Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Register a free account to unlock additional features at BleepingComputer.com

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: Mozilla Overhauls Content Blocking Settings in Firefox 65

Featured Deal: Get 98% off the Ultimate Cisco Certification Bundle: Lifetime Access Deal

How to find the culprit computer where the TeslaCrypt is located?

Started by creosotepost , Dec 04 2015 04:56 AM

This topic is locked

2 replies to this topic

#1 creosotepost

Members
3 posts
OFFLINE

Local time:11:01 AM

Posted 04 December 2015 - 04:56 AM

I have 2 network drives wiped by *.vvv files (and the associated ransom files). Drives are located on a Synology box, which I don't think can be infected itself (?).

There are several Windows 7 computers possible connecting to these drives (this is an educational environment) but I haven't been able to find any tell-tale signs yet - none have local files destroyed with the .vvv extension. Went through the hosts file, processes, msconfig, etc. and found nothing. Is there an easy way/file that identifies what computer has the ransomware on it that spread to the network shares?

It would seem from the things I read (ransom messages, most files non opening, etc) an infected computer would be obvious, but I have not heard a thing/complaint from any user having problems with their laptop.

Thank you for any advice, if this is more appropriate in the Removal Forum, please let me know and I'll move this over.

Nathan

Edited by Chris Cosgrove, 04 December 2015 - 05:09 AM.
Moved from AII to 'General security'

Back to top

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 SleepyDude

Malware Response Team
3,130 posts
ONLINE

Gender:Male
Location:Portugal
Local time:06:01 PM

Posted 04 December 2015 - 05:28 AM

Hi Nathan :welcome: to BleepingComputer

If every user have different credentials to access the NAS check the file properties of those .vvv files on the NAS using the File Station, right click then Properties it should say how is the owner of the file.

If several users connect using the same user/pass and there are more vvv files been created right now you need to check the active connection on the NAS and the IP of the connected machines on the Resource Monitor.

• Please do not PM me asking for support. Post on the forums instead it will increases the chances of getting help for your problem by one of us.
• Posts in the Malware section that are not replied to within 4 days will be closed. PM me or a moderator to reactivate.
• Please post your final results, good or bad. We like to know! Thank you!

Proud graduate of GeekU and member of UNITE
___
Rui

Back to top

#3 quietman7

Bleepin' Janitor

Global Moderator
51,954 posts
OFFLINE

Gender:Male
Location:Virginia, USA
Local time:01:01 PM

Posted 04 December 2015 - 05:59 AM

What you need to know about TeslaCrypt, Alpha Crypt, and Network Shares.

There is an ongoing discussion in this topic where you can ask questions and seek further assistance.

New TeslaCrypt version that uses the .EXX extension Support & Discussion

Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion...this topic is closed.

Thanks
The BC Staff

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015