computerlarry asked:
Not sure if computer has Ransomware. Want to act right away. What to do?
I saw an error with the backup (Retrospect)
I looked at the log, and I see an odd user name, and a file that ends with DECRYPT_INSTRUCTION.HTML
It's late now, so I can't talk to anybody.
I'm not sure if it's Ransomware
System has Trend Micro Total Secure
Windows 7 Pro
The user had reported that the computer took longer than usual to start up.
If it is Ransomware, I assume that I should isolate the machine - Unplug from the network.
What other steps should I take?
There is a cloud backup of files
This is a workstation connected to a server
Thanks
You need to isolate that machine immediately, as a minimum. You can identify the ransomware from the text in the message.
Any folders to which that machine has access are at risk. If you have SMB1 enabled the active component can be copied to other machines on the network.
This is immediate action.
Others will hopefully post here too with more detail (I am on a train with pretty limited access to my normal ransomware kit).
Yes, it seems like CryptoLocker symptoms... first isolate the PC from the network, then check the issues.
You can read about it here:
https://www.varonis.com/blog/cryptolocker/
Do it immediately.
If you have already removed the machine from the network (pulled the network cable and / or disconnected the wifi card), then I'd run a full malware scan on the server, but no reason to be concerned if it comes up clean.
For the PC, I'd wipe it and reimage - good to start from scratch periodically anyway.
Alan.
ASKER
What should I scan machines with? This might have gotten by Trend Micro Maximum Security
I like ESET, but anything is better than nothing.
For the PC, don't bother - just wipe it.
Alan.
ASKER
I see that the machine affected was an old server. I have remotely shut it down.
There are some shared files on an external USB drive.
Can I move that drive to another machine and scan from the other machine?
How do I determine if I have a clean USB drive?
Yes - there is little risk if you just connect it to run a scan, but if you want to be certain, connect it to an isolated machine, then scan.
Alan.
ASKER
This computer was connected to a Windows Server using Active Directory.
There is a local directory on the infected computer C:\Users\sahib.BPS.000
Is this directory a local copy of what's on the server?
Does it sync?
If so, have the damaged files been copied back to the server?
Only way to be sure is to check.
If this is a server, I am guessing you will have backups, so it should not be too major?
What is the date on the DECRYPT... files? That should tell you when the computer was hit.
Otherwise, good advice above. Immediately disconnect the computer from the network. The safest approach is to wipe and start over. If that's not practical, scan with a variety of tools (I'd also include Malwarebytes and SuperAntiSpyware) and make sure that they find the active virus program.
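The two points raised above, identifying the ransomware from the note text and dating the hit from the timestamps on the DECRYPT... files, can be turned into a small triage script that runs from a clean machine against a mounted copy of the suspect volume or share. The code below is an added example, not something posted in this thread or part of any vendor tool: it walks a directory tree, collects every file whose name looks like a ransom note (DECRYPT_INSTRUCTION is the pattern named in the thread; the other two patterns are assumptions added for illustration), records each note's modification time and a tag-stripped snippet of its text for identification, and reports the earliest and latest note date and the directories affected. The sample tree it builds is constructed inline so the script runs offline.

```python
import os
import re
import tempfile
from datetime import datetime, timezone
from typing import Dict, List

# Filename patterns typical of ransom notes. DECRYPT_INSTRUCTION is the one
# seen in the Retrospect log above; the other two are illustrative assumptions.
NOTE_PATTERNS = [
    re.compile(r"^DECRYPT_INSTRUCTION", re.IGNORECASE),
    re.compile(r"^HOW_TO_DECRYPT", re.IGNORECASE),
    re.compile(r"README.*DECRYPT", re.IGNORECASE),
]


def is_ransom_note(name: str) -> bool:
    """True if the bare filename matches one of the ransom-note patterns."""
    return any(p.search(name) for p in NOTE_PATTERNS)


def find_ransom_notes(root: str) -> List[Dict]:
    """Walk root and return one record per ransom note found.

    Each record holds the full path, the file's modification time in UTC
    (the 'date on the DECRYPT... files' that tells you when the machine was hit),
    and a short text snippet with HTML tags stripped, for identifying the family.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not is_ransom_note(fname):
                continue
            full = os.path.join(dirpath, fname)
            st = os.stat(full)
            try:
                with open(full, "r", errors="replace") as fh:
                    text = re.sub(r"<[^>]+>", " ", fh.read(4096))
                    snippet = " ".join(text.split())[:200]
            except OSError:
                snippet = ""
            hits.append({
                "path": full,
                "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc),
                "snippet": snippet,
            })
    return hits


def summarize(hits: List[Dict]) -> Dict:
    """Earliest/latest note timestamps and the set of directories that hold notes."""
    if not hits:
        return {"count": 0}
    times = sorted(h["mtime"] for h in hits)
    return {
        "count": len(hits),
        "earliest": times[0],
        "latest": times[-1],
        "dirs": sorted({os.path.dirname(h["path"]) for h in hits}),
    }


def build_sample_tree() -> str:
    """Constructed sample data: a temp tree with an old note, a recent note and a clean file."""
    root = tempfile.mkdtemp(prefix="triage_")
    old_dir = os.path.join(root, "Users", "olduser", "Documents")
    new_dir = os.path.join(root, "Shares", "Finance")
    os.makedirs(old_dir)
    os.makedirs(new_dir)
    old_note = os.path.join(old_dir, "DECRYPT_INSTRUCTION.HTML")
    new_note = os.path.join(new_dir, "HOW_TO_DECRYPT.txt")
    with open(old_note, "w") as fh:
        fh.write("<html><body><h1>Your files are encrypted</h1></body></html>")
    with open(new_note, "w") as fh:
        fh.write("Your files are encrypted. Contact the address in this note.")
    with open(os.path.join(new_dir, "report.docx"), "w") as fh:
        fh.write("ordinary document, not a note")
    # Backdate the mtimes: 2014-01-01 UTC for the old note, 2019-01-01 UTC for the new one.
    os.utime(old_note, (1388534400, 1388534400))
    os.utime(new_note, (1546300800, 1546300800))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    notes = find_ransom_notes(root)
    for n in notes:
        print(n["mtime"].isoformat(), n["path"], "|", n["snippet"])
    print(summarize(notes))
```

Run it against the real tree with `find_ransom_notes(r"\\server\share")` or a drive letter from an isolated machine. A wide gap between the earliest and latest note date, as in this thread where the notes turned out to be five years old, is the first clue that you are looking at leftovers from an earlier incident rather than an active one; a cluster of notes with the same recent timestamp across many shares points the other way.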
ASKER
Thanks to all! When I went in to look, I discovered a workstation that only had those instruction files on it. They were dated from 5 years ago, when there was some sort of malware attack. I was told that the infection was cleaned out then. We deleted all the files, which were in an old account, as well as the account itself.
I had disconnected the workstation from the network after installing Trend Micro Maximum Security. Did several scans which found nothing. All the other workstations have Trend Micro. I relocated the files to a new server which had Malwarebytes on it, and scanned there. Everything has been clean since.
Good to see your problem has been resolved. Happy to help you.
ASKER
Should I shut down the File Server?