How Do I Find The Workstation That's Infected with The Crypto Ransomware?

Q - We know we are currently under attack by Crypto Ransomware.  The files in our network share are being renamed and encrypted.  How do I find out which workstation is responsible for this attack so I can isolate it from our system?

A - The easiest way is to find the owner of the encrypted file.  The following is an example of the APCTLFIL.DAT (A/P Setup) file being encrypted.  Use Windows Explorer, right click on this file and choose "Properties."



In the Properties window, choose the "Security" tab, and click on the "Advanced" button.



In the "Advanced Security Settings" window, go to the "Owner" tab. Then you will see the "Current owner" of this file.



If the "Current owner" indicates "Administrator", then the user is either "Administrator" or an "Administrator Equivalent" user.  Unfortunately, we can't narrow this down any further using the owner name alone.  Depending on the variant of Crypto Ransomware involved, this method may or may not work. It is provided as a possible solution.
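The owner lookup above is done one file at a time in Windows Explorer. The following PowerShell script, added here as an example and not part of the original article, does the same check for every recently changed file on the share, and then goes one step further: because the owner only names an account (and several people may log on as "Administrator"), it maps that account to the client computer through the SMB sessions and open files on the file server. The share path is a placeholder, the script must run on the file server that hosts the share, and the Get-SmbSession / Get-SmbOpenFile cmdlets need the SmbShare module (Windows Server 2012 / Windows 8 or later) in an elevated prompt.

```powershell
# Added example, not from the original article. Run on the FILE SERVER hosting the share.
# Assumptions: $SharePath is a placeholder; SmbShare module available; elevated prompt.
$SharePath = 'D:\Shares\Accounting'        # placeholder: local path of the attacked share
$Since     = (Get-Date).AddMinutes(-30)    # look at files touched in the last 30 minutes

# 1. Recently modified files with their NTFS owner. This is the same information as
#    Properties > Security > Advanced > Owner, collected for the whole share at once.
$recent = Get-ChildItem -Path $SharePath -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $Since } |
    ForEach-Object {
        [pscustomobject]@{
            File  = $_.FullName
            Owner = (Get-Acl -LiteralPath $_.FullName).Owner
            When  = $_.LastWriteTime
        }
    }

# How many recently changed files each owner account touched; the encrypting account
# will normally dominate this list.
$recent | Group-Object Owner | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. The owner names an account, not a machine. Each SMB session on this server carries
#    the client computer it came from, so the account can be tied to a workstation even
#    when the owner is "Administrator" and that account is shared by several people.
Get-SmbSession |
    Select-Object ClientUserName, ClientComputerName, NumOpens, SecondsIdle |
    Format-Table -AutoSize

# 3. Files currently held open on the share, per client. The client that still has
#    files on the share open for writing is the workstation to disconnect.
Get-SmbOpenFile | Where-Object { $_.Path -like "$SharePath*" } |
    Select-Object ClientUserName, ClientComputerName, Path |
    Format-Table -AutoSize
```

The session and open-file listings are the more reliable of the three when the owner check is inconclusive: ransomware variants differ in whether they rewrite the file in place or create a new one, which changes what the Owner field shows, but the SMB session that wrote the file always belongs to a specific client computer.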

Other methods to identify the workstation with ransomware
If the above method does not work, you may identify the workstation that caused the ransomware attack using the following knowledge:

  • The workstation that has a ransom note showing up.  If you see that, then it is certain you have found the workstation.  Of course, by this time, the ransomware attack is already done.
  • The workstation performing the encryption will have a high CPU utilization rate.
  • The encryption proceeds in alphanumeric sequence through folders and files.  If you can identify the current point of encryption and you have a suspected workstation, you can unplug that workstation from the network to see whether the encryption progress stops.
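The last point above relies on watching where the encryption currently is and whether it stops after a workstation is unplugged. The following PowerShell loop, added here as an example and not part of the original article, samples the share every few seconds and reports the most recently written file (the current point of encryption, which moves through the folders in alphanumeric order) together with the number of files changed since the previous sample. The UNC path is a placeholder; the loop can run from any machine that can read the share. After the suspected workstation is unplugged, the changed-file count should fall to zero and the newest file should stop advancing; if it keeps moving, the wrong machine was isolated.

```powershell
# Added example, not from the original article.
# Assumptions: $SharePath is a placeholder UNC path; read access to the share is enough.
$SharePath   = '\\FILESERVER\Accounting'   # placeholder: UNC path of the attacked share
$IntervalSec = 10                          # seconds between samples
$lastSample  = Get-Date

while ($true) {
    # Take the timestamp before listing so nothing written during the listing is missed
    $now   = Get-Date
    $files = Get-ChildItem -Path $SharePath -Recurse -File -ErrorAction SilentlyContinue

    # Files changed since the previous sample, and the single newest file (the "front")
    $changed = @($files | Where-Object { $_.LastWriteTime -gt $lastSample })
    $front   = $files | Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $frontName = if ($front) { $front.FullName } else { '(no files found)' }

    '{0:HH:mm:ss}  changed in last {1}s: {2,5}   newest: {3}' -f $now, $IntervalSec, $changed.Count, $frontName

    $lastSample = $now
    Start-Sleep -Seconds $IntervalSec
}
```

Watch the "newest" column: while the attack is running it walks forward through the folder names in order, so the folder it is in tells you how far the encryption has reached, and a count that stays at zero for several samples after unplugging a workstation confirms that workstation was the source.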
EMK
