folders keep reappearing on C drive. ransomware program triggered

luckydriver

On my home machine yesterday just happened to notice on C drive 2 strange folders. they reappear even though you delete them.

norton/malwarebytes paid and cyberfree ransomware are on the machine

tdsskiller shows nothing.

the ransomware program I have keeps saying something is found and it is stopping it. but then the files come back. here's an example in the attachments

kaspersky security scan i just downloaded says
Displaying drives in Windows Explorer is limited
Disk absence in Windows Explorer seriously hampers the ability of the user to work with their applications and data. This problem is usually due to active malware. Failure to correct the problem does not allow the running of applications or opening of files with data that the user needs for work.

Autorun from network drives is enabled
There are types of malware that reproduce by copying network drives using the autorun.inf file. This allows an attacker to gain control over the system and user data

aside from all this the machine runs perfectly. just when i delete the 2 folders in C they come back right away. and then the ransomware program gets triggered and says another process may be trying to conceal its activity by abusing explorer.exe
 

luckydriver

what do you mean? i have paid norton but since it showed clear i downloaded the kaspersky quick scan or whatever its called since i know nothing is perfect.

also i have paid malwarebytes and that has continually showed 'pup no drives' for a while but it appears every time i reboot. and malwarebytes cleans it every time.

 

RARRAF

they hog system resources, make your machine run terrible I would expect. leave malwarebytes paid and cyberfree ransomware and download the removal tools for norton and kaspersky; they will not properly uninstall without them
 

luckydriver

actually i may have found the answer but never heard of a honeypot. i believe the program creates directories and is a trigger if you get ransomware. i guess i can turn off the program and try to delete the files and see what happens.

https://www.wilderssecurity.com/threads/ransomfree-by-cybereason.390786/page-2

The folders the product creates will be randomly named and usually at the top of the C drive. They are the Honeypots- too bad some ransomware do not have a sweet tooth.

also found this

https://groups.google.com/a/cybereason.com/forum/#!topic/ransomfree-support/74u75F35Cy4

and this one

https://www.bleepingcomputer.com/forums/t/637573/virus-creating-randomly-named-folders-not-windows-update/
 

luckydriver

and finally this seems conclusive so i think we are done here. i hope.. i'll go home and test it for sure tonight

https://www.bleepingcomputer.com/forums/t/638875/rogue-folder-and-file-on-hardisk/
 

JoshRoss

Some antivirus solutions would create fake/honeypot folders to help with the ransomware issue. If ransomware encrypts any files in the folder, antivirus/anti-malware solutions can react faster. Cyberfree was known to do just that.
 

luckydriver



the company wrote back. sure would be nice if this was in the FAQ!!!!!

The drive and folders that you're seeing are expected behavior of RansomFree. They are bait files (like honeypots if you're familiar with this technology) that lure ransomware toward them first. This enables RansomFree to detect and stop ransomware before it's able to encrypt your valuable files. These are designed to be hidden so if you wish, you can enable hidden files and folders in your system settings and they won't clutter your directory. Let us know if you have any other questions.

Canary files video
https://cybereason-1.wistia.com/medias/pmtln8pwwe
 
Solution
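The bait-file idea described in the vendor's reply, as an added example that is not part of the thread and not RansomFree's own code: a folder of decoy files is planted, hashed, and any deletion, rewrite or new file in it raises an alert, after which the bait is restored (which is why the folders in this thread came back after being deleted). The folder name, file names and contents are hypothetical and constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical names: a leading "!" sorts the bait ahead of real data in a
# directory walk, so an encryptor working alphabetically reaches it first.
BAIT_DIR = "!bait_7f3a"
BAIT_FILES = {"!contract.docx": b"constructed bait text\n" * 200,
              "!photo.jpg": b"constructed bait bytes\n" * 200}

def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def plant(root: Path) -> dict:
    """Create (or re-create) the bait files; return {path: sha256} baseline."""
    folder = root / BAIT_DIR
    folder.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for name, content in BAIT_FILES.items():
        path = folder / name
        path.write_bytes(content)
        baseline[path] = _sha256(path)
    return baseline

def check(root: Path, baseline: dict) -> list:
    """Return (path, reason) alerts for any change to the bait folder."""
    alerts = []
    for path, digest in baseline.items():
        if not path.exists():
            alerts.append((path, "missing"))      # deleted, or renamed away
        elif _sha256(path) != digest:
            alerts.append((path, "modified"))     # content rewritten in place
    folder = root / BAIT_DIR
    if folder.exists():
        for extra in sorted(set(folder.iterdir()) - set(baseline)):
            alerts.append((extra, "unexpected"))  # renamed copy or dropped file
    return alerts

def demo() -> tuple:
    """Simulate an overwrite and a deletion, then restore the bait."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        baseline = plant(root)
        (root / BAIT_DIR / "!contract.docx").write_bytes(b"\x00" * 64)
        (root / BAIT_DIR / "!photo.jpg").unlink()
        reasons = sorted(reason for _, reason in check(root, baseline))
        plant(root)  # bait is put back, so a user who deletes it sees it return
        return reasons, len(check(root, baseline))

if __name__ == "__main__":
    print(demo())
```

A real product watches the bait with file-system notifications and acts on the offending process; this sketch only polls hashes to show the detection logic.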