Fenrir Ransomware pretends to be Adobe Acrobat Reader

July 7, 2017

This week, SonicWALL Threats research team has received reports of yet another ransomware called Fenrir. This ransomware purports to be an Adobe Reader file and appends an extension to encrypted files using the victim computer's HWID .

Infection Cycle:

This Trojan uses the following icon and file properties:

Upon execution, it makes the following DNS query:

It then proceeds to encrypt the victim's files. It appends a new extension to all encrypted files using the computer's HWID:

It also drops the following files:

  • %Desktop%Ransom.rtf

The file "Ransom.rtf" contains the instructions on how to pay to get your files back. It then displays a splash screen which has the same ransom message and intructions with a 72 hour countdown.

When you choose to click on the red "I will not pay" button, this message appears but then none of the files will be deleted:

If you click on the blue button which reads "I sent my payment, retrieve my files" it will ask for a password, presumably given if you had communicated with these cybrecriminals. Typing in a bogus password, does not really do anything, so it is unclear whether files will be retrieved once payment is made.

Because of the prevalence of these types of malware attacks, we urge our users to back up their files regularly.

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Fenrir.RSM (Trojan)