
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2071
  • Last Modified:

Is this the result of ransomware?

A client contacted me today with what I suspect is an infection with ransomware.  Most of the documents (doc, xls, and pdf for example) on the server have ".ecc" added to the file name and they cannot be opened by the standard program.  For example, I renamed a file named abc.doc.ecc to abc.doc and Word says it cannot recognize the format of the file.  The time stamps on all of the files span about a half hour from this afternoon.

An interesting quirk is that the outlook.pst files were not hit while the archive.pst files were.  I'm suspecting that it is the large size of the outlook.pst files that caused them to be skipped.  I did notice a smaller (75k) outlook.pst file that was hit.

No one has reported getting a screen about what was done and how to pay the ransom, but that could be for a variety of reasons.  I'm expecting that it will be seen tomorrow.

The server has Trend Micro Worry-Free Business running on it and all computers on the network should have the client for it.  Nearly all workstations are running Windows 7 though there may be one or two on XP.  The server is running Windows Server 2003.  Initial scans on the server don't show any sign of infection on it.

The good news is that it appears that we have a good backup.  I had the server disconnect from the external backup drive to ensure that nothing more happens to it.

My plan is as follows:
1)  Look at each computer (there are about a dozen of them), check the local Documents folder for .ECC files.  If I find them, that computer is the likely source of the infection.  As originally set up, there was no sharing of local folders.
2)  Scan all of the computers and clean up anything that I find.
3)  After the source is found and cleaned, restore the backup.
4)  Educate the users about how this may have happened.

I didn't find anything online about any virus specifically adding ".ECC" to the file name, but everything else fits with what I have seen with a ransomware infection.

I have two questions here:
1)  Do you agree that this is a virus/ransomware?
2)  Would you recommend anything different in my approach to resolving it?
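One way to carry out step 1 from the share side rather than walking to each PC, as an added PowerShell example that is not from the original thread: it lists every .ecc file under a share, groups them by NTFS owner (the account that wrote the encrypted copy, which points at the infected workstation) and records when the first and last ones were written. The share path is an assumption; run it from a Windows 7 workstation with read access to the share.

```powershell
# Added example (not from the thread): triage a share for files carrying the
# ".ecc" suffix and attribute them to the account that wrote them.
param(
    [string]$Root      = '\\FILESERVER\Data',   # assumption: share to inspect
    [string]$Extension = '.ecc'                 # suffix seen on the affected files
)

$hits = Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Name.ToLower().EndsWith($Extension) }

if (-not $hits) { Write-Host "No $Extension files found under $Root"; return }

# The owner of a freshly written file is normally the account that created it,
# i.e. the user logged on at the infected workstation.
$rows = foreach ($f in $hits) {
    try   { $owner = (Get-Acl -Path $f.FullName).Owner }
    catch { $owner = 'unknown' }
    New-Object PSObject -Property @{
        Owner    = $owner
        Path     = $f.FullName
        Written  = $f.LastWriteTime
        # name the file had before the suffix was appended (for the restore step)
        Original = $f.FullName.Substring(0, $f.FullName.Length - $Extension.Length)
    }
}

# One line per owner: how many files and the time window in which they were written.
$rows | Group-Object Owner | ForEach-Object {
    $sorted = $_.Group | Sort-Object Written
    New-Object PSObject -Property @{
        Owner    = $_.Name
        Files    = $_.Count
        FirstHit = $sorted[0].Written
        LastHit  = $sorted[-1].Written
    }
} | Sort-Object FirstHit | Format-Table Owner, Files, FirstHit, LastHit -AutoSize

# Keep an evidence list of encrypted paths and their original names.
$rows | Select-Object Owner, Written, Path, Original |
    Export-Csv -Path (Join-Path $env:TEMP 'ecc-files.csv') -NoTypeInformation
```

The owner whose FirstHit is earliest is the first place to look; a single owner across all hits matches the thread's expectation that one mapped-drive PC did the damage.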
5 Solutions
It is almost certainly a virus. It only needs to be on one PC with mapped drives to the server. You need to locate the infected PC and remove the virus. That PC will almost certainly have popups on it telling you to pay a ransom.
The reason the Outlook files aren't infected is because they are open and locked in Outlook so the virus can't delete them.
You may find additional files in the infected folders telling you how to pay the ransom.
Your strategy for dealing with this is appropriate.
The extension generated by the virus appears to be random so that explains why you cannot find any reference to it. It typically takes some time for it to finish encrypting discovered files before it will make its presence known. Your approach is appropriate.
It may be worth looking at your network switch and see if one PC is generating a lot of traffic. That could be the culprit PC.
Also, if the virus hasn't finished doing its job you may want to consider turning off the network switch so it can't continue to encrypt more files.
Gary Case (Retired) Commented:
Your approach is sound.    This is likely a CryptoLocker infection, which is very difficult to recover from without backups ... fortunately you have good backups, so if you get the infection removed you should be fine.

If it's a less severe form of Ransomware, you may be able to restore the files with Panda's Ransomware Decrypter [ ] => but from your description of the altered file names I don't think your infection is this simple.

The suggestions above to isolate all of your computers from each other until you identify the infected computer(s) is a good one.    The quicker you stop additional spreading of the infection, the less time it will take you to recover.
CompProbSolv (Author) Commented:
Thanks to all of you for your input.  I will be visiting this first thing in the morning.
☠ MASQ ☠ Commented:
Random file extensions are added by CBT-Locker not Cryptolocker and are a characteristic of the former. Although they are variants of each other, operate much the same way and the distinction is almost academic if you are infected, it is important as many Cryptolocker infections can now be recovered by reverse engineering in much the same way as the Panda tool garycase describes works.

Having good back-ups as you describe is the best solution here once the systems are disinfected.  The important issue which may have been overlooked is that all Cryptolocker variants pose a network-wide risk as they index and encrypt any data file which is visible to the infection as a network share with read/write access - so there is a possibility that files on network shares on uninfected machines can also be at risk.

As a trojan, the infection itself is unable to spread from machine-to-machine.

The ransom note for CBT-Locker is created as a graphic within a My Documents file on the affected machine - usually (but not always) in the infected profile.  It contains the unique public key for decryption and it is this image that is displayed once the Trojan has completed indexing and encrypting files.

As akb points out only unmounted .pst files can be encrypted as they are locked for read/write access. There isn't a file size limit on encryption but the code in some variants skips larger files, returning to them later, probably to ensure maximum damage.

Some more details on the CBT in my post here

Including a link to some of the preventative measures that can be put in place to reduce future risk but as this is caused by a trojan infection a lot of prevention is based on improving safe behaviour of users.

So yes, yours is a good approach. Also check locations that infected machines have access to and incorporate simple preventative measures to reduce reinfection risk including end user education.
It is also possible that the encryption process hasn't finished yet. It can take a long time, and the ransom note is only shown when everything has been finished. That could also be the reason your pst isn't encrypted yet (but that could also be because the file was open and in use by outlook).

As long as the process isn't finished, chances are good that you can recover the unencrypted files. Most ransomware copies the unencrypted files to a temporary location, and deletes that after it has finished the encryption, so you can search for the original files in other locations. Besides that, you can probably look for previous versions via file properties. Those previous versions and shadow copies get deleted before the ransom note is shown, so once the encryption has finished, and the note is shown, you can't use previous versions or look for the files in the temporary location anymore.
CompProbSolv (Author) Commented:
Thanks to all for the input.

I visited today and the situation was pretty clear.  Only one computer had the ransom note displayed and local files encrypted.  I isolated that computer and restored the files from the backup so only a day's work was lost.  I used robocopy to move the encrypted files to a separate folder just in case they were needed.  I expect to delete them shortly.

The virus had created Software Policies to prevent running programs in McAfee, Symantec, or TrendMicro folders.  I corrected that and was able to reinstall the TrendMicro agent.

I'm not sure how the initial infection occurred.  I didn't see any recent emails that looked suspicious.  The user didn't have any suggestions as to what he may have done to invite the infection.

I had looked at the machine earlier yesterday because the user reported that it was very sluggish.  I noted that it had a couple of files in startup that looked suspicious (semi-random names, location in Application Files) and I removed them from startup.  I installed and scanned with SuperAntiSpyware, rebooted, and left it with Malwarebytes scanning.  It was a few hours later that the encryption (based on file dates and times) occurred.
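An added PowerShell example (not from the thread) for the policy check described in the last comment: it enumerates Software Restriction Policy path rules from the registry and flags Disallowed rules that point at the security-vendor folders named above, removing them only when run with -Remove. The vendor name list is an assumption to extend for whatever tools are deployed; run it elevated on the affected workstation.

```powershell
# Added example (not from the thread): audit SRP path rules for entries that
# block security tools, the tampering the asker found on the infected PC.
param([switch]$Remove)   # report only unless -Remove is given

# SRP security levels appear as numeric subkey names under CodeIdentifiers.
$levelName = @{ '0' = 'Disallowed'; '131072' = 'BasicUser'; '262144' = 'Unrestricted' }
# Folder name fragments to flag (assumption: the vendors named in the thread).
$watch = @('mcafee', 'symantec', 'trend micro', 'trendmicro')

$bases = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
         'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

$rules = foreach ($base in $bases) {
    if (-not (Test-Path $base)) { continue }
    foreach ($lvl in Get-ChildItem -Path $base) {
        if ($lvl.PSChildName -notmatch '^\d+$') { continue }
        $paths = Join-Path $lvl.PSPath 'Paths'
        if (-not (Test-Path $paths)) { continue }
        foreach ($rule in Get-ChildItem -Path $paths) {
            # Each rule is a GUID-named key; ItemData holds the path pattern.
            $data  = (Get-ItemProperty -Path $rule.PSPath).ItemData
            $lower = "$data".ToLower()
            $hit   = $false
            foreach ($w in $watch) { if ($lower.Contains($w)) { $hit = $true } }
            $name = $levelName[$lvl.PSChildName]
            if (-not $name) { $name = $lvl.PSChildName }
            New-Object PSObject -Property @{
                Hive       = $base.Split(':')[0]
                Level      = $name
                Path       = $data
                RuleKey    = $rule.PSPath
                # a Disallowed rule aimed at a security product is the tampering we want
                Suspicious = ($hit -and $lvl.PSChildName -eq '0')
            }
        }
    }
}

$rules | Sort-Object Suspicious -Descending |
    Format-Table Hive, Level, Suspicious, Path -AutoSize

# Remediation: delete only the flagged rules, leaving legitimate SRP policy alone.
if ($Remove) {
    $rules | Where-Object { $_.Suspicious } | ForEach-Object {
        Write-Host "Removing rule for $($_.Path)"
        Remove-Item -Path $_.RuleKey -Recurse -Force
    }
}
```

On a domain-joined machine, check whether the rules came from Group Policy before deleting them locally, since a policy refresh would otherwise put them back; a reboot after removal makes sure every new process start sees the cleaned policy.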
