
Ransomware caught and stopped, but I can't remove or ID


4 replies to this topic

#1 Mako1138 (Members, 4 posts)

Posted 18 September 2017 - 07:38 AM

I need some help here to ID and remove some ransomware that has been stopped by Cybereason.

I was cleaning up my Windows 10 Pro computer and ran Temp File Cleaner. I noticed that TFC had cleaned up 2 user profiles that I didn't recognize, and when I went to investigate those accounts, I found that they were hidden. Upon getting into these account folders, each has 10 items in it, 1 file with each extension: .doc, .docx, .xls, .xlsx, .jpg, .sql, .txt, .mdb, .rtf and .pem.

When I went to delete these directories, Cybereason caught and stopped the ransomware infection. However, it didn't tell me what the ransomware is or how to remove it. The user folders then changed their names and the files in each changed their names.

I also found 2 more hidden, randomly named folders in my "Documents" directory.

I have run Malwarebytes, ESET Online Scanner, Kaspersky TDSSKiller and Trend Micro. My computer is running Trend Micro's Worry-Free Business Security, and none of these have caught or identified the mystery directories or files.

Update. I ran SpyHunter and it didn't find anything. I booted it into a Linux OS, went and deleted the 4 mystery folders. When I booted back into Windows 10, all 4 folders were back with different names.

Thanks in advance.


Edited by Mako1138, 18 September 2017 - 10:03 AM.



#2 Mako1138 (Topic Starter)

Posted 18 September 2017 - 09:51 AM

I have now located 6 folders that contain the ransomware files.

2 are at the root of the C:\ drive; these are not hidden.

2 are in the C:\Users folder; these are hidden.

2 are in my personal profile in the "Documents" folder; these are hidden.

All of the folders and files are named differently, and all of the folders contain 10 files with the extensions .doc, .docx, .xls, .xlsx, .jpg, .sql, .txt, .mdb, .rtf and .pem.


Edited by Mako1138, 18 September 2017 - 11:02 AM.


#3 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 18 September 2017 - 04:07 PM

Cybereason RansomFree deliberately creates hidden dummy folders containing randomly named .bmp, .png, .gif, .jpg, .pem, .xls, .mdb, .txt, .sql, .docx, .doc, .xlsx, .xls, .rtf, and .txt files in various locations (and partitions) on your computer as part of its functionality. These are actually trap (bait) folders and "canary" files...patterns of files and hidden virtual files that ransomware is attracted to. They are monitored for any changes and meant to be targeted for encryption by ransomware before actual data files. When the anti-ransomware program detects that any of these files has been modified, it will display an alert that an attack is occurring and ask if you wish to terminate the process that is trying to access them. This feature is sometimes referred to as "Honeypot Detection" or "Entrapment Protection" but is commonly misidentified by users or incorrectly reported as being related to malware.
 
Cybereason RansomFree, Cybersight RansomStopper, CryptoPrevent Premium (FolderWatch HoneyPot) and CryptoMonitor by Nathan (DecrypterFixer) (no longer supported) are security programs which include this feature.

This is Nathan Scott's explanation of Entrapment Protection from his now closed EasySync web site in this topic.

Entrapment Protection
Entrapment Protection lays numerous different types of traps all around your system that a Ransomware Infection cannot resist to touch. These traps send encrypted pattern signals back and forth between CryptoMonitor and themselves constantly. When a Ransomware Infection falls into one of these traps, the pattern is broken and CryptoMonitor immediately takes action. Once this happens, the machine is locked down and you are alerted about the infection and prompted for your decision on what actions to take. During this time, no file modifications are allowed, so your files are safe while you think about your course of action. With this protection enabled you may notice a few hidden files, registry keys, folders, and services running, but don't worry, they are there to protect you!

Common dummy folder locations with random names typically include My Documents, Desktop and common folder variables such as %User Profile%, %AppData%, %LocalAppData%, %ProgramData%, %Temp%.
 

RansomFree also deploys a "Disconnected Network Drive (A)" which is related to additional protection and detection of ransomware. The developers do not recommend you tamper with the drive.

If you attempt to remove these files and folders, RansomFree will re-create them. In fact, any attempt taken to delete (modify) the files or folders most likely will be interpreted as possible ransomware activity and trigger a warning alert or initiate some action by RansomFree.
 
The use of trap (bait, canary) files and folders is not a 100% solution...some data files probably will end up being encrypted by ransomware but whatever helps with prevention, I consider useful.


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
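The trap-folder mechanism described in the post above (a hidden, randomly named folder of bait files with a fixed set of extensions, watched so that any change raises an alert) can be sketched in a few lines. The following is an added example written for this page; it is not Cybereason's, CryptoPrevent's or CryptoMonitor's code. The folder and file names are random, the bait contents and the simulated "attack" are constructed for the example, and it polls file hashes rather than hooking file-system activity the way a shipping product does.

```python
import hashlib
import os
import secrets
import tempfile
from pathlib import Path

# The extensions the poster saw in each bait folder. A real product picks its
# own mix; this list is just the one quoted in the thread.
BAIT_EXTENSIONS = [".doc", ".docx", ".xls", ".xlsx", ".jpg", ".sql",
                   ".txt", ".mdb", ".rtf", ".pem"]


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _hide(path):
    # Windows: set FILE_ATTRIBUTE_HIDDEN (0x2). Elsewhere the leading dot in
    # the folder name already keeps it out of plain directory listings.
    if os.name == "nt":
        import ctypes
        ctypes.windll.kernel32.SetFileAttributesW(str(path), 0x2)


def plant_bait(root):
    """Create one randomly named hidden bait folder under `root` holding one
    file per extension. Returns (folder, baseline) with baseline = {name: sha256}."""
    folder = Path(root) / ("." + secrets.token_hex(4))
    folder.mkdir()
    _hide(folder)
    baseline = {}
    for ext in BAIT_EXTENSIONS:
        name = secrets.token_hex(5) + ext
        # Random bytes so the bait looks like real data rather than empty stubs.
        (folder / name).write_bytes(secrets.token_bytes(2048))
        baseline[name] = _sha256(folder / name)
    return folder, baseline


def check_bait(folder, baseline):
    """Diff the folder against its baseline. Nothing legitimate ever touches
    bait, so every difference is an alert: a file overwritten in place
    ("modified"), gone or renamed ("missing"), or a new name appearing, e.g. the
    renamed copy carrying a ransomware extension ("unexpected")."""
    folder = Path(folder)
    present = {p.name for p in folder.iterdir()} if folder.is_dir() else set()
    events = []
    for name, digest in baseline.items():
        if name not in present:
            events.append(("missing", name))
        elif _sha256(folder / name) != digest:
            events.append(("modified", name))
    for name in sorted(present - set(baseline)):
        events.append(("unexpected", name))
    return events


def simulate_attack(folder, baseline):
    """Stand-in for a ransomware process (constructed for the example): rename
    one bait file to a .locked extension and overwrite another with random
    bytes standing in for ciphertext. Returns the two names it hit."""
    renamed, overwritten = sorted(baseline)[:2]
    os.rename(Path(folder) / renamed, Path(folder) / (renamed + ".locked"))
    (Path(folder) / overwritten).write_bytes(secrets.token_bytes(2048))
    return renamed, overwritten


def demo():
    """Plant bait, confirm a clean check is silent, attack, and return the alerts."""
    with tempfile.TemporaryDirectory() as tmp:
        folder, baseline = plant_bait(tmp)
        clean = check_bait(folder, baseline)
        renamed, overwritten = simulate_attack(folder, baseline)
        return clean, check_bait(folder, baseline), renamed, overwritten


if __name__ == "__main__":
    clean, alerts, _, _ = demo()
    print("before attack:", clean)
    for kind, name in alerts:
        print(f"ALERT bait {kind}: {name}")
```

Run it and the clean check returns nothing, while the simulated attack produces three alerts: one file missing, one modified, and one unexpected new name ending in .locked. Two points from the thread follow directly from the code. Deleting the bait, as the poster did from Linux, is indistinguishable to the monitor from ransomware removing or renaming it, which is why the products treat that as an attack and re-create the folders. And a poller like this only notices after the first bait file is already damaged, which is the gap the post's closing caveat refers to; the products described in the thread react by stopping the process that touched the bait rather than just reporting afterwards.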

#4 Mako1138 (Topic Starter)

Posted 19 September 2017 - 07:19 AM

quietman7,

 

Thank you for this more detailed description. It has saved me a lot of time as I was going to rebuild my computer today.

 

Mark



#5 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 19 September 2017 - 04:14 PM

You're welcome.
