Solved

Malware: Affected all pdf files (CTB Locker?)

Posted on 2015-02-05
Last Modified: 2015-03-05
A client with a Win XP machine has problems with their accounts system (a UK software package called Pegasus Opera). However, when my colleague who supports it looked more closely at the accounts system and the machine, he realised that all PDFs had been compromised with an added set of random characters on the file extension, e.g. filename.pdf.ajajnhe (the same set of characters on all PDFs).

However, I don't know what state the accounts system is in. It won't start. I don't know anything about how it works. At one point the client told me he had seen an error message referring to CTB-Locker (CBT?), the ransomware, though no messages demanding money have appeared (yet). I have run Malwarebytes, twice; it has found about 30 or so items each time. I've run CCleaner. I've read articles saying to do these in safe mode? Will also run McAfee Stinger. Lots and lots about CTB (CBT) on the Web, but many solutions require downloading other (dodgy?) programs. Found this MS article, but in essence it is just saying to do a restore from a backup, rather than any repair attempt?

So, in summary, I have two related problems here: to sort out the actual malware (and hopefully the accounts system), then recover the PDFs.

All suggestions welcomed.
Question by: gerlis
14 Comments

Expert Comment by: David Johnson, CD, MVP (ID: 40592567)

The PDFs are history unless you pay the ransom, and since you cleaned out the stuff, these files can't be decrypted, so you have to restore from a backup or a shadow copy.

Expert Comment by: Thomas Zucker-Scharff (ID: 40592630)

That is so if they are indeed encrypted. Have you tried making a copy of one and renaming?

Bulk renaming software is free and easy to use.

Accepted Solution by: ☠ MASQ ☠ (earned 500 total points; ID: 40593044)

This is typical behaviour of the current generation of CTB-Locker ransomware, where file extensions are normally affected while the infection is active. Do you have a sandbox environment you could place one of the .pdfs into to examine it outside of that machine's active partition?

Generally ransomware will target all data files (common Office extensions, JPGs and PDFs) but encrypt them sequentially, ignoring the file type, so with a typical infection all files of this type will be affected. If the infection is active (you'll probably need to boot to an AV scan disk such as Kaspersky's Rescue Disk to detect the active elements, as they are stealthed) then decryption of the files happens "on the fly", so the end user remains unaware that encryption is happening. If you move a file that will open OK on the affected machine to another machine and it appears encrypted there, this is a good indication of an active ransomware infection. If the file still opens on a different machine then this is not ransomware, or at least not a known variant.

CTB-Locker is a trojan, so the individual files are not an infection risk.

It's likely you will find the ransom demand in a My Documents folder.
(Screenshot: CTB-Locker ransom demand, displayed when encryption is complete)

There is currently no means of recovering encrypted files short of brute-force decryption, which because of the key used is not practical, or paying the ransom, which is not advised. If you have shadow copy enabled you may be able to recover undamaged files from that, but usually the only practical solution is to restore from backup.

Because of the nature of ransomware infections (i.e. Trojans) it is user behaviour that needs modification more than physical changes to security, but there are some steps you can take to reduce the risk of infection.

See: http://www.foolishit.com/cryptolocker-prevention/

This will also account for your user's issues with Pegasus, as some of its data files will also be affected :(
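The test described in the accepted answer (copy a suspect file off the infected box, strip the appended extension, see whether it is still a valid PDF) can be scripted so that a whole folder is checked at once. The script below is an added example written for this page, not code from the thread, from Pegasus or from any AV vendor. It generalises the check beyond PDFs to the DBF and Office files the thread mentions: a file whose expected header (`%PDF-`, the OLE2 or zip signature, or a dBase version byte) is intact is reported as merely renamed, a file whose header is gone and whose bytes are near 8 bits of entropy per byte is reported as encrypted, and files are grouped by the appended suffix so you can see that one key (one suffix such as `ajajnhe`) hit everything. The 4 KiB sample size, the 7.5-bit entropy threshold and the suffix pattern (a run of letters after a known extension) are assumptions of this example; the sample files it creates are constructed stand-ins with `os.urandom` standing in for ciphertext, not real victim data. Run it on a clean machine against copies, never on the infected host.

```python
"""Triage of files that may have been encrypted by ransomware such as CTB-Locker.

Added example (not from the original thread). Decides whether a file such as
invoice.pdf.ajajnhe is ciphertext or only renamed, groups victims by the appended
suffix and looks for the Decrypt-All-Files-*.txt note. Run on a clean machine.
"""
import math
import os
import re
import shutil
import tempfile
from collections import Counter, defaultdict

# Expected leading bytes for the inner (original) extension. Assumption: the
# victim data is PDF, DBF (Pegasus Opera tables) and Office documents.
MAGIC = {
    ".pdf":  [b"%PDF-"],
    ".doc":  [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],  # OLE2 compound document
    ".xls":  [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],
    ".docx": [b"PK\x03\x04"],                         # OOXML is a zip container
    ".xlsx": [b"PK\x03\x04"],
    ".jpg":  [b"\xff\xd8\xff"],
}
DBF_VERSION_BYTES = {0x02, 0x03, 0x30, 0x31, 0x83, 0x8b, 0xf5}  # dBase/FoxPro byte 0
KNOWN_EXT = set(MAGIC) | {".dbf"}
ENTROPY_THRESHOLD = 7.5   # bits per byte (assumption); ciphertext sits near 8.0
SAMPLE_BYTES = 4096       # only the head of each file is read

def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def split_suffix(name: str):
    """'invoice.pdf.ajajnhe' -> ('invoice.pdf', '.pdf', 'ajajnhe'); untouched -> suffix None."""
    m = re.fullmatch(r"(.*(\.[A-Za-z0-9]{1,5}))\.([A-Za-z0-9]{4,12})", name)
    if m and m.group(2).lower() in KNOWN_EXT:
        return m.group(1), m.group(2).lower(), m.group(3)
    return name, os.path.splitext(name)[1].lower(), None

def header_matches(inner_ext: str, head: bytes) -> bool:
    if inner_ext == ".dbf":
        return bool(head) and head[0] in DBF_VERSION_BYTES
    return any(head.startswith(sig) for sig in MAGIC.get(inner_ext, []))

def classify_file(path: str) -> dict:
    with open(path, "rb") as f:
        data = f.read(SAMPLE_BYTES)
    name = os.path.basename(path)
    original, inner_ext, suffix = split_suffix(name)
    head_ok = header_matches(inner_ext, data[:16])
    entropy = shannon_entropy(data)
    if inner_ext not in KNOWN_EXT:
        verdict = "not-checked"       # no signature known for this type
    elif head_ok:
        verdict = "intact"            # renaming back is enough
    elif entropy >= ENTROPY_THRESHOLD:
        verdict = "encrypted"         # header gone, body looks random: restore from backup
    else:
        verdict = "damaged-or-unknown"
    return {"file": name, "original": original, "suffix": suffix,
            "header_ok": head_ok, "entropy": round(entropy, 2), "verdict": verdict}

def triage(directory: str):
    names = sorted(os.listdir(directory))
    results = [classify_file(os.path.join(directory, n)) for n in names]
    by_suffix = defaultdict(list)
    for r in results:
        if r["suffix"]:
            by_suffix[r["suffix"]].append(r["file"])
    notes = [n for n in names if n.lower().startswith("decrypt-all-files")]
    return results, dict(by_suffix), notes

def build_sample_dir(directory: str) -> None:
    """Constructed stand-ins, not real victim data: os.urandom plays the ciphertext."""
    samples = {
        "invoice.pdf.ajajnhe": os.urandom(SAMPLE_BYTES),
        "ledger.dbf.ajajnhe":  os.urandom(SAMPLE_BYTES),
        "memo.doc.ajajnhe":    os.urandom(SAMPLE_BYTES),
        "renamed-only.pdf.ajajnhe": b"%PDF-1.4\n" + b"obj " * 200,  # header still there
        "clean.xlsx": b"PK\x03\x04" + bytes(500),
        "stock.dbf": b"\x03" + bytes(31) + b"A" * 300,
        "Decrypt-All-Files-ajajnhe.txt": b"Your documents ... have been encrypted\n",
    }
    for name, content in samples.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(content)

def demo():
    """Build the constructed sample folder in a temp dir, triage it, clean up."""
    tmp = tempfile.mkdtemp(prefix="ctb-triage-")
    try:
        build_sample_dir(tmp)
        return triage(tmp)
    finally:
        shutil.rmtree(tmp)

if __name__ == "__main__":
    results, by_suffix, notes = demo()
    for r in results:
        print(f"{r['file']:32} {r['verdict']:20} entropy={r['entropy']}")
    print("appended suffixes:", {k: len(v) for k, v in by_suffix.items()})
    print("ransom notes:", notes)
```

To use it on real copies, call `triage("/path/to/copied/files")` instead of `demo()`. An "intact" verdict means the bytes are still the original document and renaming is all that is needed; "encrypted" is the case the thread ends up in, where the only realistic route is the backup. Note that a high-entropy header on its own is not proof of a particular family; it only tells you the content is no longer the document it claims to be.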

Author Comment by: gerlis (ID: 40593115)

Thanks, all. This has helped me to better understand the situation. I will try making a copy of one and renaming, as suggested. On a different machine.

I will also take a closer look at the Accounts software files.

Author Comment by: gerlis (ID: 40593239)
Found a file on the system called "Decrypt-All-Files-ajajnhe.txt"

Contains instructions, but they're a honey trap, surely?

------------------------------------------------------------------------------------

Your documents, photos, databases and other important files have been encrypted
with strongest encryption and unique key, generated for this computer.

Private decryption key is stored on a secret Internet server and nobody can
decrypt your files until you pay and obtain the private key.

If you see the main locker window, follow the instructions on the locker.
Overwise, it's seems that you or your antivirus deleted the locker program.
Now you have the last chance to decrypt your files.

Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org 
in your browser. They are public gates to the secret server.

If you have problems with gates, use direct connection:

1. Download Tor Browser from http://torproject.org

2. In the Tor Browser open the http://jssestaew3e7ao3q.onion/
   Note that this server is available via Tor Browser only.
   Retry in 1 hour if site is not reachable.

Copy and paste the following public key in the input form on server. Avoid missprints.
RWQURWM-S7AMEV7-42YABP3-L3ES4RT-GX4BDFW-IIDBWDO-KBMDYY2-3DE4MJR
YOWLANT-CTCEGYX-LXNNNSK-XHYWWOZ-VOZEH7J-K2CFD6M-S7ECSSH-246KU6X
OKMO4UC-WXGHOQC-LG63FBY-EIMXIBU-EN67TOT-F3RU6ZI-LB3SUBK-7ZYJOVY


Follow the instructions on the server.

Author Comment by: gerlis (ID: 40593305)

I copied one of the infected PDFs to another machine (in effect sandboxed it, as suggested), renamed it to remove the dodgy extension and tried to open it in Acrobat. No joy.

Been checking it out, and all of the .DBF (database) files which relate to the accounts system have also been infected, plus Word files and I suspect most, if not all, Office files on the system.

I think this machine is beyond repair and is well-ransomwared!

Expert Comment by: ☠ MASQ ☠ (ID: 40593401)

Yes, pretty much as in the screenshot above. Each infection generates a different key.
Hopefully you have backups.

As far as a honey trap goes, not really; it's just a means to anonymously extract Bitcoin ransoms. You enter the public key and a bot server somewhere gives you a chance to transfer ฿ and then provides a private key to decrypt (you need to put the Trojan back on the machine to do this). Bizarrely, it's in the criminals' interest to ensure that the decryption works, to "encourage" other victims to pay up. (And no, I'm not recommending this as a solution!)

Expert Comment by: Thomas Zucker-Scharff (ID: 40593780)

Yes, if you are encrypted then your only choices are pay or restore from backup. Be careful with the pay option. For instance, is your data worth what they are asking? Last I heard it was 10 bitcoins, which according to today's calculations is 222.91 USD/bitcoin, or 2229.10 USD. If it has gone up, feel free to use the bitcoin calculator to figure your damage:

http://preev.com/

Author Comment by: gerlis (ID: 40601436)

He has a backup (hard drive), albeit dating from October last year. So we're going to take a look at that. Also upgrade his Win XP machine to Win 7 or persuade him to buy a new PC. We'll then see what we can restore.

Expert Comment by: LeeTutor (ID: 40645618)

I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.

Expert Comment by: ☠ MASQ ☠ (ID: 40645168)

Will wait to hear from asker but think there's enough here to accept comments.

Author Comment by: gerlis (ID: 40645596)

Apologies for not responding. In the end he purchased a new PC and we restored as much as we could from his 4-month-old backup.

No attempt was made to repair the original infected machine: far too much risk and no certainty that 1. it would work and 2. we wouldn't lose money.

Thanks to all who offered help.

Expert Comment by: David Johnson, CD, MVP (ID: 40645619)

There are 2 answers that are applicable. Restore from backup is the only one that works. Suggest MASQ's answer be accepted: ID: 40593044