I've Been Hit with a Rare Form of Ransomware. I Don't Want It to Be a Complete Waste, So Any Questions Anyone Wants to Ask?

Restarted my Windows Server the other day, to discover my files locked and a message on my desktop about how they want 1 Bitcoin (~ 590 AUD) to unlock it. I don't use Anti-Virus, because I'm very careful, and haven't had any viruses in my 3 years of doing it. That changes this year.

Lost about 2TB / 8TB of my data, as it only hit one drive, and the boot SSD.

Noticed my friends were asking a tonne of questions, so curious, anyone want to ask anything about it? Just shoot.


  • and… any progress in debugging?

    Have you actually tried using any ransomware removal apps? I know you're somewhat allergic to any sort of antivirus programs but perhaps humble yourself and give Kaspersky a go:

    • Tried that exact one. No luck. Very rare form, not documented anywhere except a couple of posts on Weibo, where the victims just reformatted.

    • The tools remove the virus but can't do anything about the encryption except in some rare cases. In fact, using removal tools can make it impossible to recover your data. You should only do that if you aren't going to pay and are prepared to lose your data.

  • I've Been with a Rare Form of Ransomware.

    How was he/she? Good kisser?

  • You're very careful, huh? Obviously not careful enough! I mean seriously, you must download and install some pretty random stuff to have that happen to you.

  • +5 votes

    Restore from backups.
    Don't bother paying for it.
    I'd start checking all network drives etc. and other PCs linked.

    Also run antivirus software, tsk tsk.

    There's no way around it unfortunately.

      1. I have to :(

      2. Hehe… about that

      3. Exactly. Refuse to cough up $600 for replaceable files.

      4. They 'provided' a list of locked stuff, only the boot and one drive.

      Does AV pick up ransomware well?

      • No - although that is NOT a reason to not run AV.

        Criminals constantly update the files and methods used to thwart detection. A "well run" ransomware campaign (or any well run online criminal campaign attacking online computers) will distribute files that are tested against most major AVs to ensure they are undetected. Major attack vectors used these days are drive-by downloads (hacked website invisibly owns your PC) and display ads (an ad invisibly owns your PC).

        As the file/method ages, security researchers find it and it is added to AV definitions so it will be detected. Very organised criminals have constantly updating files and methods, meaning essentially somebody is always vulnerable. However, many criminals are hopeless or newbs or unmotivated and they will try to target you with stuff you can stop with AV.

        I'm afraid you are required to behave as though you can be owned at any time because that is the reality - if you run an AV or not. The AV will considerably lower your chances of becoming infected and should be used.

        Two ways you can drastically lower your chances of being owned are to use a script blocker and an ad blocker. An ad blocker is pretty easy for everyone, but a script blocker will need to be set (once) for many sites you visit and may be confusing for some people. If you do use a script blocker, a good policy is to block all scripts until something doesn't work and then just whitelist the server that's required to have the site functionality as you want it. An easier alternative to using a script blocker is to allow Javascript only and disable any plugins, particularly Flash and Java.

        • Thanks for the tips! :)

        • It's always hard to say exactly whether the AV has stopped ransomware.

          What I can say is I've had clients with Sophos, Bitdefender, AVG Business and Kaspersky all hit by Cryptowall / Cryptolocker variants at one time or another. All AV up to date, Windows patched etc and still.

        • @deanylev:
          and always practice safe hex

        • Heuristics-based HIPS are relatively more effective against these kinds of malware. Even if they don't have signatures for the malware, they can catch it based on behavioural analysis if it starts doing weird shit like hooking into other processes/pulling secondary stages from remote sites etc.

          The important thing is to have defence-in-depth. If this is purely your file server, you could actually start implementing a rudimentary form of application whitelisting, and ensure there is no ancillary software installed (or ensure it is patched).

          Lastly, backup to an internal box that has no Internet connectivity.
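The behavioural and file-server points in the post above suggest a simple defender-side check. The following is an added example, not code from any poster in this thread: it sweeps a share for files that look like ransomware output (high-entropy content under an extension that is not normally compressed or encrypted) and for ransom-note text files. The entropy threshold, the extension list, the note phrases and the sample share it builds are all constructed assumptions for the example.

```python
import math
import os
import re
import tempfile
from collections import Counter
from typing import Dict, List, Optional

# Extensions whose content is legitimately high-entropy (constructed list, not exhaustive)
COMPRESSED_EXT = {".zip", ".7z", ".gz", ".rar", ".jpg", ".png", ".mp4", ".mkv", ".pdf", ".docx", ".xlsx"}
# Phrases typical of ransom notes (constructed for this example)
NOTE_PATTERN = re.compile(rb"bitcoin|decrypt|your files (are|have been) (locked|encrypted)", re.I)
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted or random data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def classify_file(path: str, sample_bytes: int = 65536) -> Optional[str]:
    """Return 'ransom_note', 'encrypted' or None for a single file, reading only its head."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(sample_bytes)
    if ext == ".txt" and NOTE_PATTERN.search(head):
        return "ransom_note"
    # Skip formats that are high-entropy by design, and tiny files where entropy is noisy
    if ext not in COMPRESSED_EXT and len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "encrypted"
    return None


def sweep(root: str) -> Dict[str, List[str]]:
    """Walk a share and group suspicious files by verdict (paths relative to root)."""
    hits: Dict[str, List[str]] = {"encrypted": [], "ransom_note": []}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            verdict = classify_file(full)
            if verdict:
                hits[verdict].append(os.path.relpath(full, root))
    return hits


def build_sample_share() -> str:
    """Construct a throwaway directory imitating a partially encrypted share."""
    root = tempfile.mkdtemp(prefix="share_")
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "budget.csv"), "wb") as fh:
        fh.write(b"date,item,amount\n2016-01-05,rent,1200\n" * 40)  # ordinary text, low entropy
    with open(os.path.join(root, "docs", "budget.csv.locked"), "wb") as fh:
        fh.write(os.urandom(4096))                                  # stands in for ciphertext
    with open(os.path.join(root, "holiday.zip"), "wb") as fh:
        fh.write(os.urandom(4096))                                  # high entropy, but expected
    with open(os.path.join(root, "HOW_TO_DECRYPT.txt"), "w") as fh:
        fh.write("Your files have been encrypted. Send 1 bitcoin to the address below.\n")
    return root


if __name__ == "__main__":
    for verdict, paths in sweep(build_sample_share()).items():
        print(verdict, paths)
```

Running it on a real share only reads the first 64 KiB of each file, so it is cheap enough to schedule alongside the backup job as an early-warning check.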

        • @knk: My clients using MailGuard haven't been affected…but those using AV (Kaspersky, for example), were still hit when it came out.

      • I use ESET in a corporate network with ~1000 seats and anywhere between 1-200 in a lot of other networks. ESET is the only one I've seen to successfully detect and stop ransomware. When Cryptowall 4.0 was first released I had a network hit by it and ESET managed to stop it from running in memory and removed it. I put the file that caused it through VirusTotal and ESET and Panda were the only ones that detected it. I've also found Sophos to be good at stopping them.

        • Which edition? I'm going to try now.

        • @deanylev: ESET Endpoint Antivirus. There is also Endpoint Security that includes a personal firewall and extra antispam. Both are available as a trial.

          I saw that you mentioned CryptoPrevent. This post on CryptoGuard might be of some interest. Hitman recently got bought out by Sophos too.

        • @Clear: Thanks so much for the help. Fingers crossed this fixes it.

          Thing is, I stopped the ransomware from the get go. Its executable was in plain sight. Did ESET unencrypt the files?

        • @deanylev: Unfortunately it can't do decryption. Since Kaspersky didn't help with that you're probably out of luck. Do you happen to know what the name of the virus is yet?

        • @Clear: 'Hugeme45', nowhere on the internet - save for a weibo post, where the solution was reformat.

        • Good to hear Sophos and ESET work for you. At work, we are forced to use McAfee, which is a piece of crap; it allowed any variant of Cryptolocker to come through people's laptops and affect shared drives. Every time it needed to be restored from backups. We don't wanna use McAfee but corporate head office in the US do and the security team are a bunch of laid back staff who don't care about Australia.

        • @neonlight: I know what that's like when the IT is outsourced internationally. A company I was contracted to had theirs outsourced to India and you had to email everything to them. Was particularly difficult being out whoop whoop with no internet.

          No chance of installing MBAE or EMET? Or are the PCs all locked down?

        • @deanylev: Unfortunately that's just the name of the executable. Without an expert examining the file there is no way of knowing what family of ransomware it has come from.

        • @neonlight:

          I posted above but I can speak from experience, we have had Sophos let ransomware past multiple times. The end users are clueless though, so hey, there's that.

        • @knk: Not if you use a Sophos UTM ;)

        • @Clear:

          Haven't used UTM before just endpoint security which is pretty average. Might look into it when the next one comes up for renewal.

        • @knk: Physical ones are not cheap as they're for businesses. I think they have a software version with a trial.

        • I use ESET NOD32 and have done so for the last 10 years without an issue.
          Would this be as effective as their Endpoint AV?

        • @Shout It Out: Stick with NOD32 because I just realised EEA has a minimum of 5 seats.

      • +2 votes

        I manage approx 10,000+ gov end points (including road warriors on their laptops) and since introducing Cylance (enterprise solution), we've been 99+% successful in eliminating these nasties. Alarmingly, zilch last year (not to say thousands aren't being picked up and prevented).

        Keeping it out is manageable when you have all the basic precautions in place. Most important being - backups (but remember, even a poorly implemented backup strategy can be damaged by ransomware. So do it right!), Next - security suites. Next - patches, updates, computer policies. Next - Common sense (we all know the risks of pirating stuff, porn sites, rogue sites, etc). blah blah blah.

        Many consumer based Security Suites (kaspersky, bitdefender, eset, etc) have caught up and are able to eliminate most of these ransomwares. Just remember, Ransomware is network file sharing aware so protect all end points in your network.

      • Buy a spare cheap HDD from one of the deals that gets posted here frequently as a redundant backup, back up your critical data that you want to keep and then let it sit in your drawer for shit like this. I did when an HDD I had corrupted and now I never have to worry about losing anything ever again. The 4TB portable Seagate ones from Amazon cost me $200 AUD, which is fair for the security it provides.

    1. Ask any questions hey?
    2. Have you learnt your lesson yet?
    3. Do you now believe in backups & security suites?

    • Don't know how well AV would've worked though. Isn't Ransomware very hard to catch?

      If I had the funds for a backup solution, believe me I would've sorted something out. Now I'm basically forced to cough up for at least 5TB of external.

    • I don't have time to fluff about in Linux. I know Windows Server, so I use it.

      • As a Windows user who's currently fluffing around with Linux on his desktop, I can fully understand. When it works, it works well; when it doesn't work you'll spend half a day trying to fix something simple.

        • As someone at your point a few years ago, I say persist with Linux for simple SMB filesharing, so long as you don't require any domain functions. Sounds like deanylev's in that scenario if it's a family server. Once you get Samba figured out and set up your server will be almost untouchable virus-wise. Be aware that you may sit on a Typhoid Mary if you don't still run a scan through it from time to time.

          Also - and this sounds nerdy - ignore the GUI while learning. Don't even load a GUI on boot, just boot to runlevel 3. Learn how it works from the ground-up in the terminal, and do your configuration there. GUIs have gotten better and better since I started Linux, but terminal work is much better for learning, easier to find support for, and doesn't care what GUI you're using.

        • @Pinchie:
          I have to agree here.

          My 'server' back in the day was a trusty Asus WL-500gP router, running DD-WRT with a custom image I'd packed together and a 250GB USB HDD plugged into it. Learning how to set everything up on this, from Samba to rtorrent and actually building the firmware with the appropriate drivers, taught me an amazing amount and made me so much more comfortable in a shell.

        • @knk:

          Also, if you're wanting this experience you're going to want Debian's netinst image or Ubuntu's minimal network installer (think it's around the 10MB mark).

  • Do you have good back-ups?
    Did your back-up regime work, or perhaps overwrite good back-ups with encrypted files?
    What was the infection vector? Clicking an email link perhaps?

  • Even the free versions of AVG, Avira, Avast, Bit-defender are better than nothing.

    The obvious question is why would you not want to run anti-virus?

    • I found them all super obnoxious, and in the past, they would never catch the viruses that infected my PCs. Bought a Kaspersky license, as they have their shit together when it comes to Ransomware. It's actually really great so far.

      • So the timeline looks like this?

        1. You used to use AV but found them super obnoxious (although I doubt that would be the case with bit-defender free)

        2. You still got infected with viruses
          2a. Did you investigate why you were still getting infected?
          2b. Did you take appropriate steps to remove the viruses?

        3. You thought well these AV programs must be crap! So I better just uninstall them and be careful??? (which seems to fly in the face of previous experience where you have had AV but still getting infected).

        4. It seems you have multiple people using this computer which means you cannot control their behaviour.

        5. You now have ransomware and who knows what else on your computer.

        • Yep.

          a. It caught a lot of viruses, but it let a couple slip through.
          b. Yes, every time. Once it was bad enough that the PC wouldn't boot and no amount of troubleshooting could fix that.

          No. I just didn't think the trouble I had with them was worth it. I also made a system where I could get all the programs/settings I needed back in around 15 minutes, in the case that I needed a reformat.

          That's not going to change, but I'm making everyone chip in for a backup drive.

          Just ransomware. Done multiple checks with multiple AVs.

        • @deanylev:

          Thanks for the honest answers, I'll be honest too.

          Viruses, Malware, Ransomware, Rootkits all rely heavily on user behaviour to download/execute the payload.

          I'm guessing you are the most technical person and have taken on the role of configuring and maintaining the media/torrent server. It's concerning that you believe no AV is better than annoying AV (although that has now changed).

          Based on your history and attitude towards security in general e.g. prioritising a 15 min cure over minimising infection by using AV, there is a VERY high probability this will happen again. Maybe not ransomware, but malware, viruses etc.

          I guess you've already accepted that?

        • @h4lcyon: You're 100% correct. But 2016 is a new year, and the first where I really take a strong stance on computer security. I've been extremely lucky for 3 years.

          Kaspersky and CryptoPrevent will be a requirement for new Windows installs in my household. Nightly backups of every computer will also be done onto a RAID-1 array. Malwarebytes will be on every Chrome browser for quick and painless scans for everyone.

          Torrenting will be done in a VM, and the needed files will be transferred after automatic scans.

          I think this should keep me safe.


        • @deanylev: it won't matter, the infected machine will still encrypt network mounted drives. Not just locally.

          How many nights of backups do you intend on keeping as a backlog? You may have also backed up files that are manipulated days ago where you may not have noticed.

        • @supnigs: Only network drives that are 'mounted' as drive letters? Because if so, doesn't matter, my server's drives are network mounted elsewhere, not the other way around.

        • @deanylev: it's smarter than you think. They are not created by script kiddies.

        • @supnigs: This one seems to be. It only infected a percentage of files on 3/6 drives on the system and the file was hiding in plain sight on my desktop. The warning was in a Notepad file on my desktop, and the decryption program they emailed me is so poorly coded.

        • @deanylev: Encryption takes time to do; it is done by stealth, such that a normal user will not notice. It may continue to destroy files too. No such thing as a poorly coded decryption program. It's not something you would be able to tell anyway unless you can disassemble. Turn off the server and physically remove any network routes to stop further damage. Salvage data on drives using a clean system.

        • @deanylev: Any particular reason you're backing up onto a RAID-1 array? You're better off just making a longer history of backups (so rather than wiping your backups every night wipe them every other night, or if you're keeping 5 days of backups on a raid-1 array, make 10 days on a JBOD).
          The fact of the matter is RAID (by itself) =/= backup. RAID = uptime in the event of single mechanical HDD failure. If it turns out the ransomware/virus was lying dormant you could just reinfect yourself by restoring the most recent backup and may require going back into your library of backups.
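serrin's point that a history of backups, not a single nightly overwrite, is what lets you recover from a dormant infection, as an added example that is not code from any poster in this thread: a retention selector for nightly snapshots and a check of which retained snapshot predates the infection. The dates, the 60 nights of snapshots and the daily/weekly/monthly counts are constructed assumptions.

```python
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed scenario: discovery on 20 Jan 2016, infection quietly present since 5 Jan
TODAY = date(2016, 1, 20)
FIRST_INFECTED = date(2016, 1, 5)


def sample_nightly_snapshots(nights: int = 60) -> List[date]:
    """Constructed input: one snapshot per night for the last `nights` nights, oldest first."""
    return [TODAY - timedelta(days=i) for i in reversed(range(nights))]


def snapshots_to_keep(snaps: List[date], today: date,
                      daily: int = 10, weekly: int = 4, monthly: int = 6) -> Set[date]:
    """Select snapshots to retain (everything else may be pruned):
    - every snapshot from the last `daily` days,
    - the newest snapshot of each ISO week touched by the last `weekly` * 7 days,
    - the newest snapshot of each of the `monthly` most recent months that have one.
    A single nightly overwrite is the degenerate case daily=1, weekly=0, monthly=0.
    """
    ordered = sorted(s for s in snaps if s <= today)
    keep: Set[date] = {s for s in ordered if (today - s).days < daily}
    newest_in_week: Dict[Tuple[int, int], date] = {}
    newest_in_month: Dict[Tuple[int, int], date] = {}
    for s in reversed(ordered):  # newest first, so the first hit per bucket is the newest
        week = tuple(s.isocalendar()[:2])
        if (today - s).days < weekly * 7 and week not in newest_in_week:
            newest_in_week[week] = s
        month = (s.year, s.month)
        if len(newest_in_month) < monthly and month not in newest_in_month:
            newest_in_month[month] = s
    keep.update(newest_in_week.values())
    keep.update(newest_in_month.values())
    return keep


def newest_clean_snapshot(kept: Set[date], first_infected: date) -> Optional[date]:
    """Newest retained snapshot taken before the infection started, or None if none survives."""
    clean = [s for s in kept if s < first_infected]
    return max(clean) if clean else None


if __name__ == "__main__":
    snaps = sample_nightly_snapshots()
    kept = snapshots_to_keep(snaps, TODAY)
    print("retained:", sorted(d.isoformat() for d in kept))
    print("history policy restores from:", newest_clean_snapshot(kept, FIRST_INFECTED))
    print("overwrite policy restores from:", newest_clean_snapshot({snaps[-1]}, FIRST_INFECTED))
```

With these counts only 15 of the 60 snapshots are kept, yet the 3 January copy still predates the infection, whereas a nightly overwrite leaves nothing clean to restore.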

        • @serrin: I'm not yet, but I was going to, for redundancy's sake. But what you said is all true, I'm going to need to keep a good few days of backups.

        • @deanylev:

          Ideally stop using Windows Server; if all you are using it for is a file server, instead look at moving to something like FreeNAS. Also forget RAID 1 and look at either RAID-6 or, if you are using FreeNAS, you can use the ZFS filesystem and have RAIDZ2 (ZFS implementation of RAID 6), which would give you distributed parity and tolerance for 2 disk failures; you get increased read speeds because all drives can contribute, at the cost of slower write speeds.

          Side note: copying files to a RAID array is not really a backup, more a redundancy. True backups of important files (photos, docs) should ideally be offsite; even something like Dropbox or Google Drive would do. If you are really keen you can get some Amazon S3 or even Amazon S3 storage for not a lot of money; the initial upload may take a long time but it's worth it. Alternatively copy stuff to an external hard drive every month or so and leave it at your parents'/friends' place.

          Since it is a shared server, all users should have their own accounts and their own folders on the server. They should only be allowed to write to their own folder and be given read access to other people's; that way if this happens again only 1 person's data would be affected.

          Kaspersky, Malwarebytes and CryptoPrevent will possibly cause more issues than they prevent if the other users are tech literate, and instead of nightly backups why not just sign them up to Dropbox or some other cloud service; then if their computer gets infected just nuke it and sync it up with the cloud to restore files.

          As for torrenting there isn't much you can do except maybe try and get on to a private tracker or in lieu of that start using usenet.

          None of this will keep you safe, merely reduce the likelihood of something bad happening and giving you options to recover.

        • @serideth: Wow you covered all bases. Thanks for the super detailed answer. Would you mind if I PM'd you to ask a couple questions about my drive config?

      • Avast is super lightweight and can run in silent mode so no annoying pop ups

  • Do you know exactly how did you get it?

  • +2 votes

    Restore from a backup.
    You have a backup right?

    • Hehe… about that.

      Nope. The amount of backup storage we'd need is expensive, and I'm an idiot. I deserve this.

      • +1 vote

        I was reading a site this morning that talked about the failure rate of HDDs. Some place that runs drives 24/7 and documents when they fail. The failure rate does, of course, go up exponentially as time goes on. I think it said after 4 years, the drives that didn't fail in the first 12 months, 12% will fail every year. (I think it was!?)

        I have no backups either. I'm going to do something about that real soon.

        • 2016 is the year of security and backups for me.

          No more bad practices.

        • When you think about it, there are probably not many things you can't stand to lose: Photos and documents are all I really care about - everything else is replaceable.

          Upload your photos to google photos (unlimited storage for files up to 16mp and will downscale for you), and put your documents into a free drive (google, mega, dropbox, whatever).

        • @macrocephalic: Yes there are a few free options that allow you to have an offsite copy of your data.

          And if you're concerned about other people seeing your files then look at something like: https://spideroak.com

          It's cloud backup that encrypts your files locally before transferring them. It's not too expensive considering what it's protecting…

      • +1 vote

        If you have the bandwidth, NBN if you're lucky? Crashplan is unlimited, business offering is only $11pm.

        • I have the download, just not the upload. 100/2. Waiting for NBN in a few months, then I'll have 100/40.

  • You didn't tell us what the name of the ransomware is, or what version of Windows Server you have. Have you got a backup, or tried shadow copy to restore your files?
    We need more info so we can help you; this is not an AMA and I don't think we have to ask all these basic questions.
