
Ransomware stopped but files still on computer

5 replies to this topic

#1 Maddgal

Maddgal

  • Members
  • 13 posts
  • Gender: Female

Posted 01 March 2018 - 12:19 PM

I have 2 computers, a desktop running Win7 and my laptop with Win10.

Both have Cybereason RansomFree running and ESET Internet Security.

Whilst looking for some old data on my Win7 PC I saw some strange folders. I opened one and Cybereason RansomFree kicked in and stopped the encryption. It never gave a name to the ransomware. The files, but not the directories, were put into its quarantine folder, but immediately thereafter 2 new folders were created. I then found similar folders on my laptop and my husband's laptop. They are all connected via a network but not with shared drives. How do I get rid of these random folders that keep appearing? I have run RKill, Malwarebytes rootkit scan, AdwCleaner and a Trend Micro HouseCall, but the folders are still there. The folders have random names such as Xconfiguration239 and Cdefinition50. The files that have been put into quarantine seem to be 1 Excel, 1 Word, 1 Access, 1 jpg, etc., i.e. it looks like one of each file type.


#2 quietman7

quietman7

Bleepin' Janitor

  • Global Moderator
  • 51,263 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 01 March 2018 - 03:05 PM

Cybereason RansomFree is a program which deliberately creates hidden dummy folders containing randomly named .bmp, .png, .gif, .jpg, .pem, .xls, .mdb, .txt, .sql, .docx, .doc, .xlsx, .xls, .rtf, and .txt files in various locations (and partitions) on your computer as part of its functionality. These are actually trap (bait) folders and "canary" files...patterns of files and hidden virtual files that ransomware is attracted to. They are monitored for any changes and meant to be targeted for encryption by ransomware before actual data files. When the anti-ransomware program detects that any of these files has been modified, it will display an alert that an attack is occurring and ask if you wish to terminate the process that is trying to access them. This feature is sometimes referred to as "Honeypot Detection" or "Entrapment Protection" but is commonly misidentified by users or incorrectly reported as being related to malware.

This is Nathan Scott's explanation of Entrapment Protection from his now closed EasySync web site in this topic.

Entrapment Protection
Entrapment Protection lays numerous different types of traps all around your system that a Ransomware Infection cannot resist touching. These traps send encrypted pattern signals back and forth between CryptoMonitor and themselves constantly. When a Ransomware Infection falls into one of these traps, the pattern is broken and CryptoMonitor immediately takes action. Once this happens, the machine is locked down and you are alerted about the infection and prompted for your decision on what actions to take. During this time, no file modifications are allowed, so your files are safe while you think about your course of action. With this protection enabled you may notice a few hidden files, registry keys, folders, and services running, but don't worry, they are there to protect you!

Common dummy folder locations with random names typically include My Documents, Desktop and common folder variables such as %User Profile%, %AppData%, %LocalAppData%, %ProgramData%, %Temp%.


RansomFree also deploys a “Disconnected Network Drive (A)” which is related to additional protection and detection of ransomware. The developers do not recommend you tamper with the drive. If you attempt to remove these files and folders, RansomFree will re-create them. In fact, any attempt taken to delete (modify) the files or folders most likely will be interpreted as possible ransomware activity and trigger a warning alert or initiate some action by RansomFree.
 
The use of trap (bait, canary) files and folders is not a 100% solution...some data files probably will end up being encrypted by ransomware but whatever helps with prevention, I consider useful.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
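The bait-folder mechanism quietman7 describes above (randomly named folders holding one file of each common type, watched for any change, with any change treated as an attack) can be shown as a small defender-side monitor. The following is an added example for illustration only; it is not part of this thread and is not Cybereason RansomFree's or CryptoMonitor's code. The folder naming scheme is modelled on the names quoted in the thread (Xconfiguration239, Cdefinition50), the extension list, the `FOLDER_WORDS` vocabulary and the event labels (`missing`, `modified`, `unexpected`) are assumptions of this demo, and the "encryption" it reacts to is simulated by the demo itself in a scratch directory.

```python
# Toy canary-file monitor in the spirit of the "entrapment protection" quoted
# above.  Added example: NOT RansomFree's or CryptoMonitor's code.  Naming scheme,
# extension list and event labels are assumptions made for this demonstration.
import hashlib
import random
import shutil
import tempfile
from pathlib import Path

# One bait file per type, mirroring the "one of each file type" the original
# poster found in quarantine.  The exact list is an assumption for this demo.
BAIT_EXTENSIONS = (".docx", ".xlsx", ".mdb", ".jpg", ".pem", ".txt")
FOLDER_WORDS = ("configuration", "definition", "settings", "cache")


def _folder_name(rng: random.Random) -> str:
    """Random folder name in the style quoted in the thread, e.g. Xconfiguration239."""
    return (rng.choice("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
            + rng.choice(FOLDER_WORDS)
            + str(rng.randint(10, 999)))


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def deploy_canaries(root: Path, folders: int = 2, seed: int = 0) -> dict[str, str]:
    """Create bait folders under `root`, each holding one random-content file per
    extension, and return the baseline {relative_posix_path: sha256}."""
    rng = random.Random(seed)
    baseline: dict[str, str] = {}
    for _ in range(folders):
        folder = root / _folder_name(rng)
        folder.mkdir(parents=True, exist_ok=True)
        for ext in BAIT_EXTENSIONS:
            bait = folder / f"{rng.randrange(10**6):06d}{ext}"
            bait.write_bytes(rng.randbytes(256))
            baseline[bait.relative_to(root).as_posix()] = _sha256(bait)
    return baseline


def check_canaries(root: Path, baseline: dict[str, str]) -> list[tuple[str, str]]:
    """Compare the bait tree against the baseline.  Legitimate users never touch
    these files, so every difference is reported as suspicious."""
    events: list[tuple[str, str]] = []
    for rel, digest in sorted(baseline.items()):
        path = root / rel
        if not path.exists():
            events.append(("missing", rel))      # deleted, or renamed (e.g. a new suffix)
        elif _sha256(path) != digest:
            events.append(("modified", rel))     # contents rewritten, e.g. encrypted in place
    # Files that appeared inside a bait folder but were never planted there,
    # such as a dropped ransom note or a renamed copy of a bait file.
    for folder in sorted({Path(rel).parent for rel in baseline}):
        folder_path = root / folder
        if not folder_path.is_dir():
            continue                             # folder gone: its files were reported above
        for path in sorted(folder_path.iterdir()):
            rel = path.relative_to(root).as_posix()
            if rel not in baseline:
                events.append(("unexpected", rel))
    return events


def demo() -> list[tuple[str, str]]:
    """Plant canaries in a scratch directory, simulate what an encryptor would do
    to them (overwrite one, rename one, drop a note), and return the detections."""
    root = Path(tempfile.mkdtemp(prefix="canary-demo-"))
    try:
        baseline = deploy_canaries(root, folders=2, seed=42)
        if check_canaries(root, baseline):
            raise RuntimeError("freshly planted canaries must be silent")
        victims = sorted(baseline)
        (root / victims[0]).write_bytes(b"\x00" * 64)                  # simulated in-place encryption
        (root / victims[1]).rename(root / (victims[1] + ".locked"))    # simulated rename
        note = root / Path(victims[0]).parent / "README_RESTORE.txt"   # constructed sample note
        note.write_text("constructed sample ransom note for the demo\n")
        return check_canaries(root, baseline)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:10s} {rel}")
```

Running the module prints one line per detection: the overwritten file as `modified`, the renamed file as `missing`, and both the `.locked` copy and the note as `unexpected`. A real product would additionally attach the modifying process to the event and offer to suspend it, which is the "ask if you wish to terminate the process" step quietman7 describes; this demo only does the comparison.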

#3 null__

null__

  • Members
  • 65 posts
  • Gender: Male
  • Location: 127.0.0.1

Posted 01 March 2018 - 04:01 PM

Thanks for that reply, quietman! I found some folders like that on my laptop and couldn't determine what the cause was. This is good info to know!



#4 quietman7

quietman7

Bleepin' Janitor

  • Global Moderator
  • 51,263 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 01 March 2018 - 04:43 PM

You're welcome.

#5 Maddgal

Maddgal
  • Topic Starter
  • Members
  • 13 posts
  • Gender: Female

Posted 02 March 2018 - 03:10 AM

Thank you Quietman7. I appreciate the very detailed reply. I'm glad I'm not infected. 

My concern was really around the fact that my daughter got the GandCrab ransomware on her machine and when we came to this site, it said nothing was known about it, it was so new. Luckily it only encrypted her music which she had backed up, but we had to re-install her machine as at that stage there was no way to remove the ransom notes! All good now.



#6 quietman7

quietman7

Bleepin' Janitor

  • Global Moderator
  • 51,263 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 02 March 2018 - 06:12 AM

You're welcome.

Sorry to hear about your daughter's system getting infected with GandCrab ransomware. If any of her personal data was encrypted, there is hope....
Bitdefender has Released a GandCrab Ransomware Decryption Tool in collaboration with nomoreransom.org.