Reyesrj (Guam) asked:
Ransomware

We just got hit by ransomware.
webmafia.asia.com.wallet.

We are trying to narrow down the time our system was infected.
How long does it take from the time the ransomware gets on the system to the time it makes itself known (when it starts to encrypt files)?
SOLUTION by akb (Australia)
This solution is only available to members of Experts Exchange.
SOLUTION by btan
This solution is only available to members of Experts Exchange.
SOLUTION
This solution is only available to members of Experts Exchange.
Reyesrj (asker):
Thanks everyone. At this point we just want to remove the ransomware. I can restore the data from backup but don't want to reinstall Windows. Is there a ransomware removal tool?
btan:
You cannot rely on traditional AV, and antimalware that comes in to remove it may not be totally clean, as there can be an exploit kit that calls back to retrieve and drop the ransomware on the victim machine to start the lockdown. It is better to use a clean machine - do consider it.

There is RansomNoteCleaner, though, but the crucial part is to remove the infection, for which you can try Malwarebytes Anti-Malware or its Anti-Ransomware. Actually, they are more from the preventive angle and not removal.
https://www.bleepingcomputer.com/download/ransomnotecleaner/

It is more worthwhile to have a clean-build machine and recover your data.
ASKER CERTIFIED SOLUTION
This solution is only available to members of Experts Exchange.
Reyesrj (asker):
Thank you all!
Most ransomware will not encrypt system files, as that defeats the purpose when the system becomes inoperable after the machine is rebooted. They skip the system32 folder and instead target user-specific file folders.
Reyesrj (asker):
Makes sense. I noticed certain files did not get touched. They were system files.

Thank you for pointing this out.
They may or may not touch files in the system32 folder, but there are plenty of others they will encrypt. They will likely encrypt all text files and images, many of which will cause issues with the system.
There is "amateur" ransomware which is in testing mode and not correctly developed, hence the fire-and-forget will normally just ruin the whole machine. The well-known ones typically will not touch those kernel system files because they are not user data, and the user is not bothered with them even if they are encrypted.
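As an added triage example (not from the thread or any of its participants): a Python script that walks a file tree, finds files carrying the ransom suffix the asker reported, and uses their modification times to bound when encryption ran and which folders were hit, which is the kind of timeline evidence the asker was after. The `.wallet` suffix comes from the thread; the directory tree built by `make_sample_tree` is constructed for the demo.

```python
import os
import tempfile
from dataclasses import dataclass, field

# Suffix the asker saw appended to encrypted files ("...com.wallet").
RANSOM_SUFFIX = ".wallet"


@dataclass
class EncryptionTimeline:
    count: int = 0
    first_seen: float = float("inf")  # epoch seconds of the earliest encrypted file
    last_seen: float = 0.0            # epoch seconds of the latest encrypted file
    per_dir: dict[str, int] = field(default_factory=dict)  # hits per top-level folder


def build_timeline(root: str, suffix: str = RANSOM_SUFFIX) -> EncryptionTimeline:
    """Walk `root` and record the spread of mtimes of files carrying the ransom
    suffix. The ransomware rewrites each file, so the earliest mtime bounds when
    encryption began and the latest when it finished or was stopped. Caveat: this
    dates encryption, not the initial compromise, and a family that restores the
    original timestamps defeats the heuristic."""
    tl = EncryptionTimeline()
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(suffix):
                continue
            mtime = os.path.getmtime(os.path.join(dirpath, name))
            tl.count += 1
            tl.first_seen = min(tl.first_seen, mtime)
            tl.last_seen = max(tl.last_seen, mtime)
            # Per-folder counts show which trees were hit (system32 vs user folders).
            top = os.path.relpath(dirpath, root).split(os.sep)[0]
            tl.per_dir[top] = tl.per_dir.get(top, 0) + 1
    return tl


def make_sample_tree() -> str:
    """Constructed sample: three encrypted user files plus an untouched system32 file."""
    root = tempfile.mkdtemp()
    files = {
        ("Users", "alice", "report.docx" + RANSOM_SUFFIX): 1_700_000_000,
        ("Users", "alice", "photo.jpg" + RANSOM_SUFFIX): 1_700_000_300,
        ("Users", "bob", "notes.txt" + RANSOM_SUFFIX): 1_700_000_600,
        ("Windows", "System32", "kernel32.dll"): 1_600_000_000,
    }
    for parts, ts in files.items():
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\x00" * 16)
        os.utime(path, (ts, ts))  # set atime/mtime to the constructed timestamp
    return root
```

Run `build_timeline` against the root of the affected volume; on a real host, correlate the resulting window with event logs and mail/web proxy records to work back from encryption start to the initial entry.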