Solved

Funa@india.com

Posted on 2016-10-10
395 Views
Last Modified: 2016-10-14
Hello security experts out there. It seems that we've been hit by ransomware that adds an extension of {funa@india.com}.lock, which has propagated to our servers and possibly workstations. Has anyone encountered this issue? If so, what have you done to fix it other than restoring from backup, which is what we are doing?

Please advise. Your response would be greatly appreciated.
Question by:narriola2
6 Comments
LVL 20

Expert Comment

by:Russ Suter
ID: 41837032
There are a handful of ransomware programs whose encryption has been cracked. You can find out about those here: https://noransom.kaspersky.com/

Other than that you have exactly two options:
1. Pay the ransom and hope it works
2. Restore from backups

It seems like you're already doing the 2nd, which is definitely the better choice. Your focus now needs to be on prevention of future infections. There are a couple of things you can do that have proven largely (though not 100%) effective.

1. Create a group policy or local policy that prevents applications from running in unprotected spaces. CryptoPrevent uses this approach. Cryptolocker Prevention Kit is another.
2. If you have control over your mail server you can add filtering rules to automatically block attachments with .exe files in them.
3. If you have control over your firewall you can block IP ranges. Some ransomware programs use TOR but not all. This will work for those that don't.
4. This one is probably the hardest to implement and the most important. Educate your users!

I'm glad to hear you have backups. Too many of these stories end badly due to lack of advance preparation.
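Point 1 in that list (stop executables launching from locations a standard user can write to) is what AppLocker path rules do natively, and btan's answer below mentions AppLocker for the same purpose. The script here is an added example written for this thread, not code from either expert or from CryptoPrevent: it builds a path-rule policy, dry-runs it against a test binary, applies it to the local machine in audit mode, and reads back the audit events. It assumes an elevated PowerShell on a Windows edition that enforces AppLocker (Windows 7 / Server 2008 R2 Enterprise and later); the rule GUIDs, rule names, threshold and scratch file path are arbitrary values chosen for the example.

```powershell
# Added example, not code from the thread: AppLocker path rules that deny
# execution from user-writable locations while keeping Windows, Program Files
# and administrators working. Rule GUIDs/names and $policyPath are arbitrary.
Import-Module AppLocker

$policyPath = Join-Path $env:TEMP 'deny-userwritable.xml'   # assumed scratch location

# Deny rules win over Allow rules in AppLocker, so the Allow rules keep installed
# software running while the Deny rules close the folders droppers write to.
# S-1-1-0 = Everyone, S-1-5-32-544 = BUILTIN\Administrators.
# EnforcementMode is AuditOnly on purpose: review the 8003 events for a while,
# add exceptions for legitimate per-user installers, then switch to "Enabled".
@'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="9b0a5f2e-0d3a-4b7a-8b1e-0a5f1b2c3d01" Name="Allow Everyone: Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="9b0a5f2e-0d3a-4b7a-8b1e-0a5f1b2c3d02" Name="Allow Everyone: Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="9b0a5f2e-0d3a-4b7a-8b1e-0a5f1b2c3d03" Name="Allow Administrators: everything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="9b0a5f2e-0d3a-4b7a-8b1e-0a5f1b2c3d04" Name="Deny Everyone: user profile AppData" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="9b0a5f2e-0d3a-4b7a-8b1e-0a5f1b2c3d05" Name="Deny Everyone: Windows Temp" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Temp\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@ | Set-Content -Path $policyPath -Encoding UTF8

# The Application Identity service must be running or AppLocker evaluates nothing.
# (On recent Windows 10 builds Set-Service cannot touch this protected service;
# use "sc.exe config appidsvc start= auto" there instead.)
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Dry run before applying: the same binary is allowed from System32 and denied
# from AppData, which shows the rule is about location, not the file's content.
$probe = Join-Path $env:LOCALAPPDATA 'Temp\applocker-probe.exe'
Copy-Item -Path "$env:WINDIR\System32\notepad.exe" -Destination $probe -Force
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe, "$env:WINDIR\System32\notepad.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item -Path $probe -Force

# Apply to the local machine; -Merge keeps rules already present. For a domain,
# replace -Merge with -Ldap "<LDAP path of the GPO>" to write the policy into a GPO.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# 8003 = would have been blocked (audit mode), 8004 = blocked (enforced).
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 100 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8003 -or $_.Id -eq 8004 } |
    Select-Object TimeCreated, Id, Message
```

The point of starting in AuditOnly is that a path deny on AppData also catches legitimate per-user software (some updaters and chat clients install there); the 8003 events tell you exactly which binaries need an Allow exception before you flip the collection to Enabled, and the same 8003/8004 stream is a useful early warning that a dropper has landed on a workstation even before anything is encrypted.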
LVL 61

Expert Comment

by:btan
ID: 41837068
First off, do isolate the machine (remove from internet and network) and change the login credentials and those accounts using the same password. You can check out the owner of those files stored in network shares by looking at the file properties, as this is likely the account used to further infect other files in the network shares.

It will be good to identify what ransomware family it belongs to, e.g. by uploading to Crypto Sheriff (https://www.nomoreransom.org/crypto-sheriff.php) or ID Ransomware (https://id-ransomware.malwarehunterteam.com/).

But from the name shared, it seems very similar to a past known crypto malware ransomware that encrypts all kinds of documents (e.g. doc, xls, xlsx, ...), database files (db, ...), .pst, .zip, .bak, .txt, ... and renames them as <filename>.<id>-<10 digit random number>__fud@india.com, e.g. testfile.pdf.id-1234567890_fud@india.com. An antivirus program may not recognize it if this Funa@india is a new variant. Most likely it didn't just encrypt the files but also erased all the shadow copies. The network mapped drive's files would also be encrypted.

I recommend not paying the ransom, as there is no guarantee that you can get back the decryption key to restore your encrypted files or that re-infection will not recur. Also, payment just feeds and encourages what the attacker is doing; this may also have some legal implications.

Instead you should check back your existing backup source store to get back those files. Also do rebuild into a clean slate instead of attempting to clean the machine; the ransomware is likely dropped from other malware that came in from user browsing (or clicking a URL in a phishing email) a compromised website, or opening an infected email attachment, or opening something from an unknown thumbdrive etc. The cleaning may be in vain as the reinfection may recur.

For long term preventive measures,
- remove users from having administrator rights and from the administrators group,
- employ application whitelisting to run only trusted and authorised apps (check out AppLocker)
- employ an anti-ransomware tool to augment the existing AV e.g. Malwarebytes Anti-Ransomware or WinPatrol WinRansom
- exercise diligence to have regular backups, verify the backups and keep them off the machine and network mapped drive in a separate system, with a copy offsite if possible
- employ other measures to prevent exploits as AV may not be effective e.g. use Malwarebytes Anti-Malware and Anti-Exploit, Microsoft EMET or Sophos Intercept X (has a feature called CryptoGuard)
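The first paragraph of that answer (find who owns the encrypted files on the share, isolate that account, check whether shadow copies survived) is the kind of triage that is worth scripting so it can be run against every share quickly. The script below is an added example written for this thread, not btan's own procedure or any tool's code. It assumes PowerShell 3 or later on a machine with read access to the share; the share path, the CSV output location and the `*.lock` filter (taken from the extension the asker reported) are constructed placeholders to adjust.

```powershell
# Added example, not code from the thread: triage of a file share after the
# infection described above. $share and the CSV path are placeholders.
function Get-EncryptedFileReport {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$Filter = '*.lock'   # the extension reported in the question; narrow if needed
    )
    # The owner of each encrypted copy is normally the account the ransomware
    # ran under, which is the credential to reset and the workstation to isolate.
    Get-ChildItem -Path $Path -Recurse -Filter $Filter -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path    = $_.FullName
                Owner   = (Get-Acl -Path $_.FullName).Owner
                Written = $_.LastWriteTime
            }
        }
}

$share = '\\FILESERVER\Data'          # assumed share path
$hits  = Get-EncryptedFileReport -Path $share

# Tally by owner: one account with hundreds of hits is the infection source;
# a second owner with a few hits may be a second infected workstation.
$hits | Group-Object Owner | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Earliest write gives the start of the incident window for log review.
$hits | Sort-Object Written | Select-Object -First 5 Written, Owner, Path | Format-Table -AutoSize

# Did Volume Shadow Copies survive on the affected server? Many families delete
# them; an empty list means backups are the only restore path.
vssadmin.exe list shadows

# Keep the list for the incident record and for the restore job.
$hits | Export-Csv -Path (Join-Path $env:TEMP 'encrypted-files.csv') -NoTypeInformation
```

Run it with read-only credentials from a machine that is not itself a candidate for infection; it only reads metadata, so it is safe on a share you intend to restore over. The LastWriteTime column also tells you which backup generation predates the encryption, which is the question the restore job needs answered first.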
Author Comment

by:narriola2
ID: 41839584
Thanks for your contributions. I just wanted to add that we've had several ransomware attacks, almost one every month. We have instituted a system from Symantec called Advanced Threat Protection which is mainly focused on monitoring systems for any ransomware variants. However, this last one was not even caught at all. We had one this month and attacks each of the past 2 months. The interesting part is that we don't even get a ransom note either. We have already been educating our users through another service so we've got that covered too, but obviously we have not been successful, so we just need to keep educating our users. The other thing is that I know that this is also coming from users who are accessing our remote desktop. Is there a better way for them to access remote desktop then?

Thank you for your assistance.
LVL 61

Expert Comment

by:btan
ID: 41839686
There is ransomware without notes; they just name the encrypted files with the email for the victim to email them for further instructions. There are instances of using disposable email accounts which will not be easily traceable. The criminal is just trying to lessen their footprint and make sure a true victim engages in ransom payment instead of any LE spoofing identity.

As for RDP, the spread is due to the use of weak passwords that allow brute force attempts to succeed. So you will need to review your RDP and password policy to make sure authentication can be levelled up for stronger passwords, and consider having 2FA authentication instead of simple username and password. Also consider not having RDP over the Internet, especially exposing servers unnecessarily to the external threat.

Choosing a strong passphrase is preferred as compared to password. See
https://www.experts-exchange.com/articles/18309/Choosing-an-easy-to-remember-strong-password.html
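The RDP point above is checkable from the server's own logs: a password-guessing run shows up as a burst of failed logons from one source address against many account names, and the two settings that limit it (account lockout and Network Level Authentication) are readable in place. The script below is an added example written for this thread, not btan's own tooling. It assumes an elevated PowerShell 3 or later session on the RDP-exposed server; the 24-hour window and the threshold of 20 failures per source are arbitrary starting values, not figures from the thread.

```powershell
# Added example, not code from the thread: review Security log 4625 events for
# RDP password guessing and check lockout / NLA settings. Window and threshold
# are arbitrary starting values.
function Get-FailedRdpLogons {
    param([datetime]$Since = (Get-Date).AddHours(-24))

    # 4625 = "An account failed to log on". LogonType 10 is RemoteInteractive
    # (RDP). With Network Level Authentication the failure is recorded as
    # LogonType 3 instead, often with IpAddress "-", so both types are kept.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['LogonType'] -eq '10' -or $d['LogonType'] -eq '3') {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                SourceIp  = $d['IpAddress']
                Account   = $d['TargetUserName']
                LogonType = $d['LogonType']
                SubStatus = $d['SubStatus']   # 0xC0000064 = unknown user, 0xC000006A = wrong password
            }
        }
    }
}

$failed = Get-FailedRdpLogons

# Many failures from one source against many account names is guessing, not a
# user mistyping. This list feeds the firewall block and the credential resets
# discussed earlier in the thread.
$failed | Group-Object SourceIp |
    Where-Object { $_.Count -ge 20 } |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Accounts'; e = { ($_.Group | ForEach-Object Account | Select-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# Lockout policy: with "Lockout threshold: Never", every guess is free.
net accounts

# Is NLA required for RDP? UserAuthentication = 1 means the client must
# authenticate before a session is created, which removes the pre-auth attack surface.
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication |
    Select-Object UserAuthentication

# Listening on 3389 is one half; the firewall/NAT rule in front of it is the other half to check.
netstat -ano | findstr ':3389'
```

A high count of 0xC0000064 sub-status values (accounts that do not exist) is the clearest signature of a dictionary run, since a real user does not mistype the username hundreds of times. If the policy review ends with RDP behind a VPN or gateway plus 2FA, as suggested above, re-running this after the change should show the 4625 stream drop to near zero, which is the cheapest confirmation that the exposure is actually closed.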
LVL 20

Accepted Solution

by: Russ Suter (earned 500 total points)
ID: 41840415
A few thoughts...

* Never rely on commercial products, especially Symantec, for detection and prevention of viruses. They're just not good at it. The only reason they're still around is that they once were useful and have a good marketing department.
* If you're getting ransomware as often as you say then you should definitely implement the preventative measures I listed in my first post. They aren't a 100% fix but they will certainly reduce your attack surface.
* Your users are in desperate need of training and education. Social engineering is by far the number one source of ransomware infection.
* You may not be seeing ransom notes because you're catching the ransomware before it gets a chance to finish. Most of the time ransomware programs won't make themselves known until they've done maximum damage or can no longer phone home.
* The 2FA idea that btan suggested is a good one. Look into Duo Security as an option. It's free for up to 10 users and cheap for more than that (as little as $1 per user per month) and it integrates well with RDP services.
Author Comment

by:narriola2
ID: 41840870
OK Thanks. Much appreciated. I am already in communication with Duo Security.