Solved

Yet another Ransomware

Posted on 2016-09-21
145 Views
1 Endorsement
Last Modified: 2016-10-01
Client got the message below.

How can I be getting this issue with Sophos installed?

Is there a fix for us?

Cjoego


ATTENTION!

All your documents, photos, databases and other important personal files
were encrypted using strong RSA-1024 algorithm with a unique key.
To restore your files you have to pay 0.51076 BTC (bitcoins).
Please follow this manual:

1. Create Bitcoin wallet here:

      https://blockchain.info/wallet/new

2. Buy 0.51076 BTC with cash, using search here:

      https://localbitcoins.com/buy_bitcoins

3. Send 0.51076 BTC to this Bitcoin address:

      1CRudcpAotySaypEw3WziApYuqYR6KXrjQ

4. Open one of the following links in your browser to download decryptor:


5. Run decryptor to restore your files.

PLEASE REMEMBER:

      - If you do not pay in 3 days YOU LOSE ALL YOUR FILES.
      - Nobody can help you except us.
      - It's useless to reinstall Windows, update antivirus software, etc.
      - Your files can be decrypted only after you make payment.
      - You can find this manual on your desktop (DECRYPT.txt).
Question by: Joseph Salazar
13 Comments
 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 41809548
If the information is encrypted like the message specifies... if that is true... the solution is to restore that data from a backup. It is not feasible to fight against such strong encryption once it has been applied.

How could it have happened if Sophos was installed? Maybe a user was surfing the web and accepted malicious code somehow, or opened an email with something malicious in it. In conclusion, it usually happens with some user interaction and 'approval' of the bad process. :(
0
 

Author Comment

by:Joseph Salazar
ID: 41809552
Just logged into the computer and Sophos has been completely grayed out....

I cannot even turn it on....

Running NPE and Malwarebytes now.
0
 

Author Comment

by:Joseph Salazar
ID: 41809556
Found C:\users\Username\AppData\Local\Envtion\a2.exe
0
 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 41809557
Maybe for making it even easier for the malware... it is possible that Sophos was not working at the moment of the encryption. Or maybe there was something that made Sophos stop working and then the second attack was conducted.

Just some ideas.
0
 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 41809569
It is good to quit the ransomware before doing anything else, indeed. :) That makes it less likely to happen again. However, in my case I would prefer to back up the remaining valuable data and then just blow away everything there and refresh that system from scratch.
0
 
LVL 95

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 125 total points
ID: 41809640
How can I be getting this issue with Sophos installed.

First, you do realize the ransomware creators WANT to infect you, so they almost certainly have the same tools you use to block them.  That way, they can figure out how to get around the protection!  But your antivirus company generally has to SEE the virus before it can issue an update that can protect against it, so you got hit with a new version... and there'll be another new version tomorrow.  You think Microsoft is issuing updates fast?  Malware creators issue them FAR faster to evade detection.

So how do you avoid them?  EDUCATE YOUR USERS.  That is the single most important thing.  If you can't, they probably shouldn't be doing the job they're doing, because these days, being able to learn about the technology you use in a minimal way to ensure you don't cripple the company should be a job requirement.

Second thing to do is to use a business class router/firewall/unified threat management (UTM) device that can scan incoming and outgoing data and catch things before they even get into the network.  MAKE NO MISTAKE, things will still get through, but it should reduce those that do.

Use web filtering capabilities in the UTM and a DNS filtering service like OpenDNS to help ensure the bad software can't reach you or the things it needs to reach to work.

Use a GOOD anti-spam solution, as a lot of these things come in as "UPS Delivery Notifications" or "Invoices", or "Faxes", among other things... using a good spam filter can keep MOST of these away from your end users.

Then use a GOOD antivirus.  Sophos is supposedly good - I haven't used them in years.

Then properly secure your network's files.  Users should have access to only the things they NEED access to - leaving everything open to everyone is a GREAT WAY to CRIPPLE your company (you may have just found that out).  If you limit access to those who need access, it limits the damage that can be done, which can DECREASE your restore time and DECREASE your productivity lost, and in some cases increase the chances that something like Shadow Copy can restore the infected files with less data loss than last night's backup.

THEN BACKUP.  INTELLIGENTLY.  Off site.  Regularly.

FINALLY, rely on the end user's TRAINING not to do things that will cause problems like this.

Security - and avoiding problems like this - is a multi-layered approach.  If you just want one or two layers, this will happen again.  And again. And again...

Your options now are to restore from backup... or pay the ransom.
0
 
LVL 87

Assisted Solution

by:rindi
rindi earned 125 total points
ID: 41809651
All AV software will be at least a step behind new malware. So particularly when something new comes out, they won't be able to catch it. No AV software is foolproof. So in such a situation your only option is to remove all your PCs from the LAN so they can't encrypt further files on the LAN.

After that, the best thing is to re-image those PCs. Although a lot of ransomware removes itself automatically from the PC once it has finished its job, it is still likely that other malware is still active. After all, if someone falls for ransomware, it is very likely that he will also fall for all sorts of other threats.

Once the probably infected PCs have been re-imaged, just restore your data from your backups.

For the future, make sure to make it harder for malware to get to your systems. Always make sure you only use a standard user account when you use the PC. Educate your users on how to use email and how to browse the web as safely as possible. Use application whitelisting so that only programs you have given the OK for can be executed. Disable macros for m$ Office documents, as that is how many of those viruses start. Or don't use m$ Office at all.
0
 
LVL 61

Expert Comment

by:btan
ID: 41809855
I suspect you are in the same situation as in this thread, and the encrypted files should have the extension .crypted added to the filename.
http://www.bleepingcomputer.com/forums/t/608358/ransomware-infection/

Suggest you identify the ransomware with ID Ransomware or Crypto Sheriff; if the ransomware identified has a decryptor that can bypass the encryption without paying the ransom, then you may like to give it a try.
https://id-ransomware.malwarehunterteam.com
https://www.nomoreransom.org/crypto-sheriff.php

Make a clone of the files before uploading and disconnect your machine, and also advise the customer to change their passwords for online web and social sites, especially those using the same common password.

Augment your AV with anti-ransomware and application whitelisting such as Windows AppLocker, CryptoPrevent or SecureAPlus. There are anti-ransomware programs such as WinPatrol WinAntiRansom and Malwarebytes Anti-Ransomware suggested as preventive measures for consideration.
0
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 41810548
I agree id-ransomware is an excellent way to go. Also check Nomoreransom.org.

Without backups you're pretty much up the creek. Definitely make a backup just in case a key becomes available.
0
 

Author Comment

by:Joseph Salazar
ID: 41819943
Thanks everyone. We ended up formatting and re-installing the desktop.

We deployed a Sophos router and Sophos on the desktop, and will be getting the Intercept X anti-ransomware module when it comes out soon.

Cjoego
0
 
LVL 26

Accepted Solution

by: Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 250 total points
ID: 41820263
Intercept X looks to be an excellent piece of software.  I have been using HitmanPro.Alert/Cyberguard since before Sophos bought out SurfRight.  The Intercept X module is based on the HitmanPro.Alert software.  If you are a Sophos shop, this is the best way to go.  Others, like Cylance, claim a 100% block rate when it comes to ransomware with few if any false positives.  Cryptodrop was also an excellent academic solution to the problem of ransomware (some companies have started to adopt the Cryptodrop scheme, which stops encryption malware after an average of 10 files have been encrypted).
0
 
LVL 61

Expert Comment

by:btan
ID: 41820934
There is also CryptoTrap from TrapX for setting decoys to allow time for the detection mechanism to alert users.
https://trapx.com/trapx-combats-ransomware-attacks-with-new-cryptotrap-tool/
0
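Added example, not code from any post in this thread: a small Python sketch of the two behavioural ideas raised above, a Cryptodrop-style count of suspicious file events (here, renames to the `.crypted` extension btan mentions, or writes of high-entropy data) and a CryptoTrap-style decoy file. The canary path, thresholds and the event stream are constructed assumptions for illustration.

```python
import math
from collections import deque

# Constructed assumptions: a decoy (canary) document nobody should ever modify,
# the extension this family appends, and the "about 10 files" figure that the
# Cryptodrop comment above cites as its average before it halts encryption.
CANARY_PATHS = {"C:/Users/Public/Documents/~canary_invoice.docx"}
SUSPECT_EXT = ".crypted"
FILE_THRESHOLD = 10
ENTROPY_THRESHOLD = 7.0   # bits per byte; ciphertext sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Plain text documents usually score well under 6."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class RansomwareDetector:
    """Consumes file events (action, path, data) and raises alerts."""

    def __init__(self, threshold=FILE_THRESHOLD, window=50):
        self.threshold = threshold
        self.recent = deque(maxlen=window)  # recent suspicious paths
        self.alerts = []

    def observe(self, action, path, data=b""):
        """Return an alert string if this event trips a rule, else None."""
        if path in CANARY_PATHS and action in ("write", "rename"):
            return self._alert(f"canary touched: {path}")
        suspicious = (action == "rename" and path.endswith(SUSPECT_EXT)) or \
                     (action == "write" and shannon_entropy(data) >= ENTROPY_THRESHOLD)
        if suspicious:
            self.recent.append(path)
            if len(self.recent) >= self.threshold:
                self.recent.clear()  # one alert per burst, then start counting again
                return self._alert(f"{self.threshold} suspicious file events, last: {path}")
        return None

    def _alert(self, msg):
        self.alerts.append(msg)
        return msg


def run_demo():
    """Constructed stream: one benign edit, then twelve renames to .crypted."""
    det = RansomwareDetector()
    det.observe("write", "C:/Users/u/Documents/notes.txt", b"meeting at 10, bring the Q3 report " * 4)
    for i in range(12):
        det.observe("rename", f"C:/Users/u/Documents/doc{i}.docx{SUSPECT_EXT}")
    return det
```

In a real deployment the event stream would come from a filesystem watcher and the alert would isolate the host, as rindi and btan suggest; the point here is that the rule fires after the tenth file rather than after the whole share is gone.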
 

Author Closing Comment

by:Joseph Salazar
ID: 41825019
Thanks
0
