

    Execute (Your friendly neighbourhood IT guy)

    .Cesar Files Virus - Information and Support Thread
    « on: August 21, 2017, 11:41:50 am »
    The .cesar files virus is a type of ransomware virus that encrypts files.
    It will lock them, while appending the .cesar extension to all of them.

    The .cesar virus is spreading fast and if you have your PC infected,
    you can at least learn more about the malware from this article:
    .cesar Files Virus (Dharma Ransomware) - Remove and Restore Data

    If a solution is found, that article will be duly updated.
    You can ask questions about the threat under this post.
    There is no place like 127.0.0.1

    Hyperbolic

    Re: .Cesar Files Virus - Information and Support Thread
    « Reply #1 on: August 21, 2017, 11:09:42 pm »
    We had 2 clients hit with this.

    I uploaded the injector file we found to VirusTotal, this was the output
    https://virustotal.com/#/file/1c50e5eead58322784b7849235577a7a18299a22c59fcf185c63d56aa919d559/detection

    The file was executed on a single workstation. This is a client with port redirection set up to allow outside RDP onto workstations. Someone connected to the workstation via RDP (logging in as a generic domain user account 'scans') and executed the malware from the desktop (file was named 1blk.exe). From there it encrypted shares that were mapped on that computer, as well as open shares on other computers and servers. Checking Event Viewer audits, it looks like whoever had remoted onto the individual workstation then attempted to RDP into other local computers, so slightly different than ransomware I normally see originating from email or downloaded files.

    If anyone wants a copy of the file for analysis, let me know.
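A defender-side check for the pattern Hyperbolic describes above (an external RDP logon with a generic domain account, a binary run from that user's desktop, then RDP attempts with the same account against other hosts). This is an added example, not code from the thread: it scans constructed Windows Security log records whose field names mirror Event IDs 4624/4625 (logon type 10 = RemoteInteractive, i.e. RDP) and 4688 (process creation, `NewProcessName`). Hostnames, IP addresses, timestamps and the `generic_accounts` list are assumptions.

```python
"""Flag the RDP entry -> desktop execution -> RDP pivot pattern in
Windows Security log records (added example; sample data is constructed)."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample records (not real logs). logon_type 10 = RDP.
SAMPLE_EVENTS = [
    {"time": "2017-08-21 02:10:00", "computer": "WS07", "event_id": 4624,
     "logon_type": 10, "user": "scans", "source_ip": "203.0.113.45"},
    {"time": "2017-08-21 02:12:30", "computer": "WS07", "event_id": 4688,
     "logon_type": None, "user": "scans", "source_ip": "-",
     "process": "C:\\Users\\scans\\Desktop\\1blk.exe"},      # NewProcessName
    {"time": "2017-08-21 02:15:00", "computer": "WS03", "event_id": 4625,
     "logon_type": 10, "user": "scans", "source_ip": "10.0.0.17"},
    {"time": "2017-08-21 02:15:40", "computer": "FS01", "event_id": 4624,
     "logon_type": 10, "user": "scans", "source_ip": "10.0.0.17"},
    {"time": "2017-08-21 09:00:00", "computer": "WS02", "event_id": 4624,
     "logon_type": 10, "user": "jdoe", "source_ip": "10.0.0.50"},  # benign
]

# RFC 1918 ranges; anything else is treated as outside the LAN.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_external(ip: str) -> bool:
    """True for a routable address outside the internal ranges.
    Non-addresses such as '-' or '::1' are not treated as external."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    if addr.version != 4 or addr.is_loopback:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def _with_timestamps(events):
    parsed = [dict(e, ts=datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S"))
              for e in events]
    return sorted(parsed, key=lambda e: e["ts"])


def find_rdp_pivots(events, generic_accounts, window=timedelta(hours=2)):
    """Return one finding per external RDP logon (4624, type 10) by a generic
    account, listing the other hosts that account tried to RDP into
    (4624 or 4625, type 10) within `window` after the entry logon."""
    parsed = _with_timestamps(events)
    accounts = {a.lower() for a in generic_accounts}
    findings = []
    for entry in parsed:
        if entry["event_id"] != 4624 or entry["logon_type"] != 10:
            continue
        if entry["user"].lower() not in accounts:
            continue
        if not is_external(entry["source_ip"]):
            continue
        deadline = entry["ts"] + window
        lateral = {
            x["computer"] for x in parsed
            if x["logon_type"] == 10 and x["event_id"] in (4624, 4625)
            and x["user"].lower() == entry["user"].lower()
            and x["computer"] != entry["computer"]
            and entry["ts"] < x["ts"] <= deadline
        }
        findings.append({"entry_host": entry["computer"],
                         "user": entry["user"],
                         "source_ip": entry["source_ip"],
                         "lateral_targets": sorted(lateral)})
    return findings


def desktop_executions(events):
    """Process-creation records (4688) whose image lives under a user's
    Desktop folder: a cheap tell for a payload dropped over an RDP session."""
    return [e["process"] for e in events
            if e["event_id"] == 4688 and "\\desktop\\" in e.get("process", "").lower()]


if __name__ == "__main__":
    for f in find_rdp_pivots(SAMPLE_EVENTS, {"scans"}):
        print(f"external RDP entry on {f['entry_host']} as {f['user']} from "
              f"{f['source_ip']}; pivot attempts to {f['lateral_targets']}")
    print("desktop executables:", desktop_executions(SAMPLE_EVENTS))
```

The two checks are independent on purpose: a site that has no generic accounts still gets value from `desktop_executions`, and the pivot check works from logon events alone, which most domains already audit. Tightening the window or the account list is a tuning decision; the sample above uses a two-hour window because the post describes the RDP attempts as following the initial logon closely.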

    Execute (Your friendly neighbourhood IT guy)

    Re: .Cesar Files Virus - Information and Support Thread
    « Reply #2 on: August 22, 2017, 05:07:45 pm »
    That is very unfortunate. But not unheard of - many ransomware developers also initiate targeted attacks and the targets are usually firms and corporations which have PCs tied to a network...

    I am hoping you have backups, as that is a standard procedure (or at least it should be)?
    There is no place like 127.0.0.1
