I think I have Ransomware


7 replies to this topic

#1 the-pvkid

Posted 24 May 2018 - 08:29 PM

I have something that is putting folders in my C drive root, My Documents, and my Users folder. It is always 2 folders and they are filled with files with .xls, .txt, .docx, .jpg, .sql, .xlsx, .rft, .per suffixes.

If I delete the folders they come back with a different name. My files are not locked, but what makes me think it is ransomware is that when I delete the folders I get a pop-up from Cybereason saying it has eliminated ransomware. (Threat stopped. Cybereason RansomFree has successfully prevented an attempt to encrypt your files. Please note: Ransomware may still show a ransom note, a countdown timer or other visual effects. You will have to manually fix them.) I did install Cybereason before this started to happen.

Does anyone have any clues as to what this is and how to get rid of it? I do have backups of all my files in case they get encrypted.

I am running Windows 10 Home.

Thank you in advance to anyone that can help me.




 


#2 quietman7


Posted 24 May 2018 - 08:41 PM

There is some ransomware protection software which deliberately creates hidden dummy (trap, bait) folders containing randomly named "canary" files (.bmp, .png, .gif, .jpg, .pem, .xls, .mdb, .txt, .sql, .docx, .doc, .xlsx, .xls, .rtf, .txt) in various locations and partitions on your computer as part of its functionality. These are actually trap (bait) folders and "canary" files...patterns of files and hidden virtual files that ransomware is attracted to. They are monitored for any changes and meant to be targeted for encryption by ransomware before actual data files. When the anti-ransomware program detects that any of these files has been modified, it will display an alert that an attack is occurring and ask if you wish to terminate the process that is trying to access them. This feature is sometimes referred to as "Honeypot Detection" or "Entrapment Protection" but is commonly misidentified by users or incorrectly reported as being related to malware.

Cybereason RansomFree, Cybersight RansomStopper, CryptoPrevent Premium (FolderWatch HoneyPot) and CryptoMonitor by Nathan (DecrypterFixer) (no longer supported) are security programs which include this feature.

See my comments in this topic for more detailed information about Cybereason RansomFree.


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
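The bait-folder mechanism described in the reply above, as an added example (not part of the thread and not code from Cybereason or any other product named here): it drops randomly named canary files, records a hash baseline, and reports any canary that is later modified or missing. Polling with SHA-256 hashes and the names `deploy_canaries` and `check_canaries` are assumptions of this sketch; the post does not say how the products monitor their files.

```python
import hashlib
import secrets
import tempfile
from pathlib import Path

# Extensions taken from the canary list in the reply above.
BAIT_EXTENSIONS = [".docx", ".xlsx", ".jpg", ".sql", ".txt", ".rtf"]


def _digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def deploy_canaries(root: Path, count: int = 6) -> dict:
    """Create a randomly named bait folder of canary files under root.

    Returns a baseline mapping each canary path to its SHA-256 digest.
    """
    bait_dir = root / secrets.token_hex(6)
    bait_dir.mkdir(parents=True)
    baseline = {}
    for i in range(count):
        ext = BAIT_EXTENSIONS[i % len(BAIT_EXTENSIONS)]
        path = bait_dir / (secrets.token_hex(5) + ext)
        path.write_bytes(secrets.token_bytes(2048))  # filler, never real data
        baseline[str(path)] = _digest(path)
    return baseline


def check_canaries(baseline: dict) -> list:
    """Compare canaries with the baseline; return (path, event) tuples."""
    events = []
    for name, expected in baseline.items():
        path = Path(name)
        if not path.exists():
            events.append((name, "missing"))   # deleted or renamed
        elif _digest(path) != expected:
            events.append((name, "modified"))  # content rewritten, e.g. encrypted
    return events


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        baseline = deploy_canaries(Path(tmp))
        victim = Path(next(iter(baseline)))
        victim.write_bytes(b"constructed stand-in for an overwritten file")
        for name, event in check_canaries(baseline):
            print(event, name)
```

Deleting a bait folder by hand makes every canary in it report as `missing`, so a monitor built this way cannot tell a tidy-up from an attack.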

#3 the-pvkid


Posted 24 May 2018 - 09:03 PM

I have paused Cybereason for one hour and so far no new folders. I will report back.



#4 quietman7


Posted 24 May 2018 - 09:10 PM

Ok.

BTW...actual ransomware usually will have obvious indications (signs of infection)...it typically targets and encrypts data files so you cannot open them on your computer (and all connected drives at the time of infection), in most cases it appends an obvious extension to the end or beginning of encrypted filenames (although some variants do not), demands a ransom payment by dropping ransom notes in every directory or affected folder where data has been encrypted and sometimes changes Windows wallpaper. Some types of ransomware will completely rename, encrypt or even scramble file names while others do not append any extensions. Less obvious symptoms include adding or modifying registry entries and deletion of Shadow Volume Copies so that you cannot restore your files from before they had been encrypted but leaves the operating system working so the victim can pay the ransom. Further, when dealing with real ransomware, the cyber-criminals generally instruct their victims to contact them by email or website for decryption.
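Two of the signs listed in the post above, checked over a file listing, as an added example (not part of the thread): an extra extension appended after a normal one, and the same file name present in every directory. The function name `triage`, the extension list, the 50% threshold and both sample listings are constructed for illustration; as the post notes, some variants append no extension, so a negative result rules nothing out.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Ordinary data-file extensions; the list is an assumption for this example.
DATA_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".jpg", ".sql", ".txt", ".rtf"}


def triage(listing):
    """Check a list of file paths for two signs of real ransomware."""
    files = [PureWindowsPath(p) for p in listing]
    dirs = {f.parent for f in files}

    # Sign 1: an extra extension appended after a normal one (name.docx.xyz).
    appended = Counter(
        f.suffixes[-1].lower()
        for f in files
        if len(f.suffixes) >= 2 and f.suffixes[-2].lower() in DATA_EXTS
    )
    ext, hits = appended.most_common(1)[0] if appended else (None, 0)

    # Sign 2: the same file name present in every directory (ransom note).
    seen_in = {}
    for f in files:
        seen_in.setdefault(f.name.lower(), set()).add(f.parent)
    notes = sorted(n for n, d in seen_in.items() if len(dirs) > 1 and d == dirs)

    return {
        "appended_extension": ext,
        "renamed_share": round(hits / len(files), 2) if files else 0.0,
        "note_candidates": notes,
        "looks_encrypted": bool(ext and notes and hits / len(files) >= 0.5),
    }


# Constructed listings: bait folders like the ones in this thread, and a
# made-up encrypted tree (".locked" and the note name are placeholders).
BAIT = [r"C:\9f3a1c\k2d81.xlsx", r"C:\9f3a1c\p07aa.sql",
        r"C:\Users\u\Documents\77be02\zz91c.docx",
        r"C:\Users\u\Documents\77be02\q4410.jpg"]
ENCRYPTED = [r"C:\Users\u\Documents\budget.xlsx.locked",
             r"C:\Users\u\Documents\READ_ME_CONSTRUCTED.txt",
             r"C:\Users\u\Pictures\trip.jpg.locked",
             r"C:\Users\u\Pictures\cat.jpg.locked",
             r"C:\Users\u\Pictures\READ_ME_CONSTRUCTED.txt"]
```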

#5 the-pvkid


Posted 24 May 2018 - 09:21 PM

Yes, I understand all of that, but I was thinking that because I have protection, Cybereason was stopping it before it could encrypt my files. I guess I was overthinking it a bit :bubbles:



#6 quietman7


Posted 24 May 2018 - 09:36 PM

You are not alone. We have had several folks post topics about the same thing. I think it would be helpful if Cybereason explained more clearly and provided more specific details about how their program works.

#7 the-pvkid


Posted 24 May 2018 - 09:59 PM

Yes, 1 hour later the folder appears. I guess this case is solved.

Thank you very much for your help  :tophat:



#8 quietman7


Posted 25 May 2018 - 05:49 AM

You're welcome.



