virus logo Virus

MSIL/Filecoder.PL!tr.ransom

description-logoAnalysis

MSIL/Filecoder.PL!tr.ransom is a detection for a Ransomware Filecoder trojan, possibly targeting French Users.
Below are some of its observed characteristics/behaviours:

  • This malware may drop any of the following file(s):
    • %UserProfile%\readme.txt : This text file will serve as ransom note.

  • Affected files of this Ransomware will use the filenaming format {OriginalFilename.Ext}.enc.

  • This Ransomware encrypts the files with the following file extensions:
    • .txt
    • .doc
    • .docx
    • .xls
    • .xlsx
    • .ppt
    • .pptx
    • .odt
    • .jpg
    • .png
    • .csv
    • .sql
    • .mdb
    • .sln
    • .php
    • .asp
    • .aspx
    • .html
    • .xml
    • .psd
    • .pdf
    • .odt
    • .swp

  • Below is an illustration of the malware's Ransom notes:

    • Figure 1: Ransom note.



recommended-action-logoRecommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry logoTelemetry

Detection Availability

FortiClient
Extreme
FortiMail
Extreme
FortiSandbox
Extreme
FortiWeb
Extreme
Web Application Firewall
Extreme
FortiIsolator
Extreme
FortiDeceptor
Extreme
FortiEDR

Version Updates

Date Version Detail
2019-03-13 67.02500 Sig Updated
2019-01-01 65.32400 Sig Updated
2018-12-31 65.30300 Sig Updated
ID 7970138
Released Jan 02, 2019
Description
Updated		 Dec 31, 2018
Aliases Ransom_RAMSIL.SM,DeepScan:Generic.Ransom.Hiddentear.A.FE9912D9,a variant of MSIL/Filecoder.PL trojan
Platform Profile Microsoft Intermediate Language (used for MSIL compiled binaries)