W32/RaRansomware.2E5B!tr.ransom is a generic detection for the Ra Ransomware trojan. Since this is a generic detection, the malware it covers may vary in behaviour.
Below are some of its observed characteristics/behaviours:

  • This malware may drop any of the following file(s):
    • %AppData%\xxxxx\xxxxx.exe : This file is a copy of the original malware itself. Here each x is any lowercase letter.
    • %AppData%\xxxxx\public.key : This file is non-malicious and contains the public key used for the infected system.
    • %AppData%\xxxxx\private.enc : This file is non-malicious; it is a data file.
    • %CurrentPath%\README IMPORTANT.html : This HTML file serves as the ransom note.
    • %CurrentPath%\README IMPORTANT.txt : This text file serves as the ransom note.
    • %CurrentPath%\PERSONAL-ID.txt : This text file contains the ID unique to the victim.

  • Affected files of this ransomware are renamed using the format [Random].xxxxx, where each x is any lowercase letter.

  • This malware was also observed to affect/encrypt files located on shared drives within the same subnet.

  • This malware was also observed to affect/encrypt files located on USB or other external drives.

  • This malware attempts to inject a PE image into other processes.

  • This malware may apply any of the following registry modification(s):
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      • xxxxx = %AppData%\xxxxx\xxxxx.exe
      This automatically executes the dropped file every time the infected user logs on.

  • This malware may connect to any of the following remote site(s):
    • 8{Removed}.99.66.31
    • 2n{Removed}.co

  • Below is an illustration of the malware's ransom notes:

    • Figure 1: Ransom note.

    • Figure 2: Ransom note.

    • Figure 3: Unique ID.
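As an added defender-side example (not code from this page or from Fortinet), the following Python checks host artefacts against the dropped-file, ransom-note and Run-key patterns listed above. The sample file paths and Run values are constructed for the demo, and the %AppData% handling assumes the usual ...\AppData\Roaming expansion.

```python
import re

# Patterns taken from the indicators above: "xxxxx" is five lowercase letters,
# while the rest of a Windows path is compared case-insensitively.
NAME5 = re.compile(r"^[a-z]{5}$")
RANSOM_NOTES = {"readme important.html", "readme important.txt", "personal-id.txt"}
SIDE_FILES = {"public.key", "private.enc"}

def _parts(path):
    return [p for p in path.replace("/", "\\").split("\\") if p]

def _under_appdata(parts):
    # Accept the literal %AppData% variable or its usual expansion ...\AppData\Roaming.
    low = [p.lower() for p in parts]
    return low[-3:-2] == ["%appdata%"] or low[-4:-2] == ["appdata", "roaming"]

def is_appdata_drop(path):
    """%AppData%\\xxxxx\\xxxxx.exe, public.key or private.enc."""
    parts = _parts(path)
    if not _under_appdata(parts) or not NAME5.match(parts[-2]):
        return False
    stem, dot, ext = parts[-1].rpartition(".")
    return parts[-1].lower() in SIDE_FILES or (
        dot == "." and ext.lower() == "exe" and NAME5.match(stem) is not None)

def is_ransom_note(path):
    parts = _parts(path)
    return bool(parts) and parts[-1].lower() in RANSOM_NOTES

def is_run_persistence(value_name, value_data):
    """HKCU\\...\\Run value named xxxxx whose command is the dropped copy."""
    return NAME5.match(value_name) is not None and is_appdata_drop(value_data.strip('"'))

def triage(files, run_values):
    """Bucket host artefacts by the indicator class they match (empty list = no hit)."""
    return {
        "dropped": [f for f in files if is_appdata_drop(f)],
        "notes": [f for f in files if is_ransom_note(f)],
        "persistence": [f"{n} = {d}" for n, d in run_values.items() if is_run_persistence(n, d)],
    }

# Constructed sample host data for the demo (not indicators taken from the page).
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\qwert\qwert.exe",
    r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\firefox.exe",  # benign: wrong shape
    r"D:\Shares\finance\README IMPORTANT.html",
    r"D:\Shares\finance\PERSONAL-ID.txt",
]
SAMPLE_RUN = {"qwert": r'"%AppData%\qwert\qwert.exe"', "OneDrive": r"C:\Tools\OneDrive.exe"}
```

Calling triage(SAMPLE_FILES, SAMPLE_RUN) flags the qwert.exe drop, both note files and the qwert Run value while ignoring the benign entries; the five-letter extension of encrypted files is deliberately not matched on its own, since it collides with ordinary extensions.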

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.