W32/Filecoder.NOZ!tr.ransom

Analysis

W32/Filecoder.NOZ!tr.ransom is a generic detection for a ransomware trojan. Since this is a generic detection, this malware may have varying behaviour.
Below are some of its observed characteristics/behaviours:

• This malware encrypts files on the victim’s computer and adds the file extension “.rapid” to the name of the file.


• This malware may drop any of the following files:
  
  • %AppData%\info.exe: This file is a copy of the original malware itself.
  • %AppData%\recovery.txt: This file is a ransom note.
    

    Figure 1: recovery.txt

    
    
  • !How Decrypt Files.txt: This file containing a ransom note is dropped in every folder.

    Figure 2: !How Decrypt Files.txt

    
    
  • How Recovery Files.txt: This file containing a ransom note is dropped in every folder.
  • %System32%\Tasks\Encrypter: This file defines a Windows task to execute %AppData%\info.exe, the malware copy.


• This malware may apply any of the following registry modifications:
  
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run
    
    • Encryper = %AppData%\info.exe
    This automatically executes the dropped file every time the infected user logs on.
    
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run
    
    • userinfo = %AppData%\recovery.txt
    This automatically displays the ransom note every time the infected user logs on.
    

Recommended Action

• Make sure that your FortiGate/FortiClient system is using the latest AV database.
• Quarantine/delete files that are detected and replace infected files with clean backup copies.