Yesterday, when checking the firewall logs, something scary caught my attention.
I saw a local IP address trying to connect to a Command and Control (CnC) server. These servers are known to deliver the encryption key to ransomware, which encrypts the user's files and asks the user to pay for the decryption key.
Fortunately, our firewall blocked this connection.
As you can see in the firewall's security log, there is a connection attempt to the IP 220.127.116.11 on TCP port 80 every 30 minutes. The IPS module of the firewall detected this traffic as malicious and dropped the packets.
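That "every 30 minutes" regularity is the tell: malware beacons on a timer, people don't. The script below is an added example (not the author's code or log) that scores each source/destination/port flow in a firewall log by how constant the gaps between attempts are. The log format, the host address 192.168.1.23 and the benign destination 198.51.100.10 are constructed for the example; only 220.127.116.11 comes from the post.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample in a simplified firewall security-log format (this is not
# the author's log). 192.168.1.23 is the hypothetical infected host; the
# destination 220.127.116.11 is the address quoted in the post; 198.51.100.10
# is a documentation-range address standing in for normal web traffic.
SAMPLE_LOG = """\
2016-03-07 08:00:02 DROP  192.168.1.23 220.127.116.11 TCP 49152 80  IPS
2016-03-07 08:05:11 ALLOW 192.168.1.23 198.51.100.10  TCP 49153 443
2016-03-07 08:30:01 DROP  192.168.1.23 220.127.116.11 TCP 49160 80  IPS
2016-03-07 08:41:37 ALLOW 192.168.1.23 198.51.100.10  TCP 49170 443
2016-03-07 09:00:03 DROP  192.168.1.23 220.127.116.11 TCP 49181 80  IPS
2016-03-07 09:30:02 DROP  192.168.1.23 220.127.116.11 TCP 49190 80  IPS
2016-03-07 10:00:01 DROP  192.168.1.23 220.127.116.11 TCP 49201 80  IPS
2016-03-07 10:12:45 ALLOW 192.168.1.40 198.51.100.10  TCP 50000 443
2016-03-07 10:30:00 DROP  192.168.1.23 220.127.116.11 TCP 49210 80  IPS
"""


def parse_line(line):
    """Split one log line into its fields: date time action src dst proto sport dport [tag]."""
    fields = line.split()
    date, clock, action, src, dst, proto, sport, dport = fields[:8]
    return {
        "time": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
        "action": action,
        "src": src,
        "dst": dst,
        "proto": proto,
        "dport": int(dport),
    }


def find_beacons(log_text, min_hits=4, max_jitter=0.1):
    """Return flows (src, dst, proto, dport) whose attempts recur at a near-constant
    interval. Regularity is scored as the coefficient of variation (stdev / mean)
    of the gaps between consecutive attempts; human browsing is far more erratic."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        flows[(rec["src"], rec["dst"], rec["proto"], rec["dport"])].append(rec["time"])

    beacons = []
    for flow, times in flows.items():
        if len(times) < min_hits:          # too few attempts to call it periodic
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            beacons.append({
                "flow": flow,
                "hits": len(times),
                "interval_s": round(avg),
                "jitter": round(jitter, 3),
            })
    return beacons


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG):
        src, dst, proto, dport = b["flow"]
        print(f"{src} -> {dst}:{dport}/{proto}: {b['hits']} attempts, "
              f"every ~{b['interval_s']} s (jitter {b['jitter']})")
```

On the sample, only the flow to 220.127.116.11:80 survives the filter (six attempts, roughly 1800 s apart, almost no jitter). The thresholds are deliberately loose: real C2 implants often add random sleep to defeat exactly this check, so raise `max_jitter` if you see suspicious DROP lines that the script ignores, and always run it on ALLOW lines too, because the day the IPS signature is missing, the beacon is still periodic.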
You had better have a good, up-to-date firewall, with current IPS signatures, protecting your network.
So now I have the IP of the compromised PC, but how do I identify the process sending these packets to the CnC server? I simply applied Mark Russinovich's formula: "When in doubt... run Process Monitor". I did, and after a few moments of capturing, I searched for 18.104.22.168 and got this:
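If Process Monitor is not at hand, the same attribution can be done from the socket table: `netstat -ano` lists each connection with its owning PID, and `tasklist /fo csv` maps PIDs to image names. The following is an added example (not the author's procedure) that joins the two; both command outputs are constructed samples, and the process name, PIDs and the address 220.127.116.11 are taken from the post only for illustration.

```python
import csv
import io

# Constructed sample output of `netstat -ano` on the hypothetical infected host
# (not captured from the author's machine). The address 220.127.116.11 is the
# one quoted in the post; the firewall drops the SYN, so the socket sits in
# SYN_SENT. 198.51.100.10 is a documentation-range address for normal traffic.
NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.23:49210     220.127.116.11:80      SYN_SENT        3412
  TCP    192.168.1.23:49211     198.51.100.10:443      ESTABLISHED     1204
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       868
  UDP    0.0.0.0:5353           *:*                                    1204
"""

# Constructed sample output of `tasklist /fo csv` on the same host; the process
# name is the one the author found with Process Monitor.
TASKLIST_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","868","Services","0","10,232 K"
"chrome.exe","1204","Console","1","180,004 K"
"rafdpklsxd.exe","3412","Console","1","6,512 K"
"""


def parse_netstat(text):
    """Yield one dict per socket line of `netstat -ano` output, skipping headers."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        if fields[0] == "TCP":
            proto, local, foreign, state, pid = fields[:5]
        else:                               # UDP rows have no State column
            proto, local, foreign, pid = fields[:4]
            state = ""
        yield {"proto": proto, "local": local, "foreign": foreign,
               "state": state, "pid": int(pid)}


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv` output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def attribute_remote(netstat_text, tasklist_text, remote_ip):
    """Return the processes owning sockets whose foreign address is remote_ip."""
    images = parse_tasklist(tasklist_text)
    hits = []
    for sock in parse_netstat(netstat_text):
        # split on the last colon so a bracketed IPv6 address stays intact
        host, _, _port = sock["foreign"].rpartition(":")
        if host == remote_ip:
            hits.append({**sock, "image": images.get(sock["pid"], "<unknown>")})
    return hits


if __name__ == "__main__":
    for hit in attribute_remote(NETSTAT_ANO, TASKLIST_CSV, "220.127.116.11"):
        print(f"PID {hit['pid']} ({hit['image']}) {hit['local']} -> "
              f"{hit['foreign']} {hit['state']}")
```

Two caveats. The socket table is a snapshot, and a beacon that fires once every 30 minutes is usually not in it when you look, which is exactly why a capture tool like Process Monitor, left running, is the better choice. And a familiar image name is not proof of innocence: malware regularly injects into legitimate processes, so once you have a PID, confirm the image path and signature before deciding what to kill.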
The culprit is rafdpklsxd.exe. It probably infected the computer through an email sent to the user with an attached file, such as an MS Word document containing a macro. We have been bombarded with this kind of email over the past few days.
So if you are in charge of security in your company, you must educate your users not to open attachments in emails from unknown senders. Since this kind of infection still needs the user to enable the macro, it is also worth restricting macro execution through Office policy rather than relying on the user alone.
But one question nagged me: why hadn't the antivirus detected and stopped this malware? Unfortunately, the antivirus wasn't working properly on that PC. Luckily the firewall did its job, otherwise this user would have lost their files.
In conclusion, take the ransomware threat seriously: educate your users, have a good firewall, and make sure your antivirus is working properly.
You can find information here about ransomware and how to prevent an infection: