W32/Xorist.DD8C!tr.ransom

Analysis

W32/Xorist.DD8C!tr.ransom is a generic detection for a Ransomware Xorist trojan. Since this is a generic detection, this malware may have varying behaviour.
Below are some of its observed characteristics/behaviours:

• This malware may drop any of the following file(s):
  
  • HOW TO DECRYPT FILES.txt : This file is a text file and will serve as ransom note. It is dropped in every infected folder.
  • how to decrypt files.txt facebook contact Ahmed Mohamed Naser : This file is a text file and will serve as ransom note. It is dropped in every infected folder.
  • %Temp%\XXXXXXXXXXXXXXX.exe : This file is currently detected as W32/Xorist.DD8C!tr.ransom. For some variants, this file is the copy of the original malware itself. Here X is any alphanumeric character.
  • %Temp%\svchost.exe : This file is currently detected as W32/Xorist.DD8C!tr.ransom .


• One variant of this Ransomware can be downloaded through the obfuscated JavaScript file spread through the spam email. The description for that JavaScript file can be found as : JS/Xorist.DD8C!tr.ransom .


• Affected files of this Ransomware will use the filenaming format:
  
  • {OriginalMalware.Ext}....PAY_IN_MAXIM_24_HOURS_OR_ALL_YOUR_FILES_WILL_BE_PERMANENTLY_DELETED_PLEASE_BE_REZONABLE_you_have_only_1_single_chance_to_make_the_payment.
  • {Originalfilename.Ext}.Boom
  • {Originalfilename.Ext}.EnCiPhErEd


• This malware was also observed to affect/encrypt files located on shared drived within the same subnet.


• Affected victims of this Ransomware are redirected by the attacker via:
  
  • Email_Decryptor_Payment@scryptmail.com


• This malware may apply any of the following registry modification(s):
  
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run
    
    • Alcmeter = %Temp%\XXXXXXXXXXXXXXX.exe
    The malware configures itself to run every time any user logs on to the infected system.
    
  • HKEY_LOCAL_MACHINE\Software\Wow6432node\Microsoft\Windows\Currentversion\Run
    
    • Alcmeter = %Temp%\XXXXXXXXXXXXXXX.exe
    The malware configures itself to run every time any user logs on to the infected system.
    


• This Ransomware may kill the following processes:
  
  • Taskhost.exe
  • Outlook.exe
  • Iexplorer.exe
  • Winmail.exe
  • explorer.exe


• Below is an illustration of the malware's Ransom notes:
  

  Figure 1: Ransom Note .

  
  

  Figure 2: Error Prompt .

  
  

  Figure 3: Ransom Note .

  
  

  Figure 4: Error Prompt .

  
  

  Figure 5: Ransom note .

  
  

  Figure 6: Error Prompt .

  
  

Recommended Action

• Make sure that your FortiGate/FortiClient system is using the latest AV database.
• Quarantine/delete files that are detected and replace infected files with clean backup copies.