Solved

Is this the result of ransomware?

Posted on 2015-02-23
8
1,990 Views
1 Endorsement
Last Modified: 2015-02-24
A client contacted me today with what I suspect is an infection with ransomware.  Most of the documents (doc, xls, and pdf for example) on the server have ".ecc" added to the file name and they cannot be opened by the standard program.  For example, I renamed a file named abc.doc.ecc to abc.doc and Word says it cannot recognize the format of the file.  The time stamps on all of the files span about a half hour from this afternoon.

An interesting quirk is that the outlook.pst files were not hit while the archive.pst files were.  I'm suspecting that it is the large size of the outlook.pst files that caused them to be skipped.  I did notice a smaller (75k) outlook.pst file that was hit.

No one has reported getting a screen about what was done and how to pay the ransom, but that could be for a variety of reasons.  I'm expecting that it will be seen tomorrow.

The server has Trend Micro Worry-Free Business running on it and all computers on the network should have the client for it.  Nearly all workstations are running Windows 7 though there may be one or two on XP.  The server is running Windows Server 2003.  Initial scans on the server don't show any sign of infection on it.

The good news is that it appears that we have a good backup.  I had the server disconnect from the external backup drive to ensure that nothing more happens to it.

My plan is as follows:
1)  Look at each computer (there are about a dozen of them), check the local Documents folder for .ECC files.  If I find them, that computer is the likely source of the infection.  As originally set up, there was no sharing of local folders.
2)  Scan all of the computers and clean up anything that I find.
3)  After the source is found and cleaned, restore the backup.
4)  Educate the users about how this may have happened.

I didn't find anything online about any virus specifically adding ".ECC" to the file name, but everything else fits with what I have seen with a ransomware infection.

I have two questions here:
1)  Do you agree that this is a virus/ransomware?
2)  Would you recommend anything different in my approach to resolving it?
1
Comment
Question by:CompProbSolv
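For step 1 of the plan (finding where the ".ecc" files are and which account wrote them), here is a PowerShell triage script. It is an added example, not code from the question or from any of the answers, and the share path is an assumption: point it at the server share, or at C:\Users\*\Documents on each workstation. It walks the tree, reports the time window of the renamed files, groups them by NTFS owner (the owner of a file written by the encrypting process is normally the account the malware ran under, which points at the workstation to isolate first), and lists the folders that hold hits.

```powershell
# Added example, not code from the thread: triage a folder tree for files ending in
# the suffix the question reports (".ecc"), print the time window of the renames,
# group the hits by NTFS owner, and list the folders they sit in.
# The share path below is an assumption; replace it with the real share, or with
# C:\Users\*\Documents when run on a workstation.

param(
    [string]$Root   = '\\SERVER\Shared',   # assumed path, replace with the real one
    [string]$Suffix = '.ecc'               # appended extension reported in the question
)

function Get-EncryptedFileReport {
    param([string]$Path, [string]$Ext)

    # -Force includes hidden files; SilentlyContinue keeps access-denied folders
    # from aborting the walk. Runs on PowerShell 2.0 (Windows 7 / Server 2003).
    $hits = @(Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Name.ToLower().EndsWith($Ext.ToLower()) })

    if ($hits.Count -eq 0) {
        Write-Output "No files ending in $Ext under $Path"
        return
    }

    # Time window: the question reports all stamps within about half an hour.
    $sorted = @($hits | Sort-Object LastWriteTime)
    Write-Output ("{0} files ending in {1} under {2}" -f $hits.Count, $Ext, $Path)
    Write-Output ("First stamp : {0}" -f $sorted[0].LastWriteTime)
    Write-Output ("Last stamp  : {0}" -f $sorted[-1].LastWriteTime)

    # Group by NTFS owner; entries whose ACL cannot be read are counted as 'unknown'.
    # The owner is normally the account the encrypting process ran under.
    $byOwner = @{}
    foreach ($f in $hits) {
        $owner = 'unknown'
        try { $owner = (Get-Acl -Path $f.FullName -ErrorAction Stop).Owner } catch { }
        if ($byOwner.ContainsKey($owner)) { $byOwner[$owner]++ } else { $byOwner[$owner] = 1 }
    }
    Write-Output 'Encrypted files by owner (highest first):'
    $byOwner.GetEnumerator() | Sort-Object Value -Descending |
        ForEach-Object { Write-Output ("  {0,6}  {1}" -f $_.Value, $_.Key) }

    # Distinct folders holding hits: the places to check for dropped ransom-note
    # files and the scope of the restore from backup.
    Write-Output 'Folders containing encrypted files:'
    $hits | ForEach-Object { $_.DirectoryName } | Sort-Object -Unique |
        ForEach-Object { Write-Output "  $_" }
}

Get-EncryptedFileReport -Path $Root -Ext $Suffix
```

Run it from an account that can read the share's ACLs; the owner column is the useful part, since a single account owning nearly all of the renamed files identifies the machine to disconnect before anything else is done.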
8 Comments
 
LVL 13

Accepted Solution

by:
akb earned 100 total points
ID: 40627351
It is almost certainly a virus. It only needs to be on one PC with mapped drives to the server. You need to locate the infected PC and remove the virus. That PC will almost certainly have popups on it telling you to pay a ransom.
The reason the Outlook files aren't infected is because they are open and locked in Outlook so the virus can't delete them.
You may find additional files in the infected folders telling you how to pay the ransom.
Your strategy for dealing with this is appropriate.
0
 
LVL 17

Assisted Solution

by:OriNetworks
OriNetworks earned 100 total points
ID: 40627365
The extension generated by the virus appears to be random, so that explains why you cannot find any reference to it. It typically takes some time for it to finish encrypting discovered files before it will let its presence be known. Your approach is appropriate.
0
 
LVL 13

Expert Comment

by:akb
ID: 40627369
It may be worth looking at your network switch and see if one PC is generating a lot of traffic. That could be the culprit PC.
Also, if the virus hasn't finished doing its job you may want to consider turning off the network switch so it can't continue to encrypt more files.
0
 
LVL 70

Assisted Solution

by:garycase
garycase earned 100 total points
ID: 40627393
Your approach is sound.    This is likely a CryptoLocker infection, which is very difficult to recover from without backups ... fortunately you have good backups, so if you get the infection removed you should be fine.

If it's a less severe form of Ransomware, you may be able to restore the files with Panda's Ransomware Decrypter [ http://www.pandasecurity.com/usa/homeusers/support/card/?id=1675&IdIdioma=1 ] => but from your description of the altered file names I don't think your infection is this simple.

The suggestions above to isolate all of your computers from each other until you identify the infected computer(s) are good ones.  The quicker you stop additional spreading of the infection, the less time it will take you to recover.
0
 
LVL 20

Author Comment

by:CompProbSolv
ID: 40627398
Thanks to all of you for your input.  I will be visiting this first thing in the morning.
0
 
LVL 62

Assisted Solution

by:☠ MASQ ☠
☠ MASQ ☠ earned 100 total points
ID: 40627467
Random file extensions are added by CTB-Locker, not Cryptolocker, and are a characteristic of the former. Although they are variants of each other, operate in much the same way, and the distinction is almost academic if you are infected, it is important because many Cryptolocker infections can now be recovered by reverse engineering, in much the same way as the Panda tool garycase describes works.

Having good back-ups as you describe is the best solution here once the systems are disinfected.  The important issue which may have been overlooked is that all Cryptolocker variants pose a network-wide risk as they index and encrypt any data file which is visible to the infection as a network share with read/write access - so there is a possibility that files on network shares on uninfected machines can also be at risk.

As a trojan, the infection itself is unable to spread from machine-to-machine.

The ransom note for CTB-Locker is created as a graphic within a My Documents file on the affected machine - usually (but not always) in the infected profile.  It contains the unique public key for decryption and it is this image that is displayed once the Trojan has completed indexing and encrypting files.

As akb points out, only unmounted .pst files can be encrypted, as mounted ones are locked for read/write access. There isn't a file size limit on encryption, but the code in some variants skips larger files, returning to them later, probably to ensure maximum damage.

Some more details on CTB-Locker are in my post here:
http:Q_28611326.html#a40593044

It includes a link to some of the preventative measures that can be put in place to reduce future risk, but as this is caused by a trojan infection, a lot of prevention is based on improving the safe behaviour of users.

So yes, yours is a good approach. Also check locations that infected machines have access to and incorporate simple preventative measures to reduce reinfection risk including end user education.
0
 
LVL 87

Assisted Solution

by:rindi
rindi earned 100 total points
ID: 40627686
It is also possible that the encryption process hasn't finished yet. It can take a long time, and the ransom note is only shown when everything has been finished. That could also be the reason your pst isn't encrypted yet (but that could also be because the file was open and in use by outlook).

As long as the process isn't finished, chances are good that you can recover the unencrypted files. Most ransomware copies the unencrypted files to a temporary location and deletes that after it has finished the encryption, so you can search for the original files in other locations. Besides that, you can probably look for previous versions via file properties. Those previous versions and shadow copies get deleted before the ransom note is shown, so once the encryption has finished and the note is shown, you can't use previous versions or look for the files in the temporary location anymore.
0
 
LVL 20

Author Comment

by:CompProbSolv
ID: 40629452
Thanks to all for the input.

I visited today and the situation was pretty clear.  Only one computer had the ransom note displayed and local files encrypted.  I isolated that computer and restored the files from the backup so only a day's work was lost.  I used robocopy to move the encrypted files to a separate folder just in case they were needed.  I expect to delete them shortly.

The virus had created Software Policies to prevent running programs in McAfee, Symantec, or TrendMicro folders.  I corrected that and was able to reinstall the TrendMicro agent.

I'm not sure how the initial infection occurred.  I didn't see any recent emails that looked suspicious.  The user didn't have any suggestions as to what he may have done to invite the infection.

I had looked at the machine earlier yesterday because the user reported that it was very sluggish.  I noted that it had a couple of files in startup that looked suspicious (semi-random names, location in Application Files) and I removed them from startup.  I installed and scanned with SuperAntiSpyware, rebooted, and left it with Malwarebytes scanning.  It was a few hours later that the encryption (based on file dates and times) occurred.

Thanks!
0
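Two read-only checks that follow from this thread, packaged as an added PowerShell example (not code from the question or from any of the answers) to run on the workstation identified as the source. The first lists Software Restriction Policy path rules and flags any that point at anti-malware folders: the author found "Software Policies" blocking McAfee, Symantec and Trend Micro folders, and the assumption here is that these were SRP path rules stored under the Safer registry key, which is where such rules live. The second lists the shadow copies still present on the machine, since rindi notes they are purged before the ransom note is shown; an empty list after an infection means Previous Versions will not recover anything. The vendor name patterns are illustrative.

```powershell
# Added example, not code from the thread: two read-only host checks.
# Check 1: Software Restriction Policy (SRP) path rules that block security software.
#          That the thread's "Software Policies" were SRP rules is an assumption.
# Check 2: shadow copies still present on the machine (Previous Versions source).

function Get-SrpPathRules {
    # SRP path rules are stored per security level: 0 = Disallowed, 262144 = Unrestricted.
    # Each rule is a GUID-named subkey whose ItemData value holds the path pattern.
    $levels = @{ '0' = 'Disallowed'; '262144' = 'Unrestricted' }
    foreach ($hive in @('HKLM:', 'HKCU:')) {
        foreach ($level in $levels.Keys) {
            $key = "$hive\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\$level\Paths"
            if (-not (Test-Path -Path $key)) { continue }
            foreach ($sub in (Get-ChildItem -Path $key)) {
                $props = Get-ItemProperty -Path $sub.PSPath
                New-Object PSObject -Property @{
                    Hive  = $hive.TrimEnd(':')
                    Level = $levels[$level]
                    Rule  = $sub.PSChildName
                    Path  = [string]$props.ItemData
                }
            }
        }
    }
}

function Test-SecuritySoftwarePath {
    param([string]$Path)
    # Illustrative folder-name fragments of common endpoint security products.
    $patterns = @('McAfee', 'Symantec', 'Trend Micro', 'TrendMicro', 'Malwarebytes', 'SUPERAntiSpyware')
    foreach ($p in $patterns) {
        if ($Path -match [regex]::Escape($p)) { return $true }   # -match is case-insensitive
    }
    return $false
}

Write-Output '== Software Restriction Policy path rules =='
$rules = @(Get-SrpPathRules)
if ($rules.Count -eq 0) { Write-Output '  none defined' }
foreach ($r in $rules) {
    $flag = ''
    if ($r.Level -eq 'Disallowed' -and (Test-SecuritySoftwarePath -Path $r.Path)) {
        $flag = '   <-- blocks a security product folder; remove the rule, then reinstall the agent'
    }
    Write-Output ("  [{0}] {1,-12} {2}{3}" -f $r.Hive, $r.Level, $r.Path, $flag)
}

Write-Output '== Shadow copies on this machine =='
$shadows = @(Get-WmiObject -Class Win32_ShadowCopy -ErrorAction SilentlyContinue)
if ($shadows.Count -eq 0) {
    Write-Output '  none present (Previous Versions cannot restore originals)'
}
foreach ($s in $shadows) {
    # InstallDate is a WMI datetime string; ConvertToDateTime is added by PowerShell.
    $created = $s.ConvertToDateTime($s.InstallDate)
    Write-Output ("  {0}  volume {1}" -f $created, $s.VolumeName)
}
```

Run it elevated so both hives and the VSS provider are readable. A Disallowed rule whose path names a security vendor folder is exactly the symptom described above and explains why the agent could not run until the policy was corrected; legitimate SRP deployments normally carry Unrestricted rules for the Windows and Program Files folders, so those should not be flagged.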
