
Tried to erase "A:\" drive? Cybereason says it blocked an attempt


5 replies to this topic

#1 poopyputer


Posted 01 January 2018 - 07:36 PM

Hello all. It has been a while. 2014-ish.

Anywho...

About 20 minutes ago, I happened to notice in NETWORK LOCATION that Drive "A:" was disconnected. The only drive I should have is a C: drive. So I erased the files contained within this 'A drive' and a Cybereason pop-up message says that an attempt to encrypt files was discovered and thwarted. However, the A drive is still there and states it is disconnected. The deleted files continue to regenerate.

Is Cybereason a free legit ransomware removal tool?

How the heck do I remove this A: drive and its regenerating contents?

Thank you for stopping by and please advise when possible.


Edited by poopyputer, 01 January 2018 - 07:54 PM.



 


#2 quietman7


Posted 02 January 2018 - 06:53 AM

Cybereason RansomFree is a program which deliberately creates hidden dummy folders containing randomly named .bmp, .png, .gif, .jpg, .pem, .xls, .mdb, .txt, .sql, .docx, .doc, .xlsx, .xls, .rtf, and .txt files in various locations (and partitions) on your computer as part of its functionality. These are actually trap (bait) folders and "canary" files...patterns of files and hidden virtual files that ransomware is attracted to. They are monitored for any changes and meant to be targeted for encryption by ransomware before actual data files. When the anti-ransomware program detects any of these files has been modified it will display an alert that an attack is occurring and ask if you wish to terminate the process that is trying to access them. This feature is sometimes referred to as "Honeypot Detection" or "Entrapment Protection" but is commonly misidentified by users or incorrectly reported as being related to malware.

This is Nathan Scott's explanation of Entrapment Protection from his now closed EasySync web site in this topic.

Entrapment Protection
Entrapment Protection lays numerous different types of traps all around your system that a Ransomware Infection cannot resist to touch. These traps send encrypted pattern signals back and forth between CryptoMonitor and themselves constantly. When a Ransomware Infection falls into one of these traps, the pattern is broken and CryptoMonitor immediately takes action. Once this happens, the machine is locked down and you are alerted about the infection and prompted for your decision on what actions to take. During this time, no file modifications are allowed, so your files are safe while you think about your course of action. With this protection enabled you may notice a few hidden files, registry keys, folders, and services running, but don't worry, they are there to protect you!

Common dummy folder locations with random names typically include My Documents, Desktop and common folder variables such as %User Profile%, %AppData%, %LocalAppData%, %ProgramData%, %Temp%.
 
[3 attached images]

If you attempt to remove these files and folders, RansomFree will re-create them. In fact, any attempt taken to delete (modify) the files or folders most likely will be interpreted as possible ransomware activity and trigger a warning alert or initiate some action by RansomFree.
 
If you're having unexpected issues, you can contact Cybereason Support or send an email to rf-su...@cybereason.com. You can also ask questions at the Ransomfree Support forum.


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

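The canary-file behaviour described in the post above (bait files are monitored, any change raises an alert, and deleted bait is re-created) can be sketched as follows. This is an added example, not part of the original thread and not Cybereason's code: RansomFree's internals are not public, so the polling approach and the names `plant_canaries` and `check_canaries` are assumptions for illustration.

```python
import secrets
import tempfile
from pathlib import Path

# A few of the bait file types listed in the post.
BAIT_EXTENSIONS = [".docx", ".xlsx", ".jpg", ".txt", ".sql"]


def plant_canaries(root: Path, count: int = 5) -> dict:
    """Create a randomly named bait folder of decoy files.

    Returns a baseline {path: original_bytes} used for later checks.
    The dot prefix hides the folder on Unix only; on Windows a real tool
    would set the hidden file attribute instead.
    """
    folder = root / ("." + secrets.token_hex(4))
    folder.mkdir(parents=True)
    baseline = {}
    for i in range(count):
        ext = BAIT_EXTENSIONS[i % len(BAIT_EXTENSIONS)]
        path = folder / (secrets.token_hex(6) + ext)
        data = secrets.token_bytes(256)
        path.write_bytes(data)
        baseline[path] = data
    return baseline


def check_canaries(baseline: dict) -> list:
    """Compare every canary with its baseline.

    Returns a list of (event, path) alerts, where event is "deleted" or
    "modified", and restores each affected file. A user who deletes the
    bait by hand is indistinguishable from ransomware here, which is why
    manual deletion produces an alert and the files come back.
    """
    alerts = []
    for path, data in baseline.items():
        if not path.exists():
            alerts.append(("deleted", path))
        elif path.read_bytes() != data:
            alerts.append(("modified", path))
        else:
            continue
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)  # re-create the bait
    return alerts


if __name__ == "__main__":
    # Constructed demo in a temporary directory.
    bait = plant_canaries(Path(tempfile.mkdtemp()))
    victim = next(iter(bait))
    victim.unlink()  # simulate the user deleting a bait file
    for event, path in check_canaries(bait):
        print(f"ALERT: canary {event}: {path}")
```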

#3 Platypus


Posted 02 January 2018 - 07:06 AM

Also see:

 

https://answers.microsoft.com/en-us/windows/forum/windows_7-security/disconnected-network-drive-a-virus/0996b7bd-828c-46a6-ae9a-3de5d45220e6?auth=1


Top 5 things that never get done:

1.

#4 quietman7


Posted 02 January 2018 - 07:25 AM

This Ransomfree Support forum topic mentions the Disconnected Network Drive (A) which is related to additional protection but they do not provide details. The developers do not recommend you tamper with the drive.

It is not uncommon for security developers and representatives not to provide specific details about how their product works in order to protect the integrity of the program from malware authors who also read public forums.

#5 poopyputer


Posted 02 January 2018 - 11:21 PM

You peeps are the best!!! I feel really lazy after seeing that with some research I should have found out my own answers... lol

Nevertheless, the now disconnected A drive has disappeared but the 2 visible honeypot folders are still located in the C:/

I am following what you both have posted and linked up to... so it doesn't sound like an infection, just baits for ransomware?

For my own sake of mind, my question is this: why would Cybereason say that 2 infections have been found and cleaned when I delete the same folders over and over again? Are these false positives? Is my repeated action of deleting the files triggering the response?

Quietman - your screenshot almost mirrors my folders and it's gibberish. I feel a little better. How do I post a screen shot????

Thank you Platypus as well!



#6 quietman7


Posted 03 January 2018 - 05:43 AM

Not knowing the specific inner workings of Cybereason RansomFree, I would suspect any action taken to delete (modify) its features, files and folders most likely is interpreted as possible ransomware activity and triggers a warning alert.

How do I post a screen shot?



