jmcleod83

Ransom.Crysis


This morning I am noticing a lot of threats that were quarantined that have to do with Ransom.Crysis. Is this a false positive, because they all point to a file: orgchart.exe?

Ransom.Crysis    9/2/2016 5:16:25 AM    Quarantined    Anti-Malware    C:\Program Files\Microsoft Office 15\root\office15\orgchart.exe        
Ransom.Crysis    9/2/2016 5:16:25 AM    Quarantined    Anti-Malware    C:\Program Files\Microsoft Office 15\Data\Updates\Apply\PackageFiles\root\Office15\ORGCHART.EXE    
Ransom.Crysis    9/2/2016 5:16:25 AM    Quarantined    Anti-Malware    C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE        
Ransom.Crysis    9/2/2016 5:16:25 AM    Quarantined    Anti-Malware    HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ORGCHART.EXE    
Ransom.Crysis    9/2/2016 5:16:25 AM    Quarantined    Anti-Malware    HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ORGCHART.EXE    
Ransom.Crysis    9/2/2016 4:46:35 AM    Quarantined    Anti-Malware    C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\16.0.6965.2076\root\Office16\ORGCHART.EXE    


Hi,

This was a false positive. It has been fixed already. Please update your definitions and restore the files if quarantined.

Thanks for reporting.


Hi, 

I have observed the same kind of ransomware alerts (same file as mentioned above), but not on my computer, though the file was present on my computer. Can you tell me why that is? What application usage triggered this alert on my friend's laptop but not mine?

 

Thanks,

Vinod


Hello Vinodyamala,

It's hard to say what may have actually 'triggered' that file to be detected... There was something within his file that matched our definition, triggering the detection. Also, despite having the same file, and perhaps the same version, the data contained within it may be different than the one that is on yours. This would trigger the detection only on his system, and not yours, as there was something within his file that matched our rule... Also, it's possible that you may have had different database updates, or software versions, but most likely it was just a difference between the two files. Please let us know if you should still have any questions, or need additional assistance...

Thank you for bringing this to our prompt attention and being a forum member!

Perry

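The check behind Perry's answer (two machines, same path, possibly different file contents or database versions) is one a practitioner can make concrete. The script below is an added example for this thread, not Malwarebytes' code: it parses detection records laid out like the ones posted above (detection name, timestamp, action, component, target), tells file targets apart from registry keys such as the IFEO entries in the log, hashes any file still on disk, and compares the hashes two machines report so the differing file stands out. The log lines, temp file and placeholder hashes in it are constructed for the demo.

```python
"""Quarantine-log triage helper (added example, not Malwarebytes' own code)."""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the same layout as the thread's log (fields separated by runs of spaces).
SAMPLE_LOG = """\
Ransom.Crysis    9/2/2016 5:16:25 AM    Quarantined    Anti-Malware    C:\\Program Files\\Microsoft Office 15\\root\\office15\\orgchart.exe
Ransom.Crysis    9/2/2016 5:16:25 AM    Quarantined    Anti-Malware    HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\IMAGE FILE EXECUTION OPTIONS\\ORGCHART.EXE
"""

REGISTRY_HIVE = re.compile(r"^HK(LM|CU|CR|U|CC)\\", re.IGNORECASE)


@dataclass
class Detection:
    name: str
    timestamp: str
    action: str
    component: str
    target: str

    @property
    def kind(self) -> str:
        # Registry targets (like the IFEO keys in the thread) have no file to hash.
        return "registry" if REGISTRY_HIVE.match(self.target) else "file"


def parse_log(text: str) -> List[Detection]:
    """Split each non-empty line on tabs or runs of 2+ spaces; paths keep their single spaces."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = re.split(r"\t+| {2,}", line)
        if len(fields) != 5:
            raise ValueError(f"unexpected field count in line: {line!r}")
        records.append(Detection(*fields))
    return records


def sha256_of(path: str) -> Optional[str]:
    """SHA-256 of a file, or None if it is not present (e.g. already quarantined)."""
    if not os.path.isfile(path):
        return None
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(text: str) -> Dict[str, Optional[str]]:
    """Map each file target in the log to its hash (None when absent); registry keys are skipped."""
    return {d.target: sha256_of(d.target) for d in parse_log(text) if d.kind == "file"}


def compare_machines(a: Dict[str, Optional[str]], b: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Classify each target reported by either machine so the differing files stand out."""
    verdicts = {}
    for target in sorted(set(a) | set(b)):
        ha, hb = a.get(target), b.get(target)
        if ha is None or hb is None:
            verdicts[target] = "missing on one machine"
        elif ha == hb:
            verdicts[target] = "identical"
        else:
            verdicts[target] = "differs"
    return verdicts


def main() -> None:
    for d in parse_log(SAMPLE_LOG):
        print(f"{d.name:14} {d.kind:8} {d.target}")
    # Demonstrate hashing on a constructed temp file, since the Office paths will not exist here.
    with tempfile.NamedTemporaryFile(delete=False, suffix=".exe") as tmp:
        tmp.write(b"not a real binary, constructed for the demo")
    print("sha256:", sha256_of(tmp.name))
    os.unlink(tmp.name)
    # Two machines reporting the same path with different contents: the case Perry describes.
    friend = {"orgchart.exe": "aaa"}  # constructed placeholder hashes
    mine = {"orgchart.exe": "bbb"}
    print(compare_machines(friend, mine))


if __name__ == "__main__":
    main()
```

Run `triage()` against the log on each machine, then feed the two dictionaries to `compare_machines()`: a "differs" verdict for the same path means the bytes on disk were not the same, while "missing on one machine" usually means the file had already been quarantined there.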

Hello,

Thanks for your reply Perry, I appreciate it. I was just trying to dig out what could be the file that matched with the rule. Happy that it was a false positive. Thank you for the help again.

Thanks,

Vinod


Hello Vinod!!  :)

I apologize, I misunderstood. You will want to go to the system where it was detected.

1. Open MalwareBytes > 2. History Tab > 3. Quarantine.

Locate the scans occurring at 9/2/2016 4:46:35 AM and 9/2/2016 5:16:25 AM.

You will then see the files it had quarantined (if they were indeed quarantined). If so, you would 'check mark' the files originally detected, and choose 'Restore' (as now they should not be detected).

I noticed that you had provided the file paths when you had initially reported the false positive.  I have outlined them below.

 

Ransom.Crysis    9/2/2016 5:16:25 AM    Quarantined

  • C:\Program Files\Microsoft Office 15\root\office15\orgchart.exe

Ransom.Crysis    9/2/2016 5:16:25 AM    Quarantined

  • C:\Program Files\Microsoft Office 15\Data\Updates\Apply\PackageFiles\root\Office15\ORGCHART.EXE

Ransom.Crysis    9/2/2016 5:16:25 AM    Quarantined

  • C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE

Ransom.Crysis    9/2/2016 4:46:35 AM    Quarantined

  • C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\16.0.6965.2076\root\Office16\ORGCHART.EXE

 

 

Please let me know if you have any more questions or need additional assistance.

Perry


Thank you Perry, got it. There was another ransomware alert triggered this morning for Ransom.Petya, for another Microsoft file, C:\Program Files\Common Files\microsoft shared\VS7DEBUG\mdm.exe. I have checked with 3 AV scanners and the file is showing as clean, but MBAM is triggering this alert. Can you let us know if this is a true positive or a false positive?


Hello Vinodyamala,

Sorry to hear that. I assume you have updated your definitions? If so, could you please provide the sample that is being detected, in addition to uploading it to VirusTotal.com.

You can restore the file from Quarantine by opening MalwareBytes > History Tab > Quarantine > Check the box for the newly detected file. It will place it back in its original location, where it was when it was detected.

Then, if you could, please upload it to http://virustotal.com/ and provide a link to the analysis along with the file being detected.

Thank you in advance!

Perry


Hello Vinodyamala,

I am happy to hear that you were able to resolve the problem... It's always important to ensure you update prior to running a scan... Please let us know if you have any other issues.

Have a great day, sorry for the inconvenience...

Perry


Hi Perry,

Can you explain the bitcoin miner Trojan to me? We have been affected by a BitcoinMiner Trojan on our Lync servers and we are not able to find the root cause of why and how it is affecting our Lync server. Can you tell me what information it is mining (any specific syntax that it is searching for)?


Hello Vinodyamala,

You will want to ensure that you have protection running, with current definitions, on all machines. It is possible there is a machine on the network that is re-infecting the Lync server upon removal, i.e. you scan and quarantine it, only for it to re-appear again... I have included an overview of one analysis of a Bitcoin-miner sample below, although there are several variations, so it would be difficult to provide any more specifics without actually knowing the exact name(s) it is being detected as..

In addition, the second link I provided will outline the steps to create a new forum post in a different section of our Forum, and someone will assist you with attempting to remediate the threat. They also will be able to provide more specifics once they have an opportunity to view the logs and see exactly what is being detected...

 

Information Regarding a variant of BitCoinMiner:

https://blog.malwarebytes.com/threats/mobile-pup/

 

Steps to create a new Forum Post for assistance with Remediation:


Please let me know if you should need additional assistance!

Perry


Hi Malwarebytes Team,

 

I am running MalwareBytes Free 3.7.1 and it's still doing a full system scan (in progress), and so far it has detected a threat called Ransom.Crysis. The location of this threat is

C:\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.34.7\GOOPDATERS_SL.DLL

What do I do now, because the scan is still running? After it has finished, shall I just do nothing about this threat and, once you fix this false positive, run another full system scan? Right?

36 minutes ago, Staticguy said:

What do I do now because the scan is still running? After it has finished shall I just do nothing about this threat and once you fix this false positive I will run another full system scan? Right?

Ignore that detection for now as it is a false positive. We are pushing out an update to fix it now.

1 minute ago, thisisu said:

Ignore that detection for now as it is a false positive. We are pushing out an update to fix it now.

Ok thanks. Please let me know when an update has been pushed out so I can update my MalwareBytes

22 minutes ago, Staticguy said:

Ok thanks. Please let me know when an update has been pushed out so I can update my MalwareBytes

Done. Here are the database versions:

MBAM2 Version: v2019.04.28.01
MBAM3 Version: 1.0.10370

