W32/Filecoder.OBF!tr.ransom

description-logoAnalysis

W32/VHD.OBF!tr.ransom is a generic detection for ransomware trojans released by the Lazarus group.

  • Following are some of the near/exact IOCs/file hash associated with this detection:
    • 6d12547772b57a6da2b25d2188451983 - W32/VHD.1983!tr.ransom
    • ccc6026acf7eadada9adaccab70ca4d6 - W32/VHD.A4D6!tr.ransom
    • d0806c9d8bcea0bd47d80fa004744d7d - W32/VHD.A4D6!tr.ransom
    • dd00a8610bb84b54e99ae8099db1fc20 - W32/VHD.OBF!tr.ransom
    • efd4a87e7c5dcbb64b7313a13b4b1012 - W32/VHD.1012!tr.ransom
  • The following are some illustrations related to the malware during our quick analysis:
    • Figure 1: Ransom note.

recommended-action-logoRecommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry logoTelemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2023-05-15 91.03286
2023-03-28 91.01837
2023-03-27 91.01810
2022-01-25 89.09023
2021-11-22 89.07110
2021-11-22 89.07105
2020-10-30 81.47400 Sig Updated
2020-09-22 80.56100 Sig Updated
2020-08-01 79.30200 Sig Updated
2020-07-31 79.29200 Sig Updated