If you experience any of the listed unusual system behavior, follow the corresponding recommendations.

  • When encountering encrypted files
    1. Collect a sample of the encrypted file and upload it to ID Ransomware.
    2. Once the malware has been identified, you may use Threat Encyclopedia to search for more information about the ransomware and the solution to completely remove it from your system.
    3. If you are not convinced that the malware has been completely removed, run ATTK on affected machines and submit the output to Trend Micro Support.
    4. Use this guide on how to file a case with the logs collected.
  • When suspicious files or PowerShell scripts are running in the environment
    • Suspicious files:
      1. Open the Task Manager.
      2. Go to Details Tab.
      3. Find the suspicious process belonging to the file and click Open File Location.
      4. End the suspicious process. Collect the file and compress it into a password-protected archive using the password "virus".
      5. Use ATTK on the affected machine.
      6. Submit the ATTK log and suspicious file to Trend Micro Support.
    • Suspicious PS Scripts:

      For more information about PowerShell-based malware and how to mitigate them, visit this article.

      Visit this article on how to file a case with the logs collected.

  • When machine(s) connect to unknown IP addresses
    1. Use Global Site Safety to check the reputation of the IP address.
    2. Create an Apex One / OfficeScan Firewall policy to block the connection if IPs are still untested in Global Site Safety.
    3. Use ATTK to collect suspicious files from the machine and submit them to Trend Micro Support.
    4. For detailed steps on how to stop this attack, view this KB article.
    5. Visit this article on how to file a case with the logs collected.
  • When being redirected to unknown/malicious sites
    1. You can check the site's safety using Global Site Safety.
    2. Do not input any information on the redirected site if it is untested or dangerous.
    3. Try connecting to the original site using other machines.
    4. If the same issue persists on other machines, the web site itself may have been compromised. If only a few machines are affected, check the "hosts" file located in C:\Windows\System32\Drivers\etc for any URL redirection and remove all suspicious or unknown URL/IP entries.
    5. Clear the DNS cache via the Command prompt by executing this command:

      C:\>ipconfig /flushdns

    6. If the issue persists, export the detection logs from Apex One / OfficeScan and file a case with Trend Micro Support.
    7. Visit this article on how to file a case with the logs collected.
  • When pop-up messages are being displayed
    • For Persistent Apex One / OfficeScan detection, refer to this KB article.
    • For web page pop-ups like the image below:

      1. Uninstall any suspicious/unknown programs installed from Control Panel > Add/ Remove Programs.
      2. Remove unknown add-ons from browsers like Google Chrome, Internet Explorer and Mozilla Firefox.
      3. Use ATTK to resolve the issue. If it reoccurs, submit the ATTK logs to Trend Micro Support.

        To prevent any malware infection, make sure to apply the recommendations in this KB article.

      4. Visit this article on ATTK log collection.
      5. Visit this article on how to file a case with the logs collected.
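Steps 4 and 5 under "When being redirected to unknown/malicious sites" can be done in one pass. The script below is an added example, not part of the Trend Micro article: it lists every active (non-comment) mapping in the hosts file, flags those that point a name at something other than the loopback address, and then clears the DNS client cache (the same effect as ipconfig /flushdns). It assumes an elevated PowerShell session on the affected Windows machine.

```powershell
# Added example (not from the Trend Micro KB): review hosts-file redirections
# and flush the DNS resolver cache. Assumes an elevated PowerShell session.

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Get-HostsEntries {
    param([string]$Path = $hostsPath)

    $lines = Get-Content -Path $Path
    for ($i = 0; $i -lt $lines.Count; $i++) {
        # Drop trailing comments and surrounding whitespace.
        $text = ($lines[$i] -replace '#.*$', '').Trim()
        if ($text -eq '') { continue }            # blank or comment-only line

        $fields = $text -split '\s+'
        $names  = if ($fields.Count -gt 1) { $fields[1..($fields.Count - 1)] } else { @() }

        [pscustomobject]@{
            Line    = $i + 1                      # 1-based, matches an editor
            Address = $fields[0]
            Names   = ($names -join ' ')
            # Loopback mappings are normal; anything else deserves a look.
            Review  = -not ($fields[0] -in @('127.0.0.1', '::1'))
        }
    }
}

$entries = @(Get-HostsEntries)
if ($entries.Count -eq 0) {
    Write-Host 'No active entries in the hosts file (default state).'
} else {
    $entries | Format-Table -AutoSize
    $suspect = @($entries | Where-Object Review)
    if ($suspect.Count -gt 0) {
        Write-Warning ("{0} entry(ies) map names to non-loopback addresses; " +
                       "verify each one before removing it (see Line column)." -f $suspect.Count)
    }
}

# Step 5 of the article: clear the DNS client cache.
Clear-DnsClientCache
```

Remove a flagged line from the hosts file only after confirming the mapping is not one your organisation placed there deliberately.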