On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.
This edition of the Ransomware Roundup covers Trash Panda and a new minor variant of the NoCry ransomware.
Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Encrypts and exfiltrates victims’ files and demands ransom for file decryption
Severity level: High
Trash Panda is a ransomware that runs on the Windows platform that was first spotted in early August. It encrypts files on compromised machines, replaces the desktop wallpaper, and drops a ransom note that includes politically themed messages.
Information about the infection vector used by the Trash Panda ransomware threat actor is not currently available. However, it is unlikely to be significantly different from other ransomware groups.
Trash Panda ransomware samples have been submitted to a public file scanning service from the following countries:
Once the Trash Panda ransomware is executed, it launches a Command Prompt that clearly states that it’s encrypting files.
Figure 1: Command Prompt screen displayed by the Trash Panda ransomware
It encrypts files on the compromised machine except for files with the following file extensions:
.diagcab, .cpl, .mod, .bat, .nls, .ldf, .dll, .ps1, .adv, .prf .idx,.rtp, .ocx, .icl, .ani, .cab, .rom, .key, .wpx, .icns, .themepack, .msc, .msp, .cur, .theme, .cmd, .diagpkg, .lnk, .ico, .drv, .bin, .nomedia, .lock, .mpa, .hlp, .scr, .shs, .com, .ics, .hta, .msi, .exe, .diagcfg, .msu, .deskthe, .mepack, .386, .msstyles, .spl, .sys
The ransomware adds a “.monochromebear” extension to the files it encrypts.
Figure 2. Files encrypted by the Trash Panda ransomware
Figure 3: Ransom note dropped by the Trash Panda ransomware
While no definitive conclusion can be made, the following message included in the ransom note provides a clue as to the possible origin of the Trash Panda ransomware and the country it targets:
Let’s make a D341 (Deal). You free our people. We free your data. We don't care your data. We don't care money. We want our family to return back to us and YOU GET OUT OFF OUR MOTHERLAND.
The ransomware also replaces the desktop wallpaper, which asks victims to check the dropped readme file.
Figure 4: Desktop wallpaper replaced by the Trash Panda ransomware
NoCry is a ransomware designed for the Windows platform that was first discovered in April 2021. NoCry ransomware variants are generated by NoCry ransomware builders and sold on the group’s Telegram channel.
Figure 5: NoCry ransomware builder 1.3.5
It appears that this NoCry ransomware variant was hosted on a website with a URL containing the name of a private bank in India as a string ([bank’s name]-india[.]github[.]io/Start[.]exe), so we believe that the threat actor used the bank as bait or to make the file look legitimate.
The NoCry ransomware variant was submitted to a public file scanning service from the following locations:
Once executed, this NoCry ransomware variant encrypts files on the compromised machines, adds a ".rcry" extension to the encrypted files, and displays a ransom note.
Figure 6: Ransom note displayed by the NoCry ransomware variant
An interesting aspect of this ransomware is that it specifies USDT-TRC20 as the ransom payment. USDT-TRC20 is a stablecoin issued by Tether on the TRON network. It is pegged to the U.S. dollar and designed so that one USDT is approximately equal to one USD.
The Bitly link in the ransom note leads to a Web page of a purported cybersecurity company based in California that offers services such as data encryption, malware removal, and firewalls with pricing plans. The Web site was created using a website builder called “Pineapple Builder.” The Pineapple badge at the bottom right of the Web site indicates that it was created using the free version. To use the services offered by this company, users must pay the fee in the same cryptocurrency to the same address specified by this ransomware. While we cannot say with certainty, it seems likely that the ransomware threat actor fabricated this company or website to collect additional money from users. This also indicates that the group uses multiple traps to increase the financial success of their attack.
Figure 7: Service pricing listed on the alleged cyber security company
Figure 8: Payment information listed on the Web site
According to Tronscan (tronscan[.]org), the attacker’s wallet has received a few transactions. Since all incoming transactions have been less than 50 USDT, however, it's safe to assume that neither the NoCry ransomware variant nor the related fake service had successfully victimized anyone at the time of writing.
Figure 9: Transactions recorded on the attacker’s wallet
The ransomware also drops a separate ransom note in an HTML file labeled “How to Decrypt My Files.html.”
Figure 10: Files encrypted by the NoCry ransomware variant
Figure 11: Ransom note dropped by the NoCry ransomware variant
Fortinet customers are already protected from these malware variants through AntiVirus and FortiEDR services, as follows:
FortiGuard Labs detects the Trash Panda ransomware sample with the following AV signature:
FortiGuard Labs detects the NoCry ransomware variant with the following AV signature:
The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Fortinet EPP customers running current AntiVirus updates are also protected.
The FortiGuard Web Filtering Service blocks the NoCry ransomware distribution site and the associated potential scam site.
File-based IOCs:
SHA2 |
Malware |
ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db |
Trash Panda ransomware |
521357a0f9669de4a9233feeef7a3c5299c51de4a2531c56aacc807c0fd25a6a |
A minor variant of NoCry ransomware |
Due to the ease of disruption, damage to daily operations, potential impact on an organization’s reputation, and the unwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS signatures up to date.
Since the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:
The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.
Our FREE NSE training: NSE 1 – Information Security Awareness includes a module on internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks and can be easily added to internal training programs.
Organizations will need to make foundational changes to the frequency, location, and security of their data backups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices; advanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and resources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a successful ransomware attack.
As part of the industry's leading fully integrated Security Fabric, delivering native synergy and automation across your security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.
Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom partly because the payment does not guarantee that files will be recovered. According to a U.S. Department of Treasury's Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes Complaint Center (IC3).
FortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is detected. And our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises).