Go-Bruins
asked on
Ransomware virus
ASKER
Thanks everyone. It was definitely not the wallpaper, and I traced the document(s) on the browser URL bar and deleted the files. The computer started up normally. I'm just curious as to what the "trigger" mechanism was to display those two files, as Msconfig didn't show anything in the Startup tab.
But, I'm going to take Rindi's advice and re-image. Best peace of mind that way.
This malware was particularly nasty. It encrypted everything, including stuff on the network drive (including the backup images!). If we did not have an offsite backup, we would have been in a world of hurt, for sure.
I think I remember reading that Hollywood Presbyterian Hospital was hit with a similar virus, and they actually paid the ransom, I believe.
I agree with Rindi - reimage is the best course of action. I would also suggest reading these articles (the first 2 are mine):
https://www.experts-exchange.com/articles/18086/Ransomware-Prevention-is-the-only-solution.html
https://www.experts-exchange.com/articles/20879/Ransomware-is-rampant-don't-be-caught-out.html
https://www.experts-exchange.com//articles/21199/Ransomware-Beware.html
And this will take you to my bibliography of ransomware links:
http://thomaszuckerscharff.com/ransomware-citation-library-from-zotero/
Agreed with everyone here that re-imaging is the best bet.
But to more fully answer your question:
The ransomware drops those "DECRYPT_INSTRUCTION" / "HELPDECRYPT" / etc. files all over the computer - specifically it puts it in the Startup folder in the start menu:
C:\Users\[yourusername]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Anything you put in this folder is launched automatically at startup, and since it is an HTML file that the ransomware dropped in there, it launches your web browser and shows that page.
MSCONFIG.EXE might have missed it. If you use a more sophisticated tool like SysInternals Autoruns it probably would have caught it and shown it to you.
These "ransom notes" are usually not actually malicious in and of themselves, but they are one example of the crap left behind by the malware. Who knows what else it has changed on the system, what files it has encrypted, and how much it has borked up in the process. Even if you remove the malicious code, you need to clean up the mess it made. Easiest thing is to re-install Windows to ensure you have undone all of the damage.
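The autostart locations this answer describes, as an added example that is not part of the original thread: the script lists both the per-user and the all-users Startup folder plus the Run/RunOnce registry keys (the other source MSCONFIG's Startup tab draws from) and flags entries that are documents rather than programs, which is exactly how a dropped HTML note ends up in the browser at every logon. Paths follow the Windows 7 layout quoted above; the ransom-note keyword list and the non-program extension set are my assumptions, not something the thread states, and the registry part only runs on Windows (it returns an empty list elsewhere).

```python
"""Added example (not from the original thread): enumerate the Startup folders
and Run/RunOnce keys that MSCONFIG summarises and flag entries that look like
dropped ransom notes rather than programs. Windows Vista/7+ folder layout."""
import os
import re
from pathlib import Path

# A document in a Startup folder is opened by its associated application at
# logon; that is how an HTML ransom note shows up in the browser on every boot.
NON_PROGRAM_EXT = {".html", ".htm", ".txt", ".png", ".bmp", ".jpg", ".url", ".rtf"}
# Keywords commonly seen in ransom-note file names (assumption; extend as needed).
NOTE_NAME_RE = re.compile(r"DECRYPT|RECOVER|RESTORE|HELP|INSTRUCTION|HOW_?TO|README", re.I)


def startup_folders(appdata=None, programdata=None):
    """Per-user and all-users Startup folders. Defaults come from the environment
    so the script resolves the right profile when run as the affected user."""
    appdata = appdata or os.environ.get("APPDATA", "")
    programdata = programdata or os.environ.get("ProgramData", "")
    tail = Path("Microsoft") / "Windows" / "Start Menu" / "Programs" / "Startup"
    return [Path(appdata) / tail, Path(programdata) / tail]


def classify_entry(name):
    """Return (suspicious, reason) for one file name found in an autostart folder."""
    stem, ext = Path(name).stem, Path(name).suffix.lower()
    if NOTE_NAME_RE.search(stem):
        return True, "name matches ransom-note pattern"
    if ext in NON_PROGRAM_EXT:
        return True, f"non-program file type {ext!r} in an autostart location"
    return False, ""


def scan_folder(folder):
    """List every file in one Startup folder with its classification."""
    folder = Path(folder)
    findings = []
    if not folder.is_dir():
        return findings
    for p in sorted(folder.iterdir()):
        if p.name == "desktop.ini":      # normal folder metadata, not an autostart entry
            continue
        suspicious, reason = classify_entry(p.name)
        findings.append({"path": str(p), "size": p.stat().st_size,
                         "suspicious": suspicious, "reason": reason})
    return findings


def scan_run_keys():
    """Run/RunOnce values for the current user and the machine. Windows only;
    returns [] on other platforms so the folder scan above still works."""
    try:
        import winreg
    except ImportError:
        return []
    hives = [(winreg.HKEY_CURRENT_USER, "HKCU"), (winreg.HKEY_LOCAL_MACHINE, "HKLM")]
    subkeys = [r"Software\Microsoft\Windows\CurrentVersion\Run",
               r"Software\Microsoft\Windows\CurrentVersion\RunOnce"]
    out = []
    for hive, label in hives:
        for sub in subkeys:
            try:
                key = winreg.OpenKey(hive, sub)
            except OSError:
                continue                 # key absent or not readable
            with key:
                i = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break            # no more values
                    out.append({"key": f"{label}\\{sub}", "name": name, "command": value})
                    i += 1
    return out


if __name__ == "__main__":
    for folder in startup_folders():
        for f in scan_folder(folder):
            flag = "!!" if f["suspicious"] else "  "
            print(f"{flag} {f['path']}  ({f['size']} bytes)  {f['reason']}")
    for r in scan_run_keys():
        print(f"   {r['key']} : {r['name']} = {r['command']}")
```

Run it as the user whose profile showed the notes; no elevation is needed for the folder scan or for reading the Run keys. This covers only the two sources MSCONFIG looks at; Autoruns' command-line version, autorunsc.exe, covers these and many more locations (scheduled tasks, services, Winlogon entries), which is why the answer recommends it over MSCONFIG.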
It is likely the RSA-4096 ransomware
http://www.bleepingcomputer.com/forums/t/599121/my-files-were-protected-by-a-strong-encryption-with-rsa-4096/
ASKER
Thanks for all the responses.
The M.O. was similar, but this strain of ransomware didn't change the file extensions. They remained as-is, but couldn't be opened.
It is interesting to note that there are ways to decrypt the files, although the article above suggests that the most recent strains cannot be decrypted.
The lesson to be learned here is that you have to have off-site backups, or at the very least, have a rotating backup system where one set isn't attached. Again - the code will encrypt even the *backup* files, so they become useless as well.
I'll not argue against off-site backups for a number of reasons, but this can be managed onsite, too. If the folder with the data files is shared, you can use a separate computer to back them up. If the backup computer keeps multiple copies of the files (journaling) and if you catch the infection before all of the old copies have been replaced, then you should have a good backup.
The assumption here is that the backup computer is not used for anything other than this backup process so the system will not get infected. It may back up infected files but they won't spread if they are just stored on the backup computer.
The other important point is that nothing is shared on the backup computer. You don't want any other computers accessing the backup computer. It "pulls" the files from other computers.
Of course, it would be even better to have an offsite backup from the backup computer.
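The pull-style, multi-copy backup this reply describes, as an added example that is not code from the thread: each run pulls the shared folder into a new dated snapshot directory on the backup computer, hard-linking files that are unchanged since the previous snapshot and copying only changed or new ones. Because the backup never writes into an existing snapshot, a file the ransomware has encrypted in the share shows up only in the new snapshot and the older copies survive. The source and backup paths and the time stamps in the demo are constructed; in real use the source would be a read-only mount of the share and the backup root a disk that is not exported anywhere.

```python
"""Added example (not from the original thread): pull-style snapshot backup
with hard links between snapshots, so that an encrypted original can never
overwrite the copy held by an older snapshot."""
import filecmp
import os
import shutil
from pathlib import Path


def latest_snapshot(root):
    """Most recent snapshot directory under root (names sort chronologically), or None."""
    root = Path(root)
    if not root.is_dir():
        return None
    names = sorted(p.name for p in root.iterdir() if p.is_dir())
    return root / names[-1] if names else None


def take_snapshot(src, root, stamp):
    """Pull src into root/stamp; returns (linked, copied) file counts."""
    src, dest = Path(src), Path(root) / stamp
    prev = latest_snapshot(root)
    if dest.exists():
        raise FileExistsError(f"snapshot {stamp} already exists")
    linked = copied = 0
    for dirpath, _, files in os.walk(src):
        rel = Path(dirpath).relative_to(src)
        (dest / rel).mkdir(parents=True, exist_ok=True)
        for name in files:
            s, d = Path(dirpath) / name, dest / rel / name
            p = prev / rel / name if prev else None
            # Compare content, not just size/mtime: some families restore timestamps.
            if p is not None and p.is_file() and filecmp.cmp(s, p, shallow=False):
                os.link(p, d)       # shares the inode with the older snapshot, no data copied
                linked += 1
            else:
                shutil.copy2(s, d)  # fresh inode; the older snapshot's copy is untouched
                copied += 1
    return linked, copied


def versions_of(root, relpath):
    """Every stored version of one file, oldest first: [(stamp, bytes), ...].
    Walk it backwards to find the last copy taken before the encryption ran."""
    root = Path(root)
    out = []
    for snap in sorted(p for p in root.iterdir() if p.is_dir()):
        f = snap / relpath
        if f.is_file():
            out.append((snap.name, f.read_bytes()))
    return out


if __name__ == "__main__":
    # Constructed demo data: two snapshots around a simulated encryption event.
    import tempfile
    base = Path(tempfile.mkdtemp())
    src = base / "share"
    (src / "docs").mkdir(parents=True)
    (src / "docs" / "report.txt").write_text("quarterly report")
    (src / "notes.txt").write_text("unchanged")
    print(take_snapshot(src, base / "backups", "2016-02-01"))
    (src / "docs" / "report.txt").write_text("ENCRYPTED-GARBAGE")   # simulated ransomware
    print(take_snapshot(src, base / "backups", "2016-02-02"))
    for stamp, data in versions_of(base / "backups", "docs/report.txt"):
        print(stamp, data)
```

The one thing not to do with a hard-linked snapshot tree is to sync "in place" into the latest snapshot with a tool that opens and truncates existing files: because the inode is shared, that would rewrite the copy in every older snapshot too, and an encrypted file would replace all of its history at once. Creating a new file for each changed path (as above, or as rsync does by writing a temporary file and renaming it) is what keeps the old versions intact.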
ASKER
Yes, all good points.
No doubts about the different MO, and we would expect more such variants to come up. Decryption and paying the ransom are not worth the victim even thinking about or acting on.
Backup recovery is the way out. The point of backup, at least to me, is that at a minimum those backups should not be stored on the same target machine. You can also consider the 3-2-1 strategy, meaning e.g. having at least 3 total copies of your data, 2 of which are local but on different media (read: devices), and at least 1 copy offsite. Thanks for sharing.
About backups. I too will never argue against off-site backups. My work uses Druva's inSync product currently with backup to our internal data center. The backup versioning goes back several months, where the restoration process is like this:
within the past 24 hours - backups every 15 minutes
within the past 7 days - backups every hour
After 2 weeks - once per month
There are 4 months worth of backups.
Before that we used Crashplan, which worked almost as well.
ASKER
I think the malware is gone, but something is telling my Windows 7 machine to display the .html and .png pages upon startup. I've looked into the "Startup" tab in Msconfig, but I'm not seeing anything.