W32/Stop.BO!tr.ransom

Analysis

W32/Stop.BO!tr.ransom is a generic detection for a Ransomware Stop trojan. Since this is a generic detection, this malware may have varying behaviour.
Below are some of its observed characteristics/behaviours:

• This malware may drop any of the following file(s):
  • %ProgramFiles%\Company\64Product\1.exe : This file is a dropped component of the Ransomware and is detected as W32/Kryptik.GUUL!tr.
  • %ProgramFiles%\Company\64Product\1.exe : This file is a dropped component of the Ransomware and is also detected as W32/Kryptik.GUUL!tr. A copy of this file is also later dropped in the path %AllUsersProfile%\216c40503e\kntd.exe.
  • %WinDir%\ADS.reg : This file is a dropped component of the Ransomware that modifies the system registry files.
  • _readme.txt : This file is dropped all over the affected hosts drive and will serve as ransom notes.
• Affected files of this Ransomware will use the filenaming format OriginalFileName.ext.madek, where italic strings are replaced.
• This malware was also observed to affect/encrypt files located on shared drives within the same subnet.
• Affected victims of this Ransomware are redirected by the attacker via:
  • gorentos@bitmessage.ch
  • varasto@firemail.cc
• This malware may connect any of the following remote site(s):
  • 78.90.{removed}.124
  • 95.111.{removed}.122
  • amn{removed}.com
  • bru{removed}.com
  • eli{removed}.net
  • dsn{removed}.top
• This malware may apply any of the following registry modification(s):
  • HKU\S-1-5-21-4066781692-1635331123-XXXXXXXXX-XXXX\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
    • UNCAsIntranet = 0
    • AutoDetect = 1
    The above modifications lowers the internet security settings.
• Below is an illustration of the malware's Ransom notes:

  Figure 1: Ransom note.

Recommended Action

• Make sure that your FortiGate/FortiClient system is using the latest AV database.
• Quarantine/delete files that are detected and replace infected files with clean backup copies.