Attention: We have transitioned to a new AAD or Microsoft Entra ID from the week of May 20, 2024. In case your tenant requires admin consent, please refer to this document located at Overview of user and admin consent - Microsoft Entra ID | Microsoft Learn and grant access to App ID: 6ba09155-cb24-475b-b24f-b4e28fc74365 with graph permissions for Directory.Read.All and User.Read for continued access. While the app may appear unverified, you can confirm its legitimacy by verifying the App ID provided.
Ransom:Win64/Filecoder!MTB is a generic ransomware name, similar to Snatch ransomware. This ransomware uses the Rivest-Shamir-Adleman (RSA) and Advanced Encryption Standard (AES) algorithms to encrypt files and restarts the infected device in safe mode.
To mitigate the issue, follow these steps:
Apply security updates promptly, especially for the specified vulnerabilities, on all applications and operating systems. Consult the Microsoft Security Update Guide for comprehensive information on available Microsoft Security updates.
Follow the principle of least privilege and maintain credential hygiene. Avoid using domain-wide, admin-level service accounts. Restrict local administrative privileges to mitigate the potential installation of remote access trojans (RATs) and other undesirable applications.
Network segmentation is useful in constraining the propagation of malware infections. The process involves partitioning a network into smaller segments, effectively confining an infection to a single segment rather than permitting its unrestricted spread across the entire network.
Promote the use of Microsoft Edge and other web browsers that support SmartScreen, a feature identifying and blocking malicious websites, including phishing sites, scam sites, and those hosting exploits or malware.
Block the launch of downloaded executable content by disabling JavaScript or VBScript.
Threat behavior
Ransom:Win64/Filecoder!MTB is ransomware written in the Go programming language. Upon launch, it generates several batch files for running, such as:
Listing service names
Deleting shadow copies
The ransomware scans the hard drive from drive A: to Z:, stores folder information containing files to encrypt, and then creates a ransom note named "HOW TO RESTORE YOUR FILES.TXT" in each folder.
Here is an example of the ransom note:
It then encrypts the files using the Advanced Encryption Standard (AES) algorithm and appends a random eight-character extension.
Here is an example of encrypted files:
Finally, the ransomware forces the device to reboot in safe mode, rendering it unusable.
Trojan tools attack enterprises more often than individuals. Following the mitigation steps below can help prevent hack tool attacks.
Keep backups so you can recover data affected by trojans and destructive attacks. Use controlled folder access to prevent unauthorized applications from modifying protected files.
Secure Remote Desktop Gateway using solutions like Azure Multi-Factor Authentication (MFA). If you don’t have an MFA gateway, enable network-level authentication (NLA).
Monitor for brute-force attempts. Check excessive failed authentication attempts (Windows security event ID 4625).
Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
Turn on attack surface reduction rules, including rules that block credential theft, ransomware activity, and suspicious use of PsExec and WMI. To address malicious activity initiated through weaponized Office documents, use rules that block advanced macro activity, executable content, process creation, and process injection initiated by Office applications. To assess the impact of these rules, deploy them in audit mode.
Utilize the Windows Defender Firewall and your network firewall to prevent RPC and SMB communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.
Turn on tamper protection features to prevent attackers from stopping security services.
When a device is infected by Ransom:Win64/Filecoder!MTB, users may observe the following symptoms:
Presence of ransom note titled "HOW TO RESTORE YOUR FILES.TXT"
Encrypted files with random 8-character extensions