How Do I Find The Workstation That's Infected with The Crypto Ransom Ware?


Q - We know we are currently under attack by Crypto Ransomware.  The files on our network share are being renamed and encrypted.  How do I find out which workstation is responsible for this attack so I can isolate it from our network?

A - The easiest way is to look at the NTFS owner of an encrypted file.  The following example uses the APCTLFIL.DAT (A/P Setup) file, which has been encrypted.  In Windows Explorer, right-click this file and choose "Properties."


In the Properties window, choose the "Security" tab, and click on the "Advanced" button.



In the "Advanced Security Settings" window, go to the "Owner" tab (on Windows 8, Windows Server 2012 and later there is no Owner tab; the owner is shown at the top of the window instead).  There you will see the "Current owner" of this file.



The owner tells you which account did the encrypting, and the account usually leads you to the workstation it is logged on to.  If the "Current owner" shows "Administrator" or "Administrators", the encrypting account is either the built-in Administrator or an account with equivalent rights (depending on the NTFS default-owner policy, files created by a member of the local Administrators group may be owned by the group rather than by the individual user), and the owner name alone cannot narrow it down any further.  Whether this method works at all depends on the ransomware variant: a variant that writes a new encrypted file and deletes the original records the encrypting account as the owner, while a variant that overwrites the original file in place keeps the file's original owner.  It is provided as a possible solution, not a guaranteed one.
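The same check can be done for the whole share at once, and the account can be tied to a client machine from the file server's own SMB session table. The following PowerShell script is an added example for this article, not part of the original article or of Elliott; it assumes the share lives at D:\Elliott on the file server (a hypothetical path; change it to yours), that you run it there as an administrator, and that the encrypted files were written within the last two hours.

```powershell
# Added example (not from the original article). Run on the file server as an administrator.
# Assumptions: the Elliott share is at D:\Elliott (hypothetical), and the ransomware has been
# running for no more than two hours.
param(
    [string]$SharePath = 'D:\Elliott',
    [int]$LookBackMinutes = 120
)

# 1. Group every recently written file under the share by its NTFS owner.
#    A variant that creates a new encrypted file records the encrypting account as owner;
#    a variant that encrypts in place keeps the original owner, so treat this as a hint only.
$since  = (Get-Date).AddMinutes(-$LookBackMinutes)
$recent = Get-ChildItem -Path $SharePath -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since }

Write-Host "Recently written files under $SharePath grouped by NTFS owner:"
$recent |
    ForEach-Object {
        [pscustomobject]@{
            Owner     = (Get-Acl -LiteralPath $_.FullName).Owner
            LastWrite = $_.LastWriteTime
            Path      = $_.FullName
        }
    } |
    Group-Object Owner |
    Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'NewestWrite'; e = { ($_.Group | Measure-Object LastWrite -Maximum).Maximum } } |
    Format-Table -AutoSize

# 2. Tie the account to a machine: files currently open on the share are listed with the
#    client computer (name or IP) and user that hold the handle. The workstation doing the
#    encryption is the one with the most open handles and the most recent writes.
Write-Host "Clients with files open on the share right now:"
Get-SmbOpenFile |
    Where-Object { $_.Path -like "$SharePath*" } |
    Group-Object ClientComputerName, ClientUserName |
    Sort-Object Count -Descending |
    Select-Object Name, Count |
    Format-Table -AutoSize

# 3. All SMB sessions, for clients that are logged on but do not have a file open at this instant.
Write-Host "All SMB sessions on this server:"
Get-SmbSession |
    Select-Object ClientComputerName, ClientUserName, NumOpens, SecondsIdle |
    Format-Table -AutoSize
```

Get-SmbOpenFile and Get-SmbSession are available on Windows Server 2012 and later. Once you have the offending client name, Close-SmbSession -ClientComputerName <name> cuts its connection from the server side while you walk over to unplug the workstation itself; the isolation is not complete until the workstation is off the network, because it will simply reconnect.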

Other methods to identify the workstation with ransomware
If the above method does not work, you can still identify the workstation that caused the ransomware attack using the following observations:
  • The workstation on which a ransom note appears.  If you see one, it is certain you have found the workstation.  Of course, by that time the attack from that workstation is already finished.
  • The workstation performing the encryption will show a high CPU utilization rate.
  • Encryption proceeds through folders and files in alphanumeric order.  If you can identify the current point of encryption and you have a suspected workstation, unplug that workstation from the network and watch whether the encryption stops advancing.  If it keeps advancing, you unplugged the wrong machine (or there is more than one).
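The "unplug and watch" test in the last bullet works best if you can see the encryption front move in real time rather than refreshing Explorer. The following PowerShell script is an added example for this article (not part of the original article or of Elliott); it assumes the share is at D:\Elliott on the file server (a hypothetical path) and that you run it there while a colleague unplugs the suspect workstation.

```powershell
# Added example (not from the original article). Run on the file server.
# Assumptions: the Elliott share is at D:\Elliott (hypothetical); watch for 5 minutes by default.
param(
    [string]$SharePath    = 'D:\Elliott',
    [int]$WatchSeconds    = 300
)

# A FileSystemWatcher reports every rename and write under the share as it happens,
# which is exactly the "current point of encryption" the article refers to.
$watcher = New-Object System.IO.FileSystemWatcher -ArgumentList $SharePath
$watcher.IncludeSubdirectories = $true
$watcher.NotifyFilter          = [System.IO.NotifyFilters]'FileName, LastWrite'
$watcher.InternalBufferSize    = 65536   # largest useful buffer; a busy encryptor overflows the 8 KB default
$watcher.EnableRaisingEvents   = $true

# Ransomware typically renames the file (new extension) and writes the ciphertext; log both.
Register-ObjectEvent -InputObject $watcher -EventName Renamed -SourceIdentifier ElliottRename -Action {
    $e = $Event.SourceEventArgs
    Write-Host ("{0}  RENAME  {1}  ->  {2}" -f (Get-Date -Format 'HH:mm:ss'), $e.OldFullPath, $e.FullPath)
} | Out-Null

Register-ObjectEvent -InputObject $watcher -EventName Changed -SourceIdentifier ElliottChange -Action {
    Write-Host ("{0}  WRITE   {1}" -f (Get-Date -Format 'HH:mm:ss'), $Event.SourceEventArgs.FullPath)
} | Out-Null

# If the watcher's buffer overflows, events are lost; say so rather than silently showing a pause.
Register-ObjectEvent -InputObject $watcher -EventName Error -SourceIdentifier ElliottError -Action {
    Write-Host ("{0}  WARNING: watcher buffer overflowed, some events were dropped" -f (Get-Date -Format 'HH:mm:ss')) -ForegroundColor Yellow
} | Out-Null

try {
    Write-Host "Watching $SharePath for $WatchSeconds seconds."
    Write-Host "Unplug the suspect workstation now: if the stream of RENAME/WRITE lines stops, you found it; if it keeps going, it is another machine (or more than one)."
    $deadline = (Get-Date).AddSeconds($WatchSeconds)
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 1      # the registered actions run while this loop idles
    }
}
finally {
    # Always clean up, including on Ctrl+C, so stale subscriptions do not keep printing.
    Unregister-Event -SourceIdentifier ElliottRename, ElliottChange, ElliottError -ErrorAction SilentlyContinue
    $watcher.EnableRaisingEvents = $false
    $watcher.Dispose()
}
```

Because the files are being renamed and written in alphanumeric order, the last RENAME line printed before the stream stops also tells you exactly where the encryption got to, which is the point to start the restore from once the workstation is off the network.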
EMK



