
How do you delete all the .cheetah extension that were added to files

Last Modified: 2019-07-04
We had a non-critical server get infected with the Cheetah virus.  I have run Sophos and Malwarebytes and neither has fixed it.  I can change the extensions manually but that will take forever.

There must be a simple solution that one of you have tried.   HELP!

John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Use the Bulk Rename application.  I have seen this recommended on numerous occasions.

https://www.bulkrenameutility.co.uk/Main_Intro.php
J.R. Sitman, IT Director

Author

Commented:
I'm trying to figure it out.  Can you help?   I cannot figure out how to remove .cheetah from each file.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Here is the method using the application above to remove the secondary extension.

https://www.bulkrenameutility.co.uk/forum/viewtopic.php?f=4&t=3557

I hope this helps
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
You might also consider the following PowerShell approach.

https://blogs.msdn.microsoft.com/dan_fay/2012/09/17/rename-file-extension-with-powershell/

Rename to .  or try blank
J.R. Sitman, IT Director

Author

Commented:
Thanks.  Now I am getting an access denied error.  I am changing the security on the folders.
Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:
I just did some looking. This is a ransomware virus.

https://www.enigmasoftware.com/cheetahfileextensionransomware-removal/

You will need to restore from the server backup
J.R. Sitman, IT Director

Author

Commented:
I can rename the extension manually but not with Bulk Rename.  Could it be because I am on a server and using the free version?
Kevin Stockmar, Sr. Network Engineer
CERTIFIED EXPERT

Commented:
It is my understanding that the .cheetah ransomware also encrypts all of your files.

If you manually remove the file extension, are you able to access the original contents of the file?  You can test this by finding a file like 'file.txt.cheetah' and renaming the file to 'file.txt' manually. Open the renamed file in notepad to see if the file is readable.

If you can't read the contents of the file, your data is likely encrypted and you will need to restore your data from a backup in order to recover the data.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
I am not sure about the Free / Paid differences.

Try the Powershell approach above
CERTIFIED EXPERT

Commented:
Here is a native batch script to do the job for you.

@echo off
setlocal enabledelayedexpansion
rem Walk the current directory tree and list every *.cheetah file with its full path.
for /f "tokens=*" %%f in ('dir /a/s/b *.cheetah') do (
	set file=%%f
	for %%i in ("!file!") do (
		rem The ~nx modifier yields file name plus extension; strip the appended .cheetah.
		set fix=%%~nxi
		set fix=!fix:.cheetah=!
		rem Dry run: only echo the rename command. Remove "echo" to apply it.
		echo ren "!file!" "!fix!"
	)
)

This will simply echo the rename command to the console for each file, to test and verify the script works as intended.

Once you're ready to actually rename the files, change the
echo ren "!file!" "!fix!"
code to
ren "!file!" "!fix!"


Does the malware simply rename the files or does it encrypt them as well?  Obviously if the files are encrypted, or modified in any way, simply renaming them won't resolve the issue.
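A way to run Kevin's one-file test from earlier in the thread (strip the extension and see whether the contents are still readable) over a whole tree, while keeping the batch script's dry-run-first flow, as an added example that is not code from this thread or from any of the posters. It assumes Python 3, that the malware only appended `.cheetah` to the original file name, and that the magic-byte table and the sample share tree it builds are constructed for illustration. A file is renamed only when its first bytes still match what its inner extension says they should be; anything that looks encrypted is left alone, since renaming cannot bring that data back.

```python
"""Triage *.cheetah files before bulk-renaming them.

Added example for this thread, not the batch script above and not a vendor tool.
Assumptions: "report.pdf.cheetah" was once "report.pdf"; the MAGIC table and the
sample tree built by build_sample_tree() are constructed for illustration.
"""
import math
import random
import tempfile
from pathlib import Path

SUFFIX = ".cheetah"

# Leading bytes expected for a few inner extensions (illustrative, not exhaustive).
MAGIC = {
    ".pdf": [b"%PDF-"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".zip": [b"PK\x03\x04"],
    ".docx": [b"PK\x03\x04"],
    ".xlsx": [b"PK\x03\x04"],
}
TEXT_EXTS = {".txt", ".csv", ".log", ".ini", ".xml", ".json"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_text(data: bytes) -> bool:
    """Valid UTF-8, no NUL bytes, and mostly printable characters."""
    if b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return not data or printable / len(data) > 0.9


def classify(original_name: str, head: bytes) -> str:
    """'intact' if the content matches the inner extension, 'encrypted' if it clearly does not."""
    inner = Path(original_name).suffix.lower()
    if inner in MAGIC:
        return "intact" if any(head.startswith(m) for m in MAGIC[inner]) else "encrypted"
    if inner in TEXT_EXTS:
        return "intact" if looks_like_text(head) else "encrypted"
    # No signature to compare against: high entropy is the only signal left.
    return "encrypted" if shannon_entropy(head) > 7.5 else "unknown"


def triage(root: Path, rename: bool = False, head_len: int = 4096) -> dict:
    """Classify every *.cheetah file under root; rename only verified-intact files when asked."""
    verdicts = {}
    for path in sorted(root.rglob(f"*{SUFFIX}")):  # materialised before any rename happens
        if not path.is_file() or len(path.name) <= len(SUFFIX):
            continue
        original = path.name[: -len(SUFFIX)]
        with open(path, "rb") as fh:
            head = fh.read(head_len)
        verdict = classify(original, head)
        verdicts[path.relative_to(root).as_posix()] = verdict
        target = path.with_name(original)
        if rename and verdict == "intact" and not target.exists():
            path.rename(target)
    return verdicts


def build_sample_tree(base: Path) -> Path:
    """Constructed samples: a renamed-only text file, an intact PDF, and two encrypted blobs."""
    root = base / "share"
    (root / "docs").mkdir(parents=True)
    rng = random.Random(1234)
    noise = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for ciphertext
    (root / "notes.txt.cheetah").write_bytes(b"quarterly notes\nnothing changed\n")
    (root / "docs" / "report.pdf.cheetah").write_bytes(b"%PDF-1.4\n" + b"%" * 64)
    (root / "docs" / "photo.jpg.cheetah").write_bytes(noise)
    (root / "dump.bin.cheetah").write_bytes(noise)
    return root


def run_demo(rename: bool = False) -> tuple:
    """Build the sample tree in a temp dir, triage it, and report which files remain."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(Path(tmp))
        verdicts = triage(root, rename=rename)
        remaining = sorted(p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file())
    return verdicts, remaining


if __name__ == "__main__":
    for name, verdict in run_demo()[0].items():
        print(f"{verdict:9s} {name}")
```

Run it as-is to see the verdicts on the constructed tree; against a real share, call `triage(Path(r"D:\share"))` first, review the output, and only then call it again with `rename=True`. Files classed as encrypted keep their `.cheetah` name so the list of what needs restoring from backup stays visible, which matches where the thread ends up.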
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
If encrypted, you may be able to rename (?) but not do anything with the files.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Best at this point to make plans for restoring from a backup. If you have all your data backed up, delete from the server and run antivirus scans to clean up the server.
J.R. Sitman, IT Director

Author

Commented:
The server is not backed up.  I am still testing the rename of files.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
You said non-critical so you may wish to isolate the server (disconnect from the network) while you determine if you can recover files (doubtful at this point)
Kevin Stockmar, Sr. Network Engineer
CERTIFIED EXPERT

Commented:
As John mentioned, you should completely isolate this server as Malware like this is known to spread through SMB shares and other network means.
J.R. Sitman, IT Director

Author

Commented:
Since this is a Virtual server does that give me any other options for recovery?
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Not on the data, no, just on the Operating System.  Before you do that, make sure you have disinfected it.
J.R. Sitman, IT Director

Author

Commented:
ok
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
That is because the files have been damaged (not just renamed as originally hypothesized).
J.R. Sitman, IT Director

Author

Commented:
got it
J.R. Sitman, IT Director

Author

Commented:
I shut down the Virtual machine.   However, I found another VM with the Cheetah extension that is a Citrix server and users were logged onto it.  Is that a problem?
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Yes because these servers need to be isolated because the ransomware is spreading.
J.R. Sitman, IT Director

Author

Commented:
I shut it down.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Yes and the other server as well.  Shut it down.
J.R. Sitman, IT Director

Author

Commented:
I did
Mike T, Leading Engineer
CERTIFIED EXPERT

Commented:
Hi,

Do you know how the hackers got into your system? If not, then you really need to focus on that ASAP to close down their access. Sadly the average length of time hackers spend lurking is about 150 days, so they could have gained access months ago before triggering the ransomware. You also need to review your security setup even if you clean up this attack, as your business may be on the "easy target" list.
If you don't have skills to do all this in-house, then consider getting help from a specialist.

With regard to the first VM, I would wipe it if there's no data you need on it. Even cleaning AV (which failed anyway) doesn't fix the underlying hole in the fence. However, you can't wipe it until you have figured out how they got in and you have the evidence you need.
Do not connect it to any network at all - just remove the virtual NICs and logon locally during any investigations.

Mike
J.R. Sitman, IT Director

Author

Commented:
They got in through an RDP port. We locked it down.   I was able to delete all the locked files and no permanent damage was done.
J.R. Sitman, IT Director

Author

Commented:
Thanks to all
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
You are very welcome and I was happy to help.