Ransomware Roundup – UNIZA | FortiGuard Labs

FortiGuard Labs analyzes the UNIZA ransomware, a Windows-targeting variant that encrypts user files and displays its ransom message via the Command Prompt. It also notes the likely phishing-based infection vector, limited current spread, and Fortinet protections and guidance for defense and response.

Keypoints

  • UNIZA is a Windows-targeting ransomware that encrypts files on victims’ machines and demands payment for restoration.
  • It uses the Command Prompt (cmd.exe) window to display its ransom message, and it does not append anything to the names of the files it encrypts, which makes affected files harder to spot.
  • The infection vector is not disclosed; the likely method is phishing via email, as is common with many ransomware strains.
  • Encryption targets all directories under %userprofile% and Desktop, applying a rolling-key scheme to encrypt file content.
  • The ransom note is printed gradually in the command-line window; the attacker allegedly controls this output remotely so that it appears to be typed live.
  • Fortinet protections include the AV signature W64/Filecoder.IB!tr and coverage across FortiGate, FortiEDR and FortiClient products; Fortinet also offers phishing-awareness training and backup strategies as defenses.

MITRE Techniques

  • [T1059] Command-Line Interface – The ransomware uses the Command Prompt (cmd.exe) window to display its ransom message. Source: ‘uses the Command Prompt (cmd.exe) window to display its ransom message.’
  • [T1486] Data Encrypted for Impact – It encrypts files on victims’ machines and targets all directories under %userprofile% and Desktop, using a rolling key. Source: ‘encrypts files on compromised machines’ and ‘targets all directories and files found under %userprofile% and Desktop’
  • [T1566.001] Phishing: Spearphishing via Email – The infection vector is not disclosed but is likely email, as many ransomware variants are distributed that way. Source: ‘the likely attack vector is via email as many ransomware variants are distributed that way.’

Indicators of Compromise

  • [File hash] File-based IOCs – eefa1271d1a2a937d0baa3f0c7d904941151d6c8f915aed4dd51f10fa5d09b2a, d9a3f2ad7cfc6989cc4da117d5a4f8097362aad6b91391e89746d68d8d7aa29f and 1 more hash

Read more: https://www.fortinet.com/blog/threat-research/ransomware-roundup-uniza-coverage