W32/Phobos.3257!tr.ransom

description-logoAnalysis

W32/Phobos.3257!tr.ransom is a generic detection for a Ransomware Phobos trojan. Since this is a generic detection, this malware may have varying behaviour.
Below are some of its observed characteristics/behaviours:

  • This malware may drop any of the following file(s):
    • %Desktop%\info.hta : This is an HTA file and will serve as ransom note.
    • %Desktop%\info.txt : This is a text file and will serve as ransom note.
  • This malware was also observed to affect/encrypt files located on shared drives within the same subnet.
  • This malware was also observed to delete shadow copies by using Microsoft WMIC program.
  • Affected victims of this Ransomware are redirected by the attacker via:
    • lockhelp@xmpp.jp
    • lockhelp@qq.com
  • Affected files of this Ransomware will use the filenaming format OriginalFileName.ext.id[ID].[Email].Extension, where italic strings are replaced.
  • Below are the file extensions and email addresses:
    • Extensions:
      • .acute
    • Email addresses:
      • lockhelp@qq.com
  • This malware may apply any of the following registry modification(s):
    • HKCU\Software\Microsoft\Windows\Currentversion\Run
      • [OriginalMalware].exe = %Appdata%\Local\[OriginalMalware].exe
      This automatically executes the Ransomware every time the infected user logs on.
  • Below is an illustration of the malware's ransom notes:
    • Figure 1: Ransom note.
    • Figure 2: Ransom note.

recommended-action-logoRecommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry logoTelemetry

Detection Availability

FortiClient
Extreme
FortiMail
Extreme
FortiSandbox
Extreme
FortiWeb
Extreme
Web Application Firewall
Extreme
FortiIsolator
Extreme
FortiDeceptor
Extreme
FortiEDR

Version Updates

Date Version Detail
2019-08-13 70.68900 Sig Updated
2019-07-18 70.07200 Sig Updated