
ICE Cyber Crime ransomware assistance

Yesterday a user running up to date Sophos Endpoint Security was infected with Ice Cyber Crime ransomware.  The system could not even be booted into safe mode and once it appeared to be removed and Sophos again showed an up to date status, the ransomware returned.

Has anyone seen issues with this?  The traditional suggestions for removal (aside from paying the "ransom") have not been working.

  • Hello searbet,

    fortunately this is not the encrypting type. For a start, please read Information on malware known as Ransomware.

    Note the following from the article:

    Does Sophos Endpoint Security and Control protect my computer from ransomware?

    Yes, but the malware writers are constantly updating and releasing new variants and families.

    Naturally the malware writers do not submit new variants to AV vendors before releasing them on the public. V.v. AV vendors can't obtain early samples in order to have a detection in place at "release time".

    the ransomware returned

    Without details it's hard to say why. Please follow the advice in the article - and perhaps you should try SMaRT.

    Christian

  • SMaRT would be nice but we cannot get into Windows at all.  We ran the Sophos Bootable anti-virus disk which did not detect anything either.  Hitman Pro can find the ransomware but then requests payment to clean it, not much difference from the ransomware...

  • Hello searbet,

    so if you log in you are presented with the ransom screen? Is the machine managed by SEC and were there any alerts? If SBAV (you built it "just now"?) doesn't find anything there's no known entity involved. But you did get rid of it at one point but not now? And how did you run Hitman Pro?

    Christian
  • Hitman Pro was run from a bootable USB.  The first time we were able to get back into Windows by running a Kaspersky bootable CD.  

    I'm not clear on the acronyms: SEC and SBAV?


  • Found the acronyms... Checked for alerts and did not see anything in the Console regarding the ransomware - just some minor threats detected before this week.

    The SBAV was created fresh.  We are doing a reinstall of the OS at this point but are now wondering what the course of action should be in the future when we cannot boot into Windows/Safe Mode and the SBAV does not detect anything?

  • Hello searbet,

    if Windows now no longer boots it could be a side-effect of the removal process (no finger-pointing, but "specialized" tools, especially if they are written to deal with unknown variants, tend to be rather aggressive and might under certain circumstances overshoot). As Sandy said it's likely necessary to repair or reinstall.

    You're already reinstalling so this is for the future (and somewhat in reverse order)

    If Windows no longer boots you can still slave the disk or boot from an external medium and try to obtain a sample. There are some file system locations where you might find "unexpected" files/folders with perhaps suspicious names: The user's (local and roaming) %APPDATA% and %TEMP%, %ALLUSERSPROFILE% (ProgramData), the system directories. If you spot something the creation dates might give a hint when the issue started. With this information search the user's %TEMP% and (temporary) download directories. Anything from around this time is suspicious (especially if there are two or more files with identical timestamps). Try to collect them and send them to the Labs (don't worry if you include clean files - analysis is automated and the machine doesn't care :smileywink:, better to include extra stuff than omit something interesting)

    If the machine is still running and you can access it remotely (including registry) try to identify the rogue process(es) - e.g. using pslist.exe. Inspect the common "run" locations (if you have only a vague idea where they could be, have a look at Autoruns). Connect to the disk if possible and check the same as above. Files might be locked and if you can't kill the process holding the lock consider shutting down the computer - you can't use it anyway and the software is designed to not harm it. Thus unless you've already started a removal process it should come up fine afterwards. Try to obtain the files you've identified, some of them might be gone though.

    If the machine is running, has malware on it, but can still be managed assign it a policy with all detection mechanisms enabled (if they aren't anyway) - HIPS, suspicious files and so on. Run a scan  (for everything and all files). As you likely want to obtain a sample do not use automatic cleanup and do not request deletion (for a scheduled scan uncheck run at lower priority).  

    I've dealt with quite a number of these. It depends on whether the infection occurs when power or administrative rights are present or an exploit allows privilege escalation. In our domain, where the users are plain Users, none of these beasts (and we encounter them regularly) could infect a machine. In all but two cases we were able to immediately remove the junk remotely, in the remaining two, where active parts of the malware were in many (local and roaming) locations and finding all of them turned out to be tedious,  we waited for the detections to get updated (takes a few hours) in response to the sample I'd submitted - once the client had updated with them removal was successful (on-access took care of most items and the rest was cleaned with a scheduled scan).

    Hope this helps next time

    Christian

    (oh, and - sorry for the acronyms, thought they are obvious :smileyvery-happy:)

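Christian's slaved-disk triage above, turned into a script as an added example (not code from the thread or from Sophos): it assumes the Windows volume is mounted read-only at `volume` on a forensic workstation, uses modification time rather than creation time (birth time is not exposed portably off-host), walks the locations he lists for files touched inside a time window, and then groups files that share an identical timestamp.

```python
import os
from collections import defaultdict
from datetime import datetime

# Locations the post names, relative to the root of the mounted Windows volume.
# Assumption: a Vista/7-style profile layout ("Users\<name>\AppData\...");
# on XP the equivalents live under "Documents and Settings\<name>".
SUSPECT_DIRS = [
    "Users/{user}/AppData/Local",        # local %APPDATA% and %TEMP% live here
    "Users/{user}/AppData/Roaming",      # roaming %APPDATA%
    "Users/{user}/Downloads",            # (temporary) download directory
    "ProgramData",                       # %ALLUSERSPROFILE%
    "Windows/Temp",                      # system-wide temp
    "Windows/System32",                  # "the system directories"
]


def list_recent_files(volume, user, since, until=None):
    """Walk the suspect locations under `volume` and return (path, mtime)
    pairs whose modification time lies in [since, until], oldest first."""
    until = until or datetime.now()
    hits = []
    for rel in SUSPECT_DIRS:
        base = os.path.join(volume, rel.format(user=user))
        if not os.path.isdir(base):
            continue
        for dirpath, _, names in os.walk(base):
            for name in names:
                path = os.path.join(dirpath, name)
                try:
                    mtime = datetime.fromtimestamp(os.stat(path).st_mtime)
                except OSError:      # unreadable or vanished file: skip it
                    continue
                if since <= mtime <= until:
                    hits.append((path, mtime))
    return sorted(hits, key=lambda h: h[1])


def group_by_timestamp(hits):
    """Return {timestamp: [paths]} for timestamps (to the second) shared by
    two or more files; several files dropped in the same instant is the
    pattern the post singles out as especially suspicious."""
    groups = defaultdict(list)
    for path, mtime in hits:
        groups[mtime.replace(microsecond=0)].append(path)
    return {ts: paths for ts, paths in groups.items() if len(paths) >= 2}
```

Feed `list_recent_files` a window that starts shortly before the first odd file you spotted, then submit everything in the resulting groups as samples.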
  • Just for the sake of clarity - initially the computer would not boot into normal Windows nor safe mode - only to the ICE cyber crime screen.  What I meant to ask - in the future if this occurs and the Sophos bootable SBAV does not detect anything, what should the next step be?

    Thanks for all the previous suggestions.  I guess I was hoping there might be other tools available aside from Windows reinstalls or disk slaving and scavenging for files.

  • Was "multitasking" and missed this part:

    If the machine is running, has malware on it, but can still be managed assign it a policy with all detection mechanisms enabled (if they aren't anyway) - HIPS, suspicious files and so on. Run a scan  (for everything and all files). As you likely want to obtain a sample do not use automatic cleanup and do not request deletion (for a scheduled scan uncheck run at lower priority).  

    Good suggestion for future reference.

    Thanks.
