How Do I Find The Workstation That's Infected with The Crypto Ransom Ware?

Q - We know we are currently under attack by Crypto Ransomware.  The files in our network share are being renamed and encrypted.  How do I find out which workstation is responsible for this attack so I can isolate it from our system?

A - The easiest way is to find the owner of an encrypted file. The following is an example of the APCTLFIL.DAT (A/P Setup) file being encrypted. In Windows Explorer, right-click on this file and choose "Properties."


In the Properties window, choose the "Security" tab, and click on the "Advanced" button.



In the "Advanced Security Settings" window, go to the "Owner" tab. Then you will see the "Current owner" of this file.



If the "Current owner" indicates "Administrator", the file was created by a user who is either "Administrator" or an "Administrator Equivalent" user. Unfortunately, the owner name alone cannot narrow it down any further than that. Depending on the variant of Crypto Ransomware involved, this method may or may not work. It is provided as a possible solution.

Other methods to identify the workstation with ransomware
If the above method does not work, you may identify the workstation that caused the ransomware attack by using the following knowledge:
  • The workstation that has a ransom note displayed. If you see that, it is certain you have found the workstation. Of course, by this time, the ransomware attack is already done.
  • The workstation performing the encryption will have a high CPU utilization rate.
  • The encryption proceeds in the alphanumeric sequence of folders and files. If you can identify the current point of encryption and you have a suspected workstation, you can unplug that workstation from the network to see if the encryption progress stops.
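The following PowerShell script is an added example (not part of the original article or of Elliott) that automates the owner check above and the "current point of encryption" check from the list: run on the file server as an administrator, it lists recently written files under the share grouped by NTFS owner, shows the newest writes, and maps owner accounts to the workstations holding SMB sessions. The share path and the look-back window are assumptions to adjust for your server.

```powershell
# Added example, not from the original article. Run on the file server as an
# administrator. $SharePath and $MinutesBack are assumptions; adjust them.
param(
    [string]$SharePath   = 'D:\Elliott7',  # assumed local path of the attacked share
    [int]   $MinutesBack = 30              # look at files written in the last N minutes
)
$since = (Get-Date).AddMinutes(-$MinutesBack)

# Step 1: recently written files with their NTFS owner. This is the same value
# shown in the "Current owner" field on the Owner tab described in the article.
$recent = Get-ChildItem -Path $SharePath -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    ForEach-Object {
        [pscustomobject]@{
            LastWriteTime = $_.LastWriteTime
            Owner         = (Get-Acl -LiteralPath $_.FullName).Owner
            Path          = $_.FullName
        }
    }

'Recently modified files grouped by owner:'
$recent | Group-Object Owner | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

'Most recent writes (where in the folder/file sequence the encryption is now):'
$recent | Sort-Object LastWriteTime -Descending | Select-Object -First 5 |
    Format-Table LastWriteTime, Owner, Path -AutoSize

# Step 2: map the owner accounts to the client computers that currently hold an
# SMB session. An owner of "BUILTIN\Administrators" cannot be mapped this way,
# which is the limitation the article describes for administrator-equivalent users.
$owners   = $recent | Select-Object -ExpandProperty Owner -Unique
$sessions = Get-SmbSession
'Workstations whose logged-on account owns recently written files:'
$sessions | Where-Object { $owners -contains $_.ClientUserName } |
    Format-Table ClientComputerName, ClientUserName, NumOpens -AutoSize

# Step 3: files under the share that are open over SMB right now. The client that
# holds the newest files open is the one to unplug, then watch whether the
# LastWriteTime front above stops advancing.
'Files under the share currently open over SMB:'
Get-SmbOpenFile | Where-Object { $_.Path -like "$SharePath*" } |
    Format-Table ClientComputerName, ClientUserName, Path -AutoSize
```

Re-run the script after disconnecting a suspected workstation; if the list of most recent writes no longer advances, the isolated machine was the one performing the encryption.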
EMK
