].[Ext].id-XXXXXXXX.[bitpandacom@qq.com].combo, where each X is a hexadecimal character.

  • This malware was also observed to affect/encrypt files located on shared drives within the same subnet.

  • This malware was also observed to affect/encrypt files located on USB or external drives.

  • Below is an illustration of the malware:

    • Figure 1: Ransom notes.
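
The file-naming format and ransom-note file names described above can be turned into a simple triage check for a directory listing. The following is an added example written for this page, not code from Fortinet; the sample listing it contains is constructed, and the capture group for the contact address is an assumption that lets the same pattern match other addresses used by this family.

```python
import re
from typing import Dict, List, Optional

# Encrypted-file naming format from the analysis above:
#   [FileName].[Ext].id-XXXXXXXX.[bitpandacom@qq.com].combo
# The id is eight hex characters; the contact address is captured rather
# than hard-coded so other addresses used by this family still match.
CRYSIS_NAME_RE = re.compile(
    r"^(?P<name>.+)\.(?P<ext>[^.]+)"
    r"\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<contact>[^\[\]]+)\]\.combo$"
)
# Ransom-note file names listed in the analysis above.
RANSOM_NOTE_NAMES = {"FILES ENCRYPTED.txt", "Info.hta"}

def parse_encrypted_name(filename: str) -> Optional[Dict[str, str]]:
    """Return original name, victim id and contact address for a file name in
    the .combo format, or None when the name does not match."""
    m = CRYSIS_NAME_RE.match(filename)
    if not m:
        return None
    return {"original": f"{m['name']}.{m['ext']}",
            "victim_id": m["victim_id"].upper(),
            "contact": m["contact"]}

def triage_listing(filenames: List[str]) -> Dict[str, object]:
    """Summarise a directory listing: encrypted files (by original name),
    ransom notes, and the victim ids / contact addresses seen."""
    encrypted, notes, victim_ids, contacts = [], [], set(), set()
    for fn in filenames:
        parsed = parse_encrypted_name(fn)
        if parsed:
            encrypted.append(parsed["original"])
            victim_ids.add(parsed["victim_id"])
            contacts.add(parsed["contact"])
        elif fn in RANSOM_NOTE_NAMES:
            notes.append(fn)
    return {"encrypted": encrypted, "ransom_notes": notes,
            "victim_ids": sorted(victim_ids), "contacts": sorted(contacts)}

# Constructed sample listing (not from a real host). The last entry is a
# near miss: its id is not hexadecimal, so it must not be flagged.
SAMPLE_LISTING = [
    "report.docx.id-1A2B3C4D.[bitpandacom@qq.com].combo",
    "q3 budget.xlsx.id-1a2b3c4d.[bitpandacom@qq.com].combo",
    "FILES ENCRYPTED.txt",
    "readme.txt",
    "notes.txt.id-GHIJKLMN.[bitpandacom@qq.com].combo",
]
```

Running `triage_listing` over a share's listing gives the original names to restore from backup and the victim id to correlate across affected hosts.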

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Product                    Level
FortiClient                Extreme
FortiMail                  Extreme
FortiSandbox               Extreme
FortiWeb                   Extreme
Web Application Firewall   Extreme
FortiIsolator              Extreme
FortiDeceptor              Extreme
FortiEDR

Version Updates

Date Version Detail
2019-01-01 65.32400 Sig Updated
2018-10-21 63.09600 Sig Updated
2018-10-03 62.66400 Sig Updated
2018-10-03 62.66200 Sig Updated
2018-10-03 62.66000 Sig Updated