Go-Bruins

asked on

Ransomware virus

Hi all,

I got hit with a variant of Ransomware. We were able to restore from offsite backup (thankfully), and we've run scans using Microsoft Security Essentials and Malwarebytes.

I think the malware is gone, but my computer still starts up with this screen:

[screenshot: the screen displayed at startup]
How do I remedy this? Thanks in advance.
SOLUTION
John

This solution is only available to members.
Go-Bruins

ASKER

Hi,

I think the malware is gone, but something is telling my Windows 7 machine to display the .html and .png pages upon startup. I've looked into the "Startup" tab in Msconfig, but I'm not seeing anything.
SOLUTION
CompProbSolv

This solution is only available to members.
ASKER CERTIFIED SOLUTION

This solution is only available to members.
Thanks everyone. It was definitely not the wallpaper, and I traced the document(s) on the browser URL bar and deleted the files. The computer started up normally. I'm just curious as to what the "trigger" mechanism was to display those two files, as Msconfig didn't show anything in the Startup tab.

But, I'm going to take Rindi's advice and re-image. Best peace of mind that way.

This malware was particularly nasty. It encrypted everything, including stuff on the network drive (including the backup images!). If we did not have an offsite backup, we would have been in a world of hurt, for sure.

I think I remember reading that Hollywood Presbyterian Hospital was hit with a similar virus, and they actually paid the ransom, I believe.
Agreed with everyone here that re-imaging is the best bet.

But to more fully answer your question:

The ransomware drops those "DECRYPT_INSTRUCTION" / "HELPDECRYPT" / etc. files all over the computer - specifically, it puts them in the Startup folder in the Start menu:

C:\Users\[yourusername]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Anything you put in this folder is launched automatically at startup, and since it is an HTML file that the ransomware dropped in there, it launches your web browser and shows that page.

MSCONFIG.EXE might have missed it. If you use a more sophisticated tool like SysInternals Autoruns it probably would have caught it and shown it to you.

These "ransom notes" are usually not actually malicious in and of themselves, but they're one example of the crap left behind by the malware. Who knows what else it has changed on the system, what files it has encrypted, and how much it has borked up in the process. Even if you remove the malicious code, you need to clean up the mess it made. Easiest thing is to re-install Windows to ensure you have undone all of the damage.
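As an added example (not code from this thread), here is a read-only PowerShell check of the autostart locations the answer above describes: both Startup folders and the Run registry keys, flagging any document-type entry that should never need to launch at logon. The note-name fragments other than DECRYPT / HELPDECRYPT are assumptions, not names from the thread.

```powershell
# Added example, not from the thread: list the autostart locations MSCONFIG's
# Startup tab may not fully show and flag document-type entries such as the
# DECRYPT_INSTRUCTION / HELPDECRYPT notes described above. Read-only: reports only.

# Resolve both Startup folders through the shell so folder redirection is honoured.
$startupFolders = @(
    [Environment]::GetFolderPath('Startup')        # per-user folder named in the thread
    [Environment]::GetFolderPath('CommonStartup')  # all-users folder
)

# Registry Run keys, the other common autostart location (per-user and machine-wide).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# A ransom note is a document, not a program; nothing with these extensions needs
# to launch at logon. DECRYPT/HELPDECRYPT come from the thread; the rest are assumed.
$documentExt = '.html', '.htm', '.txt', '.png', '.bmp', '.url'
$notePattern = 'DECRYPT|HELP_?DECRYPT|RECOVER|RESTORE'

$findings = @(foreach ($folder in $startupFolders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }
    Get-ChildItem -LiteralPath $folder -File -Force | ForEach-Object {
        [pscustomobject]@{
            Location   = $folder
            Entry      = $_.Name
            Suspicious = ($documentExt -contains $_.Extension.ToLower()) -or ($_.BaseName -match $notePattern)
        }
    }
})

$findings += @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the registry provider's own PS* metadata properties
        [pscustomobject]@{
            Location   = $key
            Entry      = "$($p.Name) = $($p.Value)"
            Suspicious = ($p.Value -match '\.(html?|txt|png|bmp)\b') -or ($p.Value -match $notePattern)
        }
    }
})

# Suspicious entries first; review each one before removing anything.
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Autoruns covers many more locations (services, scheduled tasks, shell extensions); this only shows the two the thread names plus the Run keys, so an empty result here is not a clean bill of health.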
Thanks for all the responses.

The M.O. was similar, but this strain of ransomware didn't change the file extensions. They remained as-is, but couldn't be opened.

It is interesting to note that there are ways to decrypt the files, although the article above suggests that the most recent strains cannot be decrypted.

The lesson to be learned here is that you have to have off-site backups, or at the very least, have a rotating backup system where one set isn't attached. Again - the code will encrypt even the *backup* files, so they become useless as well.
I'll not argue against off-site backups for a number of reasons, but this can be managed onsite, too.  If the folder with the data files is shared, you can use a separate computer to back them up.  If the backup computer keeps multiple copies of the files (journaling) and if you catch the infection before all of the old copies have been replaced, then you should have a good backup.

The assumption here is that the backup computer is not used for anything other than this backup process so the system will not get infected.  It may back up infected files but they won't spread if they are just stored on the backup computer.

The other important point is that nothing is shared on the backup computer.  You don't want any other computers accessing the backup computer.  It "pulls" the files from other computers.

Of course, it would be even better to have an offsite backup from the backup computer.
Yes, all good points.
No doubts about the different MO, and we would expect more such variants coming up. The point of decryption and paying the ransom is not worth a victim even thinking about or acting on.

Backup recovery is the way out. The point of backup, at least to me, is minimally that those backups should not be stored on the same target backup machine. Also you can consider the 3-2-1 strategy, meaning e.g. having at least 3 total copies of your data, 2 of which are local but on different mediums (read: devices), and at least 1 copy offsite. Thanks for sharing.
About backups. I too will never argue against off-site backups. My work uses Druva's inSync product currently with backup to our internal data center. The backup versioning goes back several months, where the restoration process is like this:

Within the past 24 hours - backups every 15 minutes
Within the past 7 days - backups every hour
After 2 weeks - once per month

There are 4 months worth of backups.

Before that we used Crashplan, which worked almost as well.