Jump to content

..doc ransomware

santoso

By santoso
in Malware Finding and Cleaning

 Share

Recommended Posts

santoso

santoso 7

Posted
Posted (edited)

hello,

our user infected by ..doc ransomware. All files become ..doc extention
they said Eset installed in this pc but cannot detect it

is eset already can detect this ransomware? if can, with database version number?
is there any decryptor we can use?

please help, thank you.

Edited by santoso
Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 5,070

Posted
  • Administrators
Posted

The files were encrypted by Filecoder.FV. Unfortunately, decryption is not possible. It's likely that an attacker carried out a bruteforce RDP attack, remoted in, disabled ESET and ran the ransomware. Most of ransomware is self-removed after they finish encryption of files.

I'd recommend restricting RDP connections to specific IP addresses or subnets and using stronger passwords.

Link to comment
Share on other sites
santoso

santoso 7

Posted
  • Author
Posted (edited)
On 12/28/2017 at 6:38 PM, Marcos said:

The files were encrypted by Filecoder.FV. Unfortunately, decryption is not possible. It's likely that an attacker carried out a bruteforce RDP attack, remoted in, disabled ESET and ran the ransomware. Most of ransomware is self-removed after they finish encryption of files.

I'd recommend restricting RDP connections to specific IP addresses or subnets and using stronger passwords.

Thank you marcos,

we will inform to our user.

another case about ransomware, this user said their pc infected by Cryakl ransomware and send us infected file. then i upload to id-ransomware and the result is Cry36
the files extention is not change.

 


is eset already can detect this ransomware? if can, with database version number?

thank you for information.

Edited by santoso
Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 5,070

Posted
  • Administrators
Posted
1 hour ago, santoso said:

Another case about ransomware, this user said their pc infected by Cryakl ransomware and send us infected file. then i upload to id-ransomware and the result is Cry36
the files extention is not change.
Is eset already can detect this ransomware? if can, with database version number?

Unfortunately, without getting a sample or at least a hash of the ransomware we cannot tell if it's detected or not. According to the information I've found, we probably detect it as Win32/Filecoder.NDT or Win32/Filecoder.NHT. Even if the ransomware family is known, there can be numerous variants of it. Remember that even if a particular ransomware sample is detected, attackers often carry out bruteforce RDP attacks, disable or uninstall the security software and then run the ransomware to encrypt files and extort money from the victim.

We strongly recommend setting a password to protect ESET's settings and to prevent protection modules from being easily disabled or the ESET security product from being uninstalled. Another things to consider are:
- enabling detection of potentially unsafe applications (cover tools that can be used to kill protected services)
- hardening RDP (e.g. restricting connections to specific IP addresses or ranges, using more complex passwords, denying logon through RDP for users who don't need it, etc.)
- using a fully supported OS and installing all critical security patches that are available, etc.

Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...