• Status: Solved
• Priority: Medium
• Security: Public
• Views: 478

Ransomware without the demand

This morning, on a 2012 domain controller Active Directory server share, all of the office documents, text files and PDFs got encrypted and renamed filename.extension.phszfud, and I don't see any ATTENTION file, popups asking for money, or other instances of the words "encryption" or "cryptolocker".

I've scanned all the workstations with SEP, trendmicro and malwarebytes, finding nothing but a few tracking cookies.  Only the files in the share directory of the server are compromised this way, not the other similar files on the server in the non-shared directories.

When I rename a file, deleting the nefarious phszfud, the file tries to open in its original application and reports corruption. A text file renamed this way has contents that look suspiciously encrypted.

Any ideas on where to look?
0
Asked:
wfgllc
5 Solutions
 
wfgllc (Author) Commented:
We've also gone around to each workstation, added a few more office files to the share, and do not see any similar behavior.
0
 
wfgllc (Author) Commented:
Also, it left the quickbooks files alone.
0
 
Tolomir (Administrator) Commented:
I guess you have to locate the infected computer. Can you pin down the time/date of the encryption (file change timestamp) and check in the domain controller logs who was accessing the share around that time?
0

 
Richard Obenchain Commented:
Based on the name (my brain reads that suspiciously as "fish food"), I'd say either you had a computer virus or your network got hacked and someone wants to hold the files for ransom (which means you might not hear anything for a day or two; check your spam filters for your email as well).

Is there any way you could upload a small, innocuous (e.g., nothing sensitive or important) sample encrypted file?  It might shed some light on the method used and maybe provide avenues.
0
 
rindi Commented:
From what I have read about the cryptowall virus, you'll only get the message about the ransom when it has completely finished with the encryption. Maybe it is still not finished. Also, as already mentioned, that message will show on the infected PC, and not necessarily on the server.

In my point of view there is no point in waiting for the encryption to finish and getting the message. You should rather shut down all PCs, then scan all of them using malwarebytes to remove the malware, and when that is done restore your data from your backups.
0
 
wfgllc (Author) Commented:
More info: I found in several of the server event logs that all events are missing from about 3:30 am to 10:20 am; the client reported the converted files to me at about 09:15. I went there and shut everything off for the night and will resume troubleshooting tomorrow.

Lo and behold, I just got an email from spiceworks saying that TeamViewer was installed on one of the client's workstations. I use teamviewer, but it is only installed on the servers - and I use dameware once inside. Someone installed a remote control app on one of the workstations. Methinks this is the point of entry.
0
 
btan (Exec Consultant) Commented:
I do suggest changing the domain admin password as of now; it seems to be an untrusted environment already, with such things happening and lurking around. It seems "phszfud" is ransomware that does not seek a ransom. It did not mean decrypting the files, though.
http://fixvirusfast.blogspot.sg/2014/12/phszfud-encrypted-files-how-to-remove.html
0
 
Richard Obenchain Commented:
It looks like someone else on the forum here got hit with either the same thing or something similar (random 7-letter extension added, files encrypted).  It's possible this is a variant of the older "encryption" viruses which merely encrypt the header and for which comparing a pre-encryption and post-encryption sample can determine the key (the fact that it's adding an extension is similar to the other viruses that did this).
0
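The triage the two replies above describe (pinning down the encryption window from file timestamps so it can be correlated with the domain controller logs, and checking whether a sample is encrypted throughout or only in its header), as an added Python example that is not code from this thread. The share path and the sample files it builds are constructed for the demonstration; the entropy thresholds are assumptions, not values from the thread.

```python
import math
import os
import tempfile
from collections import Counter

SUSPECT_EXT = ".phszfud"  # the extension reported in this thread

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted data, about 4-5 for plain text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_share(root: str, head_bytes: int = 4096) -> dict:
    """Walk a share, list files carrying SUSPECT_EXT with mtime (epoch seconds)
    and head vs tail entropy; header_only marks header-only encryption."""
    records = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(SUSPECT_EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head, tail = fh.read(head_bytes), fh.read()
            h_ent, t_ent = shannon_entropy(head), shannon_entropy(tail)
            records.append({"name": name, "path": path,
                            "mtime": os.path.getmtime(path),
                            "head_entropy": round(h_ent, 2),
                            "tail_entropy": round(t_ent, 2),
                            "header_only": h_ent > 7.0 and len(tail) > 0 and t_ent < 6.0})
    mtimes = [r["mtime"] for r in records]
    # Earliest/latest mtime bound the interval to search in the DC's logs.
    return {"count": len(records),
            "window": (min(mtimes), max(mtimes)) if mtimes else None,
            "records": records}

def build_sample_share() -> str:
    """Constructed sample data (not files from the thread): full, header-only, untouched."""
    root = tempfile.mkdtemp(prefix="share_")
    text = b"Quarterly report for the client, draft three.\n" * 200
    samples = [("budget.xlsx.phszfud", os.urandom(8192)),      # whole file encrypted
               ("memo.txt.phszfud", os.urandom(4096) + text),  # header only
               ("notes.docx", text)]                           # not renamed, ignored
    for i, (name, body) in enumerate(samples):
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(body)
        os.utime(path, (1_400_000_000 + i * 600,) * 2)  # fixed, known mtimes
    return root
```

Point `triage_share` at the real share (read-only, from a clean machine) and convert the returned window with `datetime.fromtimestamp` to get the interval to check in the security and SMB logs.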
 
wfgllc (Author) Commented:
It was one machine infected; restored data from backups & re-imaged box.  The teamviewer alert from spiceworks gave us a clue, and we found other encrypted files on the workstation.
0