Infected by Ransomware TWICE under Protection by Kaspersky

Discussion in 'other anti-virus software' started by networm, Sep 16, 2023.

  1. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    597
    This is what puzzles me. Does it suggest that the threat persisted somehow, even after the disk was reformatted and Windows was reinstalled? Or did they get attacked a second, separate time?
     
  2. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,921
    @networm
    Have you tried the following two sites to identify and decrypt the files (if possible at all!)?
    Even if identifying and decrypting were possible, it doesn't mean that the computer will not be infected the next time!

    1.
    The No More Ransom project site:
    https://www.nomoreransom.org/en/index.html
    Follow the guidelines and upload some file(s).
    We had a long thread here:
    https://www.wilderssecurity.com/thr...anies-join-forces-to-fight-ransomware.387365/

    2.
    ID Ransomware
    https://id-ransomware.malwarehunterteam.com/
    Follow the guidelines and upload some file(s).
    We had a thread here:
    https://www.wilderssecurity.com/threads/before-you-pay-that-ransomware-demand.390879/

    3.
    You may also try to ask for help here:
    https://www.bleepingcomputer.com/forums/f/239/ransomware-help-tech-support/
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    I would say this was the case.

    The real question is why you were subjected to a ransomware attack at all. These attackers go after high-valued commercial targets as a rule. This is because they have the resources to pay their ever-increasing exorbitant ransom amounts.

    This does bring up the advisability of running an endpoint security product on a consumer-use device. All malware attacks involve recon activities. One of those is device mapping in regard to installed hardware and software. You could have been a target simply by using an endpoint security product. This would make the attacker think this PC makes connections to a corporate network and the like.
     
    Last edited: Sep 20, 2023
  4. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,675
    Location:
    USA still the best. But barely.
    This is a very good point.
     
  5. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,692
    Location:
    Paris
    Good point. But in order to inventory the system the malware must first connect out to Command; so if this was the case, the Firewall was also at fault for failing to prevent (or at least alert to) this process.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    Another possibility is Snatch ransomware, which has been around for a while but has reached such proportions that the CISA and FBI have issued an advisory on it:
    https://www.darkreading.com/attacks...int-warning-on-snatch-ransomware-as-a-service

    This is accomplished by:
    https://news.sophos.com/en-us/2019/...oots-pcs-into-safe-mode-to-bypass-protection/

    It should be noted that most AVs do not run in Win Safe mode.
     
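    The Safe Mode bypass itman links to leaves a trace before the reboot happens, while the AV and any EDR sensor are still running. The following is an added detection example, not code from the thread or from any vendor: it runs over constructed process-creation events (Sysmon Event ID 1 style, reduced to timestamp and command line) and alerts when a Safe Mode boot change is followed by a forced reboot within a short window. The regexes and the 10-minute window are my assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (Sysmon Event ID 1 style, reduced to a
# timestamp and command line). Sample data for this example only.
EVENTS = [
    {"t": "2023-09-16 02:10:05", "cmd": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"t": "2023-09-16 02:11:40", "cmd": "bcdedit /set {current} safeboot minimal"},
    {"t": "2023-09-16 02:11:41", "cmd": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\UpdSvc /ve /d Service /f"},
    {"t": "2023-09-16 02:11:45", "cmd": "shutdown /r /f /t 0"},
    {"t": "2023-09-16 09:00:00", "cmd": "bcdedit /enum {current}"},  # benign: read-only query
    {"t": "2023-09-16 09:05:00", "cmd": "shutdown /r /t 0"},         # benign: no prior change
]

# Each rule is one observable of the "boot into Safe Mode" technique; the
# regexes are assumptions about how these commands appear in a command line.
RULES = [
    ("safeboot_flag_set", re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I)),
    ("safeboot_service_registered", re.compile(r"\breg(\.exe)?\s+add\b.*\\SafeBoot\\(Minimal|Network)\\", re.I)),
    ("forced_reboot", re.compile(r"\bshutdown(\.exe)?\b.*(?:/|-)r\b", re.I)),
]
CHANGE_RULES = {"safeboot_flag_set", "safeboot_service_registered"}

def match_rules(events):
    """Return (timestamp, rule_name, cmdline) for every event that matches a rule."""
    hits = []
    for e in events:
        ts = datetime.strptime(e["t"], "%Y-%m-%d %H:%M:%S")
        for name, rx in RULES:
            if rx.search(e["cmd"]):
                hits.append((ts, name, e["cmd"]))
    return hits

def safe_mode_bypass_alerts(events, window=timedelta(minutes=10)):
    """A Safe Mode boot change followed by a forced reboot inside `window` is the
    chain worth paging on: after that reboot the AV is no longer running to see it."""
    hits = match_rules(events)
    changes = [h for h in hits if h[1] in CHANGE_RULES]
    reboots = [h for h in hits if h[1] == "forced_reboot"]
    alerts = []
    for ct, cname, ccmd in changes:
        for rt, _, rcmd in reboots:
            gap = rt - ct
            if timedelta(0) <= gap <= window:
                alerts.append({"rule": cname, "change": ccmd, "reboot": rcmd,
                               "gap_s": int(gap.total_seconds())})
    return alerts

if __name__ == "__main__":
    for a in safe_mode_bypass_alerts(EVENTS):
        print(f"[HIGH] {a['rule']}: '{a['change']}' then '{a['reboot']}' {a['gap_s']}s later")
```

    A lone `bcdedit /enum` or an ordinary reboot produces no alert; only the change-then-reboot sequence does, which keeps the rule quiet on admin activity.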
  7. SRT

    SRT Registered Member

    Joined:
    Feb 28, 2021
    Posts:
    132
    Location:
    USA
    Malwarebytes does run in safe mode, but it is not truly an AV.
     
  8. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,244
    I'm surprised that nobody mentioned SUA+SRP as a prevention mechanism, which should stop most or even all of such attacks. Much better than 3rd-party tools, which often fail and even increase the attack surface or introduce new vulnerabilities, as has often happened in the past.
     
  9. kenw

    kenw Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    145
    Location:
    Brighton, Colorado
    I IMAGE my C drives once a month. Got it once and restored the image, no problem.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Yes, good points. Nowadays they often try to simply terminate the AV. And it might indeed make you a target if you run enterprise AVs on your consumer device.
     