MSIL/Filecoder.SE!tr.ransom
Analysis
MSIL/Filecoder.SE!tr.ransom is a generic detection for a Ransomware Filecoder trojan. Since this is a generic detection, this malware may have varying behaviour.
Below are some of its observed characteristics/behaviours:
- This malware may drop any of the following file(s):
- %startup%\pacman.url : This file is dropped in the startup folder and contains a link to the original malware.
- This malware was also observed to affect/encrypt files located on shared drives within the same subnet.
- Affected files of this Ransomware use the file-naming format OriginalFileName.encrypted.ext, where OriginalFileName and ext are placeholders for the original file's name and extension (the original text rendered these placeholders in italics).
- This Ransomware was observed to encrypt all files except for the following file types:
- .bat
- .bin
- .class
- .dll
- .dmp
- .exe
- .ini
- .jar
- .lnk
- .log
- .sys
- .tmp
- .ttf
- .xml
- The figures below illustrate the malware's running process, the dropped startup shortcut and its ransom note:
- Figure 1: The Ransomware's running process. Note that decrypt-files.exe may be replaced with a different filename. In this case, 'Pacman' is the description of the process.
- Figure 2: The pacman.url file, as seen in the Start Menu's Startup folder.
- Figure 3: Properties of pacman.url, showing that the URL is a path to the original malware.
- Figure 4: Pacman ransom note.
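The following triage script is an added example written for this page and is not Fortinet's or the malware's code. It turns the observed characteristics above into checks a responder can run over a local folder or a mounted share: it flags files whose names follow the OriginalFileName.encrypted.ext format, recovers the original name, tells you whether a given file would have been targeted given the exclusion list, and reads the URL= target out of a pacman.url startup shortcut. It assumes that the ".encrypted" token in the naming format is literal, that the exclusion list is matched case-insensitively, and that pacman.url is a standard Windows [InternetShortcut] file; the sample folder tree it builds (including the path inside the shortcut) is constructed for the demonstration.

```python
"""Triage helpers for the Filecoder behaviour described above (added example).

Assumptions (not stated on the page): the ".encrypted" token in the naming
format is literal, extensions are compared case-insensitively, and pacman.url
is a standard Windows .url shortcut (INI file with an [InternetShortcut] section).
"""
import configparser
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Extensions the page reports as left alone by the encryptor (lower-case, with dot).
EXCLUDED_EXTENSIONS = {
    ".bat", ".bin", ".class", ".dll", ".dmp", ".exe", ".ini", ".jar",
    ".lnk", ".log", ".sys", ".tmp", ".ttf", ".xml",
}

# OriginalFileName.encrypted.ext, per the naming format stated on the page.
ENCRYPTED_NAME = re.compile(r"^(?P<name>.+)\.encrypted\.(?P<ext>[^.]+)$", re.IGNORECASE)


def would_be_targeted(filename: str) -> bool:
    """True if the file's extension is not on the exclusion list (assumed case-insensitive)."""
    return Path(filename).suffix.lower() not in EXCLUDED_EXTENSIONS


def original_name(encrypted_filename: str) -> Optional[str]:
    """Recover OriginalFileName.ext from an encrypted name; None if it does not match."""
    m = ENCRYPTED_NAME.match(encrypted_filename)
    if not m:
        return None
    return f"{m.group('name')}.{m.group('ext')}"


def find_encrypted_files(root: str) -> List[str]:
    """Walk root (a local folder or a mounted share) for names in the encrypted format."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for n in names:
            if ENCRYPTED_NAME.match(n):
                hits.append(os.path.join(dirpath, n))
    return sorted(hits)


def url_shortcut_target(path: str) -> Optional[str]:
    """Return the URL= value of a .url shortcut's [InternetShortcut] section, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read(path, encoding="utf-8")
    return cp.get("InternetShortcut", "URL", fallback=None)


def build_demo_tree() -> str:
    """Constructed sample data: an encrypted document, an untouched .exe, and a
    Startup folder holding pacman.url whose target path is made up for the demo."""
    root = tempfile.mkdtemp(prefix="filecoder_demo_")
    docs = Path(root, "Documents")
    docs.mkdir()
    (docs / "budget.encrypted.xlsx").write_bytes(b"\x00" * 16)
    (docs / "setup.exe").write_bytes(b"MZ")
    startup = Path(root, "Startup")
    startup.mkdir()
    (startup / "pacman.url").write_text(
        "[InternetShortcut]\r\n"
        "URL=file:///C:/Users/victim/AppData/Local/Temp/decrypt-files.exe\r\n"
    )
    return root


def triage(root: str) -> Dict[str, object]:
    """Summarise the two indicators over a tree: encrypted file names and the
    startup shortcut's target (the path the dropped .url points back to)."""
    shortcut = Path(root, "Startup", "pacman.url")
    return {
        "encrypted_files": [os.path.relpath(p, root) for p in find_encrypted_files(root)],
        "startup_link_target": url_shortcut_target(str(shortcut)) if shortcut.exists() else None,
    }


if __name__ == "__main__":
    demo_root = build_demo_tree()
    result = triage(demo_root)
    for f in result["encrypted_files"]:
        print(f"encrypted: {f} -> original name {original_name(os.path.basename(f))}")
    print("startup shortcut target:", result["startup_link_target"])
```

Run it against the real Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup) and against any share the host had mounted, since the page notes that shares on the same subnet are encrypted too; the URL target tells you where the dropper sits for collection before the file is quarantined.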
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Detection Availability

Product | Signature database
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |