Hello again. Now I can summarize:

1. The attack came from a rogue open non-standard RDP port forwarded to a local machine. The ransomware was started there for sure. It succeeded in encrypting first all the local drives and then the mapped network drives. Unfortunately, the attacked user had administrative access to other machines, defined by the group policy in the local network.

2. The attacker, or the ransomware itself, then succeeded in taking control of several machines from the same user group. On each machine it managed to take control of, the ransomware was installed and run.

3. On some other machines it succeeded only in dropping the ransomware executable in "c:\users\anyvaliduser\appdata\roaming\system.exe" and modifying the user's registry key "Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" to point to the executable above, so that the ransomware would start on login.

4. I succeeded in taking a copy of the executable and sent it to F-Secure support together with some encrypted files and the corresponding ransom note. I sent a copy to "https://www.nomoreransom.org/bg/index.html" as well.

5. We took care of some improvements to avoid further problems of this kind. We implemented some steps to be better protected (change of all passwords; improvement of the group policy; disabling direct RDP; implementation of a network firewall; Windows and AVP updates).

6. Recent versions of AVR and Windows Defender are able to detect and remove it. Windows Defender recognizes it as "Ransom:Win32/Pulobe.A", blocking and removing it as well.

7. "https://id-ransomware.malwarehunterteam.com/index.php" recognizes it as a version of Scarab and says that a decryptor may be found ...

8. We still need (we are looking for) a possible file decryption. We have some unique files encrypted.
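The persistence described in point 3 (a RunOnce value pointing at an executable under AppData\Roaming) is cheap to sweep for across the other machines. This is an added example, not code from the original post; it assumes it is run as an administrator and only sees the user hives currently loaded under HKEY_USERS.

```powershell
# Added example (not from the original post): list Run/RunOnce values in every loaded
# user hive that launch an .exe from the user's AppData\Roaming folder, the pattern
# described in point 3. Assumes an administrative PowerShell session; hives of users
# who are not logged on are not loaded under HKEY_USERS and are not checked.
$keys = 'Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'Software\Microsoft\Windows\CurrentVersion\Run'

$findings = foreach ($hive in Get-ChildItem -Path Registry::HKEY_USERS) {
    foreach ($rel in $keys) {
        $path = "Registry::$($hive.Name)\$rel"
        if (-not (Test-Path -Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath etc.
            $cmd = [string]$p.Value
            if ($cmd -match '(?i)\\AppData\\Roaming\\[^\\]+\.exe') {
                # Strip surrounding quotes so the file can be checked; a bare path with
                # trailing arguments will simply report Exists = False.
                $exe = $cmd -replace '^"([^"]+)".*$', '$1'
                [pscustomobject]@{
                    Hive    = $hive.PSChildName      # user SID
                    Key     = $rel
                    Value   = $p.Name
                    Command = $cmd
                    Exists  = Test-Path -LiteralPath $exe
                }
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No Run/RunOnce values launching from AppData\Roaming in the loaded user hives.'
}
```

Any hit should be preserved (copy the file and its hash) before the value and file are removed, so the sample can go to the AV vendor as described in point 4.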