Ransomeware without the demand

This morning on a 2012 domain controller active directory server share, all of the office documents, text files and pdfs got encrypted and renamed filename.extension.phszfud and I don't see any ATTENTION file, popups asking for money, or other instances of the word encryption and cryptolocker.

I've scanned all the workstations with SEP, trendmicro and malwarebytes, finding nothing but a few tracking cookies.  Only the files in the share directory of the server are compromised this way, not the other similar files on the server in the non-shared directories.

When I rename a file, deleting the nefarious phszfud, the file tries to open in its original application and reports corruption.  A text file renamed this way has contents that looks suspiciously encrypted.

Any ideas on where to look?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

wfgllcAuthor Commented:
We've also gone around to each workstation, added a few more office files to the share, and do not see any similar behavior.
wfgllcAuthor Commented:
Also, it left the quickbooks files alone.
I guess you have to locate the infected computer. Can you pin down the time / date of the encryption (change file timestamp) and check in the domain controller logs when someone was accessing the share around that time.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Cloud as a Security Delivery Platform for MSSPs

Every Managed Security Service Provider (MSSP) needs a platform to deliver effective and efficient security-as-a-service to their customers. Scale, elasticity and profitability are a few of the many features that a Cloud platform offers. View our on-demand webinar to learn more!

Richard ObenchainCommented:
Based on the name (my brain reads that suspiciously as "fish food"), I'd say either you had a computer virus or your network got hacked and someone wants to hold the files for ransom (which means you might not hear anything for a day or two; check your spam filters for your email as well).

Is there any way you could upload a small, innocuous (e.g., nothing sensitive or important) sample encrypted file?  It might shed some light on the method used and maybe provide avenues.
From what I have read about the cryptowall virus, is that you'll only get the message about the ransom when it has completely finished with the encryption. Maybe it is still not finished. Also, as already mentioned, that message will show on the infected PC, and not necessarily on the server.

In my point of view there is no point in waiting for the encryption to finish and getting the message. You should rather shutdown all PC's, then scan all of them using malwarebytes to remove the malware, and when that is done restore your data from your backups.
wfgllcAuthor Commented:
More info:  I found in several of the server event logs, all events missing from about 3:30 am to 1020 am; the client reported the files converted to me about 0915.  I went there and shut everything off for the night and will resume troubleshooting tomorrow.

Low and behold, I just got an email from spiceworks saying that TeamViewer was installed on one of the client's workstations.  I use teamviewer, but only it is only installed on the servers - and I use dameware once inside.  Someone installed a remote control app on one of the workstations.  Methinks this is the point of entry.
btanExec ConsultantCommented:
i do suggest changing of password for domain admin as of now, it seems untrusted environment already with such happening and lurking around. It seems "phszfud" is the ransomware that does not seek for ransom. it did not meant decrypting file though
Richard ObenchainCommented:
It looks like someone else on the forum here got hit with either the same thing or something similar (random 7-letter extension added, files encrypted).  It's possible this is a variant of the older "encryption" viruses which merely encrypt the header and for which comparing a pre-encryption and post-encryption sample can determine the key (the fact that it's adding an extension is similar to the other viruses that did this).
wfgllcAuthor Commented:
It was one machine infected; restored data from backups & re-imaged box.  The teamviewer alert from spiceworks gave us a clue, and we found other encrypted files on the workstation.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.