Posted 01 February 2016 - 01:15 PM
Posted 05 February 2016 - 10:31 AM
I had this issue before and I was able to deduce what account was responsible by looking at the owner of the ransom note. I would imagine that if the owner was not changed, then perhaps that IS the account responsible. In my case, it was a temp account that had RDP access to a terminal server. I was sure of this because the temp account was the owner of the ransom note and, on the server I checked, it was the only account on any computer on any account on the network to have the ransom note ALSO in the local profile directories.
I hope this helps.
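The owner check described in the post above can be scripted across shares and profile directories. This is an added example, not part of the original post; the note filename and the search roots are placeholders to replace with the values from your own incident.

```powershell
# Added example: tally ransom-note owners, then flag owners whose own profile also holds a note.
# $NoteName and $Roots are placeholders (assumptions), not values from the thread.
param(
    [string]$NoteName = 'RANSOM_NOTE_PLACEHOLDER.txt',
    [string[]]$Roots  = @('C:\Users', 'D:\Shares')
)

$notes = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Filter $NoteName -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The owner is read from the file's security descriptor.
            $owner = '<unreadable>'
            try { $owner = (Get-Acl -LiteralPath $_.FullName -ErrorAction Stop).Owner } catch { }
            [pscustomobject]@{
                Owner      = $owner
                Path       = $_.FullName
                CreatedUtc = $_.CreationTimeUtc
            }
        }
}

# 1) Which accounts own the notes, and where did each account's earliest note appear?
$notes | Group-Object Owner | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'EarliestNote'; e = { ($_.Group | Sort-Object CreatedUtc | Select-Object -First 1).Path } } |
    Format-Table -AutoSize

# 2) Heuristic for the second observation in the post: a note inside C:\Users\<name>\
#    whose owner's user name is <name>. Profile folder names can differ from the
#    account name, so a miss here does not clear an account.
$notes | Where-Object {
    $_.Path -match '^[A-Za-z]:\\Users\\([^\\]+)\\' -and
    ($_.Owner -split '\\')[-1] -eq $Matches[1]
} | Sort-Object CreatedUtc | Format-Table Owner, Path, CreatedUtc -AutoSize
```

Run it on each server or workstation of interest with an account that can read the affected directories. An owner that is a group, such as BUILTIN\Administrators, does not name a single account, so treat the output as a lead rather than proof.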
Posted 05 February 2016 - 02:57 PM