Posted on 2016-10-10
Last Modified: 2016-10-14
Hello security experts out there. It seems that we've been hit by a ransomware that adds an extension of {}.lock which has propagated to our servers and possibly workstations. Has anyone encountered this issue? If so, what have you done to fix it other than restoring from backup, which is what we are doing.

Please advise. Your response would be greatly appreciated.
Question by:narriola2
LVL 20

Expert Comment

by:Russ Suter
ID: 41837032
There are a handful of ransomware programs whose encryption has been cracked. You can find out about those here:

Other than that you have exactly two options:
1. Pay the ransom and hope it works
2. Restore from backups

It seems like you're already doing the 2nd which is definitely the better choice. Your focus now needs to be on prevention of future infections. There are a couple of things you can do that have proven largely (though not 100%) effective.

1. Create a group policy or local policy that prevents applications from running in unprotected spaces. CryptoPrevent uses this approach. Cryptolocker Prevention Kit is another.
2. If you have control over your mail server you can add filtering rules to automatically block attachments with .exe files in them.
3. If you have control over your firewall you can block IP ranges. Some ransomware programs use TOR but not all. This will work for those that don't.
4. This one is probably the hardest to implement and the most important. Educate your users!

I'm glad to hear you have backups. Too many of these stories end badly due to lack of advanced preparation.
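Point 1 of the list above (a policy that stops executables launching from user-writable locations) is what the CryptoPrevent-style tools configure under the hood. The script below is an added example, not code from this thread or from CryptoPrevent: it writes a local Software Restriction Policy through the same registry keys that secpol.msc uses. The list of blocked paths is an assumption for illustration and should be adjusted to your estate; run it as Administrator on a test machine first.

```powershell
# Added example, not code from the thread or from CryptoPrevent: a local
# Software Restriction Policy that disallows executables launching from the
# user-writable folders ransomware droppers land in. Writes the same registry
# keys secpol.msc / the CryptoPrevent-style tools write; run as Administrator.
# The blocked path list is an assumption for illustration; adjust it to your estate.
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

$BlockedPaths = @(
    '%AppData%\*.exe',      '%AppData%\*\*.exe',       # roaming profile and one subfolder level
    '%LocalAppData%\*.exe', '%LocalAppData%\*\*.exe',
    '%Temp%\*.exe',         '%Temp%\*\*.exe',
    '%UserProfile%\Downloads\*.exe',
    '%Temp%\Rar*\*.exe',    '%Temp%\7z*\*.exe',        # archive tools extract here before running
    '%Temp%\wz*\*.exe',     '%Temp%\*.zip\*.exe'
)

# Designated file types SRP treats as executable; without this list .scr, .cpl,
# .pif and script wrappers would slip past the path rules.
$ExecutableTypes = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP',
    'HTA','INF','INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD',
    'PIF','REG','SCR','SHS','URL','VB','WSC'

function Add-SrpDisallowPathRule {
    param([Parameter(Mandatory)][string]$Path,
          [string]$Description = 'Block executables in user-writable locations')
    # Security level 0 = Disallowed; each path rule is a GUID-named subkey under Paths.
    $key = Join-Path $Base ('0\Paths\' + [guid]::NewGuid().ToString('B').ToUpper())
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -PropertyType ExpandString -Value $Path        | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord        -Value 0            | Out-Null
    New-ItemProperty -Path $key -Name Description  -PropertyType String       -Value $Description | Out-Null
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord        -Value (Get-Date).ToFileTime() | Out-Null
    return $key
}

# Policy-wide settings. DefaultLevel 0x40000 = Unrestricted, so only the listed
# paths are blocked; TransparentEnabled 1 = check executables but not DLLs;
# PolicyScope 0 = apply to every user, local administrators included.
New-Item -Path (Join-Path $Base '0\Paths') -Force | Out-Null
Set-ItemProperty -Path $Base -Name DefaultLevel        -Type DWord       -Value 0x40000
Set-ItemProperty -Path $Base -Name TransparentEnabled  -Type DWord       -Value 1
Set-ItemProperty -Path $Base -Name PolicyScope         -Type DWord       -Value 0
Set-ItemProperty -Path $Base -Name AuthenticodeEnabled -Type DWord       -Value 0
Set-ItemProperty -Path $Base -Name ExecutableTypes     -Type MultiString -Value $ExecutableTypes

# Idempotent: skip paths that already have a rule so the script can be re-run.
$existing = @(Get-ChildItem -Path (Join-Path $Base '0\Paths') |
    ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData })
foreach ($p in $BlockedPaths) {
    if ($existing -contains $p) { continue }
    $null = Add-SrpDisallowPathRule -Path $p
    "Added Disallowed rule for $p"
}

# Verify what is now in effect. Rules apply at next logon (or after gpupdate /force).
Get-ChildItem -Path (Join-Path $Base '0\Paths') |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Select-Object ItemData, Description | Format-Table -AutoSize
```

A blocked launch fails with "This program is blocked by group policy" and is logged as Event ID 866 (source SoftwareRestrictionPolicies) in the Application log, which is a useful early-warning signal in its own right. Path rules are a speed bump rather than a boundary: a dropper that runs as a script or DLL, or copies itself to an allowed location, is not covered, which is why the AppLocker whitelisting suggested later in this thread is the stronger long-term option.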
LVL 62

Expert Comment

ID: 41837068
First off, do isolate the machine (remove it from the internet and network) and change the login credentials, and those of any accounts using the same password. You can check the owner of the files stored in network shares by looking at the file properties, as this is likely the account used to further infect other files in the network shares.

It will be good to identify what ransomware family it belongs to, e.g. by uploading to Cyber Sheriff or ID Ransom.

But from the name shared, it seems very similar to a past known crypto malware ransomware that encrypts all kinds of documents (e.g. doc, xls, xlsx, ...), database files (db, ...), .pst, .zip, .bak, .txt, ... and renames them as <filename>.<id>-<10 digit random number>. An antivirus program may not recognize it if this Funa@india is a new variant. Most likely it didn't just encrypt the files but also erased all the shadow copies. The network mapped drive's files would also be encrypted.

I recommend not paying the ransom as there is no guarantee that you can get back the decryption key to restore your encrypted files, or that re-infection will not recur. Also, payment just feeds and encourages the attacker's doing - this may also have some legal implications.

Instead you should check back your existing backup source store to get back those files. Also do rebuild to a clean slate instead of attempting to clean the machine - the ransomware was likely dropped by other malware that came in from user browsing a compromised website (or clicking a URL in a phishing email), opening an infected email attachment, or opening files from an unknown thumbdrive etc. The cleaning may come to nothing as the reinfection may recur.

For long term preventive measures,
-remove users from having administrator rights and from the administrator group,
-employ application whitelisting to run only trusted and authorised applications (check out AppLocker)
-employ an anti-ransomware tool to augment the existing AV, e.g. Malwarebytes Anti-Ransomware or WinPatrol WinRansom
-exercise diligence to take regular backups, verify the backups and keep them off the machine and network mapped drives on a separate system, with a copy offsite if possible
-employ other measures to prevent exploits, as AV may not be effective, e.g. Malwarebytes Anti-Malware and Anti-Exploit, Microsoft EMET or Sophos Intercept X (which has a feature called CryptoGuard)
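The file-owner check and the shadow-copy point in the comment above, turned into a triage script. This is an added example, not code from the thread: it inventories the renamed files on a share, attributes them to the account that wrote them, reports the time window of the encryption run, and checks whether any shadow copies survived on the file server. It assumes the encrypted files carry the .lock extension from the question and uses '\\FILESERVER\Data' as a placeholder for your share.

```powershell
# Added example, not code from the thread: inventory the encrypted files on a
# share, attribute them to the account that wrote them (the file-owner check
# suggested above) and look for surviving shadow copies.
# Assumptions: the encrypted files carry the .lock extension from the question,
# and '\\FILESERVER\Data' is a placeholder for your share.
function Get-EncryptedFileInventory {
    param(
        [Parameter(Mandatory)][string]$SharePath,
        [string]$Pattern = '*.lock'
    )
    # -Force includes hidden files; unreadable folders are skipped rather than aborting.
    Get-ChildItem -Path $SharePath -Filter $Pattern -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path    = $_.FullName
                # NTFS records the creating account as owner of a new file, so the
                # owner of the renamed copy is the account the ransomware ran under.
                # If that account was a local admin the owner shows as
                # BUILTIN\Administrators and you need the SMB session logs instead.
                Owner   = (Get-Acl -LiteralPath $_.FullName).Owner
                Written = $_.LastWriteTime
            }
        }
}

$files = @(Get-EncryptedFileInventory -SharePath '\\FILESERVER\Data')
if ($files.Count -eq 0) { Write-Warning 'No encrypted files found'; return }

# Which accounts did the writing: these are the credentials to disable and reset.
$files | Group-Object Owner | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# When it happened: the window to correlate against logon and RDP events.
$sorted = @($files | Sort-Object Written)
"{0} files encrypted between {1} and {2}" -f $files.Count, $sorted[0].Written, $sorted[-1].Written

# Keep the list for the restore job.
$files | Export-Csv -Path "$env:USERPROFILE\Desktop\encrypted-files.csv" -NoTypeInformation

# Run on the file server itself: did any shadow copies survive? Most families
# delete them first (vssadmin delete shadows /all /quiet), so an empty list
# here is itself an indicator of what ran.
vssadmin list shadows
```

Run it from a clean administrative workstation, not from the suspect machine, and run it before the restore job starts: restoring over the share replaces the evidence of who wrote the encrypted files and when.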

Author Comment

ID: 41839584
Thanks for your contributions. I just wanted to add that we've had several ransomware attacks, almost one every month. We have instituted a system from Symantec called Advanced Threat Protection which is mainly focused on monitoring systems for any ransomware variants. However, this last one was not caught at all. We had one this month and one attack in each of the past 2 months. The interesting part is that we don't even get a ransom note either. We have already been educating our users through another service, so we've got that covered too, but obviously we have not been successful, so we just need to keep educating our users. The other thing is that I know that this is also coming from users who are accessing our remote desktop. Is there a better way for them to access remote desktop then?

Thank you for your assistance.

LVL 62

Expert Comment

ID: 41839686
There is ransomware without notes that just names the encrypted files with an email address for the victim to email them for further instructions. There are instances of using disposable email accounts which will not be easily traceable. The criminal is just trying to lessen their footprint and make sure a true victim engages in ransom payment instead of any LE spoofing an identity.

As for RDP, the spread is due to the use of weak passwords that allow brute force attempts to succeed. So you will need to review your RDP and password policy to make sure authentication can be levelled up to stronger passwords, and consider having 2FA authentication instead of a simple username and password. Also consider not having RDP over the Internet, esp. exposing servers unnecessarily to external threats.

Choosing a strong passphrase is preferred compared to a password. See
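The brute-force-over-RDP point in the comment above is checkable from the Security log. The script below is an added example, not code from the thread: Get-FailedRdpLogons pulls Event 4625 failures from the live log (needs Administrator and the "Audit Logon" policy enabled), and Find-BruteForceSources flags source addresses with a burst of failures in a short window. The sample events at the bottom are constructed, not real log data, so the detection logic can be exercised offline; the threshold and window values are assumptions to tune.

```powershell
# Added example, not code from the thread: find source addresses hammering RDP
# with failed logons in the Security log (Event 4625). Get-FailedRdpLogons reads
# the live log (needs Administrator and "Audit Logon" enabled); the sample data
# at the bottom is constructed so the detection logic can be exercised offline.
function Get-FailedRdpLogons {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    # Filtering by hashtable is done by the event log service, far faster than Where-Object.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                LogonType = [int]$data['LogonType']
                User      = $data['TargetUserName']
                Source    = $data['IpAddress']
                SubStatus = $data['SubStatus']   # 0xC000006A bad password, 0xC0000064 unknown user
            }
        } |
        # 10 = RemoteInteractive (classic RDP). With Network Level Authentication the
        # attempt is rejected at the CredSSP stage and logged as type 3, often with
        # Source '-'; the client IP for those is in Event 140 of
        # Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational.
        Where-Object { $_.LogonType -in 3, 10 }
}

function Find-BruteForceSources {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$Threshold = 20,      # failures from one source ...
        [int]$WindowMinutes = 10   # ... within this many minutes
    )
    foreach ($group in ($Events | Group-Object Source)) {
        $times = @($group.Group | Sort-Object Time | ForEach-Object Time)
        # Sliding window over the sorted timestamps: flag the source if any
        # $Threshold consecutive failures fall inside $WindowMinutes.
        $hit = $false
        for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {
            if (($times[$i + $Threshold - 1] - $times[$i]).TotalMinutes -le $WindowMinutes) { $hit = $true; break }
        }
        if ($hit) {
            [pscustomobject]@{
                Source    = $group.Name
                Failures  = $group.Count
                UserNames = @($group.Group | ForEach-Object User | Sort-Object -Unique).Count
                First     = $times[0]
                Last      = $times[-1]
            }
        }
    }
}

# Constructed sample, not real log data: 30 failures in 2.5 minutes from one
# address against 30 different user names (password spraying), plus one typo.
$base   = Get-Date '2016-10-10 03:00:00'
$sample = @()
foreach ($i in 1..30) {
    $sample += [pscustomobject]@{ Time = $base.AddSeconds(5 * $i); LogonType = 10
                                  User = "user$i"; Source = '203.0.113.7'; SubStatus = '0xC0000064' }
}
$sample += [pscustomobject]@{ Time = $base.AddHours(1); LogonType = 10
                              User = 'jsmith'; Source = '198.51.100.4'; SubStatus = '0xC000006A' }

Find-BruteForceSources -Events $sample | Format-Table -AutoSize
# Reports 203.0.113.7 (30 failures, 30 user names); 198.51.100.4 is below threshold.

# Against the real log for the last week:
# Find-BruteForceSources -Events (Get-FailedRdpLogons -Since (Get-Date).AddDays(-7))
```

A high UserNames count per source is the signature of spraying rather than a user with a forgotten password. The fixes are the ones named above: an account lockout policy so the attempts stop succeeding, NLA on the RDP listener, 2FA in front of it, and taking port 3389 off the Internet behind a VPN or gateway.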
LVL 20

Accepted Solution

Russ Suter earned 500 total points
ID: 41840415
A few thoughts...

* Never rely on commercial products, especially Symantec, for detection and prevention of viruses. They're just not good at it. The only reason they're still around is that they once were useful and have a good marketing department.
* If you're getting ransomware as often as you say then you should definitely implement the preventative measures I listed in my first post. They aren't a 100% fix but they will certainly reduce your attack surface.
* Your users are in desperate need of training and education. Social engineering is by far the number one source of ransomware infection.
* You may not be seeing ransom notes because you're catching the ransomware before it gets a chance to finish. Most of the time ransomware programs won't make themselves known until they've done maximum damage or can no longer phone home.
* The 2FA idea that btan suggested is a good one. Look into Duo Security as an option. It's free for up to 10 users and cheap for more than that (as little as $1 per user per month) and it integrates well with RDP services.

Author Comment

ID: 41840870
OK, thanks. Much appreciated. I am already in communication with Duo Security.

