
How to find out what end user let the ransomware in?


Solved by EricJ

Is there a straightforward way to find out which end user clicked on the phishing email that let the ransomware in?

I know on a smaller network it might be easy to look through emails, but on a much larger-scale network this may not work. I know I can look at the properties of a shared drive that was encrypted, but this is not totally accurate, since a lot of different users can be accessing this share.


EricJ (Former ESET Employee), marked as solution:

Hello tmuster2k,

Just adding my 2 cents; however, the best way I've seen to locate the user that was initially infected is to run a scan of all computers and check for detections of ransom notes on the systems' local %systemdrive%. ESET should detect ransom notes and log these as threats. At that point, it's a matter of reviewing your scan information/logs to look for these detected ransom notes.

Ransom notes are typically text files that are placed in the same directory as encrypted documents; they usually have names similar to 'help-decrypt.txt' or 'recover-files.txt'. If you find a computer with detected ransom notes on the system drive, then it's likely the filecoder infection was run from that computer. If it's a computer with multiple users, check the C:\Users directories to see which users have ransom notes/encrypted files.


Additionally, you can check ownership of these ransom-note files. This method is typically unreliable, though. In my experience, the ownership is usually set to a group such as 'Users' or 'Administrators'. Steps:
- Locate a ransom note
- Right-click, select Properties
- Click on the "Security" tab
- Click 'Advanced'
- Click the Owner tab, and you should be able to view the owner of the file

Hopefully this information helps!

 

Regards,

EricJ

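The sweep EricJ describes (look for ransom notes on each machine's system drive, see which profile under C:\Users they sit in, and read the NTFS owner) can be scripted so it scales past a handful of hosts. The following PowerShell is an added example and is not code from the forum post or from ESET; the note-name wildcards, the hostnames 'WS01', 'WS02', 'FS01' and the function name Find-RansomNotes are assumptions for illustration. It also records each note's creation time, since the oldest note on the oldest host is usually the best first lead on where the filecoder actually ran.

```powershell
# Added example (not from the original ESET forum post).
# Sweeps the system drive of one or more Windows hosts for ransom-note files and
# reports, per hit: the host, the C:\Users profile it sits in, the NTFS owner
# and the creation time. Note-name patterns and hostnames are assumptions;
# adjust them to the family you are dealing with.

function Find-RansomNotes {
    [CmdletBinding()]
    param(
        # Hosts to sweep; defaults to the local machine. Remote hosts need WinRM.
        [string[]] $ComputerName = @($env:COMPUTERNAME),

        # Wildcards for typical note file names (assumed; extend per family).
        [string[]] $NotePattern = @('*help*decrypt*', '*recover*files*',
                                    '*restore*files*', '*how*to*decrypt*',
                                    '*readme*decrypt*')
    )

    # Runs on each target. Self-contained so Invoke-Command can ship it as-is.
    $sweep = {
        param([string[]] $Patterns)
        $root = Join-Path $env:SystemDrive '\'
        Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object {
                $name = $_.Name
                @($Patterns | Where-Object { $name -like $_ }).Count -gt 0
            } |
            ForEach-Object {
                # "Check the C:\Users directories": pull the profile name from the path.
                $profileUser = $null
                if ($_.FullName -match '^[A-Za-z]:\\Users\\([^\\]+)\\') {
                    $profileUser = $Matches[1]
                }

                # "Check ownership": NTFS owner. As the post warns, this is often a
                # group such as BUILTIN\Users rather than the user who ran the malware.
                $owner = 'n/a'
                try { $owner = (Get-Acl -LiteralPath $_.FullName).Owner } catch { }

                [PSCustomObject]@{
                    Computer     = $env:COMPUTERNAME
                    Path         = $_.FullName
                    ProfileUser  = $profileUser
                    Owner        = $owner
                    CreationTime = $_.CreationTimeUtc
                }
            }
    }

    foreach ($c in $ComputerName) {
        if ($c -eq $env:COMPUTERNAME) {
            & $sweep $NotePattern
        } else {
            # (,$NotePattern) passes the whole array as a single argument.
            Invoke-Command -ComputerName $c -ScriptBlock $sweep -ArgumentList (,$NotePattern)
        }
    }
}

# Usage: sweep a few hosts (placeholder names) and list hits oldest first.
# The earliest CreationTime, and the profile it falls under, is the first
# machine/user to go look at; confirm against the ESET detection logs.
Find-RansomNotes -ComputerName 'WS01', 'WS02', 'FS01' |
    Sort-Object CreationTime |
    Format-Table Computer, CreationTime, ProfileUser, Owner, Path -AutoSize
```

Two caveats when reading the output. First, a full recursive walk of the system drive is slow; on a large estate run it from a management host over WinRM and let the hosts work in parallel rather than looping serially. Second, if ESET already detected and cleaned the notes as threats, the files will be gone from disk and this sweep finds nothing, in which case the detection logs EricJ mentions are the record to work from, and the same fields (host, path under C:\Users, time) apply to them.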
