Fortinet’s FortiGuard Labs’ Ransomware Roundup highlights Trash Panda and a new minor NoCry variant, describing infection details and defenses. Trash Panda encrypts files on Windows, replaces the desktop wallpaper, and drops a politically themed ransom note. #TrashPanda #NoCry
Key points
- FortiGuard Labs’ Ransomware Roundup covers Trash Panda and a new minor NoCry variant, outlining their behaviors and Fortinet protections.
- Trash Panda operates on Windows, encrypting files, altering the wallpaper, and dropping a ransom note with political messages; it also appends a .monochromebear extension to encrypted files.
- The infection vector for Trash Panda is not disclosed, but its behavior appears consistent with other ransomware families, with samples submitted from the US and Czech Republic.
- A new minor NoCry ransomware variant encrypts files, adds a .rcry extension, and presents a ransom note; it appears to have been hosted via a site using an Indian private bank’s name as bait.
- The NoCry variant uses a Bitly link to a fake cybersecurity site offering paid services in USDT-TRC20, suggesting multiple traps to increase revenue; wallet activity is minimal as of writing.
- Fortinet’s protections include AV signatures (Trash Panda: W32/PossibleThreat; NoCry: MSIL/Filecoder.AFL!tr) and Web Filtering to block distribution sites, with FortiGate, FortiMail, FortiClient, and FortiEDR integration.
MITRE Techniques
- [T1486] Data Encrypted for Impact – “It encrypts files on the compromised machine except for files with the following file extensions: …”
- [T1041] Exfiltration – “Encrypts and exfiltrates victims’ files and demands ransom for file decryption.”
- [T1059.003] Command and Scripting: Windows Command Shell – “Once the Trash Panda ransomware is executed, it launches a Command Prompt that clearly states that it’s encrypting files.”
- [T1189] Drive-by Compromise – “Infection Vector: It appears that this NoCry ransomware variant was hosted on a website with a URL containing the name of a private bank in India as a string …”
- [T1587] Acquire Capabilities – “NoCry ransomware variants are generated by NoCry ransomware builders and sold on the group’s Telegram channel.”
Indicators of Compromise
- [SHA2] Trash Panda ransomware – ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db
- [SHA2] NoCry minor variant – 521357a0f9669de4a9233feeef7a3c5299c51de4a2531c56aacc807c0fd25a6a
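The two file extensions and two SHA-256 hashes above are the concrete artifacts a responder can sweep for. The following is an added example of such a sweep, written for this page and not code from FortiGuard Labs: it walks a directory tree, flags files whose extension matches `.monochromebear` (Trash Panda) or `.rcry` (NoCry), and hashes every file against the published sample hashes. The demo tree it builds (`build_demo_tree`) is constructed for illustration and contains no real malware; the hash and extension values are copied from the page.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 hashes published in the roundup (copied from the IoC list above).
KNOWN_SAMPLE_HASHES = {
    "ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db": "Trash Panda ransomware",
    "521357a0f9669de4a9233feeef7a3c5299c51de4a2531c56aacc807c0fd25a6a": "NoCry minor variant",
}

# Extensions each family appends to files it has encrypted (from the page).
ENCRYPTED_EXTENSIONS = {
    ".monochromebear": "Trash Panda",
    ".rcry": "NoCry",
}


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root: Path, known_hashes: dict = KNOWN_SAMPLE_HASHES) -> dict:
    """Walk `root` and return hash matches plus files carrying a known ransom extension.

    Result shape:
      {"hash_matches": [(path, label), ...],
       "encrypted_files": {family: [path, ...]}}
    """
    findings = {"hash_matches": [], "encrypted_files": {}}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if not path.is_file():
                continue
            # Hash check: does this file match a published sample?
            digest = sha256_of_file(path)
            if digest in known_hashes:
                findings["hash_matches"].append((str(path), known_hashes[digest]))
            # Extension check: does the name look like an already-encrypted victim file?
            family = ENCRYPTED_EXTENSIONS.get(path.suffix.lower())
            if family is not None:
                findings["encrypted_files"].setdefault(family, []).append(str(path))
    return findings


def build_demo_tree() -> Path:
    """Create a throwaway directory with benign files and files named as if encrypted.

    Constructed purely for the demo: the 'encrypted' files are zero-filled
    placeholders, not output of either ransomware family.
    """
    root = Path(tempfile.mkdtemp(prefix="ioc_sweep_"))
    (root / "report.docx").write_bytes(b"benign content")
    (root / "report.docx.monochromebear").write_bytes(b"\x00" * 64)
    photos = root / "photos"
    photos.mkdir()
    (photos / "img1.jpg.rcry").write_bytes(b"\x00" * 64)
    (photos / "img2.jpg").write_bytes(b"\xff\xd8\xff")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    result = sweep(demo_root)
    for family, paths in sorted(result["encrypted_files"].items()):
        print(f"{family}: {len(paths)} file(s) with its ransom extension")
    print(f"hash matches: {len(result['hash_matches'])}")
```

Run it against a real volume by replacing `build_demo_tree()` with the mount point you want to check; the extension check runs even when the dropped binary itself has been deleted, which is why both signals are kept separate in the result.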
Read more: https://www.fortinet.com/blog/threat-research/ransomware-roundup-trash-panda-and-nocry-variant