Cryptoguard detected Ransomware attack

The ransomware-like action happened. You can see that in the documents being actioned. The question is if the action was being done by a legitimate program in your environment. To know that you would need to go onto that host and see what was being done. Then you would need to investigate why these actions are being done, and make a decision at that point. 

Thanks for the quick reply! We know which program (a program often used in our business) caused the ransomware action and what was done, but we could not find info about that particular program in any log file. What we are still wondering is if ransomware can be activated via a known program? And if there is any log file that can show us which process caused the ransomware attack?

The problem you are having is that the PE is on a remote machine. The endpoint that detected the action can't know what program is trying to the do the action - all it has is an incoming connection that is executing suspicious commands. There isn't much that you can do about this. The next question I have is why are you do this type of file alterations across the network? Is this an archiving software? 

The problem you are having is that the PE is on a remote machine. The endpoint that detected the action can't know what program is trying to the do the action - all it has is an incoming connection that is executing suspicious commands. There isn't much that you can do about this. The next question I have is why are you do this type of file alterations across the network? Is this an archiving software?