Jump to content

Ransom.Crysis


jmcleod83
 Share

Recommended Posts

This morning I am noticing a lot of threats that were quarantined that has to do with Ransom.Crysis. id this a false positive because they all point to a file:orgchart.exe?

Ransom.Crysis    9/2/2016 5:16:25 AM    Quarantined    Anti-Malware    C:\Program Files\Microsoft Office 15\root\office15\orgchart.exe        
Ransom.Crysis    9/2/2016 5:16:25 AM    Quarantined    Anti-Malware    C:\Program Files\Microsoft Office 15\Data\Updates\Apply\PackageFiles\root\Office15\ORGCHART.EXE    
Ransom.Crysis    9/2/2016 5:16:25 AM    Quarantined    Anti-Malware    C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE        
Ransom.Crysis    9/2/2016 5:16:25 AM    Quarantined    Anti-Malware    HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ORGCHART.EXE    
Ransom.Crysis    9/2/2016 5:16:25 AM    Quarantined    Anti-Malware    HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ORGCHART.EXE    
Ransom.Crysis    9/2/2016 4:46:35 AM    Quarantined    Anti-Malware    C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\16.0.6965.2076\root\Office16\ORGCHART.EXE    

Link to post
Share on other sites

  • 2 weeks later...

Hello Vinodyamala,

It's hard to say what may have actually 'triggered' that file to be be detected...  There was something within his file that matched our definition triggering the detection..  Also, despite having the same file, and perhaps the same version, but the data contained within it may be different then the one that is on your's.  This would trigger the detection only on his system, and not your's as there was something within his file matched our rule...  Also, it's possible that you may have had different database updates, or software versions, but most likely it was just a difference between the two files.  Please let us know if you should still have any questions, or need additional assistance...  

Thank you for bringing this to our prompt attention and being a forum member!

Perry

Link to post
Share on other sites

Hello Vinod!!  :)

I apologize I mis-understood, You will want to go to the system that it was detected.  

1.  Open MalwareBytes > 2.  History Tab  >  3.  Quarantine.   >  

Locate the scan occurring at  9/2/2016 4:46:35 AM  9/2/2016 5:16:25 AM 

You will then see the file that it had quarantined (if it was indeed quarantined).  If so, you would 'check mark' the files originally detected, and choose 'Restore'- (As now they should not be detected)

I noticed that you had provided the file paths when you had initially reported the false positive.  I have outlined them below.

 

Ransom.Crysis    9/2/2016 5:16:25 AM    Quarantined  

  • C:\Program Files\Microsoft Office 15\root\office15\orgchart.exe        

 

Ransom.Crysis    9/2/2016 5:16:25 AM  Quarantined

  • C:\ProgramFiles\MicrosoftOffice15\Data\Updates\Apply\PackageFiles\root\Office15\ORGCHART.EXE    

 

Ransom.Crysis    9/2/2016 5:16:25 AM    Quarantined  

  • C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE          

 

Ransom.Crysis  9/2/2016 4:46:35 Quarantined

  • C:\ProgramFiles(x86)\Microsoftffice\Updates\Download\PackageFiles\16.0.6965.2076\root\Office16\ORGCHART.EXE

 

 

Please let me know if you have any more questions or need additional assistance.

Perry

Edited by perryb
Link to post
Share on other sites

Thank You Perry got it, There was another ransomware alert triggering today morning for ransom.petya. for another micorsoft file C:\Program Files\Common Files\microsoft shared\VS7DEBUG\mdm.exe  i have checked with 3 av scanners the file is showing is clean, but mbam is triggering this alert. Can you let us know if this is a true positive or false positive.

Link to post
Share on other sites

Hello Vinodyamala,

Sorry to hear that, I assume you have updated your definitions?  If so, could you please provide the sample that is being detected in addition to uploading it to VirusTotal.com.

You can restore the file from Quarantine by opening MalwareBytes > History Tab > Quarantine > Check the box for the new detected file.  It will place it back in its original location of where it was when it was detected.

Then if you could please upload it to http://virustotal.com/ and provide a link to the analysis along with the file being detected.

Thank you in advance!

Perry

Link to post
Share on other sites

Hello Vinodyamala,

You will want to ensure that you have protection running, and with current definitions on all machines.  It is possible there is a machine on the network that is re-infecting the lync server upon removal, i.e. scan, quarantine it only to re-appear again...  I have included an over-view of one of the analysis of a Bitcoin-miner sample below, although there are several variations so it would be difficult to provide any more specifics without actually knowing the exact name(s) it is being detected as..  

In addition the second link I provided will outline the steps to create a new forum post in a different section of our Forum and someone will assist you with attempting to re-mediate the threat and they also will be able to provide more specifics once they have an opportunity to view the logs and see exactly what is being detected...

 

Information Regarding a variant of BitCoinMiner:

https://blog.malwarebytes.com/threats/mobile-pup/

 

Steps to create a new Forum Post for assistance with Remediation:

Quote

 

 

Please let me know if you should need additional assistance!

Perry

Link to post
Share on other sites

  • 2 years later...

Hi Malwarebytes Team,

 

I am running MalwareBytes Free 3.7.1 and its still doing a full system scan (in progress) and so far it detected a threat called Ransom.Crysis and the location of this threat is 

C:/PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.34.7\GOOPDATERS_SL.DLL

What do I do now because the scan is still running? After it has finished shall I just do nothing about this threat and once you fix this false positive I will run another full system scan? Right?

Link to post
Share on other sites

  • Staff
36 minutes ago, Staticguy said:

What do I do now because the scan is still running? After it has finished shall I just do nothing about this threat and once you fix this false positive I will run another full system scan? Right?

Ignore that detection for now as it is a false positive. We are pushing out an update to fix it now

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.