I work IT for a nonprofit mental health company. We've got a notification set up that emails us immediately when a file with the word "decrypt" shows up on a server or workstation.
For the last couple of months we've been getting notifications from one of our sites on what seem to be random days, not consistent, but always around exactly 6 AM. Here's what they look like:
> This message indicates that a decryption instruction file has been detected
> Event Info: Network share object "\\*\Home" checked for desired access by "**domain**\ASSET16337$"
> Ransomware file Relative Path: **username**\DESKTOP\HOW TO DECRYPT AES FILES.LNK detected at 2016-01-07 06:04:34.0 on **site server**
I took out the more sensitive stuff and surrounded it with double asterisks.
So every time these popped up I'd investigate the computer. Nothing was encrypted, and no decryption files were in the noted locations. Nothing was encrypted on the site server either. So I'd simply grab the computer and reimage it and return it and the notification has yet to pop up on the same machine again. But it would, in the next couple days, pop up a notification from a different computer.
So here's what I know:
- Notification will only appear from one computer at a time, and will move to a new computer when that one is removed
- The username listed in the notification isn't always the same, but is ALWAYS the first user in the users folder on the computer noted in the notification.
- It has never moved past this specific site
- Nothing is encrypted
- All machines and the site server were virus scanned with Symantec and came out clean
- The notification when properly engaged will list a username in the place of where it says the computer name (ASSET16337) in these notifications, indicating that something is trying to use the computer account instead of a user account to accomplish its goal.
- None of this behavior is consistent with the malware that is known to generate that decrypt file with that specific verbiage
- No file traces associated with that piece of malware were found on any of the noted computers or the site server.
Needless to say I'm stumped. Does anyone have any idea how I should proceed?
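An added triage helper for the situation described above; it is not part of the original post and is not the monitoring product's own code. It parses the quoted alert text into fields, then pulls the site server's own Security-log record of the same share-access check (Windows event ID 5145, whose wording "checked to see whether client can be granted desired access" is what the alert paraphrases) in a window around the alert timestamp, so you get the source IP and access mask the alert omits. Because the alerts cluster around 06:00, a second function lists scheduled tasks on the named workstation whose triggers fire at that hour. Assumptions: the function names and the `*-PLACEHOLDER` values are mine; "Audit Detailed File Share" auditing is enabled on the server so 5145 is logged; you have remote read rights on the Security log and CIM access to the workstation. Whether a scheduled task is the cause is a hypothesis to rule out, not something the post establishes.

```powershell
# Added example, not from the original post. Assumptions are labelled in comments.

function ConvertFrom-DecryptAlert {
    param([Parameter(Mandatory)][string]$Text)
    # Extract the account, relative path, timestamp and server from the alert wording.
    $account   = [regex]::Match($Text, 'desired access by "([^"]+)"').Groups[1].Value
    $relPath   = [regex]::Match($Text, 'Relative Path:\s*(.+?)\s+detected at').Groups[1].Value
    $stamp     = [regex]::Match($Text, 'detected at (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})').Groups[1].Value
    $server    = [regex]::Match($Text, ' on (\S+)\s*$').Groups[1].Value
    [pscustomobject]@{
        Account   = $account                                  # e.g. DOMAIN\ASSET16337$ (computer account)
        Host      = (($account -split '\\')[-1]).TrimEnd('$') # workstation name derived from the account
        RelPath   = $relPath
        Timestamp = [datetime]::ParseExact($stamp, 'yyyy-MM-dd HH:mm:ss', $null)
        Server    = $server
    }
}

function Get-ShareAccessAroundAlert {
    param([Parameter(Mandatory)]$Alert, [int]$WindowMinutes = 30)
    # Event 5145 = "A network share object was checked to see whether client can be
    # granted desired access" (requires "Audit Detailed File Share" on the server).
    $filter = @{
        LogName   = 'Security'
        Id        = 5145
        StartTime = $Alert.Timestamp.AddMinutes(-$WindowMinutes)
        EndTime   = $Alert.Timestamp.AddMinutes($WindowMinutes)
    }
    $acct = ($Alert.Account -split '\\')[-1]   # strip the domain prefix for matching
    Get-WinEvent -ComputerName $Alert.Server -FilterHashtable $filter -ErrorAction Stop |
        Where-Object { $_.Message -match [regex]::Escape($acct) } |
        Select-Object TimeCreated,
            @{n='SourceAddress'; e={ [regex]::Match($_.Message, 'Source Address:\s+(\S+)').Groups[1].Value }},
            @{n='Target';        e={ [regex]::Match($_.Message, 'Relative Target Name:\s+(.+)').Groups[1].Value.Trim() }},
            @{n='AccessMask';    e={ [regex]::Match($_.Message, 'Access Mask:\s+(\S+)').Groups[1].Value }}
}

function Get-TasksTriggeringNear {
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Hour = 6)
    # Hypothesis check (assumption, not from the post): list scheduled tasks on the
    # workstation whose trigger start time falls in the given hour, to review what
    # runs around the time the alerts fire.
    $session = New-CimSession -ComputerName $ComputerName
    try {
        Get-ScheduledTask -CimSession $session |
            Where-Object {
                $_.Triggers | Where-Object {
                    $_.StartBoundary -and ([datetime]$_.StartBoundary).Hour -eq $Hour
                }
            } |
            Select-Object TaskName, TaskPath, @{n='RunsAs'; e={ $_.Principal.UserId }}
    }
    finally { Remove-CimSession $session }
}

# Constructed sample: the alert from the post with placeholders for the redacted values.
$sample = 'This message indicates that a decryption instruction file has been detected Event Info: Network share object "\\*\Home" checked for desired access by "DOMAIN-PLACEHOLDER\ASSET16337$" Ransomware file Relative Path: USER-PLACEHOLDER\DESKTOP\HOW TO DECRYPT AES FILES.LNK detected at 2016-01-07 06:04:34.0 on SITESERVER-PLACEHOLDER'
$alert = ConvertFrom-DecryptAlert -Text $sample
$alert | Format-List

# Live queries (need the real server and workstation reachable):
# Get-ShareAccessAroundAlert -Alert $alert | Format-Table -AutoSize
# Get-TasksTriggeringNear -ComputerName $alert.Host | Format-Table -AutoSize
```

Run the parser first to confirm the fields come out as expected for your alert format, then the two live queries. The 5145 record is the useful part: if the source address is the workstation itself, the recurring 06:00 share check originated there and the task listing is the next thing to look at; if it is some other host, the alert's computer-account attribution is misleading and the investigation moves to that address.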