Pro Suite (Belgium) asked:
Ransomware virus

One of our clients has a ransomware virus; in every folder there is a text document with the following info:

All your files have been encrypted. If you want to restore them, write us to the e-mail writefordecrypt@openmailbox.org
013CCCAC1509577167

I am guessing all is lost when there is no backup?
Alan (New Zealand):

Hi,

If you have no backups, then you are almost certainly up the creek, and the directors / board are almost certainly in for a very bad time, as it would likely be regarded as prima facie evidence of negligence, meaning they are potentially personally liable for any losses to creditors and / or shareholders.

Might be a good idea to move on quickly.

Alan.
Lasse Bodilsen (Denmark):
--> I am guessing all is lost when there is no backup?
Sadly yes
You COULD try paying the ransom.

Of course this will be encouraging criminal activity in general, and more attacks on your site specifically. The crooks may or may not send you a key.
When this disaster happens there are 2 things you can do:
1. Search the Internet for a known decryptor... just don't click everything and everywhere, or you will probably have nasty experiences... better to use an isolated VM for this task.
2. Disconnect the HDD or make a complete image of it and store it... sometimes the authorities manage to crack these cybercriminals and their code is forwarded to security experts to create decryptors... so not now, but in a month/year maybe he/she will get lucky....
Without backups, the only feasible options are:
1) Try to see if a decryptor can be identified.
2) Pay the ransom (definitely do not recommend doing this for obvious reasons)
3) Totally reload the system after backing up the entire system (following #2 from John T's advice)

Just as importantly, you need to figure out HOW the system got hit with ransomware, and review your entire security program. The issue could've been purely user action, or the result of a technical failure somewhere along the line. Regardless, ramp up user awareness training, and improve your technical security measures.
btan:

Suggest you identify the ransomware family, and who knows, it may have a past decryptor.
Try ID Ransomware to identify what ransomware encrypted your files. Another means is to run RansomNoteCleaner.
When it is first launched, it will contact the ID Ransomware web site and retrieve the latest information on known ransom notes. Other than this initial update of its definitions, RansomNoteCleaner will not perform any other network connections and no information about your system is uploaded to their servers. If you have a network issue reaching the website, you can use the Refresh Network button to try again.
 

To select the ransomware whose ransom notes you wish to scan for, you can click on the Select Ransomware(s) button and select the specific ransomware. This is recommended if you have already identified the ransomware, as it will then take much less time to search for the notes.

Once the ransomware variant(s) have been confirmed, you can click on the Search for Ransom Notes button to select a directory (or whole drive), and start the search for known ransom notes. If you wish to clean an entire drive, you should select a specific drive letter.
If no decryptor is found but the ransomware is identified, then I suggest you back up those encrypted files in the hope that a decryptor tool may be released in future.

Since there is no backup, move on to rebuild the machine and recover any data that can make moving on easier. No point scavenging for a cure since there isn't any; bite the bullet and carry on. To play safe, change credentials for online services and harden your machine with application whitelisting (run only authorised apps), restrict privileges as a user (not default admin) and patch the machine up to the latest AV signatures and security hotfixes.

Hygiene is important to reduce the attack surface, as is the user awareness portion: recall how the infection got into the machine, e.g. a phishing email attachment, a link to a phished website which asks you to install an unknown application or plugin after the visit, or a plugged-in USB; and disable or remove all unnecessary services, especially SMB and RDP services, which are an avenue for spreading the infection...

In case you need an FAQ and more understanding of recovery and hardening, you may consider checking this article out.
Pro Suite (asker):
Thanks for the many tips, everyone. I tried some of the decrypters. Some of them seem to recognize the encryption, but when running the software it either does not decrypt or it asks me for the original file. And I have not got a response from that email in the last 24 hours.

So I might just declare this a total loss.
This is what I get when I use the website id-ransomware:

[screenshot of the ID Ransomware result, not reproduced]
Well, try with a file you know is of little importance. If you're lucky, then it is decryptable. Worst case, you've at least tried and will have to wait.
Tried many files, didn't work...
We finally got a response from the person, demanding some bitcoins. Our client made the payment. He is awaiting a response.

It turns out someone was often logging in to the server remotely using plain Remote Desktop for work purposes, and the password was very easy to guess. Plus that user had full admin rights; that's just asking for it, I guess...

This is a thing we often see: people logging in remotely to their server/PC with just the IP:PORTNUMBER. Is there an alternative, more secure way of doing this? These are often businesses with between 5 and 10 users, so the IT budget is always on the low side.
Received a file, did a test on a blank VM first; it didn't seem to do any damage and recovered 2 files I put on there. It's running on the infected machine now.
Also, run backups at every step of the way, including after (you hope that) the files have been decrypted, and before you start the process of wiping everything.

Good luck!

Alan.
I have set up a RWW in the past; it was a long time ago. I remember my client using a self-signed certificate, which was often a hassle to get working. What kind of certificate do I need to make it work correctly? I know you can get a free domain name from Microsoft with yourdomain.remotewebaccess.com; do I need a certificate for that one too?
Hi,

I would not use a self-signed one - just buy one from DigiCert (for example) - the cost is not much.

If you want to have more than one domain / subdomain you can get certs with multiple SANs - maybe best to phone DigiCert or whoever, and describe your situation, so they can advise on the easiest / cheapest option.

Alan.
So several things here, now that we know what happened:
1) Implement backups.
2) Review and refine the security policies. (You may want to go back and look at this across ALL of your clients)
3) Implement improved security measures (like above, for all of your clients) including what Alan has mentioned
Never wise to have RDP across the internet. If you really need to administer through the internet, consider VPN and 2FA. That is a minimum, as attackers are running all the scans and will brute force these RDP weaknesses.
Yep, RDP directly exposed on the 'net is inviting disaster. After an hour or a week or a month, someone WILL port scan and find it. Once this occurs, a heap of script kiddies WILL try to guess your user name and password. They usually guess names based on email addresses, and try common names like "Administrator" or "guest".

If you have strong passwords, (for EVERY user), then the first thing you may notice is user accounts getting locked out, after multiple failed login attempts.
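The lockout symptom described above is the one thing a small business can actually watch for. As an added example (not code from the thread), here is a detector run over a constructed export of the Windows Security log: it assumes the log has been exported to CSV with the columns timestamp, event_id, account, source_ip, logon_type (4625 = failed logon, 4740 = account locked out, logon type 10 = RemoteInteractive, i.e. RDP). The log lines, account names and the documentation-range IP addresses are all made up.

```python
"""Spot password guessing against an internet-exposed RDP server.

Added example, not from the thread. Assumes the Security log was exported
to CSV as: timestamp,event_id,account,source_ip,logon_type
(4625 = failed logon, 4740 = lockout, logon type 10 = RDP). The sample
lines are constructed; addresses come from documentation ranges.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON, LOCKOUT, RDP_LOGON_TYPE = "4625", "4740", "10"

SAMPLE_LOG = """\
2016-08-01T02:13:05,4625,Administrator,203.0.113.45,10
2016-08-01T02:13:06,4625,Administrator,203.0.113.45,10
2016-08-01T02:13:08,4625,admin,203.0.113.45,10
2016-08-01T02:13:09,4625,guest,203.0.113.45,10
2016-08-01T02:13:11,4625,john,203.0.113.45,10
2016-08-01T02:13:12,4625,john,203.0.113.45,10
2016-08-01T02:13:14,4740,john,203.0.113.45,10
2016-08-01T09:30:00,4625,jane,192.0.2.7,10
2016-08-01T09:31:10,4624,jane,192.0.2.7,10
"""


def parse_events(text):
    """Turn CSV lines into dicts; skips blank lines and an optional header row."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("timestamp"):
            continue
        ts, event_id, account, src, logon_type = line.strip().split(",")
        events.append({"ts": datetime.fromisoformat(ts), "event_id": event_id,
                       "account": account.lower(), "src": src,
                       "logon_type": logon_type})
    return events


def detect_rdp_guessing(events, window=timedelta(minutes=5), threshold=5):
    """Alert once per source IP that accumulates `threshold` RDP logon failures
    inside a sliding `window`, and on every lockout (4740).
    Returns the alerts in time order."""
    alerts, flagged = [], set()
    recent = defaultdict(deque)          # source_ip -> (ts, account) inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] == LOCKOUT:
            alerts.append({"type": "lockout", "src": ev["src"],
                           "account": ev["account"], "ts": ev["ts"]})
            continue
        if ev["event_id"] != FAILED_LOGON or ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["account"]))
        while ev["ts"] - q[0][0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ev["src"] not in flagged:
            flagged.add(ev["src"])
            alerts.append({"type": "bruteforce", "src": ev["src"], "attempts": len(q),
                           "accounts": sorted({a for _, a in q}), "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_guessing(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample data the detector raises two alerts: one for 203.0.113.45 after its fifth failure in under a minute (four different account names tried, which is the name-guessing pattern described above), and one for the resulting lockout of "john". The single failure from 192.0.2.7 followed by a successful 4624 is a user mistyping a password and is left alone.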
Since the decrypter kept crashing on the server, we copied the important files to an external drive and tried to decrypt them in a VM. This seemed to work, but we cannot open the files. Windows does not recognize the file, or when it opens, it's all funky text.

Is this normal? Do I need to decrypt the files on the machine they were encrypted on?
Does anything appear different about the decrypted files, like maybe missing or incorrect file extensions?
Do the files still have their extension?

E.g. a Word doc is still filename.doc or filename.docx.
The files still have their extension, the .encrypt extension is gone.
I cannot select a certain folder to decrypt. I was told to put the 2 files in any folder and just run the executable; the second file is a txt file with the password inside. It always starts to decrypt from the C drive, which is data I don't care about.
Well, since you've already gone down the path of paying them, you might as well get their assistance in troubleshooting. But do NOT allow them to connect to your system again. Is there a way you can maybe clone the server as a virtual machine, isolate it, and do the decryption from there?
I also need internet access to make the decrypter run; if I don't have internet, it won't do anything. It seems to search for all the files with the .encrypt extension first and then starts the decryption afterwards.
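Two points in this thread call for the same check: btan's advice to inventory and preserve the encrypted files while the family is being identified, and the "funky text" files above, where the decrypter stripped the .encrypt suffix without actually producing a readable document. As an added example (not code from the thread or from any decryptor), the script below triages a file set by two signals a practitioner relies on: whether a file starts with the magic bytes its extension implies, and whether its byte entropy is that of ciphertext (close to 8 bits per byte) or of a real document. The ".encrypt" suffix and the ransom note wording come from the thread; the file names, the 7.5-bit entropy cut-off and the sample contents are constructed here and built in memory.

```python
"""Triage a ransomware-hit file set and verify a decryptor's output.

Added example, not from the thread. Verdicts per file:
  note            - a text file carrying the ransom note wording
  encrypted       - still carries the .encrypt suffix (preserve for a future decryptor)
  recovered       - extension restored AND file starts with the right magic bytes
  still_encrypted - extension restored but bytes still look like ciphertext
  unknown         - none of the above
All sample files below are constructed; file names are invented.
"""
import hashlib
import io
import math
import zipfile
from collections import Counter

# Magic bytes for the document types a small office typically loses.
MAGIC = {
    "docx": b"PK\x03\x04", "xlsx": b"PK\x03\x04", "pptx": b"PK\x03\x04",
    "doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    "pdf": b"%PDF", "jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n",
}
ENCRYPTED_SUFFIX = ".encrypt"                   # from the thread
NOTE_MARKER = "All your files have been encrypted"  # from the ransom note in the thread
ENTROPY_CIPHERTEXT = 7.5   # bits/byte; assumption: ordinary documents stay well below this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the ceiling, reached only by random-looking data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def magic_matches(name: str, data: bytes) -> bool:
    ext = name.rsplit(".", 1)[-1].lower()
    sig = MAGIC.get(ext)
    return sig is not None and data.startswith(sig)


def classify(name: str, data: bytes) -> str:
    if name.endswith(ENCRYPTED_SUFFIX):
        return "encrypted"
    if name.lower().endswith(".txt") and NOTE_MARKER in data.decode("utf-8", "replace"):
        return "note"
    if magic_matches(name, data):
        return "recovered"
    if shannon_entropy(data) > ENTROPY_CIPHERTEXT:
        return "still_encrypted"      # a decryptor renamed it but did not decrypt it
    return "unknown"


def triage(files: dict) -> dict:
    """Group names by verdict and hash every file so the preserved set can be verified later."""
    report = {"verdicts": {}, "sha256": {}}
    for name, data in files.items():
        report["verdicts"].setdefault(classify(name, data), []).append(name)
        report["sha256"][name] = hashlib.sha256(data).hexdigest()
    return report


# --- constructed sample data -------------------------------------------------
def _pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (SHA-256 chain)."""
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


def _minimal_docx() -> bytes:
    """A two-entry zip, enough to carry the PK magic a real .docx starts with."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


SAMPLE_FILES = {
    "invoices/readme.txt": (NOTE_MARKER + ". If you want to restore them, write us ...").encode(),
    "invoices/march.xlsx.encrypt": _pseudo_ciphertext(b"a", 4096),   # untouched by any decryptor
    "letters/offer.docx": _minimal_docx(),                           # decryptor really worked
    "letters/quote.pdf": b"%PDF-1.4\n%constructed sample\n",         # decryptor really worked
    "letters/contract.doc": _pseudo_ciphertext(b"b", 4096),          # renamed, still ciphertext
}

if __name__ == "__main__":
    for verdict, names in triage(SAMPLE_FILES)["verdicts"].items():
        print(verdict, names)
```

The "still_encrypted" verdict is the one that explains the symptom in the thread: a file named contract.doc that Windows cannot open and that shows as gibberish has no OLE header and near-maximal entropy, so the decryptor only renamed it. Files in the "encrypted" bucket, with their hashes, are what to copy off and keep in case a decryptor for the family appears later.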
Hi IT Meetjesland,

How are you going with this?

Have you gotten things back up and running?  Any more issues?

Thanks,

Alan.
We declared this issue a total loss. We were unable to recover the data. Thanks to everyone for helping out.