MSIL/FilecoderMc.8A80!tr.ransom

description-logoAnalysis

MSIL/FilecoderMc.8A80!tr.ransom is a detection for a McRansomware trojan.
Below are some of its observed characteristics/behaviours:

  • This malware may drop any of the following file(s):
    • GetBack_MC_RANSOM_FILEs.HTML: This html file will serve as ransom notes.
    • {Original name+Ext}.mc_ransom_config: It may drop the configuration files for any encrypted file, which includes encryption key using RSA 2048 algorithm.
    • %Desktop%\ simple_key.mmm: This file includes RSA Key Value.

  • This malware was also observed to affect/encrypt files located on shared drive within the same subnet.

  • Affected files of this Ransomware will use the prepending filenaming format as {Original name+Ext}.mc_ransom.

  • Below is an illustration of the malware's Ransom notes:

    • Figure 1: Ransom notes.




recommended-action-logoRecommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry logoTelemetry

Detection Availability

FortiGate
Extended
FortiClient
Extreme
FortiAPS
FortiAPU
FortiMail
Extreme
FortiSandbox
Extreme
FortiWeb
Extreme
Web Application Firewall
Extreme
FortiIsolator
Extreme
FortiDeceptor
Extreme
FortiEDR

Version Updates

Date Version Detail
2018-12-18 64.98900 Sig Updated
2018-12-17 64.96900 Sig Updated