Ransomware virus

One of our clients has a ransomware vires, in every folder there is a text document with the following info:

All your files have been encrypted. If you want to restore them, write us to the e-mail writefordecrypt@openmailbox.org

I am guessing all is lost when there is no backup?
IT MeetjeslandAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.


If you have no backups, then you are almost certainly up the creek, and the directors / board are almost certainly in for a very bad time, as it would likely be regarded as prima facie evidence of negligence, meaning they are potentially personally liable for any losses to creditors and / or shareholders.

Might be a good idea to move on quickly.

Lasse BodilsenSystem AdministratorCommented:
With no back, it's all gone.  

unless they are hit by a know encryption, then you might be lucky to find a decrypter:

se here:

if none of that work, and the files are very important. Paying the ransom might be worth considering.  and if it works, take a backup and reinstall the system from scratch.

and of course what Alan mentioned is very much relevant.
MASEE Solution Guide - Technical Dept HeadCommented:
-->I am guessing all is lost when there is no backup?
Sadly yes
CompTIA Cloud+

The CompTIA Cloud+ Basic training course will teach you about cloud concepts and models, data storage, networking, and network infrastructure.

Mal OsborneAlpha GeekCommented:
You COULD try paying the ransom.

Of course this will be encouraging criminal activity in general, and more attacks on your site specifically. The crooks may or may not send you a key.
John TsioumprisSoftware & Systems EngineerCommented:
When this disaster happens there 2 things you can do...
1. Search the Internet for a known decryptor...just don't click eveything and everywhere you probably have nasty experiences...use better an isolated  VM for this task.
2. Disconnect the HDD or make a complete image of it and store it...sometimes authorities manage to crack these cybercriminals and their code is forwarded to security experts to create decryptors...so not now but in a month/year maybe he/she will get lucky....
Without backups, the only feasible options are:
1) Try to see if a decryptor can be identified.
2) Pay the ransom (definitely do not recommend doing this for obvious reasons)
3) Totally reload the system after backing up the entire system (following #2 from John T's advice)

Just as importantly, you need to figure out HOW the system got hit with ransomware, and review your entire security program. The issue could've been purely user action, or the result of a technical failure somewhere along the line. Regardless, ramp up user awareness training, and improve your technical security measures.
btanExec ConsultantCommented:
Suggest you identify the ransomware family , and who knows that it may have a past decryptor
Try ID Ransomware to identify what Ransomware Encrypted Your Files. Another means is to run RansomNoteCleaner
 when it is first launched, it will contact the ID Ransomware web site and retrieve the latest information on known ransom notes. Other than this initial update of its definitions, RansomNoteCleaner will not perform any other network connections and no information about your system is uploaded to their servers. If you have a network issue with reaching the website, you can use the Refresh Network button to try again.

To select the ransomware whose ransom notes you wish to scan for, you can click on the Select Ransomware(s) button and select the specific ransomware. This is recommended if you have already identified the ransomware, as otherwise it will take much less time to search for the notes.

Once the ransomware variant(s) have been confirmed, you can click on the Search for Ransom Notes button to select a directory (or whole drive), and start the search for known ransom notes.  If you wish to clean an entire drive, you should select a specific drive letter.
If there is no decryptor found but ransomware is identified then I suggest you can back up those encrypted files in hope that future there may be release of decryptor tool.

Since no backup, then move on to rebuild the machine and recover any data that can make moving on easier. No point  scavenging for cure since there isnt any, bite the bullet and carry on. To play safe, change credential for online services and do harden your machine with application whitelisting (run only authorised apps) and restrict privileges as a user (not default admin) and patch up the machine to latest AV signature, and security hotfixes.

Hygiene is important to reduce attack surface as well as the user awareness portion, recallhow have the infection gotten into the machine, e.g. phishing email attachment, link to phished websites which ask install unknown appl or plugin after its visit, plug in USB and disable or remve all unnecessary services esp those SMB and RDP services which is an avenue for spreading the infection...  

In case you need some FAQ and more understanding in recovery and hardening, you may consider checking this article out
IT MeetjeslandAuthor Commented:
Thanks for the many tips everyone. I tried some of the decrypters. Some if them seem to recognize the encryption, but when running the software it either does not decrypt or it asks me for the original file.  And I have not got a response from that email in the last 24 hours.

So I might just declare this a total loss.
E ATech LeadCommented:
What to do after a Ransomware attack on your Windows computer:

Boot system in the Safe Mode plus launch a deep scan mode of the antivirus software
Check for Ransomware Decrypt tool
Use Windows Unlocker to clean up ransomware infected Registry
Try to access Shadow Volume Copy Service feature to restore older file versions
Also, you can report the ransomware case to the local cyber-crime cell


Hope this helps!
btanExec ConsultantCommented:
Do you know the ransomware family identified when runnung through IDRansomware online as that may give some sensing any close decryptor tools if any.
IT MeetjeslandAuthor Commented:
This is what I get when I use the website id-ransomware:

Well, try with a file you know is of little importance. If you're lucky, then it is decryptable. Worst case, you've at least tried and will have to wait.
IT MeetjeslandAuthor Commented:
Tried many files, didn't work...
btanExec ConsultantCommented:
so it is based on extension of ".encrypt" then. Here is another good list but seems already exhausted as you tested out. If it is not either these two, then it would probably be a some other close variant. Better to move on then since no decryptor and backup. https://www.barkly.com/ransomware-recovery-decryption-tools-search
Isha RIkhiData Recovery ExpertCommented:
You can recover the files and folders with the help of data recovery software also.Here is a blog guiding you about recovering your data if you face the ransomware crisis-https://www.stellarinfo.com/blog/recover-files-infected-by-wannacry-ransomware-attack-stellar-phoenix/
IT MeetjeslandAuthor Commented:
We finally got a response from the person demanding some bitcoins. Our client made the payment. He is awaiting response.

