Phantom-ransomware. Stumped.


14 replies to this topic

#1 Fledgey

Posted 07 January 2016 - 11:43 AM

I work IT for a nonprofit mental health company. We've got a notification set up that emails us immediately when a file with the word "decrypt" shows up on a server or workstation.

For the last couple of months we've been getting notifications from one of our sites on what seem to be random days, not consistent, but always at around exactly 6 AM. Here's what they look like.

This message indicates that a decryption instruction file has been detected 

Event Info:  Network share object "\\*\Home" checked for desired access by "**domain**\ASSET16337$"

Ransomware file Relative Path: **username**\DESKTOP\HOW TO DECRYPT AES FILES.LNK detected at 2016-01-07 06:04:34.0 on **site server**

I took out the more sensitive stuff and surrounded it with double asterisks.

 

So every time these popped up I'd investigate the computer. Nothing was encrypted, and no decryption files were in the noted locations. Nothing was encrypted on the site server either. So I'd simply grab the computer and reimage it and return it and the notification has yet to pop up on the same machine again. But it would, in the next couple days, pop up a notification from a different computer.

 

So here's what I know:

  • Notification will only appear from one computer at a time, and will move to a new computer when that one is removed
  • The username listed in the notification isn't always the same, but is ALWAYS the first user in the users folder on the computer noted in the notification.
  • It has never moved past this specific site
  • Nothing is encrypted
  • All machines and the site server were virus scanned with Symantec and came out clean
  • The notification when properly engaged will list a username in the place of where it says the computer name (ASSET16337) in these notifications, indicating that something is trying to use the computer account instead of a user account to accomplish its goal.
  • None of this behavior is consistent with the malware that is known to generate that decrypt file with that specific verbiage
  • No file traces associated with that piece of malware were found on any of the noted computers or the site server.

 

Needless to say I'm stumped. Does anyone have any idea how I should proceed?




 


#2 Demonslay335
    Ransomware Hunter

Posted 07 January 2016 - 12:56 PM

Does it have characteristics to this ransomware?

 

http://www.bleepingcomputer.com/virus-removal/remove-decrypt-accdfisa-protection-program

 

When the ransom note appears, what process is it? Is it just a notepad document, or an actual program running? That should lead to where it is possibly. If it is simply a Notepad, I believe ProcessManager by Nirsoft should allow you to see where the file it has open is residing.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 Fledgey

Posted 07 January 2016 - 01:01 PM

Nope, that's one of the weird things. As I mentioned, nothing is actually encrypted. And the decrypt file is never present. So I'm assuming after it does whatever it does maybe it deletes the file? Or maybe it's never there to begin with and is only trying to write it there.

 

Unfortunately that notification is all the information I've been able to collect about what is happening and when. The rest has just been me playing catch up.

 

I wouldn't even know this is happening without the notifications, but it worries me that something more sinister may be going on.


Edited by Fledgey, 07 January 2016 - 01:02 PM.


#4 Demonslay335

Posted 07 January 2016 - 01:09 PM

So the notification you are getting, is that from a monitoring software? Something is definitely writing files. If you check the owner of the "HOW TO DECRYPT AES FILES.LNK" file, it may give you a clue as to the account to start tracing.

 

Do you have RDP completely locked down on the server? There have been several ransomwares going around that exploit RDP to gain remote access. It's always important to have that locked down as best as possible (or better yet, block it entirely from outside access on the firewall and only allow traffic on a VPN tunnel).




#5 Fledgey

Posted 07 January 2016 - 01:18 PM

It is from a monitoring software. Solarwinds. That's the problem though. I'd definitely trace back the decrypt file if a file existed, but no computer I've checked has had one.

 

Our RDP is turned on for that site server but restricted to domain admins only. It's turned off on all of the workstations.



#6 Demonslay335

Posted 07 January 2016 - 01:27 PM

If the file never exists, is perhaps SEP on a workstation removing it? Check quarantine on all systems?




#7 Fledgey

Posted 07 January 2016 - 01:32 PM

I checked that as well, actually! All clean.



#8 Sintharius
    Bleepin' Sniper

Posted 07 January 2016 - 03:20 PM

If it helps, I would ask what the owner of the workstation was doing at the time the alert shows up.

#9 Fledgey

Posted 07 January 2016 - 03:35 PM

This site is actually closed at that time so there actually isn't anyone there. It appears to occur on computers that are left on overnight. They're all multi-user workstations.


Edited by Fledgey, 07 January 2016 - 03:35 PM.


#10 Sintharius

Posted 07 January 2016 - 03:39 PM

Would there be some other kind of access log other than just the alert? It looks like a probing attempt to me, but then it is just speculation.

#11 Fledgey

Posted 07 January 2016 - 03:42 PM

Unfortunately not. We tried to have the site managers implement a physical access log for each machine but they didn't really follow through or police it.


Edited by Fledgey, 07 January 2016 - 03:42 PM.


#12 quietman7
    Bleepin' Janitor

Posted 07 January 2016 - 04:50 PM

Do all of the notifications on that computer involve the same user who works around 6 AM?

If so, has anyone asked that person what they are doing about that time?
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#13 Fledgey

Posted 07 January 2016 - 05:57 PM

I mentioned it a little higher up, but this site is closed at 6 AM; they don't open until 8, so as far as anyone I've asked is aware, no one is there at that time.



#14 Fledgey

Posted 13 January 2016 - 10:48 AM

Anyone have any more ideas?



#15 Fabian Wosar
    Authorized Emsisoft Representative

Posted 13 January 2016 - 11:07 AM

Install Sysmon, leave one machine running, and check the event log for what was going on at the time of the incident on that machine. Possibly check your monitoring scripts for errors as well.


Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com
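A practical form of that check, added here as an example (not from the thread, and not Emsisoft's or SolarWinds' code): a PowerShell script that pulls the Sysmon events recorded around the alert timestamp on the workstation, and goes one step further by pulling the share-access audit record (Security event 5145, whose "checked for desired access" wording the alert quotes) from the site server. It assumes Sysmon is installed with FileCreate logging enabled, that object-access auditing is on for the share and the server's event log is reachable remotely, and that the server name SITESERVER, the timestamp and the DECRYPT pattern are placeholders filled in from the notification.

```powershell
# Added example, not from the thread or from Emsisoft: after installing Sysmon
# on a workstation that is left on overnight, pull what Sysmon recorded around
# the alert timestamp, and on the site server pull the Security event (ID 5145,
# detailed file share access) that the alert text quotes. Assumes Sysmon logs
# FileCreate (ID 11) and that object access auditing is on for the share.

param(
    [datetime]$AlertTime = '2016-01-07 06:04:34',   # from the notification
    [int]$WindowMinutes = 5,
    [string]$NotePattern = 'DECRYPT'                # ransom-note file name
)

$start = $AlertTime.AddMinutes(-$WindowMinutes)
$end   = $AlertTime.AddMinutes($WindowMinutes)

# Fetch events of the given IDs in the window and flatten EventData into
# one object per event (field name -> value), so they can be filtered easily.
function Get-EventData {
    param([string]$LogName, [int[]]$Id, [string]$ComputerName = $env:COMPUTERNAME)
    $filter = @{ LogName = $LogName; Id = $Id; StartTime = $start; EndTime = $end }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = [ordered]@{ Id = $_.Id; Time = $_.TimeCreated }
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]$data
        }
}

$sysmon = 'Microsoft-Windows-Sysmon/Operational'

# 1. On the workstation: which process created a file matching the note name?
Get-EventData -LogName $sysmon -Id 11 |
    Where-Object { $_.TargetFilename -match $NotePattern } |
    Select-Object Time, ProcessId, Image, TargetFilename | Format-Table -AutoSize -Wrap

# 2. On the workstation: everything that started in the window, with the
#    account it ran as (a SYSTEM process explains a machine-account access).
Get-EventData -LogName $sysmon -Id 1 |
    Select-Object Time, User, Image, ParentImage, CommandLine | Format-Table -AutoSize -Wrap

# 3. On the site server (hypothetical name): the share-access audit record
#    behind the alert, which carries the client IP and the access requested.
Get-EventData -LogName 'Security' -Id 5145 -ComputerName 'SITESERVER' |
    Where-Object { $_.RelativeTargetName -match $NotePattern } |
    Select-Object Time, SubjectUserName, IpAddress, ShareName, RelativeTargetName, AccessMask |
    Format-Table -AutoSize
```

Run it on the workstation named in the alert with its timestamp as -AlertTime; if step 1 returns nothing while step 3 still shows the server-side access, the write was attempted over the share by a process that did not leave a local FileCreate record, which narrows the search to whatever step 2 shows running as SYSTEM at that moment.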



