MSIL/Filecoder.SE!tr.ransom

description-logoAnalysis

MSIL/Filecoder.SE!tr.ransom is a generic detection for a Ransomware Filecoder trojan. Since this is a generic detection, this malware may have varying behaviour.
Below are some of its observed characteristics/behaviours:

  • This malware may drop any of the following file(s):
    • %startup%\pacman.url : This file is dropped in the startup folder and contains a link to the original malware.
  • This malware was also observed to affect/encrypt files located on shared drives within the same subnet.
  • Affected files of this Ransomware will use the filenaming format OriginalFileName.encrypted.ext, where italic strings are replaced.
  • This Ransomware was observed to encrypt all files except for the following file types:
    • .bat
    • .bin
    • .class
    • .dll
    • .dmp
    • .exe
    • .ini
    • .jar
    • .lnk
    • .log
    • .sys
    • .tmp
    • .ttf
    • .xml
  • Below is an illustration of the malware's Ransom notes:
    • Figure 1: The Ransomware's running process. Note that decrypt-files.exe may be replaced with a different filename. In this case, 'Pacman' is the description of the process.
    • Figure 2: The pacman.url file, as seen in the Start Menu.
    • Figure 3: Properties of pacman.url, showing that the URL is a path to the original malware.
    • Figure 3: Pacman ransom note.

recommended-action-logoRecommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry logoTelemetry

Detection Availability

FortiClient
Extreme
FortiMail
Extreme
FortiSandbox
Extreme
FortiWeb
Extreme
Web Application Firewall
Extreme
FortiIsolator
Extreme
FortiDeceptor
Extreme
FortiEDR

Version Updates

Date Version Detail
2019-07-02 69.68600 Sig Updated
2019-03-29 67.41900 Sig Added