Jump to content

Customer PC infected with Locky Ransomeware


xrad
 Share

Recommended Posts

Hi

 

Some of my customer pc's with nod32 installed have been infected with the "Locky Ransomware" virus. Nod32 did not initially detect the infection our customer noticed a rouge file on a backup drive.

 

I would like to get more information such as the entry point etc. How can I find this?

 

On investigation I noticed that a nod32 scan seemed to detect the infection was introduced via a rouge email. I could only get a low res screen shot of this. Is it possible to find this info from the logs and if so where do I look?

 

Best regards,

D. 

post-12915-0-77929900-1468341255_thumb.png

collector_log.txt

data_dir_list.txt

Processes.txt

Link to comment
Share on other sites

  • Administrators

Please email the output from ESET Log Collector (hxxp://support.eset.com/kb3466/) to samples[at]eset.com. Do you know by chance what email client the user uses? If it's not supported and they receive email via IMAPS for instance, they would need to enable SSL filtering and IMAPS scanning to detect and block this kind of spammed threats (JS/Nemucod).

Link to comment
Share on other sites

Thank you Macros

 

I will email the logs now. The user was using IE no client used (Private email). To the best of my knowledge the user is not authorised to use the system for private email as new business policy is in place now.

Link to comment
Share on other sites

  • Administrators

Please drop me a pm with the email address that you submitted the files from. I was able to find only one ticket from July 13 where the reporter attached the ESET Log Collector's executable instead of the output archive containing logs. That submission came from <of..........er@f........r.net>.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...