MSIL/ZeroLocker.46EF!tr.ransom
Analysis
MSIL/ZeroLocker.46EF!tr.ransom is a detection for a ZeroLocker Ransomware trojan.
Below are some of its observed characteristics/behaviours:
- This malware may drop any of the following file(s):
  - %SystemDrive%\ZeroLocker\address.txt: contains the Bitcoin address to which the ransom payment is to be sent.
  - %SystemDrive%\ZeroLocker\zerorescue.exe: during our tests this file was not successfully dropped. It is the target of the Run key entry listed below and is suspected to be a copy of the malware itself or another malicious file.
- Encrypted files are renamed using the format [OriginalFileName].encrypt.
- This ransomware restarts the system.
- This ransomware uses the Windows built-in cipher.exe.
- This malware may apply any of the following registry modification(s):
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    - FileRescue = "%SystemDrive%\ZeroLocker\zerorescue.exe"
- Below is an illustration of the malware's Ransom note:
- Figure 1: Ransom Note.
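As an added example (not from the Fortinet page or the analysis it summarises), the following PowerShell script checks a Windows host for the indicators listed above: the FileRescue Run key value, the dropped files under %SystemDrive%\ZeroLocker, files renamed to .encrypt, and a running cipher.exe. The function names, the exit-code convention and the default search root are this example's own assumptions.

```powershell
# Added triage script, not part of the Fortinet page or of the malware analysis.
# Checks a Windows host for the ZeroLocker indicators listed above.
# Function names and the default search root are this example's own choices.

function Get-ZeroLockerRunKeyHits {
    # Indicator: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value
    # "FileRescue" = "%SystemDrive%\ZeroLocker\zerorescue.exe"
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (-not (Test-Path $runKey)) { return @() }
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    (Get-ItemProperty -Path $runKey).PSObject.Properties |
        Where-Object { $providerProps -notcontains $_.Name } |
        Where-Object {
            $_.Name -ieq 'FileRescue' -or
            ([string]$_.Value) -match '(?i)\\zerolocker\\zerorescue\.exe'
        } |
        ForEach-Object {
            [pscustomobject]@{ Indicator = 'RunKey'; Name = $_.Name; Detail = [string]$_.Value }
        }
}

function Get-ZeroLockerDroppedFiles {
    # Indicators: %SystemDrive%\ZeroLocker\address.txt (ransom payment address) and
    # %SystemDrive%\ZeroLocker\zerorescue.exe (not observed dropped in the page's tests,
    # but checked anyway because the Run key points at it).
    $dir = Join-Path $env:SystemDrive 'ZeroLocker'
    foreach ($name in 'address.txt', 'zerorescue.exe') {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path
            [pscustomobject]@{ Indicator = 'DroppedFile'; Name = $path; Detail = "modified $($item.LastWriteTime)" }
        }
    }
}

function Get-ZeroLockerEncryptedFiles {
    # Indicator: victim files renamed to [OriginalFileName].encrypt.
    # Default root is the current user's profile; pass other roots (mapped drives,
    # shared folders) as needed.
    param([string[]]$Roots = @($env:USERPROFILE))
    Get-ChildItem -Path $Roots -Recurse -File -Filter '*.encrypt' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Indicator = 'EncryptedFile'; Name = $_.FullName; Detail = "modified $($_.LastWriteTime)" }
        }
}

function Get-ZeroLockerCipherActivity {
    # The page notes the malware runs Windows' own cipher.exe. cipher.exe is a legitimate
    # tool, so a running instance is corroborating evidence only, not proof on its own.
    Get-Process -Name cipher -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Indicator = 'CipherProcess'; Name = "PID $($_.Id)"; Detail = $_.Path }
        }
}

# Collect everything. Exit code 1 when any indicator is present, so the script can be
# pushed through a management tool and its result acted on centrally.
$hits = @(Get-ZeroLockerRunKeyHits) + @(Get-ZeroLockerDroppedFiles) +
        @(Get-ZeroLockerEncryptedFiles) + @(Get-ZeroLockerCipherActivity)

if ($hits.Count -eq 0) {
    Write-Output 'No ZeroLocker indicators found.'
    exit 0
}
$hits | Format-Table -AutoSize
# Remediation step, to run only after the hits are confirmed: remove the persistence entry.
# Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'FileRescue'
exit 1
```

The Run key indicator lives under HKEY_CURRENT_USER, so the script must run in the affected user's session (or be adapted to walk the loaded hives under HKEY_USERS) to see it; running it as a different administrative account will miss that entry while still finding the dropped files and .encrypt renames.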
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Detection Availability
- FortiGate
  - Extended
- FortiClient
- FortiMail
- FortiSandbox
- FortiWeb
  - Web Application Firewall
- FortiIsolator
- FortiDeceptor
- FortiEDR
Version Updates
Date | Version | Detail |
---|---|---|
2018-12-06 | 64.70300 | Sig Updated |