Solved

Ransomware without the demand

Posted on 2014-12-10
Medium Priority
446 Views
Last Modified: 2014-12-11
This morning on a 2012 domain controller Active Directory server share, all of the office documents, text files and PDFs got encrypted and renamed filename.extension.phszfud, and I don't see any ATTENTION file, popups asking for money, or other instances of the words encryption or cryptolocker.

I've scanned all the workstations with SEP, trendmicro and malwarebytes, finding nothing but a few tracking cookies.  Only the files in the share directory of the server are compromised this way, not the other similar files on the server in the non-shared directories.

When I rename a file, deleting the nefarious phszfud, the file tries to open in its original application and reports corruption. A text file renamed this way has contents that look suspiciously encrypted.

Any ideas on where to look?
0
Question by:wfgllc
9 Comments
 

Author Comment

by:wfgllc
ID: 40492528
We've also gone around to each workstation, added a few more office files to the share, and do not see any similar behavior.
0
 

Author Comment

by:wfgllc
ID: 40492533
Also, it left the QuickBooks files alone.
0
 
LVL 27

Accepted Solution

by:
Tolomir earned 400 total points
ID: 40492621
I guess you have to locate the infected computer. Can you pin down the time/date of the encryption (change file timestamp) and check in the domain controller logs who was accessing the share around that time?
0
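Tolomir's approach in script form, added here as an example and not posted by anyone in the thread: it takes the encryption window from the renamed files' timestamps and pulls the matching share-access and logon events from the DC's Security log. The share path \\DC01\Share, the 15-minute margin and the use of Event IDs 5140/4624 are assumptions; those events are only recorded when file share and logon auditing is enabled.

```powershell
# Added example, not code from the thread. Share path, extension filter and the
# +/- 15 minute margin are assumptions; adjust for your environment.
# Security Event IDs 5140 (network share accessed) and 4624 (logon) are only
# recorded when "Audit File Share" / "Audit Logon" auditing is enabled.
param(
    [string]$SharePath     = '\\DC01\Share',   # assumed share path
    [string]$Extension     = '.phszfud',
    [int]   $MarginMinutes = 15
)

# 1. Bound the encryption window from the renamed files' LastWriteTime.
$hit = Get-ChildItem -Path $SharePath -Recurse -File -Filter "*$Extension" -ErrorAction SilentlyContinue
if (-not $hit) { Write-Warning "No *$Extension files under $SharePath"; return }

$sorted = @($hit | Sort-Object LastWriteTime)
$first  = $sorted[0].LastWriteTime
$last   = $sorted[-1].LastWriteTime
'{0} files rewritten between {1:u} and {2:u}' -f $sorted.Count, $first, $last

# 2. Pull share-access and logon events from the DC's Security log for that window.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 5140, 4624
    StartTime = $first.AddMinutes(-$MarginMinutes)
    EndTime   = $last.AddMinutes($MarginMinutes)
} -ErrorAction SilentlyContinue

# 3. Flatten each event's EventData into account / source address, then count.
#    4624 names the account in TargetUserName; 5140 uses SubjectUserName.
$rows = foreach ($e in $events) {
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Account = $(if ($e.Id -eq 4624) { $d['TargetUserName'] } else { $d['SubjectUserName'] })
        Source  = $d['IpAddress']
        Detail  = $(if ($e.Id -eq 4624) { "LogonType $($d['LogonType'])" } else { $d['ShareName'] })
    }
}

# The account/host with the most share activity inside the window is the one
# to take off the network and examine first.
$rows | Group-Object Account, Source | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

If auditing was not enabled before the incident, the Security log will be empty for this window; in that case the SMB session list on the file server (Get-SmbSession) and the workstations' own logs are the remaining sources.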
 
LVL 3

Assisted Solution

by:Richard Obenchain
Richard Obenchain earned 800 total points
ID: 40492683
Based on the name (my brain reads that suspiciously as "fish food"), I'd say either you had a computer virus or your network got hacked and someone wants to hold the files for ransom (which means you might not hear anything for a day or two; check your spam filters for your email as well).

Is there any way you could upload a small, innocuous (e.g., nothing sensitive or important) sample encrypted file?  It might shed some light on the method used and maybe provide avenues.
0
 
LVL 88

Assisted Solution

by:rindi
rindi earned 400 total points
ID: 40492737
From what I have read about the CryptoWall virus, you'll only get the message about the ransom when it has completely finished with the encryption. Maybe it is still not finished. Also, as already mentioned, that message will show on the infected PC, and not necessarily on the server.

In my point of view there is no point in waiting for the encryption to finish and getting the message. You should rather shut down all PCs, then scan all of them using Malwarebytes to remove the malware, and when that is done restore your data from your backups.
0
 

Author Comment

by:wfgllc
ID: 40492842
More info: I found in several of the server event logs that all events are missing from about 3:30 am to 10:20 am; the client reported the converted files to me about 09:15. I went there and shut everything off for the night and will resume troubleshooting tomorrow.

Lo and behold, I just got an email from Spiceworks saying that TeamViewer was installed on one of the client's workstations. I use TeamViewer, but it is only installed on the servers, and I use DameWare once inside. Someone installed a remote control app on one of the workstations. Methinks this is the point of entry.
0
 
LVL 64

Assisted Solution

by:btan
btan earned 400 total points
ID: 40493763
I do suggest changing the domain admin password as of now; it seems to be an untrusted environment already, with such things happening and lurking around. It seems "phszfud" is ransomware that does not seek a ransom. It did not mean decrypting files, though.
http://fixvirusfast.blogspot.sg/2014/12/phszfud-encrypted-files-how-to-remove.html
0
 
LVL 3

Assisted Solution

by:Richard Obenchain
Richard Obenchain earned 800 total points
ID: 40494167
It looks like someone else on the forum here got hit with either the same thing or something similar (random 7-letter extension added, files encrypted). It's possible this is a variant of the older "encryption" viruses which merely encrypt the header and for which comparing a pre-encryption and post-encryption sample can determine the key (the fact that it's adding an extension is similar to the other viruses that did this).
0
 

Author Closing Comment

by:wfgllc
ID: 40494677
It was one machine infected; restored data from backups and re-imaged the box. The TeamViewer alert from Spiceworks gave us a clue, and we found other encrypted files on the workstation.
0
