This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Ransomware. Any suggestions?

Hello to all,

One of our file servers is infected and all files have been renamed with extension .EnCipHered

A brief explanation of the issue:

When first run on the system, the ransomware will iterate all folders on the system. Every document, image, and shortcut (.lnk) file found will be encrypted and appended with an extension of .EnCiPhErEd. In each folder it will drop a text file called “HOW TO DECRYPT.TXT” which contains instructions on how to proceed. The bandit is demanding 50€.

It drops a copy of itself in the system's temp folder with a random name. It creates registry entries to associate the .EnCiPhErEd extension with itself, so that the temp folder copy will be launched whenever those files are run, in order to demand the decryption password. After five attempts it will no longer accept passwords. And it then deletes itself, leaving your data encrypted.

Personally we are not worried about the encrypted files (we have backups and tools to decrypt); we are worried about not having the slightest clue of the cause and why it wasn't detected by Sophos. We narrowed down the only other PC on our network with the same problem as the server and we are keeping both under monitoring. Before restoring the file server we want to be sure that the actual cause of the problem is detected and blocked by the antivirus. Has anybody else experienced the same issue?

Thanks a million for any help you can provide.

Luca
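The symptoms Luca describes (an appended extension on every document, image and .lnk file, plus a "HOW TO DECRYPT.TXT" note dropped in each folder) are file-system indicators a defender can enumerate before touching a restore. The script below is an added triage example written for this thread; it is not Sophos code and not something the poster ran. It walks a share, counts files carrying the extension from the post, recovers their original names, counts ransom notes, and reports the folder whose note has the oldest modification time, which is a rough hint at where encryption began on that share. It decrypts nothing. The directory tree it scans is constructed inline (`build_sample_tree`) so it runs offline; the timestamps and file names in that tree are invented for the demonstration.

```python
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Indicators as described in the post (compared case-insensitively).
ENCRYPTED_EXT = ".enciphered"
RANSOM_NOTE = "how to decrypt.txt"


def original_name(path):
    """Strip the appended extension to recover the file's pre-encryption name."""
    name = Path(path).name
    if name.lower().endswith(ENCRYPTED_EXT):
        return name[: -len(ENCRYPTED_EXT)]
    return name


def scan_tree(root):
    """Walk a share and summarise the indicators found under it.

    Returns a dict with the number of encrypted files, the affected folders
    (relative to root, sorted), the original names of the encrypted files,
    the number of ransom notes, and the folder holding the oldest note.
    """
    root = Path(root)
    encrypted = []
    notes = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            lower = name.lower()
            path = Path(dirpath) / name
            if lower.endswith(ENCRYPTED_EXT):
                encrypted.append(path)
            elif lower == RANSOM_NOTE:
                notes.append(path)

    def rel(p):
        # Folder of p, relative to the scan root, with forward slashes.
        return p.parent.relative_to(root).as_posix()

    earliest = None
    if notes:
        # The oldest note (by mtime) marks the folder the malware reached first.
        first = min(notes, key=lambda p: p.stat().st_mtime)
        earliest = {
            "folder": rel(first),
            "written": datetime.fromtimestamp(
                first.stat().st_mtime, timezone.utc
            ).isoformat(),
        }
    return {
        "encrypted_files": len(encrypted),
        "affected_folders": sorted({rel(p) for p in encrypted}),
        "originals": sorted(original_name(p) for p in encrypted),
        "ransom_notes": len(notes),
        "earliest_note": earliest,
    }


def build_sample_tree():
    """Create a constructed directory tree that mimics the post's symptoms.

    File names and mtimes are invented; the 'docs' note is made the oldest.
    """
    root = Path(tempfile.mkdtemp(prefix="ransom_triage_"))
    layout = {
        "docs/report.docx.EnCiPhErEd": 2000,
        "docs/HOW TO DECRYPT.TXT": 1000,
        "docs/archive/photo.jpg.EnCiPhErEd": 3000,
        "docs/archive/shortcut.lnk.EnCiPhErEd": 3000,
        "docs/archive/HOW TO DECRYPT.TXT": 4000,
        "clean/notes.txt": 5000,
    }
    for relpath, mtime in layout.items():
        p = root / relpath
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content")
        os.utime(p, (mtime, mtime))
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for key, value in scan_tree(sample_root).items():
        print(f"{key}: {value}")
```

Point `scan_tree` at the root of a real share (read-only, from a clean machine) instead of the sample tree to get the same summary for an actual incident; the `affected_folders` list and the oldest note are what you would compare between the file server and the second PC when trying to work out which of the two was touched first.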

This thread was automatically locked due to age.