Solved

Malware: Affected all pdf files (CTB Locker?)

Posted on 2015-02-05
Last Modified: 2015-03-05
A client with a Win XP machine has problems with their accounts system (a UK software called Pegasus Opera). However, when my colleague who supports it looked more closely at the accounts system and the machine, they realised that all PDFs had been compromised, with a set of random characters added to the file extension, e.g. filename.pdf.ajajnhe (the same set of characters on all PDFs).

However, I don't know what state the accounts system is in. It won't start. I don't know anything about how it works. At one point the client told me he had seen an error message referring to CTB-Locker (CBT?), the ransomware, though no messages demanding money have appeared (yet). I have run Malwarebytes, twice; it has found about 30 or so items each time. I've run CCleaner. I've read articles saying to do these in safe mode? Will also run McAfee Stinger. Lots and lots about CTB (cbt) on the Web, but many solutions require downloading other (dodgy?) programs. Found this MS article, but in essence it is just saying to do a restore from a backup, rather than any repair attempt?

So, in summary, I have two related problems here: to sort out the actual malware (and hopefully the accounts system), then recover the PDFs.

All suggestions welcomed.
Question by:gerlis
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 40592567
The PDFs are history unless you pay the ransom, and since you cleaned out the stuff, these files can't be decrypted, so you have to restore from a backup or a shadow copy.
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 40592630
That is so if they are indeed encrypted. Have you tried making a copy of one and renaming?

Bulk renaming software is free and easy to use.
 
LVL 62

Accepted Solution

by:☠ MASQ ☠ (earned 500 total points)
ID: 40593044
This is typical behaviour of the current generation of CTB-Locker ransomware where file extensions are normally affected while the infection is active.  Do you have a sandbox environment you could place one of the .pdfs into to examine it outside of that machine's active partition?

Generally ransomware will target all data files (common Office extensions, JPGs and PDFs) but encrypt them sequentially, ignoring the file type, so with a typical infection all files of this type will be affected. If the infection is active (you'll probably need to boot to an AV scan disk such as Kaspersky's Rescue Disk to detect the active elements, as they are stealthed), then decryption of the files happens "on the fly", so the end user remains unaware that encryption is happening. If you move a file that will open OK on the affected machine to another machine and it appears encrypted there, this is a good indication of active ransomware infection. If the file still opens on a different machine, then this is not ransomware, or at least not a known variant.

CTB-Locker is a trojan, so the individual files are not an infection risk.

It's likely you will find the ransom demand in a My Documents folder, displayed when encryption is complete.

There is currently no means of recovering encrypted files, short of brute-force decryption (which, because of the key used, is not practical) or paying the ransom (which is not advised). If you have shadow copy enabled you may be able to recover undamaged files from that, but usually the only practical solution is to restore from backup.

Because of the nature of ransomware infections (i.e. trojans), it is user behaviour that needs modification more than physical changes to security, but there are some steps you can take to reduce the risk of infection.

See: http://www.foolishit.com/cryptolocker-prevention/

This will also account for your user's issues with Pegasus, as some of its data files will also be affected :(
 
LVL 1

Author Comment

by:gerlis
ID: 40593115
Thanks, all. This has helped me to better understand the situation. I will try making a copy of one and renaming, as suggested. On a different machine.

I will also take a closer look at the Accounts software files.
 
LVL 1

Author Comment

by:gerlis
ID: 40593239
Found a file on the system called "Decrypt-All-Files-ajajnhe.txt"

Contains instructions, but they're a honey trap, surely?

------------------------------------------------------------------------------------

Your documents, photos, databases and other important files have been encrypted
with strongest encryption and unique key, generated for this computer.

Private decryption key is stored on a secret Internet server and nobody can
decrypt your files until you pay and obtain the private key.

If you see the main locker window, follow the instructions on the locker.
Overwise, it's seems that you or your antivirus deleted the locker program.
Now you have the last chance to decrypt your files.

Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org
in your browser. They are public gates to the secret server.

If you have problems with gates, use direct connection:

1. Download Tor Browser from http://torproject.org

2. In the Tor Browser open the http://jssestaew3e7ao3q.onion/
   Note that this server is available via Tor Browser only.
   Retry in 1 hour if site is not reachable.

Copy and paste the following public key in the input form on server. Avoid missprints.
RWQURWM-S7AMEV7-42YABP3-L3ES4RT-GX4BDFW-IIDBWDO-KBMDYY2-3DE4MJR
YOWLANT-CTCEGYX-LXNNNSK-XHYWWOZ-VOZEH7J-K2CFD6M-S7ECSSH-246KU6X
OKMO4UC-WXGHOQC-LG63FBY-EIMXIBU-EN67TOT-F3RU6ZI-LB3SUBK-7ZYJOVY


Follow the instructions on the server.
 
LVL 1

Author Comment

by:gerlis
ID: 40593305
I copied one of the infected PDFs to another machine (in effect sandboxed it as suggested), renamed it to remove the dodgy extension and tried to open it in Acrobat, no joy.

Been checking it out and all of the .DBF (database) files which relate to the accounts system have also been infected, plus Word files and I suspect most, if not all, Office files on the system.

I think this machine is beyond repair and is well-ransom-wared!
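A defender-side version of the check MASQ describes above (does the file still open elsewhere?) and of the asker's rename-and-open attempt, as an added example that is not code from the thread: it groups files carrying an appended suffix and reports whether the original format's header survives (renamed only) or the content is near-uniform (encrypted). The `.ajajnhe` suffix, the magic bytes, the DBF version bytes and the 7.5 bits-per-byte threshold are assumptions, and the sample files are constructed.

```python
import hashlib, math, re
from collections import Counter

# Magic bytes for formats the thread mentions (PDF, legacy Word, OOXML); assumed values.
MAGIC = {".pdf": b"%PDF", ".doc": b"\xd0\xcf\x11\xe0", ".docx": b"PK\x03\x04"}
# DBF has no fixed signature, only a version byte (dBase III/IV, FoxPro variants).
DBF_VERSION_BYTES = {0x02, 0x03, 0x30, 0x31, 0x83, 0x8B, 0xF5}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext approaches 8.0, real documents sit well lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def split_double_ext(name: str):
    """'invoice.pdf.ajajnhe' -> ('.pdf', '.ajajnhe'); None if nothing was appended."""
    m = re.match(r"^.+?(\.[A-Za-z0-9]{2,5})(\.[A-Za-z0-9]{5,10})$", name)
    return (m.group(1).lower(), m.group(2).lower()) if m else None

def classify(name: str, data: bytes) -> str:
    """'intact' = renamed only, so renaming back works; 'encrypted' = header gone."""
    parts = split_double_ext(name)
    if parts is None:
        return "no-appended-extension"
    orig_ext, _suffix = parts
    if orig_ext in MAGIC and data.startswith(MAGIC[orig_ext]):
        return "intact"
    if orig_ext == ".dbf" and data and data[0] in DBF_VERSION_BYTES:
        return "intact"
    # Only the first 4 KiB is needed; ciphertext is near-uniform, documents are not.
    return "encrypted" if shannon_entropy(data[:4096]) > 7.5 else "unknown"

def triage(files):
    """files: iterable of (name, bytes) read from a mounted copy of the disk.
    Returns {appended suffix: Counter of verdicts}, so one suffix across formats stands out."""
    report = {}
    for name, data in files:
        parts = split_double_ext(name)
        report.setdefault(parts[1] if parts else "(none)", Counter())[classify(name, data)] += 1
    return report

# Constructed samples standing in for the thread's renamed files (not real data).
CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
SAMPLES = [
    ("invoice.pdf.ajajnhe", CIPHERTEXT),                       # encrypted PDF
    ("ledger.dbf.ajajnhe", CIPHERTEXT),                        # encrypted accounts .DBF
    ("memo.doc.ajajnhe", b"\xd0\xcf\x11\xe0" + b"\x00" * 64),  # renamed but intact
    ("readme.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),          # untouched
]
```

Run it against files copied off the affected disk, not on the live machine: while the trojan is active its on-the-fly decryption would make everything look intact.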
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 40593401
Yes, pretty much as in the screenshot above. Each infection generates a different key.
Hopefully you have backups.

As far as "honey trap" goes: not really, just a means to anonymously extract Bitcoin ransoms. You enter the public key and a bot server somewhere gives you a chance to transfer ฿ and then provides a private key to decrypt (you need to put the Trojan back on the machine to do this). Bizarrely, it's in the criminal's interest to ensure that the decryption works, to "encourage" other victims to pay up. (And no, I'm not recommending this as a solution!)
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 40593780
Yes, if you are encrypted then your only choices are to pay or to restore from backup. Be careful with the pay option. For instance, is your data worth what they are asking? Last I heard it was 10 bitcoins, which according to today's calculations is 222.91 USD/bitcoin, or 2229.10 USD. If it has gone up, feel free to use the bitcoin calculator to figure your damage:

http://preev.com/
 
LVL 1

Author Comment

by:gerlis
ID: 40601436
He has a backup (hard drive), albeit dating from October last year. So we're going to take a look at that. Also upgrade his Win XP machine to Win 7, or persuade him to buy a new PC. We'll then see what we can restore.
 
LVL 59

Expert Comment

by:LeeTutor
ID: 40645618
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 40645168
Will wait to hear from asker but think there's enough here to accept comments.
 
LVL 1

Author Comment

by:gerlis
ID: 40645596
Apologies for not responding. In the end he purchased a new PC and we restored as much as we could from his 4 month old backup.

No attempt was made to repair the original infected machine: far too much risk, and no certainty that 1. it would work and 2. we wouldn't lose money.

Thanks to all who offered help.
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 40645619
There are 2 answers that are applicable. Restore from backup is the only one that works. Suggest MASQ's answer (ID: 40593044) be accepted.
