New Ransomware Hitting PCs


I've had about 10 of these in the past 24 hours on our domain. I am having to manually clean them, as both Symantec and Malwarebytes are not currently catching it. The infected .exe appears to be stored in the user's roaming profile, under Application Data.

 

It is called Windows Antivirus Master.

 

Here is a screenshot that I pulled from another site. Do you guys have anything in the pipe to detect this annoyance? Thanks.

 

Windows-Antivirus-Master.jpg


In my case the .exe appears to be running directly from the user's roaming profile, which in our case is P:\Application Data.

 

The exact file name for the one I am working on now is svc-xero.exe

 

Full path being P:\Application Data\svc-xero.exe

 

I was able to activate the ransomware with its own key. This gave me back control of Task Manager and allowed me to find the name and location. I was then able to delete it from that location, then scan the registry and delete the entries that I found there.

 

At this point I was able to manually scan both C: (local drive) and the user's P: (roaming) and Malwarebytes cleaned several things. I don't think Malwarebytes scans this extra location with its day-to-day scans, and I cannot see how to enable scanning of the P drive from the Malwarebytes console. The .exe was running from the P drive, not the C drive.

 

I have another thread open asking about scanning that location with my automated scans.

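The manual triage described in the post above (find the process running out of the roaming profile, then find the registry entries that launch it) can be scripted so it can be repeated across the other infected machines. The following PowerShell is an added example written for this thread, not code from the poster or from Malwarebytes. It assumes the redirected roaming profile path P:\Application Data from the post; the other roots, the Run keys checked and the `Test-UnderRoot` helper are assumptions of this example. Run it in an elevated PowerShell session on the affected client.

```powershell
# Added example (not from the original post): list processes whose image runs from a
# profile or temp location, and autorun entries that point at those locations.
# Assumption: roaming profiles are redirected to P:\Application Data (from the thread).
$SuspectRoots = @(
    'P:\Application Data',   # redirected roaming profile named in the thread
    $env:APPDATA,            # default roaming AppData
    $env:LOCALAPPDATA,
    $env:TEMP
)

# Helper (assumed name): true if $Path sits underneath any of $Roots, case-insensitively.
function Test-UnderRoot {
    param([string]$Path, [string[]]$Roots)
    if ([string]::IsNullOrEmpty($Path)) { return $false }
    foreach ($r in $Roots) {
        if ([string]::IsNullOrEmpty($r)) { continue }
        $prefix = $r.TrimEnd('\') + '\'
        if ($Path.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# 1. Running processes whose executable lives under one of the suspect roots.
#    Win32_Process exposes ExecutablePath for every user's processes when elevated.
$suspectProcs = Get-CimInstance Win32_Process |
    Where-Object { Test-UnderRoot $_.ExecutablePath $SuspectRoots } |
    Select-Object ProcessId, Name, ExecutablePath, CommandLine

# 2. Persistence: Run/RunOnce values whose image path is under a suspect root.
#    Note: when elevated, HKCU is the admin's hive, not the infected user's. To check
#    that user's hive, run this part as that user or load their NTUSER.DAT with reg.exe.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$suspectAutoruns = foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $item = Get-ItemProperty -Path $k
    foreach ($p in $item.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }   # skip provider metadata
        $value = [string]$p.Value
        # Reduce "C:\path\x.exe" /args  or  C:\path\x.exe /args  to the image path.
        $exe = ($value -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
        if (Test-UnderRoot $exe $SuspectRoots) {
            [pscustomobject]@{ Key = $k; Name = $p.Name; Value = $value }
        }
    }
}

# 3. Report. Hash the sample before deleting it so it can be submitted to the AV vendor.
$suspectProcs | ForEach-Object {
    $hash = if (Test-Path -LiteralPath $_.ExecutablePath) {
        (Get-FileHash -Algorithm SHA256 -LiteralPath $_.ExecutablePath).Hash
    } else { 'n/a' }
    [pscustomobject]@{ PID = $_.ProcessId; Name = $_.Name; Path = $_.ExecutablePath; SHA256 = $hash }
} | Format-Table -AutoSize
$suspectAutoruns | Format-Table -AutoSize
```

Copy the flagged file off the machine (or at least record its SHA256) before removing it; a sample is what the vendor needs to add detection, which is what the first post asks for. Killing the process (`Stop-Process -Id <PID>`) before deleting the file avoids the sharing-violation error that an in-use executable produces.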

Hi Averum,

 

We are looking into this particular issue and would like more information.

 

Are you using file redirection in your environment?

 

Also, can you please run a Quick Scan on the client and collect a Procmon log while doing so?

 

Create a new folder on your desktop called Logs

Please download Process Monitor from here and save it to your desktop:
http://download.sysinternals.com/files/ProcessMonitor.zip

Double-click on Procmon.exe to run it

In Process Monitor, click on File at the top and select Backing Files...

Click the circle to the left of "Use file named:" and click the "..." button
Browse to the Logs folder you just created, type MBAM Log in the File name: box and click Save

Exit Process Monitor and open it again so that it starts creating the logs

Now, please run a Quick Scan and let it finish.

Close Process Monitor
Right-click on the Logs folder on your desktop, hover your mouse over Send To and select Compressed (zipped) Folder

After this, please send the zipped logs to our Box account. I have PM'd you a link to a folder.

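The capture steps in the reply above can be driven from Process Monitor's command line instead of the GUI, which matters when the same log has to be collected from several clients. The script below is an added example for this thread, not Malwarebytes' own tooling. It uses Procmon's documented switches (/AcceptEula, /Quiet, /Minimized, /BackingFile, /Terminate); the folder layout, the download URL from the reply and the "press Enter after the scan" prompt are assumptions of this example. It requires PowerShell 5 or later for Expand-Archive and Compress-Archive.

```powershell
# Added example (not from the original post): collect a Procmon backing-file log of a
# Malwarebytes Quick Scan into Desktop\Logs and zip it, as the reply asks.
$desktop = [Environment]::GetFolderPath('Desktop')
$logDir  = Join-Path $desktop 'Logs'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

# Fetch Process Monitor from the URL given in the reply (assumed still valid) and unpack it.
$zip = Join-Path $desktop 'ProcessMonitor.zip'
Invoke-WebRequest -Uri 'http://download.sysinternals.com/files/ProcessMonitor.zip' -OutFile $zip
$toolDir = Join-Path $desktop 'procmon'
Expand-Archive -Path $zip -DestinationPath $toolDir -Force
$procmon = Join-Path $toolDir 'Procmon.exe'

# The download is over plain HTTP, so check the Authenticode signature before running it.
$sig = Get-AuthenticodeSignature -FilePath $procmon
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    throw "Procmon.exe signature check failed: $($sig.Status)"
}

# Start capturing to the backing file with no filter dialog, minimized. This is the
# command-line equivalent of File > Backing Files... > "Use file named".
$pml = Join-Path $logDir 'MBAM Log.PML'
Start-Process -FilePath $procmon -ArgumentList @('/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', "`"$pml`"")
Start-Sleep -Seconds 5   # let the Procmon driver load before the scan starts

# The Quick Scan itself is started from the Malwarebytes UI; this example does not
# assume a scan command line. Wait for the operator to confirm it has finished.
Read-Host 'Run the Malwarebytes Quick Scan now, then press Enter when it has finished'

# /Terminate stops the running instance and flushes the backing file to disk.
Start-Process -FilePath $procmon -ArgumentList '/Terminate' -Wait

# Zip the Logs folder (same result as Send To > Compressed (zipped) Folder).
$archive = Join-Path $desktop 'Logs.zip'
Compress-Archive -Path $logDir -DestinationPath $archive -Force
Write-Host "Log archive written to $archive"
```

If an unattended run is preferred, `/Runtime <seconds>` can replace the Read-Host prompt so Procmon stops on its own after a fixed capture window; the .PML grows quickly during a scan, so keep the window to the scan's actual duration.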