
Old files are being detected as Ransom Notes by the Trend Micro Security Agent

    • Updated: 31 Dec 2021
    • Product/Version: Apex One; Apex One All; OfficeScan XG; Worry-Free Business Security Advanced 10.0; Worry-Free Business Security Services 6.7; Worry-Free Business Security Standard 10.0
    • Platform:

This article answers the following question about the Ransom Note detections:

  • Why are old files from my machine/backups suddenly being detected as ransom notes?

In some cases, old ransom note files from previous ransomware infections might be accidentally restored from backups, or may have been sitting on the machine for a while without being scanned by Manual Scan or Scheduled Scan. Aside from this, there are also scenarios like those below:

  • Old ransom notes from older variants of ransomware may not have a specific detection pattern yet. This usually happens when a threat actor uses the Ransomware as a Service (RaaS) model to target and infect victims. Indicators of Compromise (IOCs) for these types of attacks should of course be detected by security vendors upon discovery. However, the contents of a RaaS ransom note may not always be consistent with the one created by the threat author. Because the tool is used by an entirely different entity who purchased or subscribed to it, that entity can create its own ransom note with its own contact information. If these notes have NOT been submitted as samples to security vendors, a pattern specific to these customized ransom notes might not be created until later, when a sample has been collected.
  • This also leads to panic and confusion among customers who were previously victims of a ransomware infection. If they were infected 2 years ago and suddenly get ransom note detections for the same variant of ransomware, it is natural for them to be alarmed. However, some very quick ways to identify whether you are infected are to:
    1. Check the path of the detection. This lets you know whether the directory has been recently restored from previous backups.
    2. Confirm whether encrypted files are present in the same folder as the ransom note.
    3. Check the ‘Date Created’ property of the file to verify when it was generated.
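
The three checks above can be run together against one detection path. The script below is an added example, not Trend Micro code; the parameter names `$DetectionPath` and `$RecentDays` and the sample path are assumptions, and the extension grouping is only a heuristic for spotting encrypted files.

```powershell
# Added example: triage one ransom-note detection using the three checks above.
# $DetectionPath and $RecentDays are hypothetical parameter names; the default
# path is a constructed placeholder, take the real one from the agent's log.
param(
    [string]$DetectionPath = 'D:\Restore\Finance\README_TO_DECRYPT.txt',  # constructed
    [int]$RecentDays = 7
)

$note   = Get-Item -LiteralPath $DetectionPath -Force -ErrorAction Stop
$cutoff = (Get-Date).AddDays(-$RecentDays)

# Checks 1 and 3: where the note lives and when it appeared there.
[pscustomobject]@{
    Folder           = $note.DirectoryName
    Created          = $note.CreationTime
    LastWritten      = $note.LastWriteTime
    # A creation time later than the last write usually means the file was
    # copied or restored into this folder after its content was written.
    CopiedOrRestored = $note.CreationTime -gt $note.LastWriteTime
    CreatedRecently  = $note.CreationTime -gt $cutoff
} | Format-List

# Check 2: look at the other files in the same folder as the note.
$siblings = @(Get-ChildItem -LiteralPath $note.DirectoryName -File -Force |
    Where-Object { $_.FullName -ne $note.FullName })

# Many files sharing one unfamiliar extension is a common sign of encryption
# (heuristic only; confirm by trying to open a few of them).
$siblings | Group-Object Extension | Sort-Object Count -Descending |
    Select-Object Count, Name, @{
        n = 'NewestWrite'
        e = { ($_.Group | Sort-Object LastWriteTime | Select-Object -Last 1).LastWriteTime }
    } | Format-Table -AutoSize

# Files rewritten inside the window point to current activity rather than an
# old note left over from a past infection or pulled back in by a restore.
$recent = @($siblings | Where-Object { $_.LastWriteTime -gt $cutoff })
'{0} of {1} sibling files were modified in the last {2} days' -f `
    $recent.Count, $siblings.Count, $RecentDays
```

An old note typically shows an old `LastWritten` value and no recently modified siblings; a `Created` value newer than `LastWritten` is consistent with a restore from backup.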