How Do I Find The Workstation That's Infected with The Crypto Ransom Ware?

Q - We know we are currently under attack by Crypto Ransomware. The files in our network share are being renamed and encrypted. How do I find out which workstation is responsible for this attack so I can isolate it from our network?

A - The easiest way is to look up the owner of an encrypted file. The following example uses the APCTLFIL.DAT (A/P Setup) file, which has been encrypted. In Windows Explorer, right-click on this file and choose "Properties."


In the Properties window, choose the "Security" tab, and click on the "Advanced" button.

In the "Advanced Security Settings" window, go to the "Owner" tab. Then you will see the "Current owner" of this file.

If the "Current owner" shows "Administrator", the user responsible is either "Administrator" or an "Administrator Equivalent" user, and the owner name alone cannot narrow it down any further. Depending on the variant of Crypto Ransomware involved, this method may or may not work; it is provided as one possible approach.

Other methods to identify the workstation with ransomware
If the above method does not work, you may identify the workstation that caused the ransomware attack using the following observations:
  • The workstation that has a ransom note displayed. If you see one, it is certain you have found the workstation. Of course, by that time the ransomware attack has already finished.
  • The workstation performing the encryption will have a high CPU utilization rate.
  • The encryption proceeds in alphanumeric sequence through folders and files. If you can identify the current point of encryption and you have a suspected workstation, unplug that workstation from the network and check whether the encryption progress stops.
EMK
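The steps above read the owner of one encrypted file through the Properties dialog. The following PowerShell script, an added example that is not part of the original article, does the same lookup across a whole share and groups the result by NTFS owner, and it lists the most recently written files so you can see the current point of encryption before and after isolating a suspected workstation. The UNC path and the time window are assumptions to be replaced with your own values; as the article notes, the owner field is only meaningful if the ransomware variant creates new files rather than rewriting existing ones in place.

```powershell
# Added example, not from the original article.
# Lists files on a share written within the last N minutes, grouped by
# NTFS owner, plus the newest files (the current point of encryption).
param(
    [string]$SharePath = '\\FILESERVER\Elliott',   # assumed UNC path of the share
    [int]$Minutes = 15                              # assumed look-back window
)

$since = (Get-Date).AddMinutes(-$Minutes)

# Walk the share and collect owner and timestamp for recently written files.
$recent = Get-ChildItem -Path $SharePath -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    ForEach-Object {
        $owner = '<unreadable>'
        try {
            # Same value the Properties > Security > Advanced > Owner tab shows.
            $owner = (Get-Acl -LiteralPath $_.FullName -ErrorAction Stop).Owner
        } catch {
            # Access denied or file already renamed; keep the placeholder.
        }
        [pscustomobject]@{
            Owner         = $owner
            LastWriteTime = $_.LastWriteTime
            Extension     = $_.Extension
            FullName      = $_.FullName
        }
    }

# Which account owns the files touched in the window?
# A domain user account points at that user's session; "Administrator" or
# the Administrators group cannot be narrowed further from the owner alone.
$recent | Group-Object Owner | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# The newest files mark the current point of encryption. Run the script
# again after unplugging the suspected workstation: if the newest
# timestamps stop advancing, the encryption has stopped.
$recent | Sort-Object LastWriteTime -Descending | Select-Object -First 20 |
    Format-Table LastWriteTime, Owner, Extension, FullName -AutoSize
```

Run it from an administrative PowerShell session on the file server or on a workstation with read access to the share, for example `.\Find-EncryptingOwner.ps1 -SharePath '\\FILESERVER\Elliott' -Minutes 10`. The file name and parameter values are placeholders.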
