W32/FilecoderPrestige.A!tr.ransom

Analysis

W32/FilecoderPrestige.A!tr.ransom is a generic detection for a ransomware trojan.
Since this is a generic detection, malware detected as W32/FilecoderPrestige.A!tr.ransom may have varying behaviour.
Below are some of its observed characteristics/behaviours:

  • This malware is associated with the Prestige ransomware outbreak.

  • Upon execution, this ransomware traverses the victim's system and encrypts files, excluding those found in C:\Windows\ and C:\ProgramData\Microsoft\. The encrypted files have the extension ".enc" appended to the file name.

  • Files with the following extensions will be targeted:

  • A ransom note, named "README", is dropped into C:\ and C:\Users\Public\. The note instructs the victim to contact the attacker via email to purchase decryption software. Affected users are discouraged from taking this action, as payment does not guarantee the retrieval of data.

  • The ransomware uses "vssadmin.exe" and "wbadmin.exe" to delete all shadow copies and backup catalogs, preventing system recovery.

  • This malware adds the following registry entries so that the ransom note is displayed whenever a user attempts to open a file with the extension ".enc":

    • HKEY_CLASSES_ROOT\.enc
      • Value: @
      • Data: "enc"

    • HKEY_CLASSES_ROOT\enc\shell\open\command
      • Value: @
      • Data: "C:\Windows\Notepad.exe C:\Users\Public\README"

  • Below are images of the result of executing the ransomware (images not reproduced here):

    • Figure 1: Encrypted files
    • Figure 2: Ransom note
    • Figure 3: Added registry entry


  • The following are file hashes associated with this detection:
    • MD5: 8119c78b7cfb7d9ce37286ec9fc263e2
    • SHA256: 5fc44c7342b84f50f24758e39c8848b2f0991e8817ef5465844f5f2ff6085a57
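The host artifacts listed above (shadow-copy and backup-catalog deletion, the ".enc" extension outside the two excluded trees, the README note locations, and the HKEY_CLASSES_ROOT handler that opens the note) can be checked offline against collected telemetry. The following is an added example, not code from the Fortinet entry; the command-line samples and the file and registry listings are constructed, since the page names only the two tools and the registry keys.

```python
# Added example (not from the Fortinet entry): offline triage of constructed
# host telemetry for the Prestige artifacts described in the analysis.
import re

# Assumed command-line forms; the page only names vssadmin.exe and wbadmin.exe.
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)
CATALOG_DELETE = re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)
NOTE_PATHS = {r"c:\readme", r"c:\users\public\readme"}   # README drop locations
EXT_KEY = r"hkey_classes_root\.enc"                       # .enc -> "enc" ProgID
HANDLER_KEY = r"hkey_classes_root\enc\shell\open\command" # opens the note
EXCLUDED_TREES = ("c:\\windows\\", "c:\\programdata\\microsoft\\")


def triage(cmdlines, paths, registry):
    """Return the Prestige indicators present in the supplied telemetry.

    cmdlines: process command lines; paths: file paths seen on disk;
    registry: {key: {value_name: data}}, "@" being the default value.
    """
    reg = {k.lower(): v for k, v in registry.items()}
    handler = reg.get(HANDLER_KEY, {}).get("@", "")
    found = {
        "shadow_copy_deletion": any(SHADOW_DELETE.search(c) for c in cmdlines),
        "backup_catalog_deletion": any(CATALOG_DELETE.search(c) for c in cmdlines),
        # Renamed files, ignoring the two trees the ransomware skips.
        "enc_files": sum(1 for p in paths if p.lower().endswith(".enc")
                         and not p.lower().startswith(EXCLUDED_TREES)),
        "ransom_notes": sorted(p for p in paths if p.lower() in NOTE_PATHS),
        # .enc mapped to the "enc" ProgID whose open command launches README.
        "handler_hijack": reg.get(EXT_KEY, {}).get("@", "").lower() == "enc"
                          and "readme" in handler.lower(),
    }
    found["indicator_count"] = (found["shadow_copy_deletion"]
                                + found["backup_catalog_deletion"]
                                + (found["enc_files"] > 0)
                                + bool(found["ransom_notes"])
                                + found["handler_hijack"])
    return found


# Constructed sample telemetry mimicking an affected host.
SAMPLE_CMDLINES = ["C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
                   "wbadmin.exe delete catalog -quiet",
                   "C:\\Windows\\Notepad.exe C:\\Users\\Public\\README"]
SAMPLE_PATHS = [r"C:\Users\alice\Documents\budget.xlsx.enc",
                r"C:\Users\alice\Pictures\holiday.jpg.enc",
                r"C:\Windows\Temp\cache.enc",   # excluded tree, not counted
                r"C:\README", r"C:\Users\Public\README"]
SAMPLE_REGISTRY = {r"HKEY_CLASSES_ROOT\.enc": {"@": "enc"},
                   r"HKEY_CLASSES_ROOT\enc\shell\open\command":
                       {"@": r"C:\Windows\Notepad.exe C:\Users\Public\README"}}

if __name__ == "__main__":
    for name, value in triage(SAMPLE_CMDLINES, SAMPLE_PATHS, SAMPLE_REGISTRY).items():
        print(f"{name}: {value}")
```

Feed it real command-line, file and registry collections from an EDR or forensic export in the same shapes; an indicator_count of 0 on a clean host and 5 on a fully affected one bounds the expected range.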

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date        Version    Detail
2023-08-15  91.06054
2022-11-25  90.08163
2022-11-25  90.08157