

Yet another Ransomware

Posted on 2016-09-21
Medium Priority
1 Endorsement
Last Modified: 2016-10-01
Client got the message below.

How can I be getting this issue with Sophos installed?

Is there a fix for us?



All your documents, photos, databases and other important personal files
were encrypted using strong RSA-1024 algorithm with a unique key.
To restore your files you have to pay 0.51076 BTC (bitcoins).
Please follow this manual:

1. Create Bitcoin wallet here:


2. Buy 0.51076 BTC with cash, using search here:


3. Send 0.51076 BTC to this Bitcoin address:


4. Open one of the following links in your browser to download decryptor:


5. Run decryptor to restore your files.


      - If you do not pay in 3 days YOU LOOSE ALL YOUR FILES.
      - Nobody can help you except us.
      - It`s useless to reinstall Windows, update antivirus software, etc.
      - Your files can be decrypted only after you make payment.
      - You can find this manual on your desktop (DECRYPT.txt).
Question by:Joseph Salazar
LVL 14

Expert Comment

by:Schnell Solutions
ID: 41809548
If the information is encrypted like the messages specify... if that is true... the solution is to restore that data from a backup. It is not feasible to fight against such strong encryption if it has been applied.

How could it have happened if Sophos was installed? Maybe a user was surfing the web and accepted malicious code somehow, or opened an email with something malicious in it. In conclusion, it usually happens with some user interaction and 'approval' of the bad process. :(

Author Comment

by:Joseph Salazar
ID: 41809552
Just logged into the computer and Sophos has been completely grayed out....

I cannot even turn it on....

Running NPE and Malwarebytes now.

Author Comment

by:Joseph Salazar
ID: 41809556
Found C:\users\Username\AppData\Local\Envtion\a2.exe

LVL 14

Expert Comment

by:Schnell Solutions
ID: 41809557
Maybe for making it even easier for the malware... it is possible that Sophos was not working at the moment of the encryption. Or maybe there was something that made Sophos stop working and then the second attack was conducted.

Just some ideas.
LVL 14

Expert Comment

by:Schnell Solutions
ID: 41809569
It is good to quit the ransomware before doing anything else, indeed. :) To make it less likely that it happens again. However, in my case I would prefer to back up the remaining valuable data and then just blow up anything there and refresh that system from scratch.
LVL 97

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 500 total points
ID: 41809640
How can I be getting this issue with Sophos installed.

First, you do realize the Ransomware creators WANT to infect you so they almost certainly have the same tools you use to block them.  That way, they can figure out how to get around the protection!  But your antivirus company generally has to SEE the virus before it can issue an update that can protect against it, so you got hit with a new version... and there'll be another new version tomorrow.  You think Microsoft is issuing updates fast?  Malware creators issue them FAR faster to evade detection.

So how do you avoid them?  EDUCATE YOUR USERS.  That is the single most important thing.  If you can't, they probably shouldn't be doing the job they're doing because these days, being able to learn about the technology you use in a minimal way to ensure you don't cripple the company should be a job requirement.

Second thing to do is to use a business class router/firewall/unified threat management (UTM) device that can scan incoming and outgoing data and catch things before they even get into the network.  MAKE NO MISTAKE, things will still get through, but it should reduce those that do.

Use web filtering capabilities in the UTM and a DNS filtering service like OpenDNS to help ensure the bad software can't reach you or the things it needs to reach to work.

Use a GOOD anti-spam solution, as a lot of these things come in as "UPS Delivery Notifications" or "Invoices", or "Faxes", among other things... a good spam filter can keep MOST of these away from your end users.

Then use a GOOD antivirus.  Sophos is supposedly good - I haven't used them in years.

Then properly secure your network's files.  Users should have access to only the things they NEED access to - Leaving everything open to everyone is a GREAT WAY to CRIPPLE your company (you may have just found that out).  If you limit access to those who need access, it limits the damage that can be done, which can DECREASE your restore time and DECREASE your productivity lost, and in some cases increase the chances that something like Shadow Copy can restore the infected files with less data loss than last night's backup.

THEN BACKUP.  INTELLIGENTLY.  Off site.  Regularly.

FINALLY, rely on the end user's TRAINING not to do things that will cause problems like this.

Security - and avoiding problems like this - is a multi-layered approach.  If you just want one or two layers, this will happen again.  And again. And again...

Your options now are to restore from backup... or pay the ransom.
LVL 88

Assisted Solution

rindi earned 500 total points
ID: 41809651
All AV software will be at least a step behind new malware. So particularly when something new comes out they won't be able to catch it. No AV software is foolproof. So in such a situation your only option is to remove all your PCs from the LAN so they can't encrypt further files on the LAN.

After that, the best thing is to re-image those PCs. Although a lot of ransomware removes itself automatically from the PC once it has finished its job, it is still likely that other malware is still active. After all, if someone falls for ransomware, it is also very likely that he will also fall for all sorts of other threats.

Once the probably infected PCs have been re-imaged, just restore your data from your backups.

For the future, make sure to make it harder for malware to get to your systems. Always make sure you only use a standard user account when you use the PC. Educate your users on how to use email and how to browse the web as safely as possible. Use application whitelisting so that only programs you have given the OK for can be executed. Disable macros for m$ Office documents, as that is how many of those viruses start. Or don't use m$ Office at all.
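The "standard user account plus application whitelisting" advice in the answer above rests on one idea: a standard user cannot write to the folders where administrator-installed programs live, so an allow-list keyed on those folders lets installed software run and refuses anything dropped into the user profile (such as the a2.exe under AppData\Local reported earlier in this thread). The following Python script is an added illustration of that rule logic, not code from this thread or from any vendor named in it. The policy, the rule layout and every sample path other than the a2.exe path from the thread are constructed for the example. Two details a practitioner would want: deny rules for user-writable folders inside C:\Windows take precedence over the broad allow rule, and the path is normalised first so a launch string containing `..` is judged by where the file really lives. Real enforcement is done by the operating system (for example Windows AppLocker, which the later comment mentions), and path rules alone are weaker than publisher or hash rules.

```python
import ntpath
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    root: str    # directory the rule covers, compared case-insensitively


# Constructed policy, modelled on the default-rule idea: executables an
# administrator installed (Program Files, Windows) may run; anything a
# standard user can write to (the user profile, removable media, ...) may not.
# The two deny rules cover user-writable folders inside C:\Windows that the
# broad allow rule would otherwise cover; deny always wins over allow.
POLICY: List[Rule] = [
    Rule("deny", r"C:\Windows\Temp"),
    Rule("deny", r"C:\Windows\Tasks"),
    Rule("allow", r"C:\Windows"),
    Rule("allow", r"C:\Program Files"),
    Rule("allow", r"C:\Program Files (x86)"),
]


def _is_under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """True if every component of root matches the start of path (case-insensitive)."""
    p = [part.lower() for part in path.parts]
    r = [part.lower() for part in root.parts]
    return p[: len(r)] == r


def evaluate(exe_path: str, policy: List[Rule] = POLICY) -> Tuple[str, Optional[str]]:
    """Return ("allow"|"deny", root of the matching rule, or None for the default deny)."""
    # Collapse ".." and "." first so C:\Windows\..\Users\...\x.exe is judged by
    # where it really lives, not by the text it was launched with.
    path = PureWindowsPath(ntpath.normpath(exe_path))
    matched = [rule for rule in policy if _is_under(path, PureWindowsPath(rule.root))]
    for rule in matched:
        if rule.action == "deny":
            return "deny", rule.root
    for rule in matched:
        if rule.action == "allow":
            return "allow", rule.root
    return "deny", None  # default deny: not under any administrator-controlled root


if __name__ == "__main__":
    # The first path is the one reported in this thread; the others are constructed.
    for sample in [
        r"C:\users\Username\AppData\Local\Envtion\a2.exe",
        r"C:\Windows\System32\notepad.exe",
        r"C:\Windows\Temp\dropper.exe",
        r"C:\Windows\..\Users\Username\Downloads\invoice.exe",
    ]:
        decision, rule = evaluate(sample)
        print(f"{decision:5} {sample}  (rule: {rule})")
```

Component-wise comparison matters: a plain string prefix test would treat `C:\Program Files (x86)` as lying under `C:\Program Files`, and a rule for `C:\Windows` would not be fooled, but a rule for a shorter root could match a sibling folder that merely shares its first characters.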
LVL 65

Expert Comment

ID: 41809855
I suspect you are in the same situation as in this, and the encrypted files should have the extension .crypted added to the filename.

Suggest you identify the ransomware in ID Ransomware or Crypto Sheriff; if the ransomware is identified as having a decryptor that can bypass the encryption without paying the ransom, then you may like to give it a try.

Make a clone of the files before uploading and disconnect your machine, as well as advise the customer to change their passwords for online web and social sites, esp. those using the same common password.

Augment your AV with anti-ransomware and application whitelisting such as Windows AppLocker, CryptoPrevent or SecureAPlus. There are anti-ransomware programs such as WinPatrol WinAntiRansom and Malwarebytes Anti-Ransomware suggested as preventive measures for consideration.
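The comment above expects the hit files to carry a .crypted extension, and the ransom message at the top of the thread names its note DECRYPT.txt. Before restoring from backup, a responder wants an inventory of exactly what was touched and a clean copy of one note plus one encrypted sample for the identification services mentioned. The following Python script is an added example, not code from this thread or from any of the tools it names: it walks a directory tree, counts files by their original type (the extension that preceded .crypted), lists the affected folders and the notes found, and records SHA-256 hashes of the copies set aside for upload so they can later be matched to the originals. The directory layout and file contents are constructed inline for the demonstration; only the .crypted suffix and the DECRYPT.txt name come from the thread.

```python
import hashlib
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".crypted"    # extension the comment above expects on encrypted files
NOTE_NAMES = {"decrypt.txt"}     # ransom-note name from the message in this thread (DECRYPT.txt)


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large samples do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(root) -> dict:
    """Inventory a tree: what was encrypted, where, and which copies to hash for identification."""
    root = Path(root)
    encrypted, notes = [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name.lower() in NOTE_NAMES:
            notes.append(path)
        elif path.suffix.lower() == ENCRYPTED_SUFFIX:
            encrypted.append(path)
    encrypted.sort()
    notes.sort()
    # The original type is whatever preceded .crypted (report.docx.crypted -> .docx).
    by_type = Counter(Path(p.stem).suffix.lower() or "(none)" for p in encrypted)
    affected_dirs = sorted({p.parent.relative_to(root).as_posix() for p in encrypted})
    # One note plus one encrypted sample is what identification services ask for;
    # keep their hashes so the uploaded copies can be matched to the originals later.
    to_identify = notes[:1] + encrypted[:1]
    return {
        "encrypted_count": len(encrypted),
        "by_original_type": dict(by_type),
        "affected_dirs": affected_dirs,
        "notes": [p.relative_to(root).as_posix() for p in notes],
        "identification_hashes": {p.relative_to(root).as_posix(): sha256_file(p) for p in to_identify},
    }


def build_sample_tree(root) -> None:
    """Constructed sample data: three 'encrypted' files, one note, two untouched files."""
    layout = {
        "Documents/report.docx.crypted": b"\x10\x42constructed-ciphertext-1",
        "Documents/budget.xlsx.crypted": b"\x10\x42constructed-ciphertext-2",
        "Pictures/holiday.jpg.crypted": b"\x10\x42constructed-ciphertext-3",
        "Pictures/README.md": b"untouched",
        "Desktop/DECRYPT.txt": b"All your documents, photos, databases ... were encrypted ...",
        "Desktop/notes.txt": b"untouched",
    }
    for rel, data in layout.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def run_demo() -> dict:
    """Build the constructed tree in a temporary directory, triage it, return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run `triage()` against a copy of the affected share, never against the live machine while it is still on the network; the per-folder and per-type breakdown also tells you whether the damage stopped at the user's own profile or reached shared data, which is the point the earlier answer makes about limiting file access.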
LVL 30

Expert Comment

by:Thomas Zucker-Scharff
ID: 41810548
I agree id-ransomware is an excellent way to go. Also check Nomoreransom.org.

Without backups you're pretty much up the creek. Definitely make a backup just in case a key becomes available.

Author Comment

by:Joseph Salazar
ID: 41819943
Thanks everyone. We ended up formatting and re-installing the desktop.

We deployed a Sophos router and Sophos on the desktop and will be getting the Intercept X anti-ransomware module when it comes out soon.

LVL 30

Accepted Solution

Thomas Zucker-Scharff earned 1000 total points
ID: 41820263
Intercept X looks to be an excellent piece of software.  I have been using HitmanPro.Alert/Cyberguard since before Sophos bought out SurfRight.  The Intercept X module is based on the HitmanPro.Alert software.  If you are a Sophos shop, this is the best way to go.  Others, like Cylance, claim 100% block rate when it comes to ransomware with few if any false positives.  Cryptodrop was also an excellent academic solution to the problem of ransomware (some companies have started to adopt the cryptodrop schema, which stops encryption malware after an average of 10 files have been encrypted).
LVL 65

Expert Comment

ID: 41820934
There is also CryptoTrap from TrapX for setting decoys to allow time for detection mechanisms to alert users.

Author Closing Comment

by:Joseph Salazar
ID: 41825019
