santoso, Posted December 28, 2017 (edited December 28, 2017 by santoso)

Hello, our user was infected by the ..doc ransomware. All files got the ..doc extension. They said ESET was installed on this PC but could not detect it. Can ESET already detect this ransomware? If so, with which database version number? Is there any decryptor we can use? Please help, thank you.
Marcos (Administrator), Posted December 28, 2017

The files were encrypted by Filecoder.FV. Unfortunately, decryption is not possible. It's likely that an attacker carried out a brute-force RDP attack, remoted in, disabled ESET and ran the ransomware. Most ransomware removes itself after it finishes encrypting the files. I'd recommend restricting RDP connections to specific IP addresses or subnets and using stronger passwords.
santoso, Posted December 29, 2017 (edited January 2, 2018 by santoso)

On 12/28/2017 at 6:38 PM, Marcos said:
The files were encrypted by Filecoder.FV. Unfortunately, decryption is not possible. It's likely that an attacker carried out a brute-force RDP attack, remoted in, disabled ESET and ran the ransomware. Most ransomware removes itself after it finishes encrypting the files. I'd recommend restricting RDP connections to specific IP addresses or subnets and using stronger passwords.

Thank you Marcos, we will inform our user.

Another case about ransomware: this user said their PC was infected by the Cryakl ransomware and sent us an infected file. I then uploaded it to ID Ransomware and the result was Cry36; the file extension is not changed. Can ESET already detect this ransomware? If so, with which database version number? Thank you for the information.
Marcos (Administrator), Posted December 29, 2017

1 hour ago, santoso said:
Another case about ransomware: this user said their PC was infected by the Cryakl ransomware and sent us an infected file. I then uploaded it to ID Ransomware and the result was Cry36; the file extension is not changed. Can ESET already detect this ransomware? If so, with which database version number?

Unfortunately, without getting a sample or at least a hash of the ransomware we cannot tell whether it's detected or not. According to the information I've found, we probably detect it as Win32/Filecoder.NDT or Win32/Filecoder.NHT. Even if the ransomware family is known, there can be numerous variants of it.

Remember that even if a particular ransomware sample is detected, attackers often carry out brute-force RDP attacks, disable or uninstall the security software and then run the ransomware to encrypt files and extort money from the victim. We strongly recommend setting a password to protect ESET's settings and to prevent protection modules from being easily disabled or the ESET security product from being uninstalled. Other things to consider are:
- enabling detection of potentially unsafe applications (covers tools that can be used to kill protected services)
- hardening RDP (e.g. restricting connections to specific IP addresses or ranges, using more complex passwords, denying logon through RDP for users who don't need it, etc.)
- using a fully supported OS and installing all critical security patches that are available, etc.
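As an added example, not part of the thread or ESET's own tooling, the following PowerShell script applies the RDP hardening points Marcos lists (scoping RDP to trusted addresses, requiring Network Level Authentication, pruning RDP-capable accounts) and then reviews failed RDP logons to spot a brute-force attempt. It assumes an elevated shell on Windows 10 / Server 2016 or later with the NetSecurity and LocalAccounts modules; the subnet and account names are constructed placeholders.

```powershell
# Added example, not from the forum thread. Run from an elevated PowerShell on the host.
# Placeholder values (constructed): replace with the management subnet and accounts you trust.
$AllowedRdpSources = @('10.0.50.0/24')
$AccountsNeedingRdp = @('CONTOSO\helpdesk-rdp')

# 1. Scope the built-in "Remote Desktop" firewall rules to the allowed source addresses only,
#    so a brute-force attempt from the internet never reaches the RDP listener.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Set-NetFirewallRule -RemoteAddress $AllowedRdpSources

# 2. Require Network Level Authentication: credentials are validated before a session exists.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1 -Type DWord

# 3. Keep only the accounts that need RDP in the "Remote Desktop Users" group.
#    Note: members of Administrators can still use RDP; to block specific users outright,
#    assign the "Deny log on through Remote Desktop Services" right via Group Policy.
Get-LocalGroupMember -Group 'Remote Desktop Users' |
    Where-Object { $_.Name -notin $AccountsNeedingRdp } |
    ForEach-Object { Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member $_.Name }

# 4. Detection: failed logons (Security event 4625) in the last 24 hours, grouped by source IP.
#    Interactive RDP failures are logon type 10; with NLA enabled they are usually recorded
#    as logon type 3 instead, so both are included. A single source with many failures is
#    the brute-force pattern described in the thread.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            LogonType = ($data | Where-Object Name -eq 'LogonType').'#text'
            Source    = ($data | Where-Object Name -eq 'IpAddress').'#text'
            Account   = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        }
    } |
    Where-Object { $_.LogonType -in @('3', '10') } |
    Group-Object Source |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'SourceIP'; e = { $_.Name } }, Count -First 10
```

Steps 1 to 3 change host configuration, so test them on one machine before rolling them out; step 4 is read-only and can be scheduled as a periodic check.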