Restarted my Windows Server the other day, to discover my files locked and a message on my desktop about how they want 1 Bitcoin (~ 590 AUD) to unlock it. I don't use Anti-Virus, because I'm very careful, and haven't had any viruses in my 3 years of doing it. That changes this year.
Lost about 2TB / 8TB of my data, as it only hit one drive, and the boot SSD.
Noticed my friends were asking a tonne of questions, so curious, anyone want to ask anything about it? Just shoot.
Tried that exact one. No luck. Very rare form, not documented anywhere except a couple posts on Weibo, where the victims just reformated.
The tools remove the virus but cant do anything about the encryption except in some rare cases. In fact using removal tools can make it impossible to recover your data. Only if you arent going to pay and are prepared to lose your data you should do that.
I've Been with a Rare Form of Ransomware.
How was he/she? Good kisser?
Your very careful huh? Obviously not careful enough! I mean seriously, you must download and install some pretty random stuff to have that happen to you.
Interesting, i had a stand alone server, which doesn't exactly run anything, and it got hit with ransomware. At something like 3am in the morning. Yet my desktop, which would be the main computer to encounter any dodgy files, has never had it.
Sorry for your loss!
Did your server have any RDP stuff turned on? Most likely just insecure RDP that allowed someone access.
Yes, it had the basic windows remote access for the computer admin.
Thanks for the tip, do you suggest an alternative RDP program?
One of my work computers actually got hit by a cryptolocker last week as well. It only played it's role as a file server, but because it was unsecured and was running in root (full user access to the C:/ drive) all it took was an outdated Flash plugin to compromise it.
I highly suggest getting rid of Flash / Java on backup machines as well. And if it's a server with multiple users, you really should be using Group Policies to prevent unknown software from installing itself by restricting access to the C: drive
With RDP, change the default port to a random port of your choosing - but not 3390 etc.
Make sure ALL passswords are strong, but especially for the ones allowed RDP access. Much better to have a super complex password and have it written on your monitor, than have a weak or medium strength password.
This is just good practice if you are going to allow RDP, but I doubt this was the source of infection.
Personally I would never ever open RDP to internet even with strong passwords and a random port. Use RDP through VPN.
RDP is fine but the port being exposed to the outside world isn't. Setup a secure VPN connection into the network, then RDP from there. That way you've got a barrier and RDP isn't open for snooping.
I personally haven't found any protocol to be quicker or more efficient than RDP, so I like to stick with it.
that's terrifying to me, considering I just set up a Linux box for Plex and to host a website.
rofl at your 3 year record, and using a share server without any antivirus is just recipe for disaster. Your mama or sister must've downloaded some TVB dramas and got hooked up, or unless you're using a Lenovo mobo.
First of all you don't have to install or download anything to get a virus.
The Download happens without your Knowledge hence why you need an anti-virus which actually detects this and matches the signature in the DB
format
restore from backups
dont bother paying for it
id start checking all network drives etc and other pcs linked
also run Antivirus software tsk tsk
theres no way around it unfortunately
I have to :(
Hehe… about that
Exactly. Refuse to cough up $600 for replaceable files.
They 'provided' a list of locked stuff, only one the boot and one drive.
Does AV pick up ransomware well?
No - although that is NOT a reason to not run AV.
Criminals constantly update the files and methods used to thwart detection. A er "well run" ransomware campaign (or any well run online criminal campaign attacking online computers) will distribute files that are tested against most major AVs to ensure they are undetected. Major attack vectors used these days are driveby downloads (hacked website invisibly owns your pc) and display ads (an ad invisibly owns your pc).
As the file/method ages security researchers find it and it is added to AV definitions so it will be detected. Very organised criminals have constantly updating files and methods meaning they are essentially somebody is always vulnerable. However many criminals are hopeless or newbs or unmotivated and they will try to target you with stuff you can stop with AV.
I'm afraid you are required to behave as though you can be owned at any time because that is the reality - if you run an AV or not. The AV will considerably lower your chances of becoming infected and should be used.
Two ways you can drastically lower your chances of being owned are to use a script blocker and an ad blocker. Ad blocker is pretty easy for everyone but a script blocker will need to be set (once) for many sites you visit and may be confusing for some people. If you do use a script blocker a good policy is to block all scripts until something doesn't work and then just whitelist the server that's required to have the site functionality as you want it. An easier alternative to using a script blocker is to allow Javascript only and disable any plugins, particuarly Flash and Java.
Thanks for the tips! :)
It's always hard to say exactly whether the AV has stopped ransomware.
What I can say is I've had clients with Sophos, Bitdefender, AVG Business and Kaspersky all hit by Cryptowall / Cryptolocker variants at one time or another. All AV up to date, Windows patched etc and still.
Heuristics based HIPs are relatively more effective against these kind of malware. Even if they don't have signatures for the malware, based on behavioural analysis, if it starts doing weird shit like hooking into other processes/pulling secondary stages from remote sites etc.
