W32/Cryakl_V1_5_1_0!tr.ransom
Analysis
W32/Cryakl_V1_5_1_0!tr.ransom is a detection for the Cryakl v1.5.1.0 ransomware trojan.
Below are some of its observed characteristics and behaviours:
- This malware may drop any of the following files:
  - README.txt: this text file serves as the ransom note and is dropped in every affected folder.
  - %AppData%\Local\Temp\XXXXXXXXXX.exe: a copy of the malware itself, where each X is any capital letter.
  - %Temp%\[UID]: this text file marks the end of encryption.
- Files affected by this ransomware use the file-naming format email-biger@x-mail.pro.ver-CL 1.5.1.0.id-UID-{Random}.fname-{Original file name.Ext}.doubleoffset.
- This malware was also observed to affect/encrypt files located on shared drives within the same subnet.
- This malware may also add the following autorun registry entries:
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    - [UID] = "%CurrentUser%\%AppData%\Local\Temp\XXXXXXXXXX.exe", where each X is any capital letter.
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- hxxp://gcr{Removed}.beget.tech
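The file-naming format and dropper path above are the most useful host-side indicators for triage. The following is an added example (not Fortinet's code) that parses the stated Cryakl v1.5.1.0 naming format to recover the original file name, UID and version from an encrypted file name, and flags paths matching the dropped-copy scheme; the sample file names are constructed for the demonstration.

```python
import os
import re

# Constructed sample file names for the demonstration (not from a real infection).
SAMPLE_NAMES = [
    "email-biger@x-mail.pro.ver-CL 1.5.1.0.id-1234567890-QWERTY.fname-Quarterly Report.docx.doubleoffset",
    "email-biger@x-mail.pro.ver-CL 1.5.1.0.id-1234567890-ZXCVBN.fname-photo.jpg.doubleoffset",
    "README.txt",
    "Quarterly Report.docx",
]

# Pattern for the naming format described above:
# email-<email>.ver-CL <version>.id-<UID>-<Random>.fname-<original name>.doubleoffset
ENCRYPTED_NAME_RE = re.compile(
    r"^email-(?P<email>[^/\\]+?)"
    r"\.ver-CL (?P<version>\d+(?:\.\d+)*)"
    r"\.id-(?P<uid>.+?)-(?P<rand>[^.]+)"
    r"\.fname-(?P<original>.+)"
    r"\.doubleoffset$"
)

# Dropped copy of the malware: ...\Temp\XXXXXXXXXX.exe, where X is any capital letter.
DROPPER_PATH_RE = re.compile(r"[\\/]Temp[\\/][A-Z]{10}\.exe$")


def parse_encrypted_name(name):
    """Return the fields of a Cryakl-encrypted file name, or None if it does not match."""
    m = ENCRYPTED_NAME_RE.match(name)
    return m.groupdict() if m else None


def looks_like_dropper(path):
    """True if a path (e.g. a Run-key value) matches the dropped-copy naming scheme."""
    return DROPPER_PATH_RE.search(path) is not None


def find_encrypted(names):
    """Map each encrypted file name to its original name, e.g. to build a restore list."""
    found = {}
    for name in names:
        fields = parse_encrypted_name(name)
        if fields:
            found[name] = fields["original"]
    return found


def scan_directory(root):
    """Walk a directory tree and return the encrypted-to-original mapping for matching files."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return {p: v for p, v in find_encrypted(paths).items()}


if __name__ == "__main__":
    for enc, orig in find_encrypted(SAMPLE_NAMES).items():
        print(f"{orig!r} <- {enc!r}")
```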
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Availability
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |
Version Updates
Date | Version | Detail |
---|---|---|
2023-02-27 | 91.00976 | |
2022-10-11 | 90.06793 | |
2021-04-05 | 85.00239 | |
2019-07-15 | 70.00300 | Sig Updated |
2019-04-30 | 68.17900 | Sig Updated |
2019-04-09 | 67.67400 | Sig Updated |
2019-01-09 | 65.51600 | Sig Updated |
2019-01-08 | 65.49600 | Sig Updated |
2019-01-08 | 65.49300 | Sig Updated |
2019-01-07 | 65.47000 | Sig Updated |