MSIL/Encrypt.6FA4!tr.ransom
Analysis
MSIL/Encrypt.6FA4!tr.ransom is a detection for a Ransomware Encrypt trojan.
Below are some of its observed characteristics/behaviours:
- This malware may drop any of the following file(s):
- %NetworkSharedFolder%\PornPic.scr: This file is the copy of the original malware itself. This file is dropped with hidden attributes.
- %NetworkSharedFolder%\auto.inf : This file is a text file that is the autorun for the PornPic.scr file dropped in the network shared folder. This file is dropped with hidden attributes.
- Affected files of this Ransomware will use the filenaming format {OriginalFilename.Ext}.encrypt .
- This Ransomware kills the following processes:
- sample
- outpost
- npfmsg
- bdagent
- kavsvc
- egui
- zlclient
- taskmgr
- This Ransomware modifies the following registry entries:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- Hidden = 0
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- Below is an illustration of the malware's Ransom notes:
- Figure 1: Ransom note.
- Figure 2: auto.inf file.
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
FortiClient | |
---|---|
Extreme | |
FortiMail | |
Extreme | |
FortiSandbox | |
Extreme | |
FortiWeb | |
Extreme | |
Web Application Firewall | |
Extreme | |
FortiIsolator | |
Extreme | |
FortiDeceptor | |
Extreme | |
FortiEDR |