Fortinet FortiGuard Labs' bi-weekly Ransomware Roundup analyzes two Windows-focused variants, Retch and S.H.O, detailing their file-encryption behavior and the ransom notes they drop. The post also outlines Fortinet protections, recommended defenses, and indicators of compromise (IOCs) for both families. #Retch #SHO #Windows #Fortinet #FortiGuard
Keypoints
- Fortinet’s Ransomware Roundup assesses Retch and S.H.O ransomware variants in the Windows ecosystem.
- Retch encrypts a wide range of file types on infected Windows hosts and drops a ransom note in every folder it encrypts; a second note placed on the desktop differs from the folder note in both tone and the amount demanded.
- Retch appears to be built on public open-source code (HiddenTear); samples were submitted from multiple countries, and the attacker's Bitcoin wallet showed no transactions at the time of analysis.
- S.H.O encrypts files and appends five randomized characters to each file extension; it uses two ransom-note variants, both demanding roughly $200.
- Both families exclude certain directories (e.g., Windows, Program Files) from encryption and replace the desktop wallpaper with a ransom note.
- Fortinet detects the samples with the AV signatures MSIL/Filecoder.AK!tr.ransom (Retch) and MSIL/Filecoder.APU!tr.ransom (S.H.O) and with FortiEDR; the MSIL prefix indicates that both are .NET binaries. The post also recommends offline backups, phishing awareness training, and incident readiness.
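As an added illustration of the renaming behaviour described in the S.H.O keypoint above (example code written for this page, not Fortinet's or the malware authors' code): a small Python hunt script that flags directories holding clusters of files whose document extension is followed by exactly five alphanumeric characters. It assumes the five characters are appended either directly after the extension or after a dot (the page does not say which, so both forms are accepted), uses an illustrative extension list because the page names no specific file types, and builds a constructed directory tree for the demonstration.

```python
import os
import re
import tempfile
from collections import defaultdict

# Extensions a file-encrypting payload typically targets. Illustrative set: the page
# says Retch hits "a wide range of file types" without listing them (assumption).
KNOWN_EXTS = {
    "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "csv",
    "jpg", "jpeg", "png", "zip", "sql", "mdb", "psd", "mp3", "mp4",
}

# <stem>.<ext> followed by five alphanumerics, with or without a dot before them.
# The page does not say whether S.H.O inserts a separator, so both forms match.
_RENAMED = re.compile(
    r"^(?P<stem>.+?)\.(?P<ext>[A-Za-z0-9]{1,5})\.?(?P<rand>[A-Za-z0-9]{5})$"
)


def looks_renamed(filename: str) -> bool:
    """True if filename is a known document type with exactly five characters appended."""
    m = _RENAMED.match(filename)
    # The length constraint fixes the split, so ext is the original extension if any.
    return bool(m) and m.group("ext").lower() in KNOWN_EXTS


def scan_tree(root: str, min_hits: int = 3) -> dict[str, list[str]]:
    """Return {relative dir: [renamed files]} for directories with at least min_hits.

    A per-directory threshold (assumed value) keeps one oddly named file from raising
    an alert; a payload that walks folders leaves clusters of renamed files behind.
    """
    hits = defaultdict(list)
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            if looks_renamed(name):
                rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
                hits[rel].append(name)
    return {d: sorted(f) for d, f in hits.items() if len(f) >= min_hits}


def build_demo_tree() -> str:
    """Constructed directory layout (no real victim data) mimicking an affected host."""
    root = tempfile.mkdtemp(prefix="sho-demo-")
    layout = {
        "Users/victim/Documents": ["budget.xlsxK3p9Q", "cv.docx.Zz8Rt", "scan.pdfA1b2C", "notes.txt"],
        "Users/victim/Pictures": ["holiday.jpg"],
        # Both families skip these directories per the page, so they stay untouched.
        "Windows/System32": ["kernel32.dll", "drivers.etl"],
        "Program Files/App": ["app.exe", "config.json"],
    }
    for rel, names in layout.items():
        d = os.path.join(root, *rel.split("/"))
        os.makedirs(d)
        for n in names:
            with open(os.path.join(d, n), "wb") as f:
                f.write(b"constructed sample content\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for directory, files in scan_tree(demo_root).items():
        print(f"{directory}: {len(files)} renamed files, e.g. {files[0]}")
```

Run it against a mounted image or a live share root instead of the demo tree; a hit in Windows or Program Files would be unexpected for these two families and worth a second look, since the page says both skip those directories.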
MITRE Techniques
- [T1486] Data Encrypted for Impact – Encrypts files on compromised machines and demands ransom for file decryption. Quote: “encrypts files on compromised machines”
- [T1041] Exfiltration Over C2 Channel – The summary maps the exfiltration of victims' files before encryption to this technique; the channel used for exfiltration is not described on the page. Quote: "Encrypts and exfiltrates victims' files and demands ransom for file decryption"
Indicators of Compromise
- [SHA2] Retch/S.H.O samples (five hashes; the page does not say which hash belongs to which family) – 46ccde0b58abeec8e3e62eed462bbf663efd4c0027c692210b2922a2217fcaac, a928964f062125cc32863a361a0554939f391a2e54a614c9c20c441f638a2f20, f7ab2da0e0ba7e0290b74fea2f0438de4ba3b460f99c4c869285edb9bff5b846, 79972890083f7e47a3a221bff96ba5229618355cba24b685cc08e7f5672b2b7a, d2b9de087fdc05071283cb162bd94bf6608ccc3e09ca3b9e7ccafffd13e084d0
- [PDB] Retch PDB strings (directory separators were lost when the page was extracted; the backslashes below are restored and the folder boundaries in the middle of each path are inferred, so match on distinctive fragments such as IlIlIlIlIlIlIlIl, Gendarmerie, teste25.pdb and Gendarmerie_300.pdb rather than on the whole path) – C:\Users\IlIlIlIlIlIlIlIl\Desktop\TEMPLATE AND MASTERS 09032023\ransomware-master werkING for obfuscation\Gendarmerie B.V.3\obj\Release\teste25.pdb, D:\SEPTEMBER WORKS\Gendarmerie ransomware-master_ one page Current Sun 08 12 23\ransomware-master\Gendarmerie_300.pdb
- [RSA Public Key] S.H.O ransomware's RSA public key (bare base64 as printed, not a PEM-wrapped block; treat it as a string indicator) – tUsmRqlrj5UCBgSc7H35O5BwodM0FI9hbK1VBimv/pjcWj9uAPjjfkyX28MAHnPKlHhfqk7rG0N1cVf46VOqW2tPDF91kCQmB2PATst0yfz5hmQUkvazSid78fwR43XwoQu4RwKmRxlzprZfHTTmiJP1zRyQlGOT7zrPWdS+3sdR9MkjBWl+nZUPBuRE7ApNSWt0M9M61P3psNkfDkEcaguzYkBv+ptpKRTTrK3ppstxhDKVdXuBlcZKNsiRciFOE8PdapN+8T0z7jOU9b5PE2vAeewKw5zOXwI6PDbDVEpRZHcXhNrcaKIXqO5OsXAi5/tGsk05QtEn/uBpzpQ==
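As an added worked example of using the indicators above (written for this page; not Fortinet's tooling): a Python sweep that hashes each file with SHA-256 against the five listed hashes and searches file contents for the Retch PDB fragments and the S.H.O key string. Because the extracted PDB paths lost their separators, it matches on substrings that survive either way, and because the Fortinet signature prefix MSIL marks both families as .NET binaries, every string is searched in both ASCII (how a PDB path sits in the CodeView debug record) and UTF-16LE (how a C# string literal is stored in the #US heap). The sample files are constructed blobs, not real malware, and the indicator names are assumed labels.

```python
import hashlib
import os
import tempfile

# SHA-256 hashes listed on the page (which hash belongs to which family is not stated).
IOC_SHA256 = {
    "46ccde0b58abeec8e3e62eed462bbf663efd4c0027c692210b2922a2217fcaac",
    "a928964f062125cc32863a361a0554939f391a2e54a614c9c20c441f638a2f20",
    "f7ab2da0e0ba7e0290b74fea2f0438de4ba3b460f99c4c869285edb9bff5b846",
    "79972890083f7e47a3a221bff96ba5229618355cba24b685cc08e7f5672b2b7a",
    "d2b9de087fdc05071283cb162bd94bf6608ccc3e09ca3b9e7ccafffd13e084d0",
}

# Distinctive fragments of the Retch PDB paths. Directory separators were lost in
# extraction, so only substrings that survive with or without them are used.
# The indicator names on the left are labels assumed for this example.
PDB_FRAGMENTS = {
    "retch-pdb-user": "IlIlIlIlIlIlIlIl",
    "retch-pdb-teste25": "teste25.pdb",
    "retch-pdb-gendarmerie300": "Gendarmerie_300.pdb",
}

# S.H.O RSA public key exactly as printed on the page (bare base64, no PEM armour).
SHO_RSA_KEY_B64 = "tUsmRqlrj5UCBgSc7H35O5BwodM0FI9hbK1VBimv/pjcWj9uAPjjfkyX28MAHnPKlHhfqk7rG0N1cVf46VOqW2tPDF91kCQmB2PATst0yfz5hmQUkvazSid78fwR43XwoQu4RwKmRxlzprZfHTTmiJP1zRyQlGOT7zrPWdS+3sdR9MkjBWl+nZUPBuRE7ApNSWt0M9M61P3psNkfDkEcaguzYkBv+ptpKRTTrK3ppstxhDKVdXuBlcZKNsiRciFOE8PdapN+8T0z7jOU9b5PE2vAeewKw5zOXwI6PDbDVEpRZHcXhNrcaKIXqO5OsXAi5/tGsk05QtEn/uBpzpQ=="


def sha256_file(path: str) -> str:
    """Streamed SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def string_hits(data: bytes) -> list[str]:
    """Names of string indicators present in data, in either ASCII or UTF-16LE form.

    A PDB path lives in the PE's CodeView (RSDS) debug record as ASCII; a C# string
    literal such as an embedded key is stored UTF-16LE in the .NET #US heap. Checking
    both encodings avoids missing a .NET sample on the key string.
    """
    wanted = dict(PDB_FRAGMENTS)
    wanted["sho-rsa-key"] = SHO_RSA_KEY_B64
    return sorted(
        name for name, s in wanted.items()
        if s.encode("ascii") in data or s.encode("utf-16-le") in data
    )


def sweep(paths, hashes=IOC_SHA256) -> list[dict]:
    """Return one finding per file that matches a hash or any string indicator."""
    findings = []
    for p in paths:
        digest = sha256_file(p)
        with open(p, "rb") as f:
            hits = string_hits(f.read())
        if digest in hashes:
            hits.insert(0, "sha256-match")
        if hits:
            findings.append({"path": p, "sha256": digest, "hits": hits})
    return findings


def build_demo() -> tuple[list[str], str]:
    """Constructed sample files (not real malware, not a valid PE) for the demo.

    Returns the file list and the hash of the benign file, so a caller can show the
    hash path by adding that hash to the indicator set.
    """
    d = tempfile.mkdtemp(prefix="ioc-demo-")
    blob = os.path.join(d, "sample1.bin")
    with open(blob, "wb") as f:
        f.write(b"MZ" + b"\x00" * 64 + b"RSDS" + b"C:\\build\\Gendarmerie_300.pdb\x00"
                + SHO_RSA_KEY_B64.encode("utf-16-le"))
    benign = os.path.join(d, "readme.txt")
    with open(benign, "wb") as f:
        f.write(b"nothing to see here\n")
    return [blob, benign], sha256_file(benign)


if __name__ == "__main__":
    files, _benign_hash = build_demo()
    for finding in sweep(files):
        print(finding["path"], finding["sha256"][:16], finding["hits"])
```

The fragment "Gendarmerie" on its own is deliberately left out of the fragment set: it is an ordinary French word and would fire on legitimate documents, while the full user name, the two .pdb file names and the key string are specific enough to act on.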
Read more: https://www.fortinet.com/blog/threat-research/ransomware-roundup-retch-and-sho