The SonicWall Capture Labs Threat Research Team observed reports of a new variant family of Ferrlock ransomware [Ferrlock.RSM] actively spreading in the wild.
The FERRLOCK ransomware encrypts the victim’s files with a strong encryption algorithm until the victim pays a fee to get them back.
Infection Cycle:
The ransomware adds the following files to the system:
-
Malware.exe
- % App.path%\!=How_recovery_files=!.txt
- Instruction for recovery
- %App.path%\ [Name]. yoba
- % App.path%\!=How_recovery_files=!.txt
Once the computer is compromised, the ransomware runs the following commands:
The ransomware encrypts all the files and appends the [.yoba] extension onto each encrypted file’s filename.
After encrypting all personal documents, the ransomware shows the following text file containing a message reporting that the computer has been encrypted and to contact its developer for unlock instructions.
SonicWall Capture Labs provides protection against this threat via the following signature:
- GAV: Ferrlock.RSM (Trojan)
This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.
