
Ransomware virus

Asked by Pro Suite
359 Views
Last Modified: 2017-11-29
One of our clients has a ransomware virus; in every folder there is a text document with the following info:

All your files have been encrypted. If you want to restore them, write us to the e-mail writefordecrypt@openmailbox.org
013CCCAC1509577167

I am guessing all is lost when there is no backup?

Alan, Consultant
CERTIFIED EXPERT

Commented:
Hi,

If you have no backups, then you are almost certainly up the creek, and the directors / board are almost certainly in for a very bad time, as it would likely be regarded as prima facie evidence of negligence, meaning they are potentially personally liable for any losses to creditors and / or shareholders.

Might be a good idea to move on quickly.

Alan.
Lasse Bodilsen, System administrator
CERTIFIED EXPERT
Commented:
MAS, EE Solution Guide - Technical Dept Head
CERTIFIED EXPERT
Most Valuable Expert 2017

Commented:
-->I am guessing all is lost when there is no backup?
Sadly yes
Mal Osborne, Alpha Geek
CERTIFIED EXPERT

Commented:
You COULD try paying the ransom.

Of course this will be encouraging criminal activity in general, and more attacks on your site specifically. The crooks may or may not send you a key.
John Tsioumpris, Software & Systems Engineer
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
When this disaster happens there are 2 things you can do...
1. Search the Internet for a known decryptor...just don't click everything and everywhere or you will probably have nasty experiences...better use an isolated VM for this task.
2. Disconnect the HDD or make a complete image of it and store it...sometimes authorities manage to crack these cybercriminals and their code is forwarded to security experts to create decryptors...so not now, but in a month/year maybe he/she will get lucky....
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Without backups, the only feasible options are:
1) Try to see if a decryptor can be identified.
2) Pay the ransom (definitely do not recommend doing this for obvious reasons)
3) Totally reload the system after backing up the entire system (following #2 from John T's advice)

Just as importantly, you need to figure out HOW the system got hit with ransomware, and review your entire security program. The issue could've been purely user action, or the result of a technical failure somewhere along the line. Regardless, ramp up user awareness training, and improve your technical security measures.
btan, Exec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Suggest you identify the ransomware family, and who knows, it may have a past decryptor.
Try ID Ransomware to identify what ransomware encrypted your files. Another means is to run RansomNoteCleaner: when it is first launched, it will contact the ID Ransomware web site and retrieve the latest information on known ransom notes. Other than this initial update of its definitions, RansomNoteCleaner will not perform any other network connections and no information about your system is uploaded to their servers. If you have a network issue with reaching the website, you can use the Refresh Network button to try again.

To select the ransomware whose ransom notes you wish to scan for, you can click on the Select Ransomware(s) button and select the specific ransomware. This is recommended if you have already identified the ransomware, as otherwise it will take much less time to search for the notes.

Once the ransomware variant(s) have been confirmed, you can click on the Search for Ransom Notes button to select a directory (or whole drive), and start the search for known ransom notes.  If you wish to clean an entire drive, you should select a specific drive letter.
If there is no decryptor found but the ransomware is identified, then I suggest you back up those encrypted files in the hope that a decryptor tool may be released in future.

Since there is no backup, move on to rebuild the machine and recover any data that can make moving on easier. No point scavenging for a cure since there isn't any; bite the bullet and carry on. To play safe, change credentials for online services, harden your machine with application whitelisting (run only authorised apps), restrict privileges as a user (not default admin) and patch up the machine to the latest AV signatures and security hotfixes.

Hygiene is important to reduce the attack surface, as is the user awareness portion: recall how the infection got into the machine, e.g. phishing email attachment, link to phished websites which ask to install an unknown application or plugin after the visit, plugging in a USB; and disable or remove all unnecessary services, esp. those SMB and RDP services which are an avenue for spreading the infection...

In case you need some FAQ and more understanding in recovery and hardening, you may consider checking this article out
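An added example, not code from the thread and not RansomNoteCleaner's own code: a small offline triage scanner in the spirit of the "identify the ransomware family first" advice above. It walks a directory tree, counts files by extension, guesses which extension the ransomware appended, and flags small text files that read like ransom notes. The tree it scans is a constructed sample built in a temporary folder; the note wording and the ".encrypt" extension come from this thread, the folder and file names are assumptions.

```python
"""Offline ransomware triage: which extension was appended, and where are the notes?
Added example; scans a constructed sample tree, not a real infected machine."""
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Phrases typical of ransom notes. The first two are taken from the note quoted
# in the question; "decrypt" is an assumed catch-all.
NOTE_PATTERNS = [
    re.compile(r"all your files have been encrypted", re.I),
    re.compile(r"write (us )?to the e-?mail", re.I),
    re.compile(r"decrypt", re.I),
]
MAX_NOTE_BYTES = 64 * 1024  # ransom notes are tiny; never read large files


def looks_like_note(path: Path) -> bool:
    """True if a small text file matches at least two of the note patterns."""
    try:
        if path.stat().st_size > MAX_NOTE_BYTES:
            return False
        text = path.read_text(errors="ignore")
    except OSError:
        return False
    return sum(1 for pat in NOTE_PATTERNS if pat.search(text)) >= 2


def triage(root) -> dict:
    """One pass over the tree: extension counts, probable notes, and the
    extension most likely appended by the ransomware, taken as the most common
    final extension on files that still carry their original one
    (e.g. report.docx.encrypt). Dotted file names can skew this heuristic,
    so treat the result as a hint to feed into ID Ransomware, not as proof."""
    root = Path(root)
    ext_counts, stacked, notes = Counter(), Counter(), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            suffix = p.suffix.lower() or "<none>"
            ext_counts[suffix] += 1
            if len(p.suffixes) >= 2:
                stacked[suffix] += 1
            if suffix == ".txt" and looks_like_note(p):
                notes.append(p.relative_to(root).as_posix())
    suspect = stacked.most_common(1)[0][0] if stacked else None
    return {"extensions": dict(ext_counts),
            "notes": sorted(notes),
            "suspect_extension": suspect}


def build_sample_tree(base) -> Path:
    """Constructed sample: two folders, each holding a ransom note and two
    encrypted documents, plus an innocent .txt and a .jpg for contrast."""
    base = Path(base)
    note = ("All your files have been encrypted. If you want to restore them, "
            "write us to the e-mail writefordecrypt@openmailbox.org\n")
    for folder in ("Documents", "Finance"):
        d = base / folder
        d.mkdir(parents=True, exist_ok=True)
        (d / "HOW_TO_RESTORE.txt").write_text(note)
        (d / "report.docx.encrypt").write_bytes(b"\x00" * 32)
        (d / "budget.xlsx.encrypt").write_bytes(b"\x00" * 32)
    (base / "Documents" / "readme.txt").write_text("lunch order for Friday\n")
    (base / "Documents" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    return base


def run_demo() -> dict:
    """Build the sample tree in a temp dir, triage it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(tmp))


if __name__ == "__main__":
    report = run_demo()
    print("files by extension:", report["extensions"])
    print("probable ransom notes:", report["notes"])
    print("suspect appended extension:", report["suspect_extension"])
```

Point `triage()` at a copy or a read-only mounted image of the affected drive rather than the live machine; the scanner only reads, but working from an image keeps the evidence intact for the "store it in case a decryptor appears later" option John mentions.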

Author

Commented:
Thanks for the many tips everyone. I tried some of the decrypters. Some of them seem to recognize the encryption, but when running the software it either does not decrypt or it asks me for the original file. And I have not got a response from that email in the last 24 hours.

So I might just declare this a total loss.
E A, Tech Lead
CERTIFIED EXPERT
Commented:
btan, Exec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:

Author

Commented:
This is what I get when I use the website id-ransomware:

CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Well, try with a file you know is of little importance. If you're lucky, then it is decryptable. Worst case, you've at least tried and will have to wait.

Author

Commented:
Tried many files, didn't work...
btan, Exec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
Isha Rikhi, Data Recovery Expert
Commented:

Author

Commented:
We finally got a response from the person demanding some bitcoins. Our client made the payment. He is awaiting response.

It turns out someone was often logging in to the server remotely using plain Remote desktop for work purposes and the password was very easy to guess. Plus that user had full admin rights, that's just asking for it I guess...

This is a thing we often see, people logging in remotely to their server/pc with just the IP:PORTNUMBER. Is there an alternative more secure way of doing this? These are often businesses between 5-10 users. So IT budget is always on the low side.
Alan, Consultant
CERTIFIED EXPERT
Commented:

Author

Commented:
Received a file, did a test on a blank VM first, didn't seem to do any damage and recovered 2 files I put on there. It's running on the infected machine now.
Alan, Consultant
CERTIFIED EXPERT

Commented:
Also, run backups at every step of the way, including after (you hope that) the files have been decrypted, and before you start the process of wiping everything.

Good luck!

Alan.

Author

Commented:
I have set up a RWW in the past, was a long time ago. I remember my client using a self-signed certificate which was often a hassle to get working. What kind of certificate do I need to make it work correctly? I know you can get a free domain name from Microsoft with yourdomain.remotewebaccess.com, do I need a certificate for that one then too?
Alan, Consultant
CERTIFIED EXPERT

Commented:
Hi,

I would not use a self-signed one - just buy one from DigiCert (for example) - the cost is not much.

If you want to have more than one domain / subdomain you can get certs with multiple SANs - maybe best to phone DigiCert or whoever, and describe your situation, so they can advise on the easiest / cheapest option.

Alan.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
So several things here, now that we know what happened:
1) Implement backups.
2) Review and refine the security policies. (You may want to go back and look at this across ALL of your clients)
3) Implement improved security measures (like above, for all of your clients) including what Alan has mentioned
btan, Exec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Never wise to have RDP across the internet. If you really need to administer through the internet, consider VPN and 2FA. It is the minimum, as attackers are doing all the scans and would brute force these RDP weaknesses.
Lasse Bodilsen, System administrator
CERTIFIED EXPERT
Commented:
Alan, Consultant
CERTIFIED EXPERT
Commented:
Mal Osborne, Alpha Geek
CERTIFIED EXPERT

Commented:
Yep, RDP directly exposed on the 'net is inviting disaster. After an hour or a week or a month, someone WILL port scan and find it. Once this occurs, a heap of script kiddies WILL try to guess your user name and password. They usually guess names based on email addresses, and try common names like "Administrator" or "guest".

If you have strong passwords, (for EVERY user), then the first thing you may notice is user accounts getting locked out, after multiple failed login attempts.
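An added example, not from the thread: detection logic for what Mal and btan describe, an exposed RDP host being port-scanned and then hammered with guessed user names and passwords until accounts lock out. It runs over a constructed list of Windows Security events in a simplified dict form (event id, time, account, source IP, logon type). In a real deployment the records would come from the Security log (Get-WinEvent) or a SIEM, which is assumed here rather than shown; the source addresses are documentation-range placeholders, not real hosts.

```python
"""RDP password-guessing detection over Windows Security events 4625/4624/4740.
Added example running on constructed sample events, not the thread's own code."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625      # An account failed to log on
SUCCESS_LOGON = 4624     # An account was successfully logged on
ACCOUNT_LOCKOUT = 4740   # A user account was locked out
RDP_LOGON_TYPE = 10      # RemoteInteractive. With NLA enabled, RDP failures are
                         # usually logged as type 3, so failures are counted
                         # regardless of logon type below.


def event(event_id, when, account, ip=None, logon_type=None):
    """Simplified Security-log record (assumed shape, not the raw XML)."""
    return {"id": event_id, "time": when, "account": account,
            "ip": ip, "logon_type": logon_type}


def detect(events, window=timedelta(minutes=5), threshold=10):
    """Return alerts in time order:
    - brute_force: >= threshold failed logons from one IP inside the window
      (fires once per IP until that IP's window empties);
    - lockout: any 4740, which Mal notes is often the first visible symptom;
    - success_after_failures: an RDP logon from an IP that produced at least
      threshold/2 failures inside the window, i.e. a likely guessed password."""
    alerts = []
    recent_failures = defaultdict(list)  # source ip -> [(time, account), ...]
    alerted = set()
    for e in sorted(events, key=lambda ev: ev["time"]):
        ip, now = e["ip"], e["time"]
        if ip is not None:  # drop this IP's failures that fell out of the window
            recent_failures[ip] = [f for f in recent_failures[ip]
                                   if now - f[0] <= window]
            if not recent_failures[ip]:
                alerted.discard(ip)
        if e["id"] == FAILED_LOGON:
            recent_failures[ip].append((now, e["account"]))
            if len(recent_failures[ip]) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append({"kind": "brute_force", "ip": ip,
                               "attempts": len(recent_failures[ip]),
                               "accounts": sorted({a for _, a in recent_failures[ip]})})
        elif e["id"] == ACCOUNT_LOCKOUT:
            # 4740 carries the caller computer name rather than an IP, so no ip field
            alerts.append({"kind": "lockout", "account": e["account"]})
        elif e["id"] == SUCCESS_LOGON and e["logon_type"] == RDP_LOGON_TYPE:
            prior = len(recent_failures[ip])
            if prior >= threshold // 2:
                alerts.append({"kind": "success_after_failures", "ip": ip,
                               "account": e["account"], "prior_failures": prior})
    return alerts


# Constructed sample (RFC 5737 documentation addresses, invented accounts).
ATTACKER = "203.0.113.45"   # scanner that found the exposed RDP port
OFFICE = "198.51.100.7"     # a legitimate user who mistypes twice
t0 = datetime(2017, 11, 20, 2, 14, 0)
t1 = datetime(2017, 11, 20, 9, 0, 0)
SAMPLE_EVENTS = (
    # twelve failures in two minutes, cycling through commonly guessed names
    [event(FAILED_LOGON, t0 + timedelta(seconds=10 * i),
           ["administrator", "guest", "john"][i % 3], ATTACKER) for i in range(12)]
    + [event(ACCOUNT_LOCKOUT, t0 + timedelta(seconds=115), "john"),
       event(SUCCESS_LOGON, t0 + timedelta(seconds=130), "administrator",
             ATTACKER, RDP_LOGON_TYPE)]
    # normal activity: two typos, then a successful RDP logon
    + [event(FAILED_LOGON, t1, "alice", OFFICE),
       event(FAILED_LOGON, t1 + timedelta(seconds=20), "alice", OFFICE),
       event(SUCCESS_LOGON, t1 + timedelta(seconds=40), "alice", OFFICE, RDP_LOGON_TYPE)]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The thresholds are starting points: tune `window` and `threshold` against a week of your own logs before alerting on them, and treat the `success_after_failures` case as the urgent one, since it is exactly the "easy password plus full admin rights" situation the author found. The fixes already given in the thread (VPN with 2FA instead of exposed RDP, strong passwords for every account, a lockout policy) are what make these alerts rare.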

Author

Commented:
Since the decrypter kept crashing on the server, we copied the important files to an external drive and tried to decrypt them in a VM. This seemed to work, but we can not open the files. Windows does not recognize the file or when it opens, it's all funky text.

Is this normal? Do I need to decrypt the files from the machine they were encrypted?
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Does anything appear different about the decrypted files, like maybe missing or incorrect file extensions?
Lasse Bodilsen, System administrator
CERTIFIED EXPERT

Commented:
Do the files still have their extension?

like e.g. a Word doc is still filename.doc or filename.docx

Author

Commented:
The files still have their extension, the .encrypt extension is gone.

Author

Commented:
I cannot select a certain folder to decrypt. I was told to put the 2 files in any folder and just run the executable, the second file is a txt file with the password inside. It always starts to decrypt from the C-drive. Which is data I don't care about.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Well, since you've already gone down the path of paying them, might as well get their assistance in troubleshooting. But do NOT allow them to connect to your system again. Is there a way you can maybe clone the server as a virtual, isolate it, and do the decryption from there?

Author

Commented:
I also need internet to make the decrypter run; if I don't have internet, it won't do anything. It seems to search for all the files with the .encrypt extension first and then starts the decryption afterwards.
Consultant
CERTIFIED EXPERT
Commented:
Alan, Consultant
CERTIFIED EXPERT

Commented:
Hi IT Meetjesland,

How are you going with this?

Have you gotten things back up and running?  Any more issues?

Thanks,

Alan.

Author

Commented:
We declared this issue a total loss. We were unable to recover the data. Thanks to everyone for helping out.