W32/Encoder.D!tr.ransom

description-logoAnalysis

W32/Encoder.D!tr.ransom is a generic detection for a Ransomware Encoder trojan. Since this is a generic detection, this malware may have varying behaviour.
Below are some of its observed characteristics/behaviours:

  • This malware may drop any of the following file(s):
    • !!!HOW TO RECOVER ENCRYPTED FILES!!! : This file is dropped all over the affected hosts drive and will serve as ransom notes.
  • Affected files of this Ransomware will use the filenaming format {OriginalFileName.ext}.Omen
  • This malware was also observed to affect/encrypt files located on shared drives within the same subnet.
  • This malware was also observed to deletes itself after execution.
  • Affected victims of this Ransomware are redirected by the attacker via:
    • ProjectJoke@aol.com
    • projectjoke@airmail.cc
  • This malware may apply any of the following registry modification(s):
    • HKCU\Software\Microsoft\Windows\Currentversion\Run
      • ctfmon.exe = %Appdata%\Microsoft\Windows\ctfmon.exe
      This automatically executes the Ransomware every time the infected user logs on.
  • Below is an illustration of the malware's Ransom notes:
    • Figure 1: Ransom note.

recommended-action-logoRecommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry logoTelemetry

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2022-05-25 90.02622
2021-03-09 84.00585
2020-12-31 82.95500 Sig Updated
2020-03-24 76.19800 Sig Updated
2019-11-04 72.83800 Sig Updated
2019-10-22 72.51600 Sig Updated
2019-10-15 72.34800 Sig Updated
2019-09-20 71.74800 Sig Updated
2019-09-16 71.65700 Sig Updated
2019-09-06 71.41300 Sig Updated