In a firewall (ASA) log viewer you will see something like the following:
Workaround:
Go to C:\Windows and sort the files by Date Modified.
You will need to manually delete the following 3 files:
tasksche.exe
qeriuwjhrf
mssecsvc.exe
You will need to stop the currently running mssecsvc.exe process in Task Manager prior to deleting the exe file. There may be another file, like the one above, named mssecsvr.exe, and if so you will have to delete it too. I have seen it on a Windows Server 2008 R2.
After deleting these files, session creation will stop, but you will need to disable SMBv1 and use SMBv2 only as a best practice. The following guide will show you how to do it according to your OS version.
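The manual steps above (list C:\Windows by modification date, stop the process, delete the three files, disable SMBv1) can be done from an elevated PowerShell prompt. The script below is an added example, not part of the original post; the file and process names are the ones named above, the mssecsvr.exe variant is included because the post mentions it, and the SMBv1 steps use the Microsoft-documented Set-SmbServerConfiguration cmdlet (Windows 8 / Server 2012 and later) with the LanmanServer SMB1 registry value as the fallback for older systems such as Server 2008 R2. The SHA256 hashing step is an assumption on my part for the incident record; it only runs where Get-FileHash is available.

```powershell
# Added example (not from the original post): remove the files named above
# and turn off SMBv1. Run from an elevated (Administrator) PowerShell prompt.

$SystemRoot       = $env:SystemRoot            # normally C:\Windows
$SuspectFiles     = @('tasksche.exe', 'qeriuwjhrf', 'mssecsvc.exe', 'mssecsvr.exe')
$SuspectProcesses = @('mssecsvc', 'mssecsvr', 'tasksche')

# 0. Triage: the post's "sort by Date Modified" step, newest files first.
Write-Host "Most recently modified files in $SystemRoot:"
Get-ChildItem -LiteralPath $SystemRoot -File |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 15 Name, LastWriteTime, Length |
    Format-Table -AutoSize

# 1. Stop the running processes first; a running exe cannot be deleted.
foreach ($name in $SuspectProcesses) {
    Get-Process -Name $name -ErrorAction SilentlyContinue | ForEach-Object {
        Write-Host "Stopping $($_.ProcessName) (PID $($_.Id))"
        Stop-Process -Id $_.Id -Force
    }
}

# 2. Delete the files. Record a hash first (where Get-FileHash exists,
#    i.e. PowerShell 4.0+) so the incident record keeps an identifier.
$canHash = [bool](Get-Command Get-FileHash -ErrorAction SilentlyContinue)
foreach ($file in $SuspectFiles) {
    $path = Join-Path $SystemRoot $file
    if (-not (Test-Path -LiteralPath $path)) { continue }
    if ($canHash) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        Write-Host "Removing $path (SHA256 $hash)"
    } else {
        Write-Host "Removing $path"
    }
    Remove-Item -LiteralPath $path -Force
}

# 3. Disable SMBv1 on the server side so the session creation seen in the
#    firewall log stops. Newer systems have Set-SmbServerConfiguration; on
#    Server 2008 R2 the documented method is the LanmanServer SMB1 registry
#    value, which takes effect after a reboot.
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Host 'SMBv1 disabled via Set-SmbServerConfiguration.'
} else {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $key -Name SMB1 -Type DWORD -Value 0 -Force
    Write-Host 'SMB1 registry value set to 0; reboot required for it to take effect.'
}
```

Deleting the dropped files stops the scanning on that host, but it does not tell you how the host was reached; the firewall log lines the post refers to, together with the hashes printed by step 2, are what to keep for the incident record.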
I haven't seen the actual ransom request after a successful attack, maybe because the firewalls in our network could fight against the session creation. As I have researched on the internet, the ransom request will be something like the following: