MSIL/ZeroLocker.46EF!tr.ransom

Analysis

MSIL/ZeroLocker.46EF!tr.ransom is a detection for a ZeroLocker Ransomware trojan.
Below are some of its observed characteristics/behaviours:

  • This malware may drop any of the following file(s):
    • %Systemdrive%\ZeroLocker\address.txt : This file contains the address to which the bitcoin payment is to be sent.
    • %Systemdrive%\zerolocker\zerorescue.exe : During our tests the file pointed to was not successfully dropped; we suspect that it is intended to be a copy of the malware itself or another malicious file.

  • Affected files of this Ransomware will use the file-naming format [OriginalFileName].encrypt.

  • This Ransomware will restart the system.

  • This Ransomware uses cipher.exe from Windows.

  • This malware may apply any of the following registry modification(s):
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run
      • FileRescue = "%systemdrive%\\zerolocker\\zerorescue.exe"
      This automatically executes the dropped file every time the infected user logs on.

  • Below is an illustration of the malware's Ransom note:

    Figure 1: Ransom Note.
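The indicators listed above (the two dropped files, the FileRescue Run-key value and the [OriginalFileName].encrypt naming) can be turned into a host-triage check. The Python below is an added example written for this page, not Fortinet's code: it takes a dict of exported Run-key values and a flat list of file paths, normalises them the way Windows would (case-insensitive, %SystemDrive% expanded, doubled backslashes from registry exports collapsed) and reports which indicators match. The function names and the sample host data are constructed for illustration.

```python
"""Offline triage check for the ZeroLocker indicators described above.

Added example (not Fortinet's code). Inputs are what an analyst would export
from a host: Run-key values as a nested dict and a flat list of file paths.
The sample data at the bottom is constructed for illustration.
"""
import ntpath
import re

# Indicators taken from the write-up. Windows paths and registry names are
# case-insensitive, so every comparison below is done on lower-cased text.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "FileRescue"
DROPPED_FILES = (
    r"%systemdrive%\zerolocker\address.txt",
    r"%systemdrive%\zerolocker\zerorescue.exe",
)
ENCRYPTED_SUFFIX = ".encrypt"


def normalize_path(path, systemdrive="C:"):
    """Canonicalise a Windows path the way a registry/NTFS lookup would see it:
    strip surrounding quotes, collapse the doubled backslashes often seen in
    exported registry data, expand %SystemDrive% and lower-case the result."""
    p = path.strip().strip('"')
    p = p.replace("\\\\", "\\")
    p = re.sub(r"%systemdrive%", lambda _m: systemdrive, p, flags=re.IGNORECASE)
    return ntpath.normpath(p).lower()


def triage(run_entries, file_paths, systemdrive="C:"):
    """Return a dict of findings:
       persistence: (key, value_name, data) tuples matching the FileRescue entry
       dropped:     paths matching either of the two dropped files
       encrypted:   (path, original_name) for files carrying the .encrypt suffix
    """
    findings = {"persistence": [], "dropped": [], "encrypted": []}
    dropper = normalize_path(DROPPED_FILES[1], systemdrive)
    dropped = {normalize_path(f, systemdrive) for f in DROPPED_FILES}

    for key, values in run_entries.items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            # Either the value name or the target path alone is enough to flag.
            if (name.lower() == RUN_VALUE_NAME.lower()
                    or normalize_path(data, systemdrive) == dropper):
                findings["persistence"].append((key, name, data))

    for path in file_paths:
        if normalize_path(path, systemdrive) in dropped:
            findings["dropped"].append(path)
        base = ntpath.basename(path)
        if base.lower().endswith(ENCRYPTED_SUFFIX):
            # Naming scheme is [OriginalFileName].encrypt, so strip one suffix
            # to recover the name the victim would recognise.
            findings["encrypted"].append((path, base[: -len(ENCRYPTED_SUFFIX)]))
    return findings


# Constructed sample input, not captured from a real host.
SAMPLE_RUN_ENTRIES = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run": {
        "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
        "FileRescue": r"%systemdrive%\\zerolocker\\zerorescue.exe",
    },
}
SAMPLE_FILES = [
    r"C:\ZeroLocker\address.txt",
    r"C:\Users\alice\Documents\budget.xlsx.encrypt",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Pictures\holiday.jpg.ENCRYPT",
]

if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_RUN_ENTRIES, SAMPLE_FILES).items():
        for hit in hits:
            print(f"[{kind}] {hit}")
```

The matching deliberately treats the value name and the target path as independent signals, so a renamed value that still points at zerorescue.exe, or a FileRescue value pointing somewhere else, is still surfaced for review.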


Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate: Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb: Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2018-12-06 64.70300 Sig Updated