Ransomeware without the demand

Posted on 2014-12-10
Last Modified: 2014-12-11
This morning on a 2012 domain controller active directory server share, all of the office documents, text files and pdfs got encrypted and renamed filename.extension.phszfud and I don't see any ATTENTION file, popups asking for money, or other instances of the word encryption and cryptolocker.

I've scanned all the workstations with SEP, trendmicro and malwarebytes, finding nothing but a few tracking cookies.  Only the files in the share directory of the server are compromised this way, not the other similar files on the server in the non-shared directories.

When I rename a file, deleting the nefarious phszfud, the file tries to open in its original application and reports corruption.  A text file renamed this way has contents that looks suspiciously encrypted.

Any ideas on where to look?
Question by:wfgllc

Author Comment

ID: 40492528
We've also gone around to each workstation, added a few more office files to the share, and do not see any similar behavior.

Author Comment

ID: 40492533
Also, it left the quickbooks files alone.
LVL 27

Accepted Solution

Tolomir earned 100 total points
ID: 40492621
I guess you have to locate the infected computer. Can you pin down the time / date of the encryption (change file timestamp) and check in the domain controller logs when someone was accessing the share around that time.
Live: Real-Time Solutions, Start Here

Receive instant 1:1 support from technology experts, using our real-time conversation and whiteboard interface. Your first 5 minutes are always free.


Assisted Solution

by:Richard Obenchain
Richard Obenchain earned 200 total points
ID: 40492683
Based on the name (my brain reads that suspiciously as "fish food"), I'd say either you had a computer virus or your network got hacked and someone wants to hold the files for ransom (which means you might not hear anything for a day or two; check your spam filters for your email as well).

Is there any way you could upload a small, innocuous (e.g., nothing sensitive or important) sample encrypted file?  It might shed some light on the method used and maybe provide avenues.
LVL 88

Assisted Solution

rindi earned 100 total points
ID: 40492737
From what I have read about the cryptowall virus, is that you'll only get the message about the ransom when it has completely finished with the encryption. Maybe it is still not finished. Also, as already mentioned, that message will show on the infected PC, and not necessarily on the server.

In my point of view there is no point in waiting for the encryption to finish and getting the message. You should rather shutdown all PC's, then scan all of them using malwarebytes to remove the malware, and when that is done restore your data from your backups.

Author Comment

ID: 40492842
More info:  I found in several of the server event logs, all events missing from about 3:30 am to 1020 am; the client reported the files converted to me about 0915.  I went there and shut everything off for the night and will resume troubleshooting tomorrow.

Low and behold, I just got an email from spiceworks saying that TeamViewer was installed on one of the client's workstations.  I use teamviewer, but only it is only installed on the servers - and I use dameware once inside.  Someone installed a remote control app on one of the workstations.  Methinks this is the point of entry.
LVL 62

Assisted Solution

btan earned 100 total points
ID: 40493763
i do suggest changing of password for domain admin as of now, it seems untrusted environment already with such happening and lurking around. It seems "phszfud" is the ransomware that does not seek for ransom. it did not meant decrypting file though

Assisted Solution

by:Richard Obenchain
Richard Obenchain earned 200 total points
ID: 40494167
It looks like someone else on the forum here got hit with either the same thing or something similar (random 7-letter extension added, files encrypted).  It's possible this is a variant of the older "encryption" viruses which merely encrypt the header and for which comparing a pre-encryption and post-encryption sample can determine the key (the fact that it's adding an extension is similar to the other viruses that did this).

Author Closing Comment

ID: 40494677
It was one machine infected; restored data from backups & re-imaged box.  The teamviewer alert from spiceworks gave us a clue, and we found other encrypted files on the workstation.

Featured Post

Courses: Start Training Online With Pros, Today

Brush up on the basics or master the advanced techniques required to earn essential industry certifications, with Courses. Enroll in a course and start learning today. Training topics range from Android App Dev to the Xen Virtualization Platform.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
One of the biggest threats facing all high-value targets are APT's.  These threats include sophisticated tactics that "often starts with mapping human organization and collecting intelligence on employees, who are nowadays a weaker link than network…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now