Hello all, ran into a new situation for someone with ransomware.
The extension is .cesar and at first glance it appeared to be a Dharma variant; however, later
it was reported as crysis.6 by Emsisoft Anti-Malware (which was installed after the fact).
AVG Free Anti Virus (SMH, I know... I know...) completely missed it, even after it was located
and pointed right at it....
Anyhow, it was a little different in the sense that there was no ransomware exchange page,
where you can visit, enter your code, and discover the payment amount and wallet address; they are
only using an AOL-based email address to communicate.
I don't want to disclose the address at this time, as I don't want AOL to interrupt the flow of emails
to/from that address.
The infection did NOT come from the email address; the email address is included in the INFECTED FILES/Ransom Note.
This was a new contact for me, and of course 'they thought they had a backup', and the fact is they did... but of course no one
had checked it, and no, it wasn't working, so they are in some trouble right now.
Shadow Copies were blitzed on a Windows 7 Pro box, and it was set up for 'file sharing' to other computers.
The computer seems to have been infected by unauthorized access over RDP.... In doing some research on ransomware,
I've been seeing notes about RDP being targeted or compromised in some way, but haven't seen the details of that yet.
To the best of my knowledge this was purely due to 'poor user name/password' strength, and 'they got in' and downloaded/ran
the ransomware that way.
The trigger was a file called bars.exe, and then an info.hta file is created and placed into the startup/desktop folders with the Ransom Note.
Another difference, in my direct experience with this ransomware, is that they targeted more than document/object-based files, and they
actually fouled up program executables and other objects, causing a little more drama.
I've tried a few decrypters, ESET, Kaspersky, and Emsisoft thus far, no dice; they were the Dharma- and Crysis-based ones.
I've done what needs to be done POST infection; there is communication going on with the Bad Guys, and they came right out and asked
for 2 Bitcoins, which the infected user does not have, so it's going to be bad.....
Yes, it's the end user's fault, shoulda-coulda-done better, and actually DID know better, which makes this so much worse.
Please advise of any suggestions or thoughts,
Many thanks in advance!
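A quick triage script for the three points raised above (password guessing over RDP, the info.hta dropped into the Startup folders, and the wiped shadow copies), added here as an example and not part of the original post. It assumes an elevated PowerShell session on the affected Windows host with logon-failure auditing enabled; the Startup paths are the standard ones and the 7-day window is an assumption.

```powershell
# Added triage check (not from the original post). Looks for the indicators the
# post describes: .hta ransom notes in the Startup folders, a burst of failed RDP
# logons (Event 4625, LogonType 10) before the infection, and whether any shadow
# copies survive. Run elevated; the 7-day window is an assumption.

$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
)

# 1. Ransom-note droppers: .hta or .exe files sitting in a Startup folder are abnormal.
foreach ($dir in $startupDirs) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Force -Include *.hta,*.exe -Recurse |
            Select-Object FullName, LastWriteTime, Length
    }
}

# 2. RDP password guessing: failed logons per source address over the last 7 days.
#    LogonType 10 = RemoteInteractive (RDP). Requires "Audit Logon" failure auditing.
#    Note: with Network Level Authentication enabled, failed RDP attempts may be
#    recorded as LogonType 3 instead; widen the filter if the box uses NLA.
$since  = (Get-Date).AddDays(-7)
$failed = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$since} `
              -ErrorAction SilentlyContinue
$rdpFailures = foreach ($ev in $failed) {
    $x = [xml]$ev.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['LogonType'] -eq '10') {
        # New-Object instead of [pscustomobject] so this still runs on Win7 / PowerShell 2.0
        New-Object PSObject -Property @{ Time   = $ev.TimeCreated
                                          User   = $d['TargetUserName']
                                          Source = $d['IpAddress'] }
    }
}
$rdpFailures | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 3. Shadow copies: an empty list is consistent with the "blitzed" VSS snapshots in the post.
Get-WmiObject Win32_ShadowCopy | Select-Object ID, InstallDate
```

A single external address with hundreds of LogonType 10 failures followed by one success is the pattern that matches the "poor user name/password" entry described above.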