
Who/what made folder "0K, this directory is for Ransomware detection"?


5 replies to this topic

#1 babylon_nl


Posted 02 March 2018 - 03:21 PM

Hi all,

 

Today I came across a hard drive that had a folder in the desktop folder named '0K, this directory is for Ransomware detection (just leave it here)'.

 

Inside the folder were a bunch of bogus files that struck me as bait files for ransomware. It had a .jpg, a .txt, a .docx; basically some odd 10 files there contained seemingly random data (e.g. the .jpg was a picture of static, like analog TV static, and the .txt file was filled with characters, again seemingly random).

I had never before seen any such files, and Google gave me nothing but some Polish or Russian hits, but the same folder does appear on quite a few PCs, if I were to believe the logfiles posted on various sites (amongst which bleepingcomputer.com) in the process of removing their infections of all kinds.

 

At the time I didn't put much thought into it; I just wanted to know if this particular drive was infected, and no program started crying so I was satisfied. But now the thought doesn't leave me alone, for I think it may be a smart way to catch the encryption key of a ransomware infection. If the files in that folder are in a way random, yet their original content is well known in a secure place, it would make sense that calculating the encryption key could be 'easy'.

 

Thing is, I can't find any information on that folder. Does anybody know if some antivirus program or something made these files, and are they by chance effective in case of ransomware removal? Since the folder for everybody is in the same place (the /desktop folder) and seems to have the same name (the first character is a zero, rather than an Oh) in case it occurs, I would also think it would not be hard for a payload to discriminate this folder and skip it, so I'd be happy to read any comment about this matter.

 

Anybody? Thanks for reading and your input!





#2 MasterNe0


Posted 02 March 2018 - 03:48 PM

Check to see if the machine has RansomFree on it. If so, it creates a bunch of dummy files used to lure ransomware. The files are randomly generated with extensions and names.


Edited by MasterNe0, 02 March 2018 - 03:48 PM.
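The bait-file idea described in the reply above, as an added sketch that is not part of the thread and is not RansomFree's code: decoy files of random bytes are planted with a recorded SHA-256 baseline, and a later check reports decoys that were modified, removed or renamed. The folder layout, naming scheme and the two-file alert threshold are assumptions made for this example.

```python
import hashlib
import secrets
import tempfile
from pathlib import Path

BAIT_EXTENSIONS = (".jpg", ".txt", ".docx")  # file types named in the thread

def plant_bait(directory: Path, count: int = 6) -> dict:
    """Write decoy files of random bytes; return a {filename: sha256} baseline."""
    directory.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for i in range(count):
        ext = BAIT_EXTENSIONS[i % len(BAIT_EXTENSIONS)]
        name = f"{i:02d}_{secrets.token_hex(4)}{ext}"  # constructed naming scheme
        data = secrets.token_bytes(4096)
        (directory / name).write_bytes(data)
        baseline[name] = hashlib.sha256(data).hexdigest()
    return baseline

def check_bait(directory: Path, baseline: dict) -> list:
    """Compare the folder with the baseline; return (event, filename) findings."""
    present = {p.name for p in directory.iterdir() if p.is_file()}
    findings = []
    for name, digest in baseline.items():
        if name not in present:
            findings.append(("missing", name))  # deleted or renamed
        elif hashlib.sha256((directory / name).read_bytes()).hexdigest() != digest:
            findings.append(("modified", name))  # content rewritten in place
    findings += [("unexpected", n) for n in sorted(present - set(baseline))]
    return findings

def is_tripped(findings: list, threshold: int = 2) -> bool:
    """Alert when several decoys change at once; a single change may be the user."""
    changed = {name for event, name in findings if event in ("missing", "modified")}
    return len(changed) >= threshold

def demo():
    """Constructed scenario: one decoy overwritten, one renamed with a new suffix."""
    with tempfile.TemporaryDirectory() as tmp:
        bait_dir = Path(tmp) / "bait"
        baseline = plant_bait(bait_dir)
        clean = check_bait(bait_dir, baseline)
        names = list(baseline)
        (bait_dir / names[0]).write_bytes(b"no longer the original bytes")
        (bait_dir / names[1]).rename(bait_dir / (names[1] + ".changed"))
        return names, clean, check_bait(bait_dir, baseline)

if __name__ == "__main__":
    names, clean, findings = demo()
    print(clean, findings, is_tripped(findings))
```

The baseline only has value if it is stored somewhere the monitored process cannot rewrite, so keep it outside the bait folder.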


#3 babylon_nl


Posted 02 March 2018 - 03:58 PM

@MasterNe0 - I don't have the hard drive anymore, the guy's computer broke so there's no way I can tell.. I'll look into RansomFree, is it proven to be effective against ransomware? If so, everybody should have that, no?



#4 quietman7


Posted 02 March 2018 - 04:10 PM

You may want to read my comments about Cybereason RansomFree in this topic.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 babylon_nl


Posted 02 March 2018 - 04:23 PM

@Quietman7 - Thanks, yes, the files mentioned in your topic I recognize; I'll try the program tomorrow... I didn't read it all yet, but did notice it will not help in decrypting the encrypted files. Somehow I don't understand that; I don't know my encryption techniques, but it would make sense to me that if you have an encrypted file and a smart original file designed for decryption purposes, at some point it would be relatively easy to find the decryption key..

But as they say, any way to prevent an infection from doing its thing is a valuable plus! Thanks for your input!



#6 quietman7


Posted 02 March 2018 - 04:35 PM

You're welcome. :)

