Noel Arriola
Hello security experts out there. It seems that we've been hit by a ransomware that adds an extension of {}.lock, which has propagated to our servers and possibly workstations. Has anyone encountered this issue? If so, what have you done to fix it other than restoring from backup, which is what we are doing?

Please advise. Your response would be greatly appreciated.
Russ Suter, Senior Software Developer

There are a handful of ransomware programs whose encryption has been cracked. You can find out about those here:

Other than that you have exactly two options:
1. Pay the ransom and hope it works
2. Restore from backups

It seems like you're already doing the 2nd which is definitely the better choice. Your focus now needs to be on prevention of future infections. There are a couple of things you can do that have proven largely (though not 100%) effective.

1. Create a group policy or local policy that prevents applications from running in unprotected spaces. CryptoPrevent uses this approach. Cryptolocker Prevention Kit is another.
2. If you have control over your mail server you can add filtering rules to automatically block attachments with .exe files in them.
3. If you have control over your firewall you can block IP ranges. Some ransomware programs use TOR but not all. This will work for those that don't.
4. This one is probably the hardest to implement and the most important. Educate your users!

I'm glad to hear you have backups. Too many of these stories end badly due to lack of advanced preparation.
btan, Exec Consultant (Distinguished Expert 2018)

First off, do isolate the machine (remove it from the internet and network) and change the login credentials, and those of any accounts using the same password. You can check the owner of the files stored in network shares by looking at their file properties, as this is likely the account used to further infect other files in the network shares.

It will be good to identify what ransomware family it belongs to, e.g. by uploading a sample to Cyber Sheriff or ID Ransom.

But from the name shared, it seems very similar to a past known crypto malware ransomware that encrypts all kinds of documents (e.g. doc, xls, xlsx, ...), database files (db, ...), .pst, .zip, .bak, .txt, ... and renames them as <filename>.<id>-<10 digit random number>. An antivirus program may not recognize it if this Funa@india is a new variant. Most likely it didn't just encrypt the files but also erased all the shadow copies. The network mapped drive's files would also be encrypted.

I recommend not paying the ransom, as there is no guarantee that you will get back the decryption key to restore your encrypted files, or that re-infection will not recur. Also, payment just feeds and supports what the attacker is doing - this may also have legal implications.

Instead you should check your existing backup store to get those files back. Also do rebuild from a clean slate instead of attempting to clean the machine - the ransomware was likely dropped by other malware that came in from user browsing (or clicking a URL in a phishing email), a compromised website, opening an infected email attachment, or opening a file from an unknown thumb drive, etc. The cleaning may be in vain as the reinfection may recur.

For long term preventive measures:
- remove users' administrator rights and remove them from the administrators group,
- employ application whitelisting to run only trusted and authorised apps (check out AppLocker),
- employ an anti-ransomware tool to augment the existing AV, e.g. Malwarebytes Anti-Ransomware or WinPatrol WinRansom,
- exercise diligence in taking regular backups, verify the backups and keep them off the machine and network mapped drives on a separate system, with a copy offsite if possible,
- employ other measures to prevent exploits, as AV may not be effective, e.g. Malwarebytes Anti-Malware and Anti-Exploit, Microsoft EMET or Sophos Intercept X (has a feature called CryptoGuard).
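The file-owner check btan describes in the first paragraph, as an added example that is not part of the thread: it inventories a share for files carrying the .lock extension from this incident and reports which account owns each. The share path, CSV location and column names are assumptions.

```powershell
# Added example, not from the thread. Inventories files on a share that carry the
# .lock extension seen in this incident and reports the owner of each, which is
# likely the account that encrypted them. Share path and CSV location are
# placeholders; run it read-only from an isolated admin workstation.
param(
    [string]$SharePath = '\\FILESERVER\Data',            # placeholder share
    [string]$Extension = '*.lock',
    [string]$ReportCsv = (Join-Path $env:TEMP 'lock-files-report.csv')
)

$rows = Get-ChildItem -Path $SharePath -Recurse -File -Force -Filter $Extension -ErrorAction SilentlyContinue |
    ForEach-Object {
        $owner = 'unknown'
        try { $owner = (Get-Acl -LiteralPath $_.FullName).Owner } catch { }
        [pscustomobject]@{
            Path          = $_.FullName
            Owner         = $owner
            LastWriteTime = $_.LastWriteTime
            SizeBytes     = $_.Length
        }
    }

if (-not $rows) { Write-Warning "No $Extension files found under $SharePath"; return }

# Full listing for the incident record; do not delete or rename the originals
$rows | Export-Csv -Path $ReportCsv -NoTypeInformation -Encoding UTF8

# Per-owner summary: which account wrote the encrypted files and over what window.
# The owner is the account to disable and re-credential; the time window tells
# you which backup generation predates the encryption.
$rows | Group-Object Owner | Sort-Object Count -Descending | ForEach-Object {
    $times = @($_.Group.LastWriteTime | Sort-Object)
    '{0,-40} {1,6} files  first {2:u}  last {3:u}' -f $_.Name, $_.Count, $times[0], $times[-1]
}
Write-Host "Full report written to $ReportCsv"
```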
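One way to implement Russ's item 1 (block programs launching from unprotected user-writable locations) with the AppLocker whitelisting btan recommends, as an added example that is not part of either post. The rule names, sample paths and the audit-first approach are assumptions; it needs an elevated shell on a Windows edition that supports AppLocker.

```powershell
# Added example, not from the thread. An AppLocker executable policy: allow the
# Windows and Program Files trees, let local administrators run anything, deny
# everything under a profile's AppData (which includes the user Temp folder).
# It starts in AuditOnly so per-user apps that live in AppData show up in the
# AppLocker event log before you switch EnforcementMode to Enabled.
# Rule names are ours; S-1-1-0 is Everyone, S-1-5-32-544 is BUILTIN\Administrators.
param([switch]$Apply)   # without -Apply the policy is only written and test-evaluated

function New-PathRule([string]$Name, [string]$Path, [string]$Action, [string]$Sid = 'S-1-1-0') {
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$(New-PathRule 'Allow Windows folder'        '%WINDIR%\*'                  'Allow')
$(New-PathRule 'Allow Program Files'         '%PROGRAMFILES%\*'            'Allow')
$(New-PathRule 'Allow local administrators'  '*'                           'Allow' 'S-1-5-32-544')
$(New-PathRule 'Deny execution from AppData' '%OSDRIVE%\Users\*\AppData\*' 'Deny')
  </RuleCollection>
</AppLockerPolicy>
"@
$policyFile = Join-Path $env:TEMP 'deny-appdata-exe.applocker.xml'
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

# Constructed sample paths. The two AppData ones are created empty so the test has
# a file to evaluate, then removed. Expect Allowed, Allowed, Denied, Denied.
$fake = @("$env:LOCALAPPDATA\Temp\invoice.pdf.exe", "$env:APPDATA\Updater\update.exe")
$fake | ForEach-Object { New-Item -ItemType File -Path $_ -Force | Out-Null }
$samples = @("$env:WINDIR\notepad.exe", "$env:ProgramFiles\Windows Defender\MpCmdRun.exe") + $fake
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
$fake | Remove-Item -Force

if ($Apply) {
    sc.exe config appidsvc start= auto | Out-Null   # AppLocker needs the Application Identity service
    Start-Service AppIDSvc
    Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
}
```

Review the AppLocker event log (Microsoft-Windows-AppLocker/EXE and DLL) for a few weeks of audit hits before changing EnforcementMode to Enabled, and add Allow rules for any legitimate per-user installers the audit reveals.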
Noel Arriola, Director of IT

Thanks for your contributions. I just wanted to add that we've had several ransomware attacks, almost one every month. We have instituted a system from Symantec called Advanced Threat Protection which is mainly focused on monitoring systems for any ransomware variants. However, this last one was not caught at all. We had one this month and one in each of the past 2 months. The interesting part is that we don't even get a ransom note either. We have already been educating our users through another service, so we've got that covered too, but obviously we have not been successful, so we just need to keep educating our users. The other thing is that I know that this is also coming from users who are accessing our remote desktop. Is there a better way for them to access remote desktop then?

Thank you for your assistance.
btan, Exec Consultant (Distinguished Expert 2018)

There are ransomware without notes; they just name the encrypted files with the email address for the victim to email them for further instructions. There are instances of using disposable email accounts which are not easily traceable. The criminal is just trying to lessen their footprint and make sure a true victim engages in ransom payment instead of any LE spoofing identity.

As for RDP, the spread is due to the use of weak passwords that allow brute force attempts to succeed. So you will need to review your RDP and password policy to make sure authentication can be levelled up to stronger passwords, and consider having 2FA instead of a simple username and password. Also consider not having RDP over the Internet, especially exposing servers unnecessarily to external threats.

Choosing a strong passphrase is preferred to a password. See
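A local audit of the RDP points raised above (RDP enabled, NLA required, firewall scope, lockout policy, and which source addresses are failing logons), as an added example that is not part of btan's post. The 24-hour window and the output labels are assumptions; run it elevated on the host that accepts RDP.

```powershell
# Added example, not from the thread. Audits one Windows host for the RDP
# exposure points discussed: is RDP on, is Network Level Authentication required,
# are the RDP firewall rules open to any address, what is the lockout policy, and
# which source addresses and accounts have been failing logons (Security 4625).
param([int]$Hours = 24)   # constructed default window

$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled  = (Get-ItemProperty $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0
$nlaRequired = (Get-ItemProperty "$ts\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication -eq 1

# Enabled inbound RDP rules whose remote scope is "Any" accept connections from
# every network the host can see, including the Internet if it is exposed there.
$openRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' } |
    Select-Object -ExpandProperty DisplayName

# "Lockout threshold: Never" means unlimited guesses, which is what brute force needs
$lockout = (net accounts) -match 'Lockout threshold'

Write-Host "RDP enabled           : $rdpEnabled"
Write-Host "NLA required          : $nlaRequired"
Write-Host "RDP rules open to Any : $($openRules -join ', ')"
Write-Host "$lockout"

# Failed logons in the window, grouped by source address and target account.
# With NLA, failed RDP attempts are logged as LogonType 3 rather than 10, so do
# not filter on type; one address trying many usernames, or many attempts against
# one account, is the brute-force pattern to look for.
$since = (Get-Date).AddHours(-$Hours)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Source    = $_.Properties[19].Value   # IpAddress field of event 4625
            User      = $_.Properties[5].Value    # TargetUserName
            LogonType = $_.Properties[10].Value
        }
    } |
    Group-Object Source, User |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name |
    Format-Table -AutoSize
```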
Russ Suter, Senior Software Developer
A few thoughts...

* Never rely on commercial products, especially Symantec, for detection and prevention of viruses. They're just not good at it. The only reason they're still around is that they once were useful and have a good marketing department.
* If you're getting ransomware as often as you say then you should definitely implement the preventative measures I listed in my first post. They aren't a 100% fix but they will certainly reduce your attack surface.
* Your users are in desperate need of training and education. Social engineering is by far the number one source of ransomware infection.
* You may not be seeing ransom notes because you're catching the ransomware before it gets a chance to finish. Most of the time ransomware programs won't make themselves known until they've done maximum damage or can no longer phone home.
* The 2FA idea that btan suggested is a good one. Look into Duo Security as an option. It's free for up to 10 users and cheap for more than that (as little as $1 per user per month) and it integrates well with RDP services.
Noel Arriola, Director of IT

OK, thanks. Much appreciated. I am already in communication with Duo Security.