Phantom-ransomware. Stumped.

I work IT for a nonprofit mental health company. We've got a notification set up that emails us immediately when a file with the word "decrypt" shows up on a server or workstation.

For the last couple months we've been getting notifications from one of our sites on what seems to be random days, not consistent, but always around exactly 6 AM Here's what they look like.

This message indicates that a decryption instruction file has been detected 

Event Info:  Network share object "\\*\Home" checked for desired access by "**domain**\ASSET16337$"

Ransomware file Relative Path: **username**\DESKTOP\HOW TO DECRYPT AES FILES.LNK detected at 2016-01-07 06:04:34.0 on **site server**

I took out the more sensitive stuff and surrounded it with double asterisks.

So every time these popped up I'd investigate the computer. Nothing was encrypted, and no decryption files were in the noted locations. Nothing was encrypted on the site server either. So I'd simply grab the computer and reimage it and return it and the notification has yet to pop up on the same machine again. But it would, in the next couple days, pop up a notification from a different computer.

So here's what I know

• Notification will only appear from one computer at a time, and will move to a new computer when that one is removed
• The username listed in the notification isn't always the same, but is ALWAYS the first user in the users folder on the computer noted in the notification.
• It has never moved past this specific site
• Nothing is encrypted
• All machines and the site server were virus scanned with symantec and came out clean
• The notification when properly engaged will list a username in the place of where it says the computer name (ASSET16337) in these notifications, indicating that something is trying to use the computer account instead of a user account to accomplish its goal.
• None of this behavior is consistent with the malware that is known to generate that decrypt file with that specific verbage
• No file traces associated with that piece of malware were found on any of the noted computers or the site server.

Needless to say I'm stumped. Does anyone have any idea how I should proceed?

Does it have characteristics to this ransomware?

http://www.bleepingcomputer.com/virus-removal/remove-decrypt-accdfisa-protection-program

When the ransom note appears, what process is it? Is it just a notepad document, or an actual program running? That should lead to where it is possibly. If it is simply a Notepad, I believe ProcessManager by Nirsoft should allow you to see where the file it has open is residing.

Nope, that's one of the weird things. As I mentioned, nothing is actually encrypted. And the decrypt file is never present. So I'm assuming after it does whatever it does maybe it deletes the file? Or maybe it's never there to begin with and is only trying to write it there.

Unfortunately that notification is all the information I've been able to collect about what is happening and when. The rest has just been me playing catch up.

I wouldn't even know this is happening without the notifications, but it worries me that something more sinister may be going on.

Edited by Fledgey, 07 January 2016 - 01:02 PM.

So the notification you are getting, is that from a monitoring software? Something is definitely writing files. If you check the owner of the "HOW TO DECRYPT AES FILES.LNK" file, it may give you a clue as to the account to start tracing.

Do you have RDP completely locked down on the server? There's been several ransomwares going around by exploiting RDP and gaining remote access. It's always important to have that locked down as best as possible (or better yet, block it entirely from outside access on the firewall and only allow traffic on a VPN tunnel).

It is from a monitoring software. Solarwinds. That's the problem though. I'd definitely trace back the decrypt file if a file existed, but no computer I've checked has had one.

Our RDP is turned on on that site server but restricted to domain admins only. It's turned off on all of the workstations.

If the file never exists, is perhaps SEP on a workstation removing it? Check quarantine on all systems?

I checked that as well, actually! All clean.

This site is actually closed at that time so there actually isn't anyone there. It appears to occur on computers that are left on overnight. They're all multi-user workstations.

Edited by Fledgey, 07 January 2016 - 03:35 PM.

Unfortunately not. We tried to have the site managers implement a physical access log for each machine but they didn't really follow through or police it.

Edited by Fledgey, 07 January 2016 - 03:42 PM.

I mentioned up a little higher, but this site is closed at 6 AM, they don't open up until 8 so as far as anyone is aware that I've asked, no one is there at that time.

Anyone have any more ideas?

Install Sysmon, leave one machine running, check the event log what was going on at the time of the incident on that machine. Possibly check your monitoring scripts for errors as well.