
Ransomware source?


mj5150


One of our customers was infected with a couple variants of the ransomware, Win32/Filecoder.EM trojan and Win32/Injector.BYPX trojan. The HELP_RESTORE text files are all over the C: drive on the server they RDP to, dated from 04/17/2015, but the quarantined files are from 04/20/2015 and 04/23/2015. No text files on the network drives on the server.

 

How do I find where this infection came from? I thought checking the owner under properties would tell you the source of the infection. When I checked the properties of a handful of the text files, the owner is the user profile where the file is located.

 

Is there another way to find the source of the infection?

 

-Mike


I agree, but how do I find out which computer that was?

 

I have about 25 users, none of them can recall a suspicious e-mail/attachment. At least they aren't admitting it.

 

ESET quarantined the infection, but it is sitting in the C:\Users\<username> folder for a handful of users.

 

-Mike


  • Administrators

Is it that users log in to the network from various computers and thus knowing the owner won't help you identify the computer? If so, I'm afraid it won't be possible to find that computer if it's clean now and the infection doesn't occur any more.


Is it that users log in to the network from various computers and thus knowing the owner won't help you identify the computer? If so, I'm afraid it won't be possible to find that computer if it's clean now and the infection doesn't occur any more.

 

The issue is, the HELP_RESTORE text files showed several different owners, so it's hard to tell if all these people got infected at the same time, or if it came from one spot and then spread out to others.

 

I was told by another person once that all you need to do to find the source of the infection is check the owner of the HELP_RESTORE text file. Well, I checked and found at least nine or ten different owners when I checked a few of those files.

 

-Mike

Edited by mj5150
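As an added triage example that is not from this thread or from ESET: a PowerShell script that lists every HELP_RESTORE note on the server, tallies the notes by NTFS owner, and sorts owners by the time their first note was written, so the account whose notes appeared earliest stands out. The $Root and $NotePattern parameters are assumptions; the owner names the profile that wrote the note, not the machine it was written from.

```powershell
# Added example, not code from the thread. Tally ransom notes by NTFS owner
# and first-seen time so the earliest writer stands out. Assumes the notes are
# named HELP_RESTORE*, as in the thread, and that this runs elevated on the
# server the users RDP to. $Root is an assumption; point it at the drive to scan.
param(
    [string]$Root = 'C:\',
    [string]$NotePattern = 'HELP_RESTORE*'
)

# Collect every note with its owner and timestamps. -Force includes hidden
# files; access errors on protected folders are skipped rather than aborting.
$notes = Get-ChildItem -Path $Root -Filter $NotePattern -Recurse -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName
        [pscustomobject]@{
            Path        = $_.FullName
            Owner       = $acl.Owner
            Created     = $_.CreationTime
            LastWritten = $_.LastWriteTime
        }
    }

# One row per owner: how many notes, when the first one appeared, and where.
$summary = $notes |
    Group-Object Owner |
    ForEach-Object {
        $first = $_.Group | Sort-Object Created | Select-Object -First 1
        [pscustomobject]@{
            Owner     = $_.Name
            NoteCount = $_.Count
            FirstSeen = $first.Created
            FirstPath = $first.Path
        }
    } |
    Sort-Object FirstSeen

$summary | Format-Table -AutoSize

# Caveat: the owner is the account that wrote the note, i.e. the profile that
# ran the malware. On a shared RDP server that names a user, not a computer.
# To get the workstation, correlate the earliest FirstSeen with RDP logons in
# the Security log (event 4624 with logon type 10) for that user.
```

The earliest FirstSeen row is only a lead: if several owners' first notes cluster around the same time, the admin's suggestion that each user ran the same spammed attachment independently is just as consistent with the data.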

  • Administrators

Since Filecoders are often downloaded by massively spammed downloaders, it's quite likely that all those users ran a malicious file attached to a spammed email. It'd be good to have the ESET configuration reviewed and also to make sure that ESET Live Grid works on those machines as expected (you can use Cloudcar for this purpose, which is similar to eicar but its purpose is to test cloud blocking).

