Example:

An unexpected process with odd name (cjkvy-bc.exe) is observed on a workstation. Soon after the process launch, communication is observed to a known botnet C&C IP address registered in Germany.

The MD5 hash of the process identifies it as ransomware; the signature matches TeslaCrypt. Closer examination shows that the EXE has been added to the Start group in the Windows workstation. This means the program is launched each time a user logs in to the workstation, thereby being persistent.

Quarantine the workstation, disinfect the machine by re-imaging and restoring company image. Scan all mapped drives for possible contamination.

 

Tagged:

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.