to Bleeping Computer.
There are an increasing number of crypto ransomware variants being released these days. Just look at our forums and the list here, which I seem to be updating daily.
There have been reports that some victims have encountered crypto malware following a previous infection from one of several botnets (such as Zbot, frequently used in the cyber-criminal underground) which downloads and executes the ransomware as a secondary payload from infected websites...see US-CERT Alert (TA13-309A). US-CERT also advises that some ransomware variants have the ability to find and encrypt files located within shared (or mapped) network drives, USB drives, external hard drives, network file shares and even some cloud storage drives.
It appears this may be what you are encountering, and the primary malware infection is most likely creating this new user profile.
Have you been able to identify the ransomware itself? Are there any file extensions appended to your files...such as .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .CTBL, .CTB2, .crinf, .XTBL, .encrypted, .vault, .HA3, .toxcrypt, or a 6-7 length extension consisting of random characters?
Did you find any ransom note? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp or .url file.
These are some examples:
HELP_DECRYPT.TXT, HELP_YOUR_FILES.TXT, HELP_TO_DECRYPT_YOUR_FILES.txt, HELP_RESTORE_FILES.txt
HELP_TO_SAVE_FILES.txt, RECOVERY_KEY.txt, DecryptAllFiles.txt, DECRYPT_INSTRUCTION.TXT
HOW_TO_DECRYPT_FILES.txt, How_To_Recover_Files.txt, About_Files.txt, encryptor_raas_readme_liesmich.txt
About_Files.txt, DecryptAllFiles_<user name>.txt, ReadDecryptFilesHere.txt
RECOVERY_FILES.txt, DecryptAllFiles_*******.txt (where * are 6-7 random characters)
Recovery_File_*****.txt, restore_files_*****.txt (where * are random characters)
recover_file_*****.txt, HOWTO_RESTORE_FILES_*****.txt (where * are random characters)
howto_recover_file_*****.txt, _how_recover_*****.txt (where * are random characters)
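A defender-side way to run the checks suggested above across a whole machine, added here as an example and not part of the original post: the script walks a directory tree and flags files whose names match the ransom-note names listed in the post (including the wildcard forms), files carrying one of the listed appended extensions, and, as a heuristic, files where a familiar document extension is followed by a 6-7 character random-looking extension. The set of "familiar" document extensions and the sample directory tree built by `demo()` are constructed for this example and are not from the post.

```python
"""Scan a directory tree for the ransomware indicators described in the post:
known ransom-note file names and known or suspicious appended extensions.
Added example; the sample tree in demo() is constructed, not real victim data."""
import fnmatch
import os
import re
import shutil
import tempfile

# Ransom-note names taken from the post (compared case-insensitively).
RANSOM_NOTE_NAMES = {
    "help_decrypt.txt", "help_your_files.txt", "help_to_decrypt_your_files.txt",
    "help_restore_files.txt", "help_to_save_files.txt", "recovery_key.txt",
    "decryptallfiles.txt", "decrypt_instruction.txt", "how_to_decrypt_files.txt",
    "how_to_recover_files.txt", "about_files.txt",
    "encryptor_raas_readme_liesmich.txt", "readdecryptfileshere.txt",
    "recovery_files.txt",
}
# Wildcard forms from the post (the * stands for the random characters).
RANSOM_NOTE_GLOBS = [
    "decryptallfiles_*.txt", "recovery_file_*.txt", "restore_files_*.txt",
    "recover_file_*.txt", "howto_restore_files_*.txt",
    "howto_recover_file_*.txt", "_how_recover_*.txt",
]
# Extensions the post lists as appended to encrypted files.
ENCRYPTED_EXTENSIONS = {
    ".ecc", ".ezz", ".exx", ".zzz", ".xyz", ".aaa", ".abc", ".ccc", ".ctbl",
    ".ctb2", ".crinf", ".xtbl", ".encrypted", ".vault", ".ha3", ".toxcrypt",
}
# Heuristic for the "6-7 random characters" case: a familiar document
# extension followed by a final 6-7 alphanumeric extension, e.g. thesis.docx.kq3m9zt.
# The set of familiar extensions is an assumption of this example, not from the post.
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png", ".txt", ".pptx"}
RANDOM_EXT_RE = re.compile(r"^\.[a-z0-9]{6,7}$")


def classify_file(name):
    """Return a list of indicator tags for one file name (empty list if none)."""
    lower = name.lower()
    tags = []
    if lower in RANSOM_NOTE_NAMES or any(fnmatch.fnmatchcase(lower, g) for g in RANSOM_NOTE_GLOBS):
        tags.append("ransom_note")
    root, ext = os.path.splitext(lower)
    if ext in ENCRYPTED_EXTENSIONS:
        tags.append("known_encrypted_extension")
    elif RANDOM_EXT_RE.match(ext) and os.path.splitext(root)[1] in DOCUMENT_EXTENSIONS:
        tags.append("suspicious_appended_extension")
    return tags


def scan_tree(root_dir):
    """Walk root_dir and return {relative path: [tags]} for every flagged file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root_dir):
        for fname in files:
            tags = classify_file(fname)
            if tags:
                rel = os.path.relpath(os.path.join(dirpath, fname), root_dir)
                findings[rel] = tags
    return findings


def demo():
    """Build a constructed tree resembling an affected machine, scan it, and
    return {file name: [tags]} for the flagged files."""
    tmp = tempfile.mkdtemp()
    try:
        sample = {  # constructed sample paths and contents
            "ProgramData/HELP_DECRYPT.TXT": "note",
            "ProgramData/DecryptAllFiles_k3x9pq.txt": "note",
            "Users/victim/Documents/budget.xlsx.ecc": "x",
            "Users/victim/Documents/thesis.docx.kq3m9zt": "x",
            "Users/victim/Documents/notes.txt": "harmless",
            "Users/victim/Pictures/holiday.jpg": "harmless",
        }
        for rel, content in sample.items():
            path = os.path.join(tmp, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(content)
        return {os.path.basename(k): v for k, v in scan_tree(tmp).items()}
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for name, tags in sorted(demo().items()):
        print(name, ", ".join(tags))
```

On a real machine you would call `scan_tree()` on the user profile and ProgramData directories; the random-extension heuristic is deliberately narrow (it needs a recognisable document extension in front of the random one) so that ordinary files with unusual extensions do not get flagged.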