
ICE Cyber Crime ransomware assistance

Yesterday a user running up to date Sophos Endpoint Security was infected with Ice Cyber Crime ransomware.  The system could not even be booted into safe mode and once it appeared to be removed and Sophos again showed an up to date status, the ransomware returned.

Has anyone seen issues with this?  The traditional suggestions for removal (aside from paying the "ransom") have not been working.

  • Hello searbet,

    if Windows now no longer boots it could be a side-effect of the removal process (no fingerpointing, but "specialized" tools, especially if they are written to deal with unknown variants, tend to be rather aggressive and might under certain circumstances overshoot). As Sandy said it's likely necessary to repair or reinstall.

    You're already reinstalling so this is for the future (and somewhat in reverse order)

    If Windows no longer boots you can still slave the disk or boot from an external medium and try to obtain a sample. There are some file system locations where you might find "unexpected" files/folders with perhaps suspicious names: the user's (local and roaming) %APPDATA% and %TEMP%, %ALLUSERSPROFILE% (ProgramData), the system directories. If you spot something the creation dates might give a hint when the issue started. With this information search the user's %TEMP% and (temporary) download directories. Anything from around this time is suspicious (especially if there are two or more files with identical timestamps). Try to collect them and send them to the Labs (don't worry if you include clean files - analysis is automated and the machine doesn't care :smileywink:, better to include extra stuff than omit something interesting).

    If the machine is still running and you can access it remotely (including the registry) try to identify the rogue process(es) - e.g. using pslist.exe. Inspect the common "run" locations (if you have only a vague idea where they could be, have a look at Autoruns). Connect to the disk if possible and check the same as above. Files might be locked and if you can't kill the process holding the lock consider shutting down the computer - you can't use it anyway and the software is designed to not harm it. Thus unless you've already started a removal process it should come up fine afterwards. Try to obtain the files you've identified, some of them might be gone though.

    If the machine is running, has malware on it, but can still be managed, assign it a policy with all detection mechanisms enabled (if they aren't anyway) - HIPS, suspicious files and so on. Run a scan (for everything and all files). As you likely want to obtain a sample do not use automatic cleanup and do not request deletion (for a scheduled scan uncheck "run at lower priority").

    I've dealt with quite a number of these. It depends on whether the infection occurs when power or administrative rights are present or an exploit allows privilege escalation. In our domain, where the users are plain Users, none of these beasts (and we encounter them regularly) could infect a machine. In all but two cases we were able to immediately remove the junk remotely; in the remaining two, where active parts of the malware were in many (local and roaming) locations and finding all of them turned out to be tedious, we waited for the detections to get updated (takes a few hours) in response to the sample I'd submitted - once the client had updated with them removal was successful (on-access took care of most items and the rest was cleaned with a scheduled scan).

    Hope this helps next time

    Christian

    (oh, and - sorry for the acronyms, thought they are obvious :smileyvery-happy:)

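The live-triage steps in the reply above (find processes running from odd locations, check the common run keys, list files created around the suspected infection time in the user's staging directories, flag groups with identical timestamps, and copy everything out for the Labs together with hashes) can be done in one pass. The script below is an added example, not part of Christian's post and not a Sophos tool. It assumes a PowerShell session with local administrator rights on the suspect machine (locally or via Enter-PSSession); the two-day `$Since` window, the output folder, the short list of run keys and the executable-extension filter are assumptions to adjust per case.

```powershell
# Added triage example (not from the original thread, not a Sophos tool).
# Assumes an admin PowerShell session on the suspect machine. $Since, $OutDir
# and the extension filter below are assumptions; adjust them to the case.
param(
    [datetime]$Since  = (Get-Date).AddDays(-2),
    [string]  $OutDir = "C:\Triage\$(Get-Date -Format 'yyyyMMdd_HHmm')"
)
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# 1. Running processes whose image lives outside the system and program folders.
$trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }
$suspectProcs = Get-Process | Where-Object { $_.Path } | Where-Object {
    $p = $_.Path
    -not ($trusted | Where-Object { $p.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
} | Select-Object Id, ProcessName, Path
$suspectProcs | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'processes.csv')

# 2. Common "run" locations (Autoruns covers far more; this is the short list).
$runKeys = 'HKCU:', 'HKLM:' | ForEach-Object {
    "$_\Software\Microsoft\Windows\CurrentVersion\Run",
    "$_\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "$_\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
}
$runKeys += 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
$autoruns = @(foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -like 'PS*') { continue }   # provider metadata, not a value
        # Under Winlogon only the Shell/Userinit values are interesting here.
        if ($k -like '*Winlogon' -and (('Shell', 'Userinit') -notcontains $name)) { continue }
        [pscustomobject]@{ Key = $k; Name = $name; Value = $props.$name }
    }
})
$autoruns | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'autoruns.csv')

# 3. Files created in the staging directories since $Since. For a slaved disk,
#    replace $dirs with the mounted profile paths (e.g. E:\Users\<user>\AppData\...).
#    The extension filter is an assumption to keep the list short; drop it to take all.
$dirs = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData,
          (Join-Path $env:USERPROFILE 'Downloads')) | Where-Object { $_ -and (Test-Path $_) }
$recent = Get-ChildItem -Path $dirs -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.CreationTime -ge $Since -and
                   $_.Extension -match '^\.(exe|dll|scr|com|bat|cmd|vbs|js|lnk)$' }

# 4. Two or more files created in the same second are the strongest lead.
$clusters = $recent | Group-Object { $_.CreationTime.ToString('yyyy-MM-dd HH:mm:ss') } |
    Where-Object { $_.Count -ge 2 } | Sort-Object Name
foreach ($c in $clusters) {
    '{0}: {1} files created in the same second' -f $c.Name, $c.Count
    $c.Group | ForEach-Object { '    ' + $_.FullName }
}

# 5. Copy the candidates out and record SHA-256 for the submission manifest.
function Get-Sha256([string]$Path) {
    # FileShare 'ReadWrite' lets us read a file another process keeps open.
    try {
        $fs = [IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        try { ([BitConverter]::ToString([Security.Cryptography.SHA256]::Create().ComputeHash($fs))) -replace '-', '' }
        finally { $fs.Close() }
    } catch { 'UNREADABLE' }
}
$manifest = foreach ($f in $recent) {
    $dest   = Join-Path $OutDir ('{0}_{1}' -f $f.CreationTime.ToString('yyyyMMddHHmmss'), $f.Name)
    $copied = $true
    try   { Copy-Item -LiteralPath $f.FullName -Destination $dest -Force -ErrorAction Stop }
    catch { $copied = $false }   # locked: kill the owner, or shut down and slave the disk
    [pscustomobject]@{
        Path = $f.FullName; Created = $f.CreationTime; Size = $f.Length
        SHA256 = Get-Sha256 $f.FullName; Copied = $copied
    }
}
$manifest | Sort-Object Created | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'manifest.csv')
'{0} suspect process(es), {1} autorun entries, {2} recent files ({3} timestamp clusters) in {4}' -f `
    @($suspectProcs).Count, $autoruns.Count, @($recent).Count, @($clusters).Count, $OutDir
```

Run it before any cleanup, since on-access scanning or a removal tool may delete the very files you want to submit; a file that shows `Copied = False` and `SHA256 = UNREADABLE` is held exclusively by a running process, which is the situation where the reply suggests killing the process or shutting the machine down and slaving the disk. The three CSVs plus the copied files are what goes to the Labs; extra clean files in the set do no harm.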