You are welcome to discuss various security topics with our professional team and other users like you!
Read our Registration Agreement and create your FREE account here!

*

Execute

  • *****
  • 276
  • +46/-0
  • Your friendly neighbourhood IT guy
      • View Profile
.Cesar Files Virus - Information and Support Thread
« on: August 21, 2017, 11:41:50 am »
The .cesar files virus is a type of ransomware virus that encrypts files.
It will lock them, while appending the .cesar extension to all of them.

The .cesar virus is spreading fast and if you have your PC infected,
you can at least learn more about the malware from this article:
.cesar Files Virus (Dharma Ransomware) - Remove and Restore Data

If a solution is found, that article will be duly updated.
You can ask questions about the threat under this post.

*

Hyperbolic

  • *
  • 1
  • +1/-0
      • View Profile
Re: .Cesar Files Virus - Information and Support Thread
« Reply #1 on: August 21, 2017, 11:09:42 pm »
We had 2 clients hit with this.

I uploaded the injector file we found to VirusTotal, this was the output
https://virustotal.com/#/file/1c50e5eead58322784b7849235577a7a18299a22c59fcf185c63d56aa919d559/detection

The file was executed on a single workstation. This is a client with port redirection setup to allow outside RDP onto workstations, Someone connected to the workstation via RDP (logging in as a generic domain user account 'scans') and executed the malware from the desktop (file was named 1blk.exe). From there it encrypted shares that were mapped on that computer, as well as open shares on other computers and servers. Checking Event viewer audits, it looks like whomever had remoted onto the individual workstation, then attempted to RDP into other local computers, so slightly different then ransomware I normally see originating from email or downloaded files.

If anyone wants a copy of the file for analysis, let me know.

*

Execute

  • *****
  • 276
  • +46/-0
  • Your friendly neighbourhood IT guy
      • View Profile
Re: .Cesar Files Virus - Information and Support Thread
« Reply #2 on: August 22, 2017, 05:07:45 pm »
That is very unfortunate. But not unheard of - many ransomware developers also initiate targeted attacks and the targets are usually firms and corporations which have PCs tied to a network...

I am hoping you have backups, as that is a standard procedure (or at least it should be)?