W32/Encoder.D!tr.ransom
Analysis
W32/Encoder.D!tr.ransom is a generic detection for a ransomware encoder trojan. Because the detection is generic, samples covered by it may vary in behaviour.
Below are some of the observed characteristics and behaviours:
- This malware may drop the following file(s):
  - !!!HOW TO RECOVER ENCRYPTED FILES!!! : this file is dropped across the affected host's drives and serves as the ransom note.
- Encrypted files are renamed using the format {OriginalFileName.ext}.Omen
- This malware was also observed to encrypt files located on shared drives within the same subnet.
- This malware was also observed to delete itself after execution.
- Victims of this ransomware are directed to contact the attacker via the following e-mail addresses:
  - ProjectJoke@aol.com
  - projectjoke@airmail.cc
- This malware may apply the following registry modification(s):
  - HKCU\Software\Microsoft\Windows\Currentversion\Run
    - ctfmon.exe = %Appdata%\Microsoft\Windows\ctfmon.exe
- Below is an illustration of the malware's ransom note:
  - Figure 1: Ransom note.
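The indicators above (the .Omen extension, the ransom note file name, the Run-key persistence entry pointing at a ctfmon.exe copy under %Appdata%, and the contact addresses) can be turned into a simple triage check. The following script is an added example and is not Fortinet's code or part of the detection itself; the file paths, Run-key values and note text it scans are constructed sample data, and the check treats ctfmon.exe as suspicious only when it is launched from an AppData location rather than from the Windows system directory where the legitimate binary lives.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the characteristics listed on this page.
RANSOM_NOTE_NAME = "!!!HOW TO RECOVER ENCRYPTED FILES!!!"
ENCRYPTED_EXT = ".omen"                     # compared case-insensitively
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
CONTACT_EMAILS = {"projectjoke@aol.com", "projectjoke@airmail.cc"}

# Persistence value: ctfmon.exe launched from an AppData path (the genuine
# ctfmon.exe ships in the Windows system directory, not in a user profile).
PERSISTENCE_RE = re.compile(r"(?:%appdata%|\\appdata\\).*\\ctfmon\.exe", re.IGNORECASE)


def classify_path(path: str) -> str:
    """Return 'encrypted', 'ransom_note' or 'clean' for one file path."""
    p = PureWindowsPath(path)
    if p.suffix.lower() == ENCRYPTED_EXT:
        return "encrypted"
    # The note may be dropped with or without an extension; match on the stem.
    if p.name.upper().startswith(RANSOM_NOTE_NAME):
        return "ransom_note"
    return "clean"


def scan_paths(paths):
    """Summarise a file listing: recovered original names, note locations,
    and the UNC hosts whose shares contain encrypted files."""
    result = {"encrypted": [], "ransom_notes": [], "shared_hosts": set()}
    for path in paths:
        kind = classify_path(path)
        p = PureWindowsPath(path)
        if kind == "encrypted":
            # Strip the appended .Omen to get the original file name back.
            result["encrypted"].append(p.name[: -len(p.suffix)])
            if p.drive.startswith("\\\\"):            # UNC path => shared drive
                result["shared_hosts"].add(p.drive.lstrip("\\").split("\\")[0])
        elif kind == "ransom_note":
            result["ransom_notes"].append(path)
    return result


def check_run_values(run_values):
    """Flag Run-key values that launch ctfmon.exe from an AppData location.
    run_values maps value name -> value data, as exported from RUN_KEY."""
    return [(name, data) for name, data in run_values.items()
            if PERSISTENCE_RE.search(data)]


def find_contact_emails(note_text: str):
    """Return the attacker contact addresses from this page found in a note."""
    found = set(m.lower() for m in re.findall(r"[\w.+-]+@[\w-]+\.[\w.]+", note_text))
    return sorted(found & CONTACT_EMAILS)


# --- Constructed sample data (not taken from a real host) -------------------
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.Omen",
    r"C:\Users\alice\Documents\!!!HOW TO RECOVER ENCRYPTED FILES!!!.txt",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Users\alice\Downloads\omen.txt",            # 'omen' in name, not the extension
    r"\\fileserver\share\report.docx.Omen",
    r"\\fileserver\share\!!!HOW TO RECOVER ENCRYPTED FILES!!!",
]
SAMPLE_RUN_VALUES = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "ctfmon.exe": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\ctfmon.exe",
}
SAMPLE_NOTE_TEXT = ("Your files have been encrypted. "
                    "Write to ProjectJoke@aol.com or projectjoke@airmail.cc")


def has_indicators(paths, run_values, note_text=""):
    """True when any of the page's indicators is present."""
    files = scan_paths(paths)
    return bool(files["encrypted"] or files["ransom_notes"]
                or check_run_values(run_values) or find_contact_emails(note_text))


if __name__ == "__main__":
    print(scan_paths(SAMPLE_PATHS))
    print(check_run_values(SAMPLE_RUN_VALUES))
    print(find_contact_emails(SAMPLE_NOTE_TEXT))
    print("indicators present:", has_indicators(SAMPLE_PATHS, SAMPLE_RUN_VALUES, SAMPLE_NOTE_TEXT))
```

The listing scan is intentionally extension-based: a file whose name merely contains "omen" is not flagged, while the ransom note is matched on its stem because the page does not state which extension (if any) the dropped note carries. The shared-host set gives an incident responder a quick list of file servers to isolate and check, consistent with the observation that the malware encrypts files on reachable shares.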
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine or delete files that are detected, and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Availability |
---|---|
FortiGate | |
Extended | |
FortiClient | |
FortiMail | |
FortiSandbox | |
FortiWeb | |
Web Application Firewall | |
FortiIsolator | |
FortiDeceptor | |
FortiEDR | |
Version Updates
Date | Version | Detail |
---|---|---|
2022-05-25 | 90.02622 | |
2021-03-09 | 84.00585 | |
2020-12-31 | 82.95500 | Sig Updated |
2020-03-24 | 76.19800 | Sig Updated |
2019-11-04 | 72.83800 | Sig Updated |
2019-10-22 | 72.51600 | Sig Updated |
2019-10-15 | 72.34800 | Sig Updated |
2019-09-20 | 71.74800 | Sig Updated |
2019-09-16 | 71.65700 | Sig Updated |
2019-09-06 | 71.41300 | Sig Updated |