Customer PC infected with Locky Ransomeware

[xrad 0]

Hi

 

Some of my customer pc's with nod32 installed have been infected with the "Locky Ransomware" virus. Nod32 did not initially detect the infection our customer noticed a rouge file on a backup drive.

 

I would like to get more information such as the entry point etc. How can I find this?

 

On investigation I noticed that a nod32 scan seemed to detect the infection was introduced via a rouge email. I could only get a low res screen shot of this. Is it possible to find this info from the logs and if so where do I look?

 

Best regards,

D. 

collector_log.txt

data_dir_list.txt

Processes.txt

[Marcos 5,074]

Please email the output from ESET Log Collector (hxxp://support.eset.com/kb3466/) to samples[at]eset.com. Do you know by chance what email client the user uses? If it's not supported and they receive email via IMAPS for instance, they would need to enable SSL filtering and IMAPS scanning to detect and block this kind of spammed threats (JS/Nemucod).

[xrad 0]

Thank you Macros

 

I will email the logs now. The user was using IE no client used (Private email). To the best of my knowledge the user is not authorised to use the system for private email as new business policy is in place now.

[xrad 0]

Does eset get back to you if you after submitting the eav_logs?

[Marcos 5,074]

Please drop me a pm with the email address that you submitted the files from. I was able to find only one ticket from July 13 where the reporter attached the ESET Log Collector's executable instead of the output archive containing logs. That submission came from <of..........er@f........r.net>.