This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WIN-PROT-HMPA-MALWARE-CRYPTOGUARD

Hello Community,

This message appears on a file server, with the associated IP address that is said to have carried out the attack.

CryptoGuard detected a ransomware attack from 192.168.X.X (client ip)

The client shows the same thing, but nowhere is there any indication of which process led to this decision.

CryptoGuard hat einen Ransomware-Angriff von diesem Gerät auf server-x erkannt

The client is locked (8h or manuelly unlock) but where can I see why to solve the problem?, but where can I see why to solve the problem?

regards

Silvio

This thread was automatically locked due to age.

Top Replies

LHerzog 4 months ago +1

the hmpa log is C:\ProgramData\HitmanPro.Alert\Logs\sophoshmpaservice.log This may help you to plan your further actions: support.sophos.com/.../KB-000036287 I'd start enabling debug on Hitman on…

0 LHerzog 4 months ago

the hmpa log is C:\ProgramData\HitmanPro.Alert\Logs\sophoshmpaservice.log

This may help you to plan your further actions:

support.sophos.com/.../KB-000036287

I'd start enabling debug on Hitman on both sides.
Cancel
Vote Up +1 Vote Down

Cancel
0 Silvio Bittner 4 months ago in reply to LHerzog

thank you, the log is a good hint, On the client, the file is overwritten, because I didn't find anything, I reset the device in a first "panic"-action.
On the server side, there are a few files in "Programdata\HitmanProalert\Safestore
The time matches the process, unfortunately i can't read the (encrypted) files...
Cancel
Vote Up 0 Vote Down

Cancel
0 LHerzog 4 months ago in reply to Silvio Bittner

do you believe this is false positive?
Cancel
Vote Up 0 Vote Down

Cancel
0 Silvio Bittner 4 months ago in reply to LHerzog

not sure, sometime we have a problem with an applicatation called "Oxygen" an XML-Audit Tool. but, In the past, there was a concrete indication of the process on the client and the exception rule is still there...
in the meantime I found the corresponding log on the server:

in the meantime I found the corresponding log on the server:

[ 1804: 5924] I [Protected] PID 4, Features 08FD2E3040000000 Silent 0080000000000000, 192.168.66.XXX
2024-02-26T08:22:24.318Z [ 1804: 5924] E WTSQueryUserToken failed with error code 1008, console session 1
2024-02-26T08:22:24.318Z [ 1804: 5924] W IsActiveSession failed, session 1
2024-02-26T08:22:24.319Z [ 1804: 5924] W IsActiveSession failed, session 4
2024-02-26T08:22:24.319Z [ 1804: 5924] W IsActiveSession failed, session 65536
2024-02-26T08:22:24.319Z [ 1804: 5924] E Create report process failed, telemetry path C:\Program Files\Sophos\AutoUpdate\\Telemetry\SubmitTelem.exe
2024-02-26T08:22:24.323Z [ 1804: 5924] E WTSQueryUserToken failed with error code 1008, console session 1
2024-02-26T08:22:24.324Z [ 1804: 5924] W IsActiveSession failed, session 1
2024-02-26T08:22:24.324Z [ 1804: 5924] W IsActiveSession failed, session 4
2024-02-26T08:22:24.324Z [ 1804: 5924] W IsActiveSession failed, session 65536
2024-02-26T08:22:24.324Z [ 1804: 5924] E Create report process failed, telemetry path C:\Program Files\Sophos\AutoUpdate\\Telemetry\SubmitTelem.exe
2024-02-26T08:22:24.324Z [ 1804: 5924] I [Alert] CryptoGuard V5, familyId=3ca5d37a-8ed5-7ba5-f8b2-8b632175ffa5, PID 4, 192.168.66.216
2024-02-26T08:22:24.330Z [ 1804: 5924] I [Sophos] dropped xml C:\ProgramData\Sophos\Management Communications System\Endpoint\Messages\ToManagementServer\20240226082224324505_evt_hmpa-exploit.umc
2024-02-26T08:22:24.338Z [ 1804: 5924] I [Sophos] dropped json C:\ProgramData\Sophos\Health\Event Store\Incoming\24883b2d-247b-4c47-92cc-e33863265399.json
2024-02-26T08:22:24.343Z [ 1804: 5924] I [Sophos] successfully posted request to SSP
Cancel
Vote Up 0 Vote Down

Cancel
0 LHerzog 4 months ago in reply to Silvio Bittner

PID4 is system and that IP 66.216 is probably the client.

System process will be triggered for SMB access. If you have XDR and Datalake you can query what the client did at that time

machines must both be online (live query)

That may be tricky as the most obvious query File Access history is uselessly limited by Sophos:

Server:

Client:

community.sophos.com/.../live-discover-query-cancelled-e-process-sophososqueryextension-exe-exceeded-30-cpu-limit
Cancel
Vote Up 0 Vote Down

Cancel
0 Silvio Bittner 4 months ago in reply to LHerzog

I want to try that, this datalake thing is nice when you have nothing else to do :-)
Thank you for the suggestion.
Cancel
Vote Up +1 Vote Down

Cancel
0 Silvio Bittner 4 months ago in reply to Silvio Bittner

[deleted]
Cancel
Vote Up 0 Vote Down

Cancel
0 Silvio Bittner 4 months ago in reply to Silvio Bittner

[deleted]
Cancel
Vote Up 0 Vote Down

Cancel
0 Silvio Bittner 4 months ago in reply to Silvio Bittner

[deleted]
Cancel
Vote Up 0 Vote Down

Cancel
0 Silvio Bittner 4 months ago in reply to Silvio Bittner

Once I have found the suspicious, legitimate process... a "java-exe" invoked by a parent program, how can I manually exclude the sha265 value...?
Cancel
Vote Up 0 Vote Down

Cancel