Is this the result of ransomware?
Posted on 2015-02-23
A client contacted me today with what I suspect is an infection with ransomware. Most of the documents (doc, xls, and pdf for example) on the server have ".ecc" added to the file name and they cannot be opened by the standard program. For example, I renamed a file named abc.doc.ecc to abc.doc and Word says it cannot recognize the format of the file. The time stamps on all of the files span about half an hour from this afternoon.
An interesting quirk is that the outlook.pst files were not hit while the archive.pst files were. I'm suspecting that it is the large size of the outlook.pst files that caused them to be skipped. I did notice a smaller (75k) outlook.pst file that was hit.
No one has reported getting a screen about what was done and how to pay the ransom, but that could be for a variety of reasons. I'm expecting that it will be seen tomorrow.
The server has Trend Micro Worry-Free Business running on it and all computers on the network should have the client for it. Nearly all workstations are running Windows 7 though there may be one or two on XP. The server is running Windows Server 2003. Initial scans on the server don't show any sign of infection on it.
The good news is that it appears that we have a good backup. I had the server disconnect from the external backup drive to ensure that nothing more happens to it.
My plan is as follows:
1) Look at each computer (there are about a dozen of them), check the local Documents folder for .ECC files. If I find them, that computer is the likely source of the infection. As originally set up, there was no sharing of local folders.
2) Scan all of the computers and clean up anything that I find.
3) After the source is found and cleaned, restore the backup.
4) Educate the users about how this may have happened.
I didn't find anything online about any virus specifically adding ".ECC" to the file name, but everything else fits with what I have seen with a ransomware infection.
I have two questions here:
1) Do you agree that this is a virus/ransomware?
2) Would you recommend anything different in my approach to resolving it?
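As an added example (not part of the original post), here is a PowerShell 2.0-compatible inventory script for the first step of the plan above: it walks a share or Documents folder, records every ".ecc" file with its size, last-write time and NTFS owner, and summarises the time window and the accounts that wrote the files. The root path, the report path and the admin-share path mentioned in the usage note are placeholders to be replaced with the real ones.

```powershell
# Added triage script, not code from the original post. Inventories the renamed
# ".ecc" files so the encryption run can be timed and tied to a user account.
# Written for PowerShell 2.0 (Windows 7 ships with it; Windows Server 2003 needs it
# installed). Run from an elevated prompt.
param(
    [string]$Root   = "D:\Shares",                   # placeholder: the server's data share
    [string]$Report = "$env:TEMP\ecc-inventory.csv"  # placeholder: where to save the CSV
)

# Collect every .ecc file. Get-Acl gives the NTFS owner: if the malware wrote new
# files, the owner is the account that ran it (and so the workstation session);
# if it only renamed files in place, the owner is still the original creator,
# so treat the owner column as a lead, not proof.
$files = @(Get-ChildItem -Path $Root -Recurse -Filter *.ecc -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $owner = "<unknown>"
        try { $owner = (Get-Acl -LiteralPath $_.FullName).Owner } catch { }
        New-Object PSObject -Property @{
            Path          = $_.FullName
            Length        = $_.Length
            LastWriteTime = $_.LastWriteTime
            Owner         = $owner
        }
    })

if ($files.Count -eq 0) {
    Write-Host "No .ecc files found under $Root"
    return
}

# Keep the full list for the incident record.
$files | Export-Csv -Path $Report -NoTypeInformation
Write-Host ("{0} .ecc files written to {1}" -f $files.Count, $Report)

# Time window of the run. Sort-Object is used instead of Measure-Object because
# Measure-Object -Minimum/-Maximum rejects DateTime values on older PowerShell.
$sorted = @($files | Sort-Object LastWriteTime)
Write-Host ("Earliest .ecc write: {0}" -f $sorted[0].LastWriteTime)
Write-Host ("Latest   .ecc write: {0}" -f $sorted[$sorted.Count - 1].LastWriteTime)

# Which account produced the files, and how many each. One dominant owner is the
# session to look at first when checking workstations.
Write-Host "Encrypted files by NTFS owner:"
$files | Group-Object Owner | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize | Out-String | Write-Host

# Largest encrypted files, to check the idea that the big .pst files were skipped.
Write-Host "Largest .ecc files:"
$files | Sort-Object Length -Descending | Select-Object -First 5 Length, LastWriteTime, Path |
    Format-Table -AutoSize | Out-String | Write-Host
```

Run it once against the server share to get the time window and owner counts, then against each workstation's profiles over the admin share (for example `-Root "\\workstation01\C$\Users"`, a placeholder name) to find local Documents folders that contain ".ecc" files; the machine whose local files are hit and whose user owns the encrypted files on the server is the one to take off the network first. Save the CSV before running any cleanup, since scanners that delete or quarantine files will change the evidence.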