VirusMSIL/Encrypt.6FA4!tr.ransom
Analysis
MSIL/Encrypt.6FA4!tr.ransom is a detection for a Ransomware Encrypt trojan.
Below are some of its observed characteristics/behaviours:
- This malware may drop any of the following file(s):
- %NetworkSharedFolder%\PornPic.scr: This file is the copy of the original malware itself. This file is dropped with hidden attributes.
- %NetworkSharedFolder%\auto.inf : This file is a text file that is the autorun for the PornPic.scr file dropped in the network shared folder. This file is dropped with hidden attributes.
- Affected files of this Ransomware will use the filenaming format {OriginalFilename.Ext}.encrypt .
- This Ransomware kills the following processes:
- sample
- outpost
- npfmsg
- bdagent
- kavsvc
- egui
- zlclient
- taskmgr
- This Ransomware modifies the following registry entries:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- Hidden = 0
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- Below is an illustration of the malware's Ransom notes:
- Figure 1: Ransom note.
- Figure 2: auto.inf file.
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
| FortiClient | |
|---|---|
| Extreme | |
| FortiMail | |
| Extreme | |
| FortiSandbox | |
| Extreme | |
| FortiWeb | |
| Extreme | |
| Web Application Firewall | |
| Extreme | |
| FortiIsolator | |
| Extreme | |
| FortiDeceptor | |
| Extreme | |
| FortiEDR |