A ransomware note detection has been added to Trend Micro’s pattern file, and it may trigger ransomware alerts. However, customers need to be aware that these are remnants of old ransomware.
What we know:
- Trend Micro released Smart Scan Pattern version 16.283.00 on 14th October 2020
- The ransomware note detection that was added is specifically: Ransom.Win32.RANMSGHP.SMT2.note
- The behaviour of the ransomware detected as Ransom.Win32.RANMSGHP.SMT2.note is described in this KB article:
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/RANSOM_CRYPTESLA.CBQ1635/ (note, however, that this article pertains to a ransomware detection from 2016).
Actions to be taken:
- Make sure that the latest pattern is installed on all endpoints.
- We encourage administrators to trigger a manual scan / scheduled scan across all their endpoints (Note: For organizations with 4000+ endpoints, it is recommended to schedule the scanning to avoid performance issues.)
- For any endpoint that has this ransomware detection, check the timestamps of the files that may have been quarantined under C:\Program Files (x86)\Trend Micro\Security Agent (or OfficeScan Client)\Suspect\Backup\. If any quarantined files have a recent timestamp (October 2020), please check whether there are any other files in their original location. These remaining files need to be submitted to Trend Micro for further analysis.
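The timestamp check in the last step can be scripted per endpoint. The PowerShell below is an added example, not a Trend Micro tool: it lists the files in the quarantine backup folder named above and flags any that are recent. The cutoff of 1 October 2020, the use of both creation and last-write time, and the 32-bit fallback path are assumptions.

```powershell
# Added example: list quarantined files and flag recent ones for follow-up.
# Assumption: "recent" means created or modified on/after 1 October 2020.
param(
    [datetime]$Cutoff = [datetime]'2020-10-01'
)

# Build both folder variants mentioned in the advisory
# (Security Agent or OfficeScan Client).
$base = ${env:ProgramFiles(x86)}
if (-not $base) { $base = $env:ProgramFiles }   # assumption: 32-bit OS fallback
$candidates = 'Security Agent', 'OfficeScan Client' | ForEach-Object {
    Join-Path $base "Trend Micro\$_\Suspect\Backup"
}

$results = foreach ($dir in $candidates) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                File      = $_.FullName
                Created   = $_.CreationTime
                LastWrite = $_.LastWriteTime
                # Flag the file if either timestamp falls on or after the cutoff.
                Recent    = ($_.CreationTime -ge $Cutoff) -or
                            ($_.LastWriteTime -ge $Cutoff)
            }
        }
}

$results = @($results)
if ($results.Count -eq 0) {
    Write-Output "No quarantined files found on $env:COMPUTERNAME."
    return
}

# Full listing, oldest first, so old remnants and new items are easy to tell apart.
$results | Sort-Object LastWrite | Format-Table -AutoSize

$recent = @($results | Where-Object Recent)
if ($recent.Count -gt 0) {
    Write-Warning ("{0} quarantined file(s) dated on or after {1:yyyy-MM-dd}. " +
        "Check the original location for remaining files and submit them for analysis.") `
        -f $recent.Count, $Cutoff
}
```

An endpoint whose listing shows only old timestamps matches the "remnants of old ransomware" case described at the top of this notice.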
If you need assistance checking your endpoint estate and whether clean-up has been performed, please raise a ticket with our Support Team by sending an email to email@example.com