
Undetected ransomware

I apologize if this is the wrong forum for this. One of our users got infected with some ransomware. We run Endpoint and it did not detect it; the quarantine is empty. Files on the local hard drive started getting encrypted in the .crypz format. The user also had several network shares where files started getting encrypted. We isolated the PC from the network and restored backups on our file server. I opened a case with support and they installed Hitman Pro on the file server and started a scan. The support tech instructed me to submit whatever the Hitman Pro scanner finds as a sample, then he hung up. The scan came up clean, so I had nothing to submit. I attempted to call back, but after 30+ minutes on hold, someone picked up the phone and hung right up. It was near the end of the day, so I decided to not wait around again.

So far I have run the following on the user's PC:

  • Hitman Pro
  • Sophos Endpoint full system scan
  • Sophos Clean
  • Malwarebytes

All scans from these programs came up clean - no detected threats.

I updated the case online asking support to log in and take a look at the infected PC. The last response I received from Support was 4 business days ago.  I don't have any samples to submit because nothing I run will detect the malware. I assume that Sophos could have someone do a screen sharing session on it and try to detect the ransomware. What steps can I take from here? Should I try some other AV software to see if I can detect something?



  • Hello jlboan,

    [first of all - I'm not Sophos, merely a customer]
    "nothing I run will detect the malware"
    I've (unfortunately) seen a few cases of ransomware over time. In recent cases the malware is cleaning up after itself (including the downloader and dropper components). Depending on the sequence of actions there might be nothing left to detect. Normally all the interesting stuff resides on the infected machine (except when roaming profiles or remote home directories are used - but even then the cleanup might have removed the evidence).

    "What steps can I take from here?"
    The malware and its helpers apparently managed to fly under the radar and as it has done its work you know that you've been hit. As said, it's very unlikely that the malware is still there and thus that you can send a sample (so that Sophos update their definitions) if some other scanner detects it. Some other AV software might or might not find some malicious or suspicious files - but then you'll likely find them in the user's %APPDATA% and the normally user-writeable locations (%ProgramData% and %windir%\TEMP\) so you could as well sample the files with an appropriate timestamp from there (but don't expect to hit the jackpot).

    The IMO best chance to catch the actual malware is to literally and immediately pull the plug (or remove the battery), without cutting the network first, if the encryption is still in progress.

    Christian   
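One way to do the timestamp-based sampling Christian describes, as an added example that is not from this thread and not a Sophos tool: a PowerShell triage script that takes the LastWriteTime of the earliest .crypz file as the approximate start of encryption, then lists (and hashes) every file created or modified shortly before or during that window in %APPDATA%, %ProgramData% and %windir%\TEMP. $ScanRoot, $WindowHours and $ReportPath are assumed parameters chosen for this example.

```powershell
# Added triage script (not from the original thread). Assumptions:
# - run in the affected user's session on the isolated PC, so $env:APPDATA
#   resolves to that user's profile (otherwise edit $locations below);
# - encrypted files carry the ".crypz" extension mentioned in the thread;
# - $ScanRoot is where the .crypz files are searched for (local drive here).
param(
    [string]$ScanRoot    = "C:\Users",   # root to search for encrypted files
    [int]   $WindowHours = 2,            # look-back before the first encryption
    [string]$ReportPath  = "$env:USERPROFILE\Desktop\triage-candidates.csv"
)

# 1. Earliest and latest .crypz write times bound the encryption window.
$encrypted = Get-ChildItem -Path $ScanRoot -Filter '*.crypz' -Recurse -File -Force -ErrorAction SilentlyContinue
if (-not $encrypted) { Write-Host "No .crypz files found under $ScanRoot"; return }
$sorted = $encrypted | Sort-Object LastWriteTime
$start  = ($sorted | Select-Object -First 1).LastWriteTime
$end    = ($sorted | Select-Object -Last 1).LastWriteTime
Write-Host "Encryption window: $start .. $end ($($encrypted.Count) encrypted files)"

# 2. Files created or changed in the user-writeable locations named in the
#    thread, from $WindowHours before the first encryption up to the last one.
$lookback  = $start.AddHours(-$WindowHours)
$locations = @($env:APPDATA, $env:ProgramData, "$env:windir\TEMP")
$candidates = foreach ($loc in $locations) {
    Get-ChildItem -Path $loc -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Extension -ne '.crypz' -and
            (($_.CreationTime  -ge $lookback -and $_.CreationTime  -le $end) -or
             ($_.LastWriteTime -ge $lookback -and $_.LastWriteTime -le $end))
        }
}

# 3. Hash each candidate (for sample submission or lookup) and write a report
#    sorted by creation time; nothing here executes or opens the files.
$report = $candidates | ForEach-Object {
    [pscustomobject]@{
        Path          = $_.FullName
        CreationTime  = $_.CreationTime
        LastWriteTime = $_.LastWriteTime
        SizeBytes     = $_.Length
        SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    }
} | Sort-Object CreationTime
$report | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Format-Table Path, CreationTime, SizeBytes -AutoSize
Write-Host "Wrote $(@($report).Count) candidate files to $ReportPath"
```

Executables, scripts and archives in the resulting list that nobody recognises are the ones worth submitting as samples, together with their hashes; widen $WindowHours if the user cannot say when the encryption began.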
