
Rogue folder and file on hard disk


8 replies to this topic

#1 -jiman

-jiman

  • Members
  • 21 posts

Posted 02 February 2017 - 01:24 AM

Hi guys,

I have 3 partitions on my PC, and each of these partitions is showing 2 rogue folders, with different names on each partition (6 folders in total).

The files in each of these folders have different names but the same number of file types.

I ran my Bitdefender GravityZone with the aggressive option on one of the partitions and the result came out clean.

Is this normal?

Attached is the screenshot from one of the partitions.

 

2q9jm7a.jpg

fuugba.jpg

 

2mqw50l.jpg


Edited by -jiman, 02 February 2017 - 01:28 AM.




#2 LiquidTension

LiquidTension

  • Malware Response Team
  • 1,278 posts

Posted 02 February 2017 - 01:17 PM

Hello,
 
Do you have RansomFree or any other Anti-Ransomware software installed on your computer?
https://ransomfree.cybereason.com/



#3 -jiman

-jiman
  • Topic Starter

  • Members
  • 21 posts

Posted 02 February 2017 - 03:14 PM

Hello,
 
Do you have RansomFree or any other Anti-Ransomware software installed on your computer?
https://ransomfree.cybereason.com/



Yes, I have RansomFree on my PC, but nothing was detected.

#4 LiquidTension

LiquidTension

  • Malware Response Team
  • 1,278 posts

Posted 02 February 2017 - 03:35 PM

Hello,

 

The folders are created by Cybereason RansomFree as one of the methods used by the product to detect the presence of file encrypting ransomware.

 

You can therefore safely ignore the folders or uninstall Cybereason RansomFree.


Edited by LiquidTension, 25 July 2017 - 01:06 PM.


#5 -jiman

-jiman
  • Topic Starter

  • Members
  • 21 posts

Posted 02 February 2017 - 03:48 PM

Hello,
 
The folders are created by RansomFree as one of the methods used by the product to detect the presence of file encrypting ransomware.
 
You can therefore safely ignore the folders or uninstall RansomFree.


Ah, really! Good to know that it is a clean folder by RansomFree.

It did not occur to me that the files were created by the application.

Thanks for helping.

#6 LiquidTension

LiquidTension

  • Malware Response Team
  • 1,278 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:02 AM

Posted 02 February 2017 - 09:04 PM

You're welcome!



#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,266 posts

Posted 03 February 2017 - 05:14 PM

FYI -jiman and others making their way to this topic.

Some ransomware protection programs deliberately create hidden dummy folders containing randomly named .bmp, .png, .gif, .jpg, .pem, .xls, .mdb, .txt, .sql, .docx, .doc, .xlsx, .xls, .rtf, and .txt files in various locations (and partitions) on your computer as part of their functionality. These are actually trap folders and files...patterns of files and hidden virtual files that ransomware is attracted to. The feature is more commonly referred to as "Honeypot Detection" or "Entrapment Protection", but it is commonly misidentified by users or incorrectly reported as being related to malware.
 
Cybereason RansomFree, Cybersight RansomStopper, CryptoPrevent Premium (FolderWatch HoneyPot) and CryptoMonitor by Nathan (DecrypterFixer) (no longer supported) are security programs which include this feature.

This is Nathan Scott's explanation of Entrapment Protection from his now closed EasySync web site in this topic.

Entrapment Protection
Entrapment Protection lays numerous different types of traps all around your system that a Ransomware Infection cannot resist to touch. These traps send encrypted pattern signals back and forth between CryptoMonitor and themselves constantly. When a Ransomware Infection falls into one of these traps, the pattern is broken and CryptoMonitor immediately takes action. Once this happens, the machine is locked down and you are alerted about the infection and prompted for your decision on what actions to take. During this time, no file modifications are allowed, so your files are safe while you think about your course of action. With this protection enabled you may notice a few hidden files, registry keys, folders, and services running, but don't worry, they are there to protect you!

Common dummy folder locations with random names typically include My Documents, Desktop and common folder variables such as %UserProfile%, %AppData%, %LocalAppData%, %ProgramData%, %Temp%.
 
If you attempt to remove these files and folders, RansomFree will re-create them. In fact, any attempt taken to delete (modify) the files or folders most likely will be interpreted as possible ransomware activity and trigger a warning alert or initiate some action by RansomFree.

The use of trap (bait, canary) files and folders is not a 100% solution...some data files probably will end up being encrypted by ransomware but whatever helps with prevention, I consider useful.


.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif
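
The trap-file idea described in this post, sketched as an added example that is not part of the thread and not the code of RansomFree or any other product named here: it plants bait files with extensions from the list above, records a SHA-256 baseline, and reports any bait file that later changes or disappears. The function names and the polling hash check (standing in for real-time monitoring) are assumptions made for illustration.

```python
import hashlib
import os
import secrets
import tempfile
from pathlib import Path

# Bait extensions taken from the list in the post above.
BAIT_EXTENSIONS = [".docx", ".xlsx", ".jpg", ".txt", ".sql", ".pem"]

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def deploy_canaries(root: Path) -> dict:
    """Create a randomly named trap folder under root with one bait file
    per extension; return a manifest of path -> SHA-256 baseline."""
    trap_dir = root / secrets.token_hex(6)
    trap_dir.mkdir(parents=True)
    manifest = {}
    for ext in BAIT_EXTENSIONS:
        bait = trap_dir / (secrets.token_hex(5) + ext)
        bait.write_bytes(os.urandom(256))  # constructed filler content
        manifest[bait] = sha256_of(bait)
    return manifest

def check_canaries(manifest: dict) -> list:
    """Compare each bait file with its baseline. A deletion is an event
    too, which is why removing the folders by hand can raise an alert."""
    events = []
    for path, baseline in manifest.items():
        if not path.exists():
            events.append((path, "missing"))   # deleted or renamed
        elif sha256_of(path) != baseline:
            events.append((path, "modified"))  # content rewritten in place
    return events

def demo() -> list:
    """Tamper with two bait files in a temp directory; return the statuses."""
    with tempfile.TemporaryDirectory() as tmp:
        manifest = deploy_canaries(Path(tmp))
        baits = sorted(manifest)
        baits[0].write_bytes(b"overwritten")               # in-place rewrite
        baits[1].rename(baits[1].with_suffix(".locked"))   # extension change
        return sorted(status for _, status in check_canaries(manifest))

if __name__ == "__main__":
    print(demo())
```
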

#8 -jiman

-jiman
  • Topic Starter

  • Members
  • 21 posts

Posted 06 February 2017 - 09:44 PM

Thank you quietman7 for the clarification. 



#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,266 posts

Posted 06 February 2017 - 09:49 PM

You're welcome.



