I've Been Hit with a Rare Form of Ransomware. I Don't Want It to Be a Complete Waste, So Any Questions Anyone Wants to Ask?

Restarted my Windows Server the other day, to discover my files locked and a message on my desktop about how they want 1 Bitcoin (~ 590 AUD) to unlock it. I don't use Anti-Virus, because I'm very careful, and haven't had any viruses in my 3 years of doing it. That changes this year.

Lost about 2TB / 8TB of my data, as it only hit one drive, and the boot SSD.

Noticed my friends were asking a tonne of questions, so curious, anyone want to ask anything about it? Just shoot.

Comments

      •  

        Did it change your default homepage or leave a Notepad file on your desktop? That should tell you what ransomware it is.
        One of my clients got hit with CryptoLocker last year and the only way to restore their files was from a 4-week-old backup and shadow copy. Shadow copy doesn't work on XP or before Server 2008.

      •  

        Just read this after my post. I had exactly the same exe. Infected my PC right before Christmas

        •  

          Then I'm so confused how it could've infected me. Someone else just commented they had it too. Weird.

  • +1 vote

    We have Antivirus on all our PCs and we have a completely separate "sacrificial" machine for torrents. Backup early, backup often. Even so, I had all sorts of trouble when my laptop crashed and iTunes turned to crap.

    • +2 votes

      This is our torrent machine. It's also our media server. This took our shows/movies hostage.

      •  

        We have a really old machine that is purely torrent. We capture and virus check before it goes anywhere else.

        • +1 vote

          Maybe I'll look into that, provided I can make a super, super low power machine with old parts I have lying around. I'd probably just chuck Linux on there too.

        •  

          @deanylev: I saw this guy dumpster diving at the local council e-waste when we were throwing out some old stuff we had. Not sure of the legality of it but it was at night :) (Reminds me to make sure we do a good wipe of any old drives we have before we throw them).

          Our torrent machine is in its own subnet and has no access to anything else in our network.

        • +1 vote

          @deanylev:
          Use your Windows server to make a Hyper-V VM :) no need for extra hardware and you still get isolation from your host system.

        •  

          @dewso: Good idea :)

      • -1 vote

        So it's just pirated torrented shows and movies you've lost? Sounds like karma to me.

        • +5 votes

          Don't know why you negged that comment. Don't appreciate it, when all I've stated is a fact. No, don't jump to conclusions. If you must know, most of the media is legally owned stuff. My family torrents a fair amount of music, which is not the stuff I've lost.

          And what? Karma that I have to deal with this bullshit, because of some torrenting my family did? Hm. Karma seems strange.

        •  

          @deanylev:

          you're a bad person man. Sucked in.

        • +1 vote

          @Gimli: :'( y u say dis

        •  

          @deanylev:

          Sorry, bad sarcasm.

          Clearly some people are overreacting. I've been in your shoes. It sucks.
          You'll learn to be careful for a while…
          …until next time lol.

        •  

          @Gimli: Hahahaha no I got the sarcasm, my reply was a joke :)

          Thanks, yeah some people get super angry. We all have bad habits, computer security was one of mine. My 2016 resolution is - Not Ignoring Computer Security :P

        •  

          @deanylev:

          damn you

          you trolled me back.

          you have made a powerful enemy so early in the new year. Beware!

        •  

          @Gimli: Watch yourself. I got konnectionz son :3

      • -3 votes

        So they just encrypted what you stole. Sounds fair enough to me.

        •  

          Have you read my reply? Don't give me that karma bullshit, the type of people who accuse do it themselves. The media it encrypted is legally owned. Don't spring to conclusions.

  • -1 vote

    On another computer, create an Ubuntu live USB, boot from the USB on the server, and copy the files over to another PC via your home network, or go and buy external drives to copy the files to.

    Once done, re-install Windows Server, install Kaspersky Internet Security, copy files back.

  •  

    Why not pay them less?

    •  

      The 0.5BTC? I honestly can't afford to splash $300 on crap like this.

      •  

        Have you been talking to them a lot?

        Or not been able to?

        •  

          Yep. I write broken English emails to them claiming they stole files from my business and that they'll put my family out on the streets, and crap like that. The guy claims to feel sorry for the false persona I created, but says the system will only produce a key when 0.5 BTC or more is paid into the wallet, which I refuse to believe.

  •  

    Don't pay them. If you google ransomware you can see that even after you've paid you may not get the correct key, and there's no guarantee that they know what key you may need.

    • +1 vote

      Yeah, if it was a guarantee, I might consider, but to take a gamble on replaceable media with $300, just isn't worth it.

      What I thank god for, is that their ransomware only hit drives C, D and E. Drive F has absolutely irreplaceable stuff on there that I NEED. I wouldn't think twice about handing out $600 for it. My F drive was my D drive just a couple of weeks ago, but I was having issues with a certain program, so I changed it. I thank god that program had issues.

  • +10 votes

    Some need to go easy. He could have just not mentioned it happened rather than open himself to eating crow. The only reason I use antivirus is because I don't pay for it. And I can't help but wonder how many going tsk, tsk, would openly admit their mistakes here.

    My system disinfected a trojan just this morning. I wasn't doing anything differently to what I've done a hundred times before. Yet Bitdefender Total Security popped up a window I'd never seen and told me to wait because disinfection was in progress.

    Don't pay - they take the money and don't help anyway. They got what they wanted. In fact, I'd search and find out if you can use their payment details to somehow cancel their bitcoin credit - if that's possible. Just to return the favour.

    Since you've researched it, you know what it's called. What I would probably do is, disconnect that/those drives, use a different computer - and keep checking online until it becomes more widespread and there's a fix. Read up on whatever that fix is, make sure everything on the safe system is backed up - and/or disconnected - then plug the original affected drive back in and try to fix/download what you can. Then try some undelete software. Finally reformat everything to make sure it's gone.

    i.e. I'd rather wait for a chance to get my files back, than rush in, reformat and lose them.

    There's also no guarantee it doesn't do the same thing somehow. Another reason to wait a while. You could reformat, reinstall, reconnect, and find it's back, only now deleted the other drives too - or whatever - who knows.

    • +3 votes

      Thank you for a helpful and genuinely great reply. It's nice to get some genuinely useful advice rather than be ridiculed for my security or torrenting practices.

      I will take all your advice. Thank you very much :)

      •  

        That's fine. I couldn't help but think the last time I reformatted this computer… Thought I had everything - and I do go through the drives one folder and file at a time - and delete them manually, to be sure I've backed up everything. But because emails and addresses aren't in a program or file, I forgot - and lost a lot of important saved stuff.

        I also have an old computer here I was going to use for my first try of Linux. But it must have some kind of virus. It was working fine. Fdisk'd the HDD, removed sector, create sector, reformat, turned it off, inserted a diskette, turned it on (something like that - forget the exact order now). Now it won't recognise the HDD. Claims one isn't connected or something (I forget now - it's been sitting for months because I'm disgusted with it).

        It won't recognise the diskette drive either; nor the USB port; and Windows XP CD-ROM setup keeps locking up at the same point every time. Been right through the BIOS 15 times… Every possible avenue into the thing is closed! I even swapped the 1.44" drive, thinking that might be busted - nope - the good one from this computer doesn't work on it either.

        Then I plugged its HDD into this computer via an adapter - it reads it fine - formats fine. So it's something in the other computer - but what!? I think it has to be some kind of virus, because not all of those avenues could become closed at the exact same time. (All were working before I fdisk'd and reformatted the drive.)

    •  

      It's not possible to close a bitcoin account, unless the criminals were incredibly stupid and posted an address at an exchange. Perhaps the only thing the victim can do is visit bitcointalk.org, explain the situation on a suitable forum and try to get someone interested enough to research and track transactions to/from the address.

  •  

    Oh.

    •  

      How'd you find that?

      •  

        Just googled some keywords. Didn't even realise it was the same thing till you said. "Ransomeware unlock encypted files"… something like that.

  •  

    Maybe this… Search for where it says: "Threat Cleaner for GOZ and CryptoLocker" and go from there depending on your system type.

    Sorry… forgot the link… Hang on.

    Edit: Not the same page, but same two files: http://www.trendmicro.com.au/vinfo/au/threat-encyclopedia/we... - my reasoning is, criminals are lazy - it's probably not 'new' as such - just rebadged from something else that they know works. So maybe removal tools for other ransomware will treat it the same.

  •  

    crypt0l0cker? most recently come around in email attachments spoofed from Australia Post?

    I've done some reading before and apparently Dr. Web (Russian antivirus company) can decrypt it for people if you subscribe to them ~$60(?), e.g. upload your file samples and buy a subscription from them. Sounds kinda dodgy though.

    The instance of crypt0l0cker I removed, I had to do manually, as per the random named folder per http://www.bleepingcomputer.com/forums/t/574686/torrentlocke...

    Windows defender/MS Security Essentials did stop it after 2-3 mins of running on the infected computer

    •  

      Not $60, that's via some Italian bloke who is talking on Bleeping Computer. Go direct to the Dr.Web site. I got an 18 month license for about $14 (can't remember how, but even the normal price is cheap) and they unlocked a client's Cryptolocked files (I'm a computer tech in Tassie). They can't unlock all varieties but some.

  • -2 votes

    Get a pro with Linux.
    I rescued my files easily by switching, as I have both OSes on my PC.
    Mount the HDD, check the contents and what can be rescued; check if it's encrypted or just access blocked via Windows.
    Without the name of the virus, it can get hard to suggest anything.

  • +1 vote

    You will need to restore the files from backup (if you have a recent backup), otherwise you will need to pay and hopefully they will unlock the files for you. You can't unlock the files yourself, as you don't have the decryption key, nor does anyone else; only the crooks have it.

    •  

      Well, one of the links I found in the search I mentioned above (on the first page of google results), a guy in a company was explaining how he discovered the password. It didn't sound all that difficult. The problem is you'd have to learn the programming he's talking about first.

      I just wonder if there's a way to pay them with something like paypal, or another payment type - that you can claim a refund from? Personally I don't think they'd unlock it. But if you could get your money back via paypal - then why not. They deserve zero honesty.

  •  

    This may come off as being really random but…are you in love with Gabe ?

  • +2 votes

    deanylev, your situation is surprisingly similar to mine. For the past few years I have been malware free, but about 5 weeks ago my Steam account was hacked and 3 weeks ago I got infected by Cryptowall 4. My security regime had been successful for many years but seems to be inadequate to deal with the most recent malware. Ransomware is the most evil malware on the planet, and the people distributing or creating it ought to be doused in petrol and set alight for their crimes. Instead they live in mansions with multiple sports cars. There is a word for this: capitalism. Under capitalism you become rich by implementing schemes designed to steal money from your fellow human beings. Capitalism is theft.

    Ideology aside, my protection strategy consisted of Comodo Firewall (popups every time an unknown exe tried to phone home) + AdBlock + running almost all executables first in a sandbox (using Sandboxie, a wonderful program that is also good for testing out new software without it leaving any traces on your OS partition) + uploading suspicious files to VirusTotal. This has been quite successful until Cryptowall struck. I had avoided a dedicated, always-on antivirus because they slow down your system and worst of all are prone to false positives (plus generally cost ~$70/year).

    On the day I got infected with Cryptowall, I had not run any new executables on my computer, but I had visited a lot of websites, some of them new to me. My firewall didn't trigger just before the malware executed, meaning it entered my system through a trusted program such as a browser. Can you get malware merely from browsing web sites??? In my file manager (TotalCommander) I saw all of these files appearing with strange names in one of my main download directories. At first I had no idea what was going on, but 10 mins later I set my firewall to 'block all' and this seems to have terminated Cryptowall. Apparently it infects your system through an executable that modifies explorer.exe in memory to encrypt files, and svchost to phone home. These are trusted Windows OS files and thus do not trigger a firewall. Only a small portion of my files were encrypted, and I am able to recover 75% of them from backups, but lost many hours of unbacked-up recent work as well :(

    Interestingly, I scanned my infected SSD drive from another computer with up-to-date ESET NOD, but the only traces it was able to find of Cryptowall were the PNG files it leaves behind in every infected directory demanding the Bitcoin ransom. Somehow Cryptowall 4 magically vanished from my system. I could not detect any rootkits either, which was initially how I assumed it had infected my system.

    Now I have installed ESET NOD antivirus (since it has a relatively low rate of false positives) and NoScript in Pale Moon (a Firefox-based browser with a status bar and without the lame Chrome wannabe 'Australis' interface). People, be extremely scrupulous in backing up anything of value, since not only do we have to worry about HDD failure but also the extremely profitable ransomware industry.

    Is it worth lodging a complaint with the cops? Perhaps if enough people complain, they might work with other international crime enforcement agencies to take down the ransomware industry.

    •  

      I'm going to follow what you did. Thanks for the advice.

      Don't know about the cops thing though, even the FBI just recommend paying the ransom.

    • -1 vote

      Block svchost. Yes I know Windows likes to use it a lot but you will find that you can get almost everything you need to work without it. Windows update being the exception. Enable when updating then disable when finished.

  •  

    Moral of the story, run Linux. I've never had any malware problems since forever.

    •  

      ^This
      If you have the knowledge to set up Windows Server, you most definitely have the capability to set up a Linux Server.
      The time and money you will spend to reinstall and set up a Windows Server again plus an annual AV fee, is going to cost the same as the time to set up a Linux Server with no ongoing annual AV fee.
      I can set up a Linux Server, and my knowledge is only sufficient to put me at the very bottom of the Dunning-Kruger curve. (I know enough to know that I know nothing at all)

      •  

        Are you sure? I've been using Windows my whole life, which meant Windows Server was a piece of cake. I'm not sure how to share the drives across a network that Windows PCs will recognize, but maybe it's easy. I'm going to use Linux if possible.

        •  

          SAMBA.
          My "server" which doubles as my HTPC is just running Desktop Ubuntu.

        •  

          @scubacoles: Wow, so maybe Linux is the way to go. Thanks for the advice scuba, I was getting Windows Server 2016 TP4 ready, but maybe I'll just run Linux instead, and do the one or two Windows-required things in a VM.

          AV necessary if I'm running Linux?

        •  

          @deanylev:

          I don't run AV..
          But I never ran it on Windows either.

          I switched because I realised my uses were video/audio, browsing, emailing and a very occasional document. I knew I could do all that in Linux for free, no more licence fees but at the expense of a bit of time to learn things..
          Security was an added bonus.
          I wrote off the time "cost" as an investment in my computing education.

        •  

          @scubacoles: No AV for me then. So few Linux viruses, and such a small install-base. I should be fine. All I run is Plex Media Server, uTorrent, Splashtop, and some VMs, so Linux is perfect.

        •  

          @deanylev: Linux is unlikely to get infected by any viruses on there because they'll most likely be Windows viruses. But run an AV on that Linux box anyway, because when a Windows computer then accesses those files, it'll get infected. But if you've caught them while on Linux and cleaned/deleted them, then the infection won't move over to your Windows boxes. Linux AV programs can scan files for Windows viruses. I use ClamAV.

        •  

          @salem: Will do. Thanks for the tip!

        •  

          @deanylev: Hey there, check my reply to the top post of this thread (https://www.ozbargain.com.au/node/228888?page=1#comment-3353...), but just be mindful that choosing Linux doesn't solve this entirely, it just reduces the likelihood (due to Linux being lesser of a target for user/ransomware attacks).

          I sympathize with your issue of not having space to back up TBs of data. For my personal use, I separate stuff I can afford to lose (typically TBs of media) from that which I consider critical, and implement a frequent, efficient incremental backup of the few GB of data in this category. Then if I fall victim to this kind of threat, I don't care about media if it got crypto-locked and am confident I have a backup of my critical stuff.

        •  

          @cgb: Thanks for the super useful advice, yeah I realize Linux isn't the total solution to this, and is just a big help.

          And thanks, some people with an unlimited pool of money seem to think it's easy. I didn't just go out and buy TBs worth of drives either, these are all from PCs and used parts I've collected over the years. I'm definitely setting money aside for a proper backup solution though. And I've looked and you're right, a lot of stuff can be separated, like my 1TB+ of downloads.

        •  

          @salem: All this is interesting, but… I always thought the point of running a Linux server was that all the garbage 'bounced off' the server, and thus couldn't affect other computers connected to it. Therefore how does someone doing this for the first time know they're doing it right? And if you have to install Linux A/V, then why not just stay with what you know and get Windows A/V?

          I'm not criticising - I'd love to dump Windows. But whilst Linux may well be easy to setup and safer - it's what you DON'T know that makes it unsafe. How/where do you learn this extra unknown info - otherwise you're just as - or more - unsafe?

        •  

          Just be aware that recent versions of Cryptolocker can enumerate network shares, even if they are not mapped. I have seen this happen first hand.

          If a Windows computer can access and modify files on the network, and it runs the ransomware your files can still be hosed.

          The prevention for ransomware is Software Restriction Policy to whitelist applications and OFFLINE backups.

          Most of the ransomware events I have dealt with have come in through Flash/Java exploits. The tip here: uninstall Java and Flash. Only use Chrome if you need Flash.

        • +1 vote

          @realfamilyman:

          In my understanding, what salem is talking about is sort of performing a kindness for Windows users. If it's a Linux file server and someone puts an infected file on there that will damage Windows users, it will have no effect on the Linux server. If the Linux server is running AV, it will delete the file and no Windows users will be able to infect themselves. In this scenario the Linux server hasn't been compromised in any way and the Linux server is definitely not actively compromising other computers. It's just storing a file which to the server is harmless, but to other users may not be. In my opinion, the AV is optional and is really a case of the Linux admin protecting Windows users from other users who have access to the server. But in many cases, the Linux admin wants happy Windows users that don't have infected computers so that's why they'd choose to run an antivirus.

        • +2 votes

          @dazweeja:
          Linux is still susceptible to these attacks, but the vector needs to be different to that of a Windows attack.

          Give the Windows machines Read Only Access by default then no Windows Cryptobug can encrypt anything on the Linux server's networked drives (unless it comes armed with appropriate abilities to compromise the Linux server).

          Transfer files from Windows Machines to the server with FTP.
          For backups, get the Linux machine to pull the files from the Windows Machines, rather than allow Windows to push them to the Linux Machine.
          Once again, any Windows-specific cryptoware won't propagate on the Linux server.

        •  

          @realfamilyman:

          It's not that Linux is '+100 Securitaah!', it's more the fact that a significantly large portion of the malware being meted out through drive-by downloads or embedded within torrents is intended to target Windows.

          Sure, you could make your Linux installation virtually impregnable (hardened kernel, chroot jails etc). The point is, one would need to learn a fair bit to get this working.

          That said, just the switch from Windows to *nix will make things a lot more secure. This is probably quite overkill for a normal user, but one can pick a fair few to further strengthen the security posture of their server:
          https://www.sans.org/media/score/checklists/linuxchecklist.p...

      •  

        Also it would be good to set up snapshots on the server. That way, if the client encrypts all the files you can roll back the server to the last good state. The easiest way is with btrfs snapshots.

        BTW, since it only encrypted files, you might still be able to recover some data remaining in the free space on the server using a tool like photorec

    • +1 vote

      Careful. Nothing in this story and others like it is OS-specific aside from the higher probability of being a victim.

      Ultimately, running arbitrary code on any OS as a logged in user puts every single file writable by that user at risk of a crypto-lock-esque event (ignoring privilege escalation).

      The only reasonable protection measure for this regardless of OS is a tested backup strategy, ideally something that efficiently performs incremental at frequent intervals, ideally to something remote. If your only backup is directly attached & is writable by the exploited user, then ransomware can lock that up too.

      •  

        So how do you do that? What I mean is, if you get infected - and have to connect the backup (physically or wireless) at some stage… How to make the backup safe - it could copy over once connected, do nothing for weeks because you rarely connect that drive - then finally is long enough to execute?

        • +1 vote

          That's a good question. A couple of scenarios could occur - a variant of the crypto-locker virus could encrypt files on the local PC (or network shares in a corporate environment, which is what I mostly deal with), and IT admins don't detect it or aren't informed by the user. In a corporate environment, you've typically got daily backups, weeklies, monthlies, quarterlies etc. If the encrypted files aren't detected immediately, then the tiered backup policy slowly captures the encrypted files and you'll slowly begin to lose points in time to restore from. Hence in the above I wrote 'tested backup strategy', because many organisations don't regularly test their backups thoroughly and get caught out when they need one from a month or longer ago.

          In a home user environment, what you describe might occur (the infection occurs but does nothing till some time later, when your backup media is attached). It's plausible but unlikely - cryptolocker is ransomware, designed to get the user's attention and demand money. The longer it sits idly, the more likely antivirus software will have a signature to detect it & remove the threat.

          The best advice for a single user (at home or in a corporate environment) is to immediately turn off the computer to minimise the damage to local or network file locations. You would not turn your computer on again until you had appropriately skilled people examining the situation (and if the person is really skilled, they'll treat it forensically by booting from alternative media and assess the situation). Booting back into the original OS may re-activate the cryptolocker process, causing more damage.

          You would typically only attach & restore your files once the infection has been removed (or OS reinstalled, which is often recommended for these kind of threats but usually isn't strictly necessary).

          Hope that helps.
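The pull-based, snapshotted and tested backup that this reply and the one above it describe, as an added example that is not part of the thread. Paths, snapshot names and the sample files are constructed; the script is meant to run on the backup host (the Linux box), which reads from the protected machine rather than letting that machine write to the backups.

```python
"""Pull-style incremental snapshot backup (added example, not from the thread).
Run on the backup host so it reads from the machine being protected; that machine's
user never gets write access to the backup tree. Each run creates a new snapshot
directory; a file unchanged since the previous snapshot is hard-linked to the earlier
copy instead of copied again, so many snapshots cost one full copy plus the churn.
"""
import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path


def _unchanged(src: Path, prev: Path) -> bool:
    """Same size and whole-second mtime as the copy in the previous snapshot."""
    try:
        a, b = src.stat(), prev.stat()
    except FileNotFoundError:
        return False
    return a.st_size == b.st_size and int(a.st_mtime) == int(b.st_mtime)


def _digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def snapshot(source, backup_root, name=None) -> Path:
    """Create backup_root/<name> mirroring source; names sort chronologically, so the
    latest earlier snapshot is the one unchanged files get linked against."""
    source, backup_root = Path(source), Path(backup_root)
    backup_root.mkdir(parents=True, exist_ok=True)
    name = name or time.strftime("%Y%m%d-%H%M%S")
    dest = backup_root / name
    earlier = sorted(p.name for p in backup_root.iterdir() if p.is_dir() and p.name < name)
    prev = backup_root / earlier[-1] if earlier else None
    for dirpath, _dirs, files in os.walk(source):
        rel = Path(dirpath).relative_to(source)
        (dest / rel).mkdir(parents=True, exist_ok=True)
        for fname in files:
            src, out = Path(dirpath) / fname, dest / rel / fname
            if prev is not None and _unchanged(src, prev / rel / fname):
                os.link(prev / rel / fname, out)  # shares the inode, no data copied
            else:
                # new or changed: always a fresh file, never an in-place overwrite
                # of a linked inode (that would silently rewrite older snapshots)
                shutil.copy2(src, out)
    # Read-only: nothing reaching this host later, including a compromised client
    # that only ever has read access to the share, can alter a finished snapshot.
    for dirpath, _dirs, files in os.walk(dest):
        for fname in files:
            os.chmod(Path(dirpath) / fname, 0o444)
    return dest


def verify(snap, source) -> list:
    """The 'tested backup' part: relative paths whose content in source differs from
    or is missing in the snapshot; an empty list means a faithful copy."""
    snap, source = Path(snap), Path(source)
    bad = []
    for dirpath, _dirs, files in os.walk(source):
        rel = Path(dirpath).relative_to(source)
        for fname in files:
            a, b = Path(dirpath) / fname, snap / rel / fname
            if not b.exists() or _digest(a) != _digest(b):
                bad.append((rel / fname).as_posix())
    return sorted(bad)


def demo() -> dict:
    """Constructed scenario: two nightly pulls, then the source gets scrambled."""
    base = Path(tempfile.mkdtemp(prefix="snapdemo-"))
    src, root = base / "shares", base / "backups"
    (src / "docs").mkdir(parents=True)
    (src / "docs" / "thesis.txt").write_text("chapter one\n")
    (src / "photo.bin").write_bytes(bytes(range(256)))
    s1 = snapshot(src, root, "20160101-0200")
    with open(src / "docs" / "thesis.txt", "a") as fh:  # day two: only this file grows
        fh.write("chapter two\n")
    s2 = snapshot(src, root, "20160102-0200")
    clean = verify(s2, src)
    (src / "photo.bin").write_bytes(b"\xff" * 300)  # day three: ransomware scrambles the source
    ino = lambda p: p.stat().st_ino
    result = {
        "photo_shared_inode": ino(s1 / "photo.bin") == ino(s2 / "photo.bin"),
        "thesis_separate_inodes": ino(s1 / "docs/thesis.txt") != ino(s2 / "docs/thesis.txt"),
        "s1_thesis": (s1 / "docs/thesis.txt").read_text(),
        "s2_thesis": (s2 / "docs/thesis.txt").read_text(),
        "s2_photo_intact": (s2 / "photo.bin").read_bytes() == bytes(range(256)),
        "verified_clean": clean,
        "differs_after_attack": verify(s2, src),
    }
    shutil.rmtree(base)
    return result
```

The scrambled source on day three shows up in `verify()` as a difference, while both snapshots keep the original bytes; a scheduler that calls `snapshot()` nightly and alerts when `verify()` is unexpectedly non-empty gives the "tested" part of the strategy.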

  • +4 votes

    Don't worry OP, I am totally with you on the no anti-virus. Waste of resources. I haven't had a virus in 5+ years on my 3 machines and I'm downloading something new just about every day. If you're careful, not stupid, read comments on what you're downloading, check for additional software in installer prompts and check your running services and startup services every month or so, you should be fine. This is stuff an average computer user SHOULD learn to do. Luck plays a small part in it…

    However, I can't vouch for no AV on shared computers; the number 1 rule when dealing with PCs is only trust yourself. Don't skimp out on the AV unless you know you're the only person using the computer. The rule is doubled on commercial machines, which are susceptible to targeted attacks.

    If the ransomware is recent and therefore rare and you value your files, consider locking said hard drives away and replacing them with new ones. You never know, maybe Malwarebytes will have something for it in a year's time :p. Having said that, I am assuming you already tried to access your files in safe mode? You should be able to access all your files with only core services running.

    •  

      I knew someone would be in the same mindset as me :)

      That's true. 100% my fault.

      I can still access my files, just they're encrypted, so unusable :(

      • -1 vote

        I was thinking more too… Finding the password like the guy I mentioned that turned up in the google links… If someone was going to go to that extreme (I'd at least try to learn programming if the files were important enough) - then I'd try decompiling the program they sent to decrypt the files… and look for the line of code where you enter their password - and just change it.

        Not really a solution though - just a thought I had.

        •  

          realfamilyman,

          Malware reversing is not as simple as reversing normal binaries. There are some amazingly skilled malware writers out there; it is nowhere near as simple as you think it is.

          Most malware has stages. Think of it like a small, relatively benign bit of code that is executed somehow (maybe through a plugin being launched), and then it pulls the actual payload from the Internet in a very highly obfuscated form. Now the stager unpacks the payload within memory and starts running some maintenance processes etc. to clean up anything on the filesystem; some would be preventing AV from hooking etc.

    •  

      Likewise here, I haven't had AV in 5+ years as well.

      As others have said before, I simply:
      + Check comments from Torrents
      + Upload suspicious files to online virus scanners
      + Run adblock on Chrome
      + Double check the downloads that I receive.

      With my last point, if I downloaded a video file I make sure it's a valid video format and not some stupid .exe or .bat file.

      But speaking of which, I just gave my mother a Surface Pro.
      I shall be installing anti-virus on hers as a precaution.

  •  

    When you implement a backup solution going forwards, be sure to use removable media. There's no point just backing up to an external drive that remains plugged in, or your next outbreak of Crypto will encrypt your backups also.

    You should also look into changing some practices. How are people able to run applications on the server? Downloading and playing media via a web or other interface is one thing, actually executing an app on the server is another.

    Or perhaps your family member infected their own computer, which encrypted network shares on the server - in which case unless you clean their computer it is going to happen again.

    Can you right-click one of the infected files and check Properties and see who the file owner is? That will tell which family member it was provided you use distinct AD accounts for each person.
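The triage this comment suggests (who owns the encrypted files), plus the per-directory ransom-note PNGs mentioned earlier in the thread, as an added example that is not part of the thread. It is meant to be run on the file server itself (on a Samba box the Unix owner is the user who wrote the file); the folder names, the note name and the sample files are constructed.

```python
"""Post-incident triage of a file share (added example, not from the thread).

Answers two questions from the comments: which account wrote the encrypted files
(the file owner) and which directories had a ransom note dropped in them. A file
rewritten inside the incident window whose bytes look random (Shannon entropy near
8 bits/byte) is probably ciphertext; a name that suddenly appears in many
directories is probably the note. Compressed media (jpg, mp4, zip) also scores
high, so treat the entropy hit as a lead to confirm, not a verdict.
"""
import math
import os
import random
import shutil
import tempfile
import time
from collections import Counter
from pathlib import Path

try:
    import pwd  # POSIX; on a Samba server the uid is the Samba user who wrote the file
except ImportError:
    pwd = None

NOTE_NAME = "HOW_TO_RESTORE.png"  # constructed name for demo(); real notes vary


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def owner_name(st: os.stat_result) -> str:
    if pwd is not None:
        try:
            return pwd.getpwuid(st.st_uid).pw_name
        except KeyError:
            pass
    return f"uid:{st.st_uid}"


def scan(root, since: float, threshold: float = 7.5, sample: int = 4096, min_dirs: int = 3) -> dict:
    """Walk root: likely ciphertext modified after `since`, counts per owner, and file
    names that showed up in at least `min_dirs` directories after `since`."""
    root = Path(root)
    suspects, per_owner, recent_names = [], Counter(), Counter()
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = Path(dirpath) / fname
            if path.is_symlink():
                continue
            st = path.stat()
            if st.st_mtime < since:
                continue  # not touched during the incident window
            recent_names[fname] += 1  # one file per name per directory
            with open(path, "rb") as fh:
                head = fh.read(sample)  # a prefix is enough to judge randomness
            if entropy(head) >= threshold:
                suspects.append(path.relative_to(root).as_posix())
                per_owner[owner_name(st)] += 1
    notes = sorted(n for n, c in recent_names.items() if c >= min_dirs)
    return {"suspects": sorted(suspects), "owner_counts": dict(per_owner), "notes": notes}


def demo() -> dict:
    """Constructed share: three folders hit, two older files left alone."""
    base = Path(tempfile.mkdtemp(prefix="triage-"))
    now, old = time.time(), time.time() - 30 * 86400
    rng = random.Random(7)

    def noise(n):  # deterministic stand-in for ciphertext
        return bytes(rng.getrandbits(8) for _ in range(n))

    for rel in ("docs/thesis.docx.locked", "photos/beach.jpg.locked", "music/track01.mp3.locked"):
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(noise(4096))
        (p.parent / NOTE_NAME).write_bytes(b"Your files have been encrypted.\n" * 8)
    for rel, data in {"docs/notes.txt": b"chapter one\n" * 200, "photos/holiday.jpg": noise(4096)}.items():
        p = base / rel  # untouched: a text file and an old, legitimately high-entropy JPEG
        p.write_bytes(data)
        os.utime(p, (old, old))
    result = scan(base, since=now - 3600)
    shutil.rmtree(base)
    return result
```

On a real share, `since` is the earliest time the ransom notes appeared, and the `owner_counts` entry with all the hits is the account (and therefore the family member's PC) to clean before reconnecting anything.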
