Hello again,   Now I can summarize:  1. Attack came from rough open non standard RDP port forwarded to  a local mashine. Ransomware was stated thee for sure. It succeded to encrypt first all the local drives and mapped network drives. Unfortunatelly attacked user had administrative access to other machines defined by the group policy in local network.  2. Further attacker or Ransomware itself succesed to take control on several mashines from the same user group. On the each machine it succeded to take control on Ransomware was installed and run. 3. On some other mashines it succeeded only to inject the Ransomware executable in "c:\users\anyvaliduser\appdata\roaming\system.exe" and to modify registers of the user :"Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce"  to point to the executable above so as Ransomware to start on login. 4. I succeded to take a copy of the executable and sent it to the F-Secure support together with some encrypted files and the corresponding Ransom note. I did send a copy to "https://www.nomoreransom.org/bg/index.html" as well. 5. We took care with some improvements tgo avoid  further problems of this kind. We implemented some steps to get better protected /like change of all passwords; improvement of the group policy; disable direct RDP; implementation of network firewall; windows and AVP updates./    6. Recent versions of AVR and Windows Definer are able to detect and remove it. Windows defender is recognizing it as "Ransom:Win32/Pulobe.A" blocking and removing it as well. 7. "https://id-ransomware.malwarehunterteam.com/index.php" is recognizing it as aversion of Scarab and says that a decryptor may be found ... 8.We yet need /we are looking for/ a possible file decryption. We have some unique files encrypted.   ... View more

it seems to be combined attack.   For sure I found ransomware executable detected from F-Secure log but somhow 2 minutes later system was rebooted and then  ransomware executable took control before F-Secure and sicceded to block it. Than later real encoding started after my login.   I saw something wrong and swithed the power off. Then I reboted is safe mode and sicceede to find ransomware executable agent. It succeded to ecode some 2/3 of the system disk but fortunately    On some other mashines encoding proces was finished without a human login.  They are 100% encoded excluding the  Windows folders which are not affected. On these mashines we did not find a copy of any ransomware executable agent.   May be attackers were enterer trouh RDP then injected a ransomware executable and did restarted  machines.    We revised our policy for remote access but we cannot avoid it completely. Firewall system is good enough but may be improved I hope.   For sure we should look for any internal network monitoring/blocking  solution. ... View more