It turns out someone was often logging in to the server remotely using plain Remote desktop for work purposes and the password was very easy to guess. Plus that user had full admin rights, that's just asking for it I guess...

This is a thing we often see, people logging in remotely to their server/pc with just the IP:PORTNUMBER. Is there an alternative more secure way of doing this? These are often businesses between 5-10 users. So IT budget is always on the low side.

You need to close Port 3389 immediately - RDP is NOT a secure protocol to be using across the internet.

Depending on your setup, you may have RWW available.  If so, that is safe, subject to username / password strength (like anything else).

However, the entire network has to be considered to be compromised at this point, regardless of whether they get a valid decryption key.  If they do get a key, they'll probably get re-encrypted quickly thereafter.

You need to take down the entire network, wipe all the machines, including all the servers, and re-install from known clean media (not ISOs that were stored on the network).

All other devices need to be reset to factory defaults (printers, scanners, NAS, routers, switches, smartphones etc etc).

All users need to have new passwords, and make sure they are string (I would suggest an absolute minimum of 15 characters - 20 would be better).

Get paid in advance!

IT MeetjeslandAuthor Commented:
Recieved a file, did a test on a blank VM first, didn't seem to do any damage and recovered 2 files I put on there. It's running on the infected machine now.
Also, run backups at every step of the way, including after (you hope that) the files have been decrypted, and before you start the process of wiping everything.

Good luck!

IT MeetjeslandAuthor Commented:
I have setup a RWW in the past, was a long time ago. I remember my client using  a self signed certificate which was often a hassle to get it working. What kind of certificate do I need to make it working correctly? I know you can get a free domainname from Microsoft with yourdomain.remotewebaccess.com, do I need a certificate for that one then too?

I would not used a self-signed one - just buy one from DigiCert (for example) - the cost is not much.

If you want to have more than one domain / subdomain you can get certs with multiple SANs - maybe best to phone DigiCert or whoever, and describe your situation, so they can advise on the easiest / cheapest option.

So several things here, now that we know what happened:
1) Implement backups.
2) Review and refine the security policies. (You may want to go back and look at this across ALL of your clients)
3) Implement improved security measures (like above, for all of your clients) including what Alan has mentioned
btanExec ConsultantCommented:
Never wise to have RDP across internet. If really need to administer through internet, consider VPN and 2FA. It is a minimal as attackers are doing all scans and would brute force on these RDP weakness.
Lasse BodilsenSystem AdministratorCommented:
as btan mention.

Use VPN to access the network, and then RPD through the VPN connection.

and as Alan said:  Never have RDP open to the internet.
Thanks Lasse - I don't mean to be contradictory, but I am always a little concerned about VPNs as it means that a 'foreign' network becomes connected to mine.  Call me Paranoid Al!

I prefer RWW if possible.

However, VPN beats raw RDP any day :-)

Mal OsborneAlpha GeekCommented:
Yep, RDP directly exposed on the 'net is inviting disaster. After an hour or a week or a month, someone WILL port scan and find it. Once this occurs, a heap of script kiddies WILL try to guess your user name and password. They usually guess names based on email addresses, and try common names like "Administrator" or "guest".

If you have strong passwords, (for EVERY user), then the first thing you may notice is user accounts getting locked out, after multiple failed login attempts.
IT MeetjeslandAuthor Commented:
Since the decrypter kept crashing on the server, we copied the important files to an external drive and tried to decrypt them in a VM. This seemed to work, but we can not open the files. Windows does not recognize the file or when it opens, it's all funky text.

Is this normal? Do I need to decrypt the files from the machine they were encrypted?
Does anything appear different about the decrypted files, like maybe missing or incorrect file extensions?
Lasse BodilsenSystem AdministratorCommented:
Do the files still have their extension?  

like eg. a word doc is still filename.doc or filename.docx
IT MeetjeslandAuthor Commented:
The files still have their extension, the .encrypt extension is gone.
IT MeetjeslandAuthor Commented:
I cannot select a certain folder to decrypt. I was told to put the 2 files in any folder and just run the executable, the second file is a txt file with the password inside. It always starts to decrypt from the C-drive. Which is data I don't care about.
Well, since you've already gone down the paying them, might as well get their assistance in troubleshooting. But do NOT allow them to connect to your system again. Is there a way you can maybe clone the server as a virtual, isolate it, and do the decryption from there?
IT MeetjeslandAuthor Commented:
I also need internet to make the decrypter run, if I don't have internet, it won't do anything.  It seems to search for all the files with the .encrypt extension first and then starts the decryption afterwards.
Hi IT Meetjesland,

This *sounds* like it is just another scam to see how much further they can hijack your systems.

I really think the best option is to give up, accept the lessons learned, wipe everything, reinstall from scratch, and move on (or just move on!)

Anything else is probably just throwing good money (and time) after bad.

I really feel for you mate.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Hi IT Meetjesland,

How are you going with this?

Have you gotten things back up and running?  Any more issues?


IT MeetjeslandAuthor Commented:
We declared this issue as a total loss. We were unable to recovering the data. Thanks to everyone for helping out.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.