
Ransom Attack

I had a friend of mine with a very small company and a Windows SBS 2011 server that got hit with ransomware. Her backup drive was also taken out by the attack. I was able to help her get a new server up with Windows 2019; however, it would be helpful if we could get her old files back. I see utilities from McAfee and others that may decrypt, but I know nothing about them. We also have the backup drive and thought about sending that off to be recovered. Any ideas would be appreciated. The suffix on all the files is U8E598.

Principal Software Engineer
CERTIFIED EXPERT
Commented:
This is why off-site and air-gapped backups are necessary.  It is a hard (and often expensive) lesson to learn, but as Ben Franklin said, "Experience is a dear teacher."

The current state of ransomware is such that there are few effective decrypters for the modern viruses. While there were holes in the encryption for older viruses, modern ransomware uses lengthy, randomly chosen, effectively uncrackable keys.

Whatever you do, do not pay the ransom.  The current standard in ransomware is to encrypt the files, take the ransom, and not deliver the decryption.

Note that even if the files can be decrypted, that system is still infested with who knows what, and nothing in it can ever be trusted again. Having delivered one payload into that system, it is safe to assume that the ransomware is not the only thing in it. If there are no secondary backups, it will be necessary to erase the drive (not just reformat it) and reload Windows and any layered products from scratch. It's a pretty fair assumption that the ransomware is not the only thing that was loaded into that system.

If you did not erase the drive before reloading Windows, I strongly encourage you to do so.
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
Some known ransomware could be decrypted.

Unfortunately, given the nature of ransomware, and depending on the value of the data, the only remaining option is to see what the cost would be. Note the risk of paying and getting nothing.

On the old server, are you able to determine how the ransomware got in? Email attachment?

Author

Commented:
Because of the nature of their business, it may not be a disaster; however, for my company it would be. I have four Windows 2019 servers and will have cloud backup set up before the week is over! Any suggestions on which company to use for cloud backup? We have between 1.5 and 2 TB of data on the servers.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
How much data? The issue with cloud backup is the agent: there is ransomware that attacks the agent to infect/delete the cloud backup.

As Dr.Klahn said, keep a backup offline/rotating.

Look at backups that provide versioning. iDrive is decent, but the cost for that much data might be...
Look at the S3 Glacier option.

For speed, get a USB external drive, back up the data, then disconnect the external.
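The point about versioning versus an agent that mirrors whatever is on the server, as an added example for this thread (not code from the page, nor from iDrive, S3 Glacier or Microsoft Backup). The store layout, the file names and the toy XOR "encryptor" are constructed for illustration; in a real deployment S3 bucket versioning with Object Lock, or a backup product's version retention, plays the role of VersionedStore, and the agent gets a credential that can write but not delete.

```python
"""Append-only, versioned backup store versus a plain mirror.

Added example; not code from the page or any product named in the thread.
Shows why a hijacked backup agent can only add junk to a versioned store,
while a mirror job faithfully replaces the last good copy with ciphertext."""
import hashlib


class VersionedStore:
    """Content-addressed blobs plus an append-only list of manifests.

    There is deliberately no delete or overwrite path: an agent that is
    hijacked by the ransomware can push garbage, but cannot remove what
    was stored earlier."""

    def __init__(self):
        self.blobs = {}      # sha256 hex -> file bytes
        self.manifests = []  # [{"ts": int, "files": {path: sha256 hex}}], oldest first

    def backup(self, files, ts):
        manifest = {"ts": ts, "files": {}}
        for path, data in files.items():
            digest = hashlib.sha256(data).hexdigest()
            self.blobs.setdefault(digest, data)  # never overwrite an existing blob
            manifest["files"][path] = digest
        self.manifests.append(manifest)
        return len(self.manifests) - 1

    def restore(self, before_ts):
        """Return the newest snapshot taken strictly before before_ts."""
        older = [m for m in self.manifests if m["ts"] < before_ts]
        if not older:
            raise LookupError("no backup older than %d" % before_ts)
        newest = max(older, key=lambda m: m["ts"])
        return {path: self.blobs[d] for path, d in newest["files"].items()}


def simulate_ransomware(files, key):
    """Stand-in for the encryptor: XOR with a short key and append the
    extension reported in the question. A toy, not the real cipher."""
    return {
        path + ".U8E598": bytes(b ^ key[i % len(key)] for i, b in enumerate(data))
        for path, data in files.items()
    }


def run_demo():
    day = 86400
    t1, t2, t3 = 1_700_000_000, 1_700_000_000 + day, 1_700_000_000 + 2 * day
    day1 = {"invoices.xlsx": b"Q3 invoices, draft", "clients.db": b"client records v1"}
    day2 = dict(day1, **{"invoices.xlsx": b"Q3 invoices, final"})

    mirror = {}
    store = VersionedStore()
    for ts, snapshot in ((t1, day1), (t2, day2)):
        mirror = dict(snapshot)      # mirror job: replace the whole backup set
        store.backup(snapshot, ts)   # versioned job: add a manifest, keep old blobs

    # Day 3: the server is encrypted, and the scheduled backup runs anyway.
    encrypted = simulate_ransomware(day2, key=b"\x5a\xa5")
    mirror = dict(encrypted)         # the mirror now holds only ciphertext
    store.backup(encrypted, t3)      # so does the newest version, but day 2 survives

    return {
        "mirror_has_clean_copy": any(path in mirror for path in day2),
        "restored_day2_is_clean": store.restore(before_ts=t3) == day2,
        "latest_version_is_encrypted": store.restore(before_ts=t3 + 1) == encrypted,
    }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```

The mirror ends the day with nothing but .U8E598 files, which is exactly the situation in the question; the versioned store also receives the encrypted set, but a restore pointed at any time before the attack still returns the day-2 files. Retention length is the knob that matters: it has to be longer than the time it takes to notice the infection.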

Author

Commented:
Thanks. Does anyone know anything about the AKO ransom? That appears to be what hit my friend's server.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
This one is recent: https://www.bleepingcomputer.com/news/security/ako-ransomware-another-day-another-infection-attacking-businesses/

SpyHunter is discussed as being able to remove AKO from the system.

If you search for "ako ransomware", there is a reference to a decryptor...

Make sure to test by working on a copy or image of the encrypted data.
CERTIFIED EXPERT

Commented:
Load your files for identification to see if there's a match. Once it's identified, you can then attempt to track down the decryptor. https://id-ransomware.malwarehunterteam.com/

If it's actually AKO ransomware, you're not going to find a decryptor, based on my searches.  It seems that it's still too new and too complex yet to be reversed.  Most of the guides show ways to "recover" the files from previous versions of shadow copy and data recovery from the disk.  You will need to be sure it's fully removed.
https://howtoremove.guide/ako-ransomware/
https://www.besttechtips.org/how-to-remove-ako-ransomware-and-decrypt-files/
https://www.bugsfighter.com/remove-ako-ransomware-and-decrypt-your-files/
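The two pieces of advice above (work on a copy or image, and gather what ID Ransomware needs before hunting for a decryptor) as an added example for this thread; it is not code from the page, from ID Ransomware or from any of the linked guides. It copies the evidence tree and hashes the original so you can prove it was untouched, inventories files by the .U8E598 suffix the author reported, uses byte entropy to separate files that were really encrypted from ones that were only renamed, and collects the ransom note. The sample tree and the note filename ako-readme.txt are constructed/assumed for the demo; take the real note name from the victim's system.

```python
"""Offline triage of a ransomware-hit file set, run on a copy of the evidence.

Added example; not code from the page or any tool linked in the thread.
The sample files and the note name 'ako-readme.txt' are constructed."""
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter

SUSPECT_EXT = ".U8E598"           # suffix reported in the question
NOTE_NAMES = {"ako-readme.txt"}   # assumed for the demo; use the real note name
ENTROPY_THRESHOLD = 7.5           # bits/byte; ciphertext sits near 8.0, text near 4-5


def shannon_entropy(data):
    """Bits of entropy per byte over the given sample."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_hashes(root):
    """relative path -> sha256 for every file under root (evidence integrity)."""
    return {
        os.path.relpath(os.path.join(d, f), root): sha256_file(os.path.join(d, f))
        for d, _, files in os.walk(root) for f in files
    }


def triage(root, sample_bytes=4096):
    report = {"encrypted": [], "renamed_only": [], "intact": [], "notes": []}
    for d, _, files in os.walk(root):
        for name in files:
            path = os.path.join(d, name)
            rel = os.path.relpath(path, root)
            if name.lower() in NOTE_NAMES:
                report["notes"].append(rel)
                continue
            with open(path, "rb") as f:
                entropy = shannon_entropy(f.read(sample_bytes))
            if name.endswith(SUSPECT_EXT):
                # Suffix plus high entropy: really encrypted. Suffix plus low
                # entropy: the payload was interrupted or the file was only renamed.
                bucket = "encrypted" if entropy >= ENTROPY_THRESHOLD else "renamed_only"
            else:
                bucket = "intact"
            report[bucket].append(rel)
    return report


def build_sample_tree(root):
    """Constructed evidence: one encrypted file, one renamed-but-plain file,
    one untouched file and a ransom note."""
    os.makedirs(root, exist_ok=True)
    samples = {
        "report.docx" + SUSPECT_EXT: os.urandom(4096),   # stands in for ciphertext
        "renamed.txt" + SUSPECT_EXT: b"plain text, never encrypted\n" * 100,
        "notes.txt": b"meeting notes, untouched\n" * 100,
        "ako-readme.txt": b"your files are encrypted, contact ...\n",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)


def run_demo():
    base = tempfile.mkdtemp(prefix="ransomware-triage-")
    evidence, work = os.path.join(base, "evidence"), os.path.join(base, "work")
    build_sample_tree(evidence)
    before = snapshot_hashes(evidence)
    shutil.copytree(evidence, work)      # all analysis happens on the copy
    report = triage(work)
    after = snapshot_hashes(evidence)    # prove the original was not modified
    shutil.rmtree(base)
    return report, before == after


if __name__ == "__main__":
    report, evidence_unchanged = run_demo()
    print("evidence unchanged:", evidence_unchanged)
    for bucket, paths in report.items():
        print(bucket, paths)
```

Point triage() at the copy (or a mounted image), never at the original drive; the before/after hash comparison is what lets you say later that nothing was altered. One encrypted sample from the "encrypted" bucket plus a file from "notes" is what ID Ransomware asks for. Office documents, archives and images are already high-entropy, so the entropy check is only meaningful on files carrying the suspect suffix, which is why the script applies it there and nowhere else.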

Author

Commented:
I saw those links on AKO. There was a local backup, but the backup drive, which was using Microsoft Backup, was reformatted. I'm wondering if Ontrack could get the backup back. I may suggest that.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Reformatted deep or quick? By whom and when? You could try GetDataBack NT, or you can use the Ontrack free download to scan the drive and see whether it can recover the data.