Fenrir Ransomware pretends to be Adobe Acrobat Reader


This week, SonicWALL Threats research team has received reports of yet another ransomware called Fenrir. This ransomware purports to be an Adobe Reader file and appends an extension to encrypted files using the victim computer’s HWID .

Infection Cycle:

This Trojan uses the following icon and file properties:

Upon execution, it makes the following DNS query:

It then proceeds to encrypt the victim’s files. It appends a new extension to all encrypted files using the computer’s HWID:

It also drops the following files:

  • %Desktop%Ransom.rtf

The file “Ransom.rtf” contains the instructions on how to pay to get your files back. It then displays a splash screen which has the same ransom message and intructions with a 72 hour countdown.

When you choose to click on the red “I will not pay” button, this message appears but then none of the files will be deleted:

If you click on the blue button which reads “I sent my payment, retrieve my files” it will ask for a password, presumably given if you had communicated with these cybrecriminals. Typing in a bogus password, does not really do anything, so it is unclear whether files will be retrieved once payment is made.

Because of the prevalence of these types of malware attacks, we urge our users to back up their files regularly.

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Fenrir.RSM (Trojan)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.