W32/Stop.BO!tr.ransom
Analysis
W32/Stop.BO!tr.ransom is a generic detection for the Stop ransomware trojan. Because the detection is generic, the samples it matches may differ in behaviour.
Below are some of its observed characteristics/behaviours:
- This malware may drop any of the following file(s):
- %ProgramFiles%\Company\64Product\1.exe : This file is a dropped component of the Ransomware and is detected as W32/Kryptik.GUUL!tr. A copy of this file is later dropped at %AllUsersProfile%\216c40503e\kntd.exe.
- %WinDir%\ADS.reg : This file is a dropped component of the Ransomware; it is a registry script whose import applies changes to the system registry.
- _readme.txt : This file is dropped throughout the affected host's drives and serves as the ransom note.
- Files encrypted by this Ransomware are renamed using the format OriginalFileName.ext.madek, i.e. the .madek extension is appended after the file's original name and extension.
- This malware was also observed to encrypt files located on shared drives reachable within the same subnet.
- The ransom note directs victims to contact the attacker at the following e-mail addresses:
- gorentos@bitmessage.ch
- varasto@firemail.cc
- This malware may connect to any of the following remote site(s):
- 78.90.{removed}.124
- 95.111.{removed}.122
- amn{removed}.com
- bru{removed}.com
- eli{removed}.net
- dsn{removed}.top
- This malware may apply any of the following registry modification(s) (these values are Internet Explorer security-zone settings that control whether UNC paths are mapped to the Local Intranet zone and whether the intranet is auto-detected):
- HKU\S-1-5-21-4066781692-1635331123-XXXXXXXXX-XXXX\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  - UNCAsIntranet = 0
  - AutoDetect = 1
Below is an illustration of the malware's ransom note:
Figure 1: Ransom note (image not reproduced in this text).
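The file indicators above (the dropped component paths, the _readme.txt note, the OriginalFileName.ext.madek renaming and the contact addresses) can be applied mechanically to a file listing collected from a suspect host. The following Python script is an added example written for this entry, not Fortinet's own tooling or code from the malware: it expands the %VAR% paths against assumed environment values (hypothetical; read the real ones from the host), recovers original file names from .madek files, and flags the dropped components and ransom notes. The sample path list is constructed for illustration, not taken from a real infection, and the redacted network indicators are not matched because the entry does not give them in full.

```python
"""
Added example (not part of the Fortinet entry): a file-system triage helper
that applies this entry's file indicators to a list of paths collected from
a host, e.g. the output of `dir /s /b` or `Get-ChildItem -Recurse`.
Network indicators are omitted because the entry redacts them.
"""
import ntpath
import re

# Indicators quoted from the entry. Environment variables are kept in their
# %VAR% form and expanded against the host's actual values at match time.
DROPPED_COMPONENTS = [
    r"%ProgramFiles%\Company\64Product\1.exe",
    r"%AllUsersProfile%\216c40503e\kntd.exe",
    r"%WinDir%\ADS.reg",
]
RANSOM_NOTE = "_readme.txt"
ENCRYPTED_EXT = ".madek"
CONTACT_EMAILS = {"gorentos@bitmessage.ch", "varasto@firemail.cc"}

# Assumed host environment (hypothetical values; on a real host read them
# from os.environ of the triaged system).
DEFAULT_ENV = {
    "ProgramFiles": r"C:\Program Files",
    "AllUsersProfile": r"C:\ProgramData",
    "WinDir": r"C:\Windows",
}


def expand(path, env):
    """Expand %VAR% tokens case-insensitively, the way cmd.exe does."""
    lower = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lower.get(m.group(1).lower(), m.group(0)),
                  path)


def original_name(path):
    """Undo the OriginalFileName.ext.madek renaming. Returns None when the
    path does not end in .madek (NTFS names are case-insensitive, so the
    comparison is too)."""
    if not path.lower().endswith(ENCRYPTED_EXT):
        return None
    return path[:-len(ENCRYPTED_EXT)]


def triage(paths, env=DEFAULT_ENV):
    """Classify each path as dropped component, ransom note or encrypted file."""
    dropped = {expand(p, env).lower() for p in DROPPED_COMPONENTS}
    result = {"dropped_components": [], "ransom_notes": [], "encrypted": {}}
    for p in paths:
        norm = p.lower()
        if norm in dropped:
            result["dropped_components"].append(p)
        elif ntpath.basename(norm) == RANSOM_NOTE:
            result["ransom_notes"].append(p)
        else:
            orig = original_name(p)
            if orig is not None:
                result["encrypted"][p] = orig
    return result


def note_mentions_attacker(note_text):
    """True if ransom-note text contains either contact address from the entry."""
    found = set(re.findall(r"[\w.+-]+@[\w.-]+", note_text))
    return bool(found & CONTACT_EMAILS)


# Constructed sample listing (not from a real infection). Network-share
# paths are included because the entry reports encryption of shared drives.
SAMPLE_PATHS = [
    r"C:\Program Files\Company\64Product\1.exe",
    r"C:\ProgramData\216c40503e\kntd.exe",
    r"C:\Windows\ADS.reg",
    r"C:\Users\alice\Documents\_readme.txt",
    r"C:\Users\alice\Documents\budget.xlsx.madek",
    r"C:\Users\alice\Pictures\holiday.JPG.MADEK",
    r"C:\Users\alice\Documents\notes.txt",
    r"\\fileserver\share\_readme.txt",
    r"\\fileserver\share\report.docx.madek",
]

if __name__ == "__main__":
    r = triage(SAMPLE_PATHS)
    print(f"dropped components: {len(r['dropped_components'])}")
    print(f"ransom notes:       {len(r['ransom_notes'])}")
    for enc, orig in r["encrypted"].items():
        print(f"encrypted: {enc} -> {orig}")
```

Feed `triage()` the full recursive listing of every local drive and every share the host could reach; a ransom note or .madek file on a share is evidence that the share, not just the host, needs restoring from backup.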
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies. Because this malware also encrypts files on shared drives, confirm that the backup copy was not itself reachable from the infected host before restoring from it.
Telemetry
Detection Availability

Product | Availability
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |