Ransomware attack?

While using Mozilla Firefox to browse the Internet, I suddenly got a pop-up window followed by a dialogue which appeared to be prompting me for my Microsoft credentials. It was accompanied by an audio announcement proclaiming that I might be the victim of ransomware. Under the circumstances, I concluded that providing my credentials would not be prudent. Instead, I chose to restart the system. While the system was coming up – I can't remember whether it was before or after I logged in – a message appeared on the screen indicating that two files were being removed from Programs.

While under an apparent attack, I guess I could have lingered longer in order to collect more information. Instead, in order to minimize the damage, I chose to bail out as soon as possible. Whether this was a genuine attack or a farce, I could not tell you. I guess I'm wondering a couple of things. Are there Windows logs I can check to determine what might have occurred? In particular, I'm interested in finding out what generated the message indicating that two files were being removed from Programs.

I generate a backup of the system disk on a nightly basis. So, in the event something bad has actually happened, I can restore the system to a previous state.
babyb00mer Asked:

Bembi (CEO) Commented:
Ransomware usually stays a while on the machine before you get messages... Such software usually encrypts files and this may take a while...
And ransomware usually encrypts not only files on the local machine but also on USB sticks / discs as well as on network drives...
My impression is that the one possibly has nothing to do with the other...
The message that two files are deleted may also be a message from a virus scanner...

Nevertheless change the password(s) which may be affected...

To be on a safe path - if you want to find out what happened...
a.) First of all you should have a copy of your disc. A backup can already be infected. And a backup (i.e. an image backup) has to be restored first. It should be a separate disc.
This disc can be attached to any (clean) computer and your files are there in a (hopefully) unencrypted state...
As there are no services or OS running on such a disc, it usually cannot infect a clean system... (as long as you do not click on something suspicious...)
b.) You should not connect the possibly infected computer to a network as long as you are not sure if it is affected or not.
c.) On the possibly infected system you may scan the system with several tools, e.g. MalwareBytes or similar.
As long as it is not a completely new ransomware, it should find it.
d.) Check the virus scanner log, if you can find something, e.g. about the deleted files...
Maybe the virus scanner detected the malware...
e.) Check the drive for unusual file extensions; ransomware usually encrypts your documents, more seldom files from the OS.
So you may inspect your office files / documents and similar.

If you restore your computer from an image backup, make sure the backup is clean.
0
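Step e) of the advice above, as an added PowerShell example that is not part of the thread: it lists files under the user profile changed since the incident and groups them by extension, so a burst of files sharing one unfamiliar extension, or a ransom note dropped into many folders, stands out. $Since, $Root and the $Known list are assumptions to adjust for the machine.

```powershell
# Added example (not from the thread): triage a drive for ransomware traces.
# Nothing here deletes or changes files; it only reports.
# $Since and $Root are assumptions; set them to the incident time and drive.

$Since = (Get-Date).AddHours(-6)
$Root  = $env:USERPROFILE

# Extensions a home user normally has; anything else is reported, not deleted.
$Known = '.txt','.docx','.doc','.xlsx','.xls','.pptx','.pdf','.jpg','.jpeg',
         '.png','.gif','.mp3','.mp4','.zip','.ini','.lnk','.dat','.log','.json','.xml'

$Changed = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
           Where-Object { $_.LastWriteTime -ge $Since }

"Files changed since $Since under ${Root}: $($Changed.Count)"

# Many files sharing one unknown extension is the classic encryption signature.
$Changed |
  Where-Object { $Known -notcontains $_.Extension.ToLower() } |
  Group-Object { $_.Extension.ToLower() } |
  Sort-Object Count -Descending |
  Select-Object -First 15 Count, Name,
    @{n='Example';e={ $_.Group[0].FullName }} |
  Format-Table -AutoSize

# Ransom notes are usually small text/HTML files with the same name in many folders.
$Changed |
  Where-Object { $_.Extension -in '.txt','.html','.hta' -and $_.Length -lt 20KB } |
  Group-Object Name | Where-Object Count -gt 3 |
  Select-Object Count, Name | Format-Table -AutoSize
```

Run it on the suspect system only when it is disconnected from the network, as point b) above recommends; an empty result for both tables is the expected outcome of a scareware pop-up that never ran code.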

babyb00mer (Author) Commented:
I don't know whether I'm looking at the right log, or using it properly, but below are excerpts from today's Windows security log. I will admit that I'm not presenting them in a very organized fashion. In particular, the timestamps are missing, but I assure you that the ones I've included are in chronological order.


The event logging service has shut down.

Boot Configuration Data loaded.

The Per-user audit policy table was created.

A logon was attempted using explicit credentials.

A logon was attempted using explicit credentials.

An account was successfully logged on.
An account was successfully logged on.
An account was successfully logged on.

Special privileges assigned to new logon.

Privileges:            SeAssignPrimaryTokenPrivilege
                  SeTcbPrivilege
                  SeSecurityPrivilege
                  SeTakeOwnershipPrivilege
                  SeLoadDriverPrivilege
                  SeBackupPrivilege
                  SeRestorePrivilege
                  SeDebugPrivilege
                  SeAuditPrivilege
                  SeSystemEnvironmentPrivilege
                  SeImpersonatePrivilege
                  SeDelegateSessionUserImpersonatePrivilege
Special privileges assigned to new logon.

Privileges:            SeAssignPrimaryTokenPrivilege
                  SeTcbPrivilege
                  SeSecurityPrivilege
                  SeTakeOwnershipPrivilege
                  SeLoadDriverPrivilege
                  SeBackupPrivilege
                  SeRestorePrivilege
                  SeDebugPrivilege
                  SeAuditPrivilege
                  SeSystemEnvironmentPrivilege
                  SeImpersonatePrivilege
                  SeDelegateSessionUserImpersonatePrivilege

A security-enabled local group membership was enumerated.
      Security ID:            BUILTIN\Administrators
A security-enabled local group membership was enumerated.
      Security ID:            BUILTIN\Backup Operators

The Windows Firewall Driver started successfully.

An account was logged off.

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
The Windows Firewall service started successfully.

An account was successfully logged on.

Logon Information:
      Logon Type:            5
      Restricted Admin Mode:      -
      Virtual Account:            No
      Elevated Token:            Yes

Impersonation Level:            Impersonation

Cryptographic operation.

Cryptographic Parameters:
      Provider Name:      Microsoft Software Key Storage Provider
      Algorithm Name:      RSA
      Key Name:      {F2D24C4B-CF1C-4FC3-AD80-89FF81F76DA2}
      Key Type:      User key.

Cryptographic Operation:
      Operation:      Open Key.
      Return Code:      0x0

An account was successfully logged on.


Subject:
      Security ID:            NULL SID
      Account Name:            -
      Account Domain:            -
      Logon ID:            0x0

Logon Information:
      Logon Type:            3
      Restricted Admin Mode:      -
      Virtual Account:            No
      Elevated Token:            No


Impersonation Level:            Impersonation

New Logon:
      Security ID:            ANONYMOUS LOGON
      Account Name:            ANONYMOUS LOGON



It's interesting that nothing in the log assigns an alert level to the events. Consequently, I don't know whether these are innocuous events or ones about which I should be concerned.
0
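The messages quoted above can be pulled back out of the Security log with the timestamps, event IDs and audit result the pasted excerpt lacks, and the Defender log is where a scanner removing files at boot would record it. This is an added PowerShell example, not something from the thread; the time window and the assumption that Windows Defender (rather than another scanner) did the removal are mine.

```powershell
# Added example (not from the thread): read the Security log with timestamps and
# event IDs, then look in the Windows Defender log for detections/removals.
# Run from an elevated PowerShell prompt. The time window is an assumption.

$Start = (Get-Date).Date          # today 00:00; narrow to the incident time
$End   = Get-Date

# Well-known Security log IDs behind the messages in the excerpt:
#   1100 event logging service shut down   4624 successful logon
#   4634 account logged off                4648 logon with explicit credentials
#   4672 special privileges assigned       4798 local group membership enumerated
#   5061 cryptographic operation
$SecIds = 1100, 4624, 4634, 4648, 4672, 4798, 5061

Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = $SecIds; StartTime = $Start; EndTime = $End
} -ErrorAction SilentlyContinue |
  ForEach-Object {
    # Logon type, account and process live in the event's XML payload.
    $x = [xml]$_.ToXml()
    $d = @{}
    $x.Event.EventData.Data | Where-Object { $_.Name } |
      ForEach-Object { $d[$_.Name] = $_.'#text' }
    [pscustomobject]@{
      Time      = $_.TimeCreated
      Id        = $_.Id
      # Security events carry no severity; the keyword says Audit Success/Failure.
      Audit     = ($_.KeywordsDisplayNames -join ',')
      LogonType = $d['LogonType']     # 2 interactive, 3 network, 5 service
      Account   = $d['TargetUserName']
      Process   = $d['ProcessName']
    }
  } | Sort-Object Time | Format-Table -AutoSize

# Defender logs a detection as 1116 and the action taken (e.g. quarantine) as 1117.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id = 1116, 1117; StartTime = $Start
} -ErrorAction SilentlyContinue |
  Select-Object TimeCreated, Id, @{n='Message';e={ $_.Message.Split("`n")[0] }} |
  Format-Table -Wrap
```

A logon type 5 with an elevated token is a service starting at boot, and a type 3 ANONYMOUS LOGON with a NULL SID subject is routine network negotiation; both are normal around a restart, and it is the Audit Failure rows and any Defender 1117 entries that deserve a second look.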
Dmitri Farafontov (Linux Systems Admin) Commented:
Have you actually performed any scans with antivirus software, as recorded above?
0
jorge diaz (SE) Commented:
Without looking at the configuration, I'd dare to bet you $10 it was simply malware; most likely a browser plugin got installed and they tried to scare the heck out of you. Assume that since you got the logs from your system you're able to work on your system, so it was not the real ransomware. The browser plugin is still installed in Firefox, so if you use it there's a pretty good chance it'll pop up again; if you use Chrome or any other browser it won't.
0
arnold Commented:
Did the prompt include a phone number to call to resolve the issue?
It was likely a fake as was mentioned earlier.
0
babyb00mer (Author) Commented:
Yeah, I'm thinking it was probably a hoax. I did download, install and run the trial version of the Malwarebytes application. It claimed to have found 56 potentially harmful items on my system. I went ahead and allowed it to "quarantine" them. I don't mind installing a third-party product, but I can't help wondering why Windows Defender isn't providing similar protection.
0
babyb00mer (Author) Commented:
And, no, I did not notice a phone number. To thwart the intruder and minimize damage, my priority was shutting the system down as quickly as possible. This is the first bogus attack I've received which masqueraded as Ransomware.
0
Dmitri Farafontov (Linux Systems Admin) Commented:
Might want to try Kaspersky offline CD as well.
0
arnold Commented:
Looking at the URL in the Firefox history may help identify the source of the mal-ad...
0
Umbra (Emsisoft Community Manager) Commented:
Probably just a scam site.

To be sure, download and install Emsisoft Anti-Malware > do a scan; it may find malware or PUPs (Potentially Unwanted Programs), if any.
0
Dmitri Farafontov (Linux Systems Admin) Commented:
MBAM on extended scan should be plenty. For extra paranoid points there is always offline scan as I had suggested.
0
Bembi (CEO) Commented:
MalwareBytes may find more items than a usual virus scanner, but not everything MalwareBytes finds is really dangerous. It is sometimes just a good option to see what another virus and malware scanner complains about, and sometimes MalwareBytes also finds e.g. registry keys which are dead (because detected before) but left over. So you may inspect the result and maybe google a little bit about the findings. Note that for every virus/malware a process is necessary, i.e. a program that runs on the machine. If a virus scanner identified a process and quarantined the file, it is possible that some settings are left over, which can give a hint to a previous infection but are not really dangerous. MalwareBytes also finds such settings and proposes to remove them.

Looking into the Firefox history as Arnold proposed is also a good idea to identify what you have clicked on. You may narrow it down by the time you got the message.

There are a lot of websites which show pop-ups telling you your system is infected, to push you to download a "virus scanner" or similar things. Usually a website is not able to detect viruses without installing at least some piece of software. This is mostly the intention of such websites: you catch the virus if you follow such pop-ups. But it is also possible that it was just a fake or a phishing attack.

--> So better change your passwords wherever the given password was used before. Just a precaution.

Your event log doesn't show me anything that looks suspicious. But I would not expect to find something there.
0
babyb00mer (Author) Commented:
As suggested by a number of the participating experts, I suspect that this was a bogus attack. Nonetheless, I did install Malwarebytes – although my guess is any number of similar applications are just as good.

I'm not familiar with the concept of impersonation levels, but finding that in the log was a little disconcerting. I'm accepting on faith and the feedback from the experts that this message is innocuous.
0
Windows 10