Ransomware

[neoman]

Someone I had a shared dropbox folder with was infected with ransomware. As of now, I do not beleive I am infected. i went ahead and left the shares. I scanned with malwarebytes, hitmanpro, and windows defender and it says my machine is clean. Is there anything else I should look for?

[Malwarebytes]

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes for Windows Help forum.

If you are having technical issues with our Windows product, please do the following:

Malwarebytes Support Tool - Advanced Options

This feature is designed for the following reasons:

• For use when you are on the forums and need to provide logs for assistance
• For use when you don't need or want to create a ticket with Malwarebytes
• For use when you want to perform local troubleshooting on your own

How to use the Advanced Options:

Spoiler

1. Download Malwarebytes Support Tool
2. Double-click mb-support-X.X.X.XXXX.exe to run the program
   • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
3. Place a checkmark next to Accept License Agreement and click Next
4. Navigate to the Advanced tab
5. The Advanced menu page contains four categories:
   • Gather Logs: Collects troubleshooting information from the computer. As part of this process, Farbar Recovery Scan Tool (FRST) is run to perform a complete diagnosis. The information is saved to a file on the Desktop named mbst-grab-results.zip and can be added as an email attachment or uploaded to a forum post to assist with troubleshooting the issue at hand.
   • Clean: Performs an automated uninstallation of all Malwarebytes products installed to the computer and prompts to install the latest version of Malwarebytes for Windows afterwards. The Premium license key is backed up and reinstated. All user configurations and other data are removed. This process requires a reboot.
   •  Repair System: Includes various system-related repairs in case a Windows service is not functioning correctly that Malwarebytes for Windows is dependent on. It is not recommended to use any Repair System options unless instructed by a Malwarebytes Support agent.
   • Anonymously help the community by providing usage and threat statistics: Unchecking this option will prevent Malwarebytes Support Tool from sending anonymous telemetry data on usage of the program.
6. To provide logs for review click the Gather Logs button
7. Upon completion, click OK
8. A file named mbst-grab-results.zip will be saved to your Desktop
9. Please attach the file in your next reply.
10. To uninstall all Malwarebytes Products, click the Clean button.
11. Click the Yes button to proceed. 
12. Save all your work and click OK when you are ready to reboot.
13. After the reboot, you will have the option to re-install the latest version of Malwarebytes for Windows.
14. Select Yes to install Malwarebytes.
15. Malwarebytes for Windows will open once the installation completes successfully.

Screenshots:

Spoiler

 

 

 

 

Spoiler

 

 

 

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

• Renewals
• Refunds (including double billing)
• Cancellations
• Update Billing Info
• Multiple Transactions
• Consumer Purchases
• Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/hc/en-us/requests/new to get help

If you need help looking up your license details, please head here: Find my premium license key

 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

[Porthos]

11 minutes ago, neoman said:

As of now, I do not beleive I am infected. i went ahead and left the shares. I scanned with malwarebytes, hitmanpro, and windows defender and it says my machine is clean. Is there anything else I should look for?

if you want to be certain that the system is clean, we do offer free assistance by trained and vetted malware removal specialists.  If you wish they can analyze your system for you and guide you in removing any threats that might be present as well as help to troubleshoot the issues you're experiencing.  To work with them, simply read and follow the instructions in this topic, skipping any steps you are unable to complete, then creating a new topic in our malware removal area by clicking here and one of our malware removal specialists will assist you as soon as one is available.

[Maurice Naggar]

Hello @neoman   Does your pc have installed on it the Malwarebytes for Windows Premium ?    The Malwarebytes Premium includes anti-ransomware protection.

The Premium has multiple real-time protections.

[neoman]

Yes it does.  Also Windows Defender on Win 10 ver 2004 build 19041.572.  I have the setting in Malwarebytes to not register in windows security center and all Malwarebytes protect are on.

[Maurice Naggar]

Bravo on having the Premium with all protections on.   Bravo on having the latest Windows OS version.

Keeping the OS current with all security updates, as well as keeping up with security updates for all applications is always a best practice.

Beyond that, just standard best practices will serve you best.

Backup is your best friend.  Keep backups of your system on a regular basis to offline storage & keep those safe. https://forums.malwarebytes.com/topic/136226-backup-software/

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".
Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

.

Scan any file that you get from the outside before you do anything with it.  To that end, you can use the File Explorer right-click context option to Scan a file  (1) with Microsoft Windows Defender AV   (2) scan with Malwarebytes.

[neoman]

I have not had a chance to follow porthos directions in the earlier reply yet. I had done a complete scan of all files with both malwarebytes and windows defender.  Nothing found. Is that a good sign that the Ransomware did not hit my machine? 

[exile360]

The fact that your documents and files are not encrypted is the strongest sign that the ransomware didn't infect your machine.  Most ransomware doesn't really try to hide or conceal its presence; it generally goes straight to work attempting to encrypt your data to hold it for ransom (activities which will set off the Ransomware Protection in Malwarebytes) so at least as far as ransomware is concerned, it doesn't seem likely that your system is infected.

You may also find the information here helpful to aid in security your systems and data in the future: Tips to help protect from infection

It's a lot of info so take your time going through it; you don't need to get to it all at once.  It's a good general guide on safe practices and tools that can help protect against infection and data theft.

Edited October 19, 2020 by exile360

[neoman]

There was another page of the note that had EGREGOR followed by random characters in it.  I googled Egregor and found very few pages on it.  Is that a new form of ransomware?

The also sent me a photo of files they believe are encrypted and the files are renamed like "WFX02.DOT.ijawr"

[Maurice Naggar]

Howdy.  Is that all at your friends / associate machine?  or yours ?

 

[exile360]

4 hours ago, neoman said:

There was another page of the note that had EGREGOR followed by random characters in it.  I googled Egregor and found very few pages on it.  Is that a new form of ransomware?

The also sent me a photo of files they believe are encrypted and the files are renamed like "WFX02.DOT.ijawr"

It may be a new form of ransomware or just a new/random variant of an existing ransomware infection.  Threats will often use random/semi-random naming schemes to attempt to avoid identification.  If you want to do research to try and track down more info on the threat, the following resources should prove helpful:

https://id-ransomware.malwarehunterteam.com/
https://www.bleepingcomputer.com/forums/t/608858/id-ransomware-identify-what-ransomware-encrypted-your-files/

Bleeping Computer also has a dedicated forum specifically for ransomware: https://www.bleepingcomputer.com/forums/f/239/ransomware-help-tech-support/

 

Edited October 22, 2020 by exile360

[neoman]

2 hours ago, Maurice Naggar said:

Howdy.  Is that all at your friends / associate machine?  or yours ?

 

not might but the other person we had some shared DB folders.  I removed those shares so I never inspected them.  I do not see anything like that on my machine.