Solved

Ransomeware without the demand

Posted on 2014-12-10
9
423 Views
Last Modified: 2014-12-11
This morning on a 2012 domain controller active directory server share, all of the office documents, text files and pdfs got encrypted and renamed filename.extension.phszfud and I don't see any ATTENTION file, popups asking for money, or other instances of the word encryption and cryptolocker.

I've scanned all the workstations with SEP, trendmicro and malwarebytes, finding nothing but a few tracking cookies.  Only the files in the share directory of the server are compromised this way, not the other similar files on the server in the non-shared directories.

When I rename a file, deleting the nefarious phszfud, the file tries to open in its original application and reports corruption.  A text file renamed this way has contents that looks suspiciously encrypted.

Any ideas on where to look?
0
Comment
Question by:wfgllc
9 Comments
 

Author Comment

by:wfgllc
Comment Utility
We've also gone around to each workstation, added a few more office files to the share, and do not see any similar behavior.
0
 

Author Comment

by:wfgllc
Comment Utility
Also, it left the quickbooks files alone.
0
 
LVL 27

Accepted Solution

by:
Tolomir earned 100 total points
Comment Utility
I guess you have to locate the infected computer. Can you pin down the time / date of the encryption (change file timestamp) and check in the domain controller logs when someone was accessing the share around that time.
0
 
LVL 3

Assisted Solution

by:Richard Obenchain
Richard Obenchain earned 200 total points
Comment Utility
Based on the name (my brain reads that suspiciously as "fish food"), I'd say either you had a computer virus or your network got hacked and someone wants to hold the files for ransom (which means you might not hear anything for a day or two; check your spam filters for your email as well).

Is there any way you could upload a small, innocuous (e.g., nothing sensitive or important) sample encrypted file?  It might shed some light on the method used and maybe provide avenues.
0
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

 
LVL 87

Assisted Solution

by:rindi
rindi earned 100 total points
Comment Utility
From what I have read about the cryptowall virus, is that you'll only get the message about the ransom when it has completely finished with the encryption. Maybe it is still not finished. Also, as already mentioned, that message will show on the infected PC, and not necessarily on the server.

In my point of view there is no point in waiting for the encryption to finish and getting the message. You should rather shutdown all PC's, then scan all of them using malwarebytes to remove the malware, and when that is done restore your data from your backups.
0
 

Author Comment

by:wfgllc
Comment Utility
More info:  I found in several of the server event logs, all events missing from about 3:30 am to 1020 am; the client reported the files converted to me about 0915.  I went there and shut everything off for the night and will resume troubleshooting tomorrow.

Low and behold, I just got an email from spiceworks saying that TeamViewer was installed on one of the client's workstations.  I use teamviewer, but only it is only installed on the servers - and I use dameware once inside.  Someone installed a remote control app on one of the workstations.  Methinks this is the point of entry.
0
 
LVL 61

Assisted Solution

by:btan
btan earned 100 total points
Comment Utility
i do suggest changing of password for domain admin as of now, it seems untrusted environment already with such happening and lurking around. It seems "phszfud" is the ransomware that does not seek for ransom. it did not meant decrypting file though
http://fixvirusfast.blogspot.sg/2014/12/phszfud-encrypted-files-how-to-remove.html
0
 
LVL 3

Assisted Solution

by:Richard Obenchain
Richard Obenchain earned 200 total points
Comment Utility
It looks like someone else on the forum here got hit with either the same thing or something similar (random 7-letter extension added, files encrypted).  It's possible this is a variant of the older "encryption" viruses which merely encrypt the header and for which comparing a pre-encryption and post-encryption sample can determine the key (the fact that it's adding an extension is similar to the other viruses that did this).
0
 

Author Closing Comment

by:wfgllc
Comment Utility
It was one machine infected; restored data from backups & re-imaged box.  The teamviewer alert from spiceworks gave us a clue, and we found other encrypted files on the workstation.
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Cybersecurity has become the buzzword of recent years and years to come. The inventions of cloud infrastructure and the Internet of Things has made us question our online safety. Let us explore how cloud- enabled cybersecurity can help us with our b…
Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now