
MERRY_I_LOVE_YOU_BRUCE.hta ransomware

A customer with Sophos Endpoint 10.6 has just dropped off his laptop. He picked up a ransomware virus on some furniture website that has seemingly encrypted program files in his machine and renamed or created files with a .MERRY extension. It also leaves an HTML application file named MERRY_I_LOVE_U_BRUCE in all folders with application files. I have not seen any documents that have been touched yet. The virus came in when he tried to view a file and it claimed the classic "you need to download this font to view the document" message.

In searching the web tonight I can only see a few postings and all seem to be vague, then point to SPYHUNTER. I don't like playing around further so I will not touch that.

Has anyone seen anything on this campaign or know what can be done with it? Of course this is the one system that I don't have access to where I would normally have backups, and the system restore files have been deleted.

I don't have my equipment here to image the drive so I won't play around with it quite yet.

  • Hello kingswaygroup,

    encrypted program files (which ones), application files (belonging to what applications and are they encrypted), but not documents? Doesn't sound like your average ransomware.
    I'd boot with a Linux Live distribution, copy some of the encrypted stuff, search for suspicious files (in temp, cache, appdata folders) from around the time of the "visit" and submit the samples, also send the URL with your submission.

    Christian 

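A triage helper for the steps Christian describes (boot a Linux Live distribution, look under temp/cache/appdata for files changed around the time of the "visit", collect samples for submission), added here as an example; it is not from this thread or from Sophos. It assumes the Windows volume is mounted read-only at the path given as the first argument, a live distro with GNU coreutils/findutils, and that the .MERRY extension and MERRY_I_LOVE_U_BRUCE name from the original post are the artifacts to count.

```shell
#!/bin/sh
# Hypothetical triage helper, not from this thread or from Sophos.
# Run from a Linux Live boot with the Windows volume mounted read-only,
# e.g.  sh triage.sh /mnt/win '2017-01-04 10:00'
# Assumes GNU coreutils/findutils (date -d, find -newermt, sha256sum).

WINDOW_MIN=${WINDOW_MIN:-120}   # minutes either side of the "visit" time

# Count the artifacts named in the post: renamed *.MERRY files and the
# dropped MERRY_I_LOVE_U_BRUCE HTML application note.
count_artifacts() {
    find "$1" -type f \( -iname '*.MERRY' -o -iname 'MERRY_I_LOVE_U_BRUCE*' \) \
        2>/dev/null | wc -l | tr -d ' '
}

# Files under the usual drop locations (temp, cache, appdata) whose
# modification time falls within WINDOW_MIN minutes of the given timestamp.
suspect_files() {
    mnt=$1; when=$2
    start=$(date -d "$when $WINDOW_MIN minutes ago" '+%Y-%m-%d %H:%M:%S')
    end=$(date -d "$when $WINDOW_MIN minutes" '+%Y-%m-%d %H:%M:%S')
    find "$mnt" -type f \
        \( -ipath '*/temp/*' -o -ipath '*/appdata/*' -o -ipath '*/cache/*' \) \
        -newermt "$start" ! -newermt "$end" 2>/dev/null
}

# SHA-256 each suspect so the sample set can be referenced in a vendor
# submission; copy the files themselves with cp -p to keep their timestamps.
hash_suspects() {
    suspect_files "$1" "$2" | while IFS= read -r f; do
        sha256sum "$f"
    done
}

if [ $# -eq 2 ]; then
    echo "ransomware artifacts on volume: $(count_artifacts "$1")"
    hash_suspects "$1" "$2"
fi
```

Widen WINDOW_MIN if the exact time of the visit is uncertain; the file list is only a starting point for sample collection, not a verdict.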