Posted 02 June 2015 - 05:31 PM
Posted 03 June 2015 - 02:12 PM
Posted 03 June 2015 - 02:13 PM
Posted 05 June 2015 - 09:37 PM
Hello,
His server got hacked; unfortunately we do not have the infected files.
Thank you, guys.
Posted 15 January 2016 - 05:40 PM
I just today came across a ransomware infection with the extension .lechiffre appended to the files. I have been searching for some info on this variant and am not finding anything. Does anyone on here know anything about the ransomware variant?
Posted 15 January 2016 - 05:43 PM
I found this topic from June of someone reporting this: http://www.bleepingcomputer.com/forums/t/578220/ransomware-lechiffre/
Not finding anything about a way to decrypt it yet.
I would submit a sample to the malware channel with a link to this topic. An encrypted file and, if you have one, the dropper or malicious file would probably be handy.
ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]
If I have helped you and you wish to support my ransomware fighting, you may support me here.
Posted 15 January 2016 - 05:52 PM
I haven't found a dropper or malicious file yet. Ran Malwarebytes on two computers with encrypted files and came up empty. Ran Autoruns looking for suspicious activity and came up empty there too. I thought I had the entry point computer for the infection narrowed down, but like I said Malwarebytes came up empty. Any other thoughts on tools to use to find the source? I run a rebranded version of Bit Defender across my networks and it didn't catch it initially and so far hasn't found it in a rescan of the environment. Where do I submit the encrypted file sample? I would be happy to do that.
Posted 15 January 2016 - 05:57 PM
http://www.bleepingcomputer.com/submit-malware.php?channel=3
Any ransom notes? I'm not finding a whole lot of reputable information on it either, so I can't point you to any particular spots to check other than the usual %TEMP%, %APPDATA%, and %LOCALAPPDATA% for any suspicious-looking files, usually random in name.
How many computers are connected, and were they mapped to each other? You should be able to see the owner of the modified files to see who got hit with the actual malware.
Posted 15 January 2016 - 06:10 PM
Well, what got hit was a file share on a server. That server is a VM and I currently have it shut down. I am copying all of the VM files off of the host server. I want to protect the ones that aren't encrypted yet. Once I get those copied off I will fire up that file server again and look around and see if I can find any of the things you mentioned above. I scanned that file server with Malwarebytes hoping to find an infected file or something, but it came back clean after the scan. I also scanned the Hyper-V host server, but it came back clean too. Hopefully I will find something that I can submit.
Posted 15 January 2016 - 06:17 PM
Posted 15 January 2016 - 06:21 PM
I would mount the virtual hard disk (.vhd file) to safely inspect the files without booting the VM. You should be able to use Disk Management and attach a VHD, and it'll show up as any regular drive in Explorer. It will be totally harmless as long as you don't double-click any executable files.
Thanks quietman7. I was confused when I was denied permission to the topic, then saw it disappear. I saw you looking at the topic and figured you were doing your magic.
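Two suggestions in this thread lend themselves to a scripted triage: checking the owner of the encrypted files to find the account (and therefore the machine) that ran the ransomware, and attaching the file server's VHD read-only instead of booting the VM. The following PowerShell is an added example, not code from the thread or from BleepingComputer; it uses the built-in Storage module cmdlets (Mount-DiskImage, Get-Disk, Get-Partition, Get-Volume) rather than Disk Management's GUI. The VHD path, the output CSV path, and the lookback window are assumed placeholders; the .lechiffre extension is the one reported in the thread.

```powershell
# Added example (not from the thread): offline triage of a copied file-server VHD.
# Assumptions: $VhdPath is a copy of the VM disk kept off the host, $Extension is
# the extension the ransomware appended, and the output folder already exists.
param(
    [string]$VhdPath      = 'D:\Quarantine\FileServer.vhd',   # assumed path
    [string]$Extension    = '.lechiffre',
    [string]$ReportPath   = 'C:\Triage\suspect-files.csv',    # assumed path
    [int]   $LookbackDays = 7
)

# 1. Attach the image read-only: nothing on it can execute or be modified, and the
#    original VM stays powered off, which preserves timestamps for later review.
$img  = Mount-DiskImage -ImagePath $VhdPath -Access ReadOnly -PassThru
$vols = $img | Get-Disk | Get-Partition | Get-Volume | Where-Object DriveLetter
if (-not $vols) { Dismount-DiskImage -ImagePath $VhdPath; throw "No mountable volumes in $VhdPath" }

# 2. Enumerate the encrypted files on every mounted volume.
$encrypted = foreach ($v in $vols) {
    Get-ChildItem -Path "$($v.DriveLetter):\" -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like "*$Extension" }
}

# 3. Group by NTFS owner. A file written over SMB normally takes the writing user's SID
#    as owner, so the top entry points at the session that ran the ransomware. Caveat:
#    if that user is a local admin the owner may show as BUILTIN\Administrators instead.
$byOwner = $encrypted |
    ForEach-Object { (Get-Acl -LiteralPath $_.FullName).Owner } |
    Group-Object | Sort-Object Count -Descending
$byOwner | Format-Table Count, Name -AutoSize

# 4. Earliest and latest write times bound the encryption window; use them when
#    reading SMB/security event logs on the server and on the suspected client.
$encrypted | Measure-Object -Property LastWriteTime -Minimum -Maximum |
    Select-Object Minimum, Maximum

# 5. If the mounted disk is a client's, check the per-user temp and app-data folders
#    the thread mentions for recently written executables and hash them for submission.
$since   = (Get-Date).AddDays(-$LookbackDays)
$suspect = foreach ($v in $vols) {
    $users = Join-Path "$($v.DriveLetter):\" 'Users'
    if (Test-Path -LiteralPath $users) {
        Get-ChildItem -Path (Join-Path $users '*\AppData\Local\Temp'),
                            (Join-Path $users '*\AppData\Roaming'),
                            (Join-Path $users '*\AppData\Local') `
                      -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.exe','.dll','.scr','.bat','.vbs','.js' -and
                           $_.LastWriteTime -ge $since }
    }
}
$suspect |
    Select-Object FullName, Length, LastWriteTime,
        @{ n = 'SHA256'; e = { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } } |
    Export-Csv -NoTypeInformation -Path $ReportPath

# 6. Detach the image when finished; the read-only mount leaves the VHD unchanged.
Dismount-DiskImage -ImagePath $VhdPath
```

Run it from an elevated PowerShell session on a machine that is not the Hyper-V host, against a copy of the VHD. The owner table answers the question raised in the thread ("who got hit with the actual malware"); the write-time window and the hashed CSV are what a malware-submission channel or a later event-log review needs.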
Posted 18 January 2016 - 11:04 AM
A client got hit with this over the weekend. Seems like it was able to find other shared folders on other servers that were not mapped. Running Malwarebytes now on it.
Posted 18 January 2016 - 12:14 PM
They must have made a push this weekend. Got hit on one of our servers as well. None of the usual scanners are picking much up at this time.
Posted 18 January 2016 - 12:49 PM
They must have made a push this weekend. Got hit on one of our servers as well. None of the usual scanners are picking much up at this time.
Same issue here. Had an old Windows Server 2003 (I know, I know) get infected. A few client machines have a mapped drive from that server. Oddly, it only infected ONE FOLDER within that entire share. I've run all types of scans on the server itself but haven't found anything. I've restored the files from a backup and deleted the infected folder.
Anyone got additional information on this? Really hope I'm not going through this effort of restoring the files if it's going to happen again. Having a hard time finding the originating party.
Posted 18 January 2016 - 12:50 PM
No malware was found on the PC. Working on restoring files.