Hello:
Early Saturday morning, we received a notice of a possible ransomware attack originating from our 4 workstations with ProSeries installed. Sophos and our IT Company both believe this to be a false positive. However, out of an abundance of caution, we are looking for confirmation from ProSeries or the Community that these are legitimate files.
Provided below is the list of files that were detected as Ransomware:
Detection Generic.Ransom.X
1*D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023ZNC.xml
Overwritten L0, Read T4096 H4096|^45837|^b5565, Write T5120 H4893|^55318|^b6741 #1,r2,LN
2*D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023ZNC.xml
Opened L4893, Read T5120|100% H4893|^55406|^b6764 #2,w1,LN
3 D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023MSI.xml
Overwritten L0, Read T4096 H4096|^44589|^b5588, Write T4608 H4507|^49562|^b6129 #3,r4,LN
4 D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023MSI.xml
Opened L4507, Read T4608|100% H4507|^49697|^b6164 #4,w3,LN
5*D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023MNO.xml
Overwritten L0, Read T2048 H1554|^18315|^b2178, Write T2048 H1554|^18315|^b2178 #5,r6,LT
6*D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023MNO.xml
Opened L1554, Read T2048|100% H1554|^18304|^b2175 #6,w5,LT
7 D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023ZMN.xml
Overwritten L0, Read T4096 H4096|^46461|^b5887, Write T12800 H12661|^144551|^b18365 #7,r8,LN
8 D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023ZMN.xml
Opened L12661, Read T12800|100% H12661|^144788|^b18427 #8,w7,LN
9 D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023ZMI.xml
Overwritten L0, Read T4096 H4096|^47496|^b5623, Write T22528 H22498|^273509|^b32853 #9,r10,LN
10 D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023ZMI.xml
Opened L22498, Read T22528|100% H22498|^273578|^b32871 #10,w9,LN
11 D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023ZMD.xml
Overwritten L0, Read T4096 H4096|^48003|^b6040, Write T6144 H5707|^67048|^b8321 #11,r12,LN
12 D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023ZMD.xml
Opened L5707, Read T6144|100% H5707|^67250|^b8374 #12,w11,LN
13*D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023ZMA.xml
Overwritten L0, Read T4096 H4096|^47527|^b5927, Write T11264 H11080|^132998|^b16554 #13,r14,LN
14*D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023ZMA.xml
Opened L11080, Read T11264|100% H11080|^133028|^b16561 #14,w13,LN
15 D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023ZIL.xml
Overwritten L0, Read T4096 H4096|^47648|^b5912, Write T8192 H7734|^91937|^b11364 #15,r16,LN
16 D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023ZIL.xml
Opened L7734, Read T8192|100% H7734|^91953|^b11368 #16,w15,LN
19*D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023ZHI.xml
Overwritten L0, Read T4096 H4096|^46970|^b5689, Write T7680 H7366|^85832|^b10343 #19,r20,LN
20*D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023ZHI.xml
Opened L7366, Read T7680|100% H7366|^85947|^b10373, Write T7680|100% H7366|^85832|^b10343 #20,w19,LN
29*D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023ZCA.xml
Overwritten L0, Read T4096 H4096|^45954|^b5620, Write T23552 H23209|^267067|^b33281 #29,r30,LN
30*D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023ZCA.xml
Opened L23209, Read T23552|100% H23209|^267463|^b33385, Write T23552|100% H23209|^267067|^b33281 #30,w29,LN
Dropped Files
1 C:\Windows\system32\LogFiles\WMI\SUM.etl
Dropped by [4]
I don't use the Multi User version so I can't help there. But I would not mess around on here I would be calling Intuit and escalating this quickly. You don't want to mess around with potential Ransonware issues!!!
Call Intuit IMMEDIATELY!!!
Dusty
Sophos is known to have a high rate for false positive detection, if I recall.
Agree with @Dusty2 you'd want to get in touch with Intuit, who may be able to help you and if they determine that it's a false positive, they may even work with Sophos to update their database.
In the meantime, I'd also scan the file(s) identified on the VirusTotal website, which would give you consolidated results from multiple scanners: https://www.virustotal.com/gui/home/upload
Thanks @itonewbie and @Dusty2 I have been trying to contact Intuit all weekend but their support is down which is why I turned to the community. So my plan is to call them first thing tomorrow when they open after the holiday. If anyone has a live human I can contact at ProSeries before Tuesday I would love to have the number or e-mail.
Again 95% sure this is a false positive from Sophos, but I would like to be 100% certain.
I did find these older posts that suggest the presence of false positives, but nothing for 2023.
To date I have not (thankfully) had Ransomware on any of my PC's. I do run Malwarebytes regularly (free version). Checking their site it says it will find Ransomware before it actives. I don't know if it does or not.
I would suggest downloading it and running it on and PC's and Servers to make sure.
We have some VERY strict rules on E-mail (that is how most Ransomware is installed on PC's). NO ONE is allowed to access their personal e-mail on any of our equipment. All company email comes to one of 2 email accounts and both of us will not open ANYTHING if we are not expecting an email from that client. If we think it could be legitimate we will call the individual to assure that they sent it.
Dusty
@Dusty2 per cpa instructor at seminar, vast majority of viruses/malware,etc comes from emails. Also, good idea to only use business computer for business purposes only, and only go on business websites that are reliable.
You have clicked a link to a site outside of the Intuit Accountants Community. By clicking "Continue", you will leave the community and be taken to that site instead.