The important thing is to have defence-in-depth. If this is purely your file server, you could actually start implementing a rudimentary form of application whitelisting, ensure there is no ancilliary software installed (or ensure they are patched).
Lastly, backup to an internal box that has no Internet connectivity.
@knk: My clients using MailGuard haven't been affected…but those using AV (Kaspersky, for example), were still hit when it came out.
I use ESET in a corporate network with ~1000 seats and anywhere between 1-200 in a lot of other networks. ESET is the only one I've seen to successfully detect and stop ransomware. When Cryptowall 4.0 was first released I had a network hit by it and ESET managed to stop it from running in memory and removed it.. I put the file that caused it through Virustotal and ESET and Panda were the only ones that detected it. I've also found Sophos to be good at stopping them.
Which edition? I'm going to try now.
@Clear: Thanks so much for the help. Fingers crossed this fixes it.
Thing is, I stopped the Ransomware from the get go. It's executable was in plain sight. Did ESET unencrypt the files?
@deanylev: Unfortunately it can't do decryption. Since Kaspersky didn't help with that you're probably out of luck. Do you happen to know what the name of the virus is yet?
@Clear: 'Hugeme45', nowhere on the internet - save for a weibo post, where the solution was reformat.
Good to hear Sophos and ESET works for you. At work, we are forced to use Mcafee which is a piece of crap it allowed any variants of crytolocker come thru peoples laptops and affected shared drives. Every time needed to be restored from backups. We don't wanna use Mcafee but corporate head office in the US do and the security team are bunch of laid back staff who don't care about Australia
@neonlight: I know what that's like when the IT is outsourced internationally. A company I was contracted to had theirs outsourced to India and you had to email everything to them. Was particularly difficult being out whoop whoop with no internet.
No chance of installing MBAE or EMET? Or are the PCs all locked down?
@deanylev: Unfortunately that's just the name of the executable. Without an expert examing the file there is no way of knowing what family of ransomware it has come from.
I posted above but I can speak from experience, we have had Sophos let ransomware past multiple times. The end users are clueless though, so hey theres that.
Haven't used UTM before just endpoint security which is pretty average. Might look into it when the next one comes up for renewal.
@knk: Physical ones are not cheap as they're for busineses. I think they have a software version with a trial.
I use ESET NOD32 and have done so for the last 10 years without an issue.
Would this be as effective as their Endpoint AV?
I manage approx 10,000+ gov end points (including road warriors in their laptops) and since introducing Cylance (enterprise solution), we've been 99+% successful in eliminating these nasties. Alarmingly Ziltch last year (not to say thousands are being picked up and prevented).
Keeping it out is manageable when you have all the basic precautions in place. Most important being - backups (but remember, even a poorly implemented backup strategy can be damaged by ransomware. So do it right!), Next - security suites. Next - patches, updates, computer policies. Next - Common sense (we all know the risks of pirating stuff, porn sites, rogue sites, etc). blah blah blah.
Many consumer based Security Suites (kaspersky, bitdefender, eset, etc) have caught up and are able to eliminate most of these ransomwares. Just remember, Ransomware is network file sharing aware so protect all end points in your network.
Buy a spare cheap hdd from one of the deals that gets posted here frequently as a redundant backup and backup your critical data that you want to keep and then let it sit in your drawer for shit like this. I did when a hdd i had corrupted and now I never have to worry about losing anything ever again. The 4tb portable seagate ones from amazon cost me $200 aud which is fair for the security it provides.
Don't know how well AV would've worked though. Isn't Ransomware very hard to catch?
If I had the funds for a backup solution, believe me I would've sorted something out. Now I'm basically forced to cough up for at least 5TB of external.
So you had money to buy Windows server licence but not for backup?
I don't have time to fluff about in Linux. I know Windows Server, so I use it.
As a Windows user who's currently fluffing around with Linux on his desktop, I can fully understand. When it works, it works well; when it doesn't work you'll spend half a day trying to fix something simple.
As someone at your point a few years ago, I say persist with Linux for simple SMB filesharing, so long as you don't require any domain functions. Sounds like deanylev's in that scenario if it's a family server. Once you get Samba figured out and set up your server will be almost untouchable virus-wise. Be aware that you may sit on a Typhoid Mary if you don't still run a scan through it from time to time.
Also - and this sounds nerdy - ignore the GUI while learning. Don't even load a GUI on boot, just boot to runlevel 3. Learn how it works from the ground-up in the terminal, and do your configuration there. GUIs have gotten better and better since I started Linux, but terminal work is much better for learning, easier to find support for, and doesn't care what GUI you're using.
@Pinchie:
I have to agree here.
My 'server' back in the day was a trusty asus wl-500gp router, running DD-WRT with a custom image I'd packed together and a 250gb USB hdd plugged into it. Learning how to set everything up on this, from samba to rtorrent and actually building the firmware with the appropriate drivers taught me an amazing and made me so much more comfortable in a shell.
@knk:
Also, If you're wanting this experience you're going to want debian's netinst image or ubuntu's minimal network installer (think it's around the 10mb mark).
Windows server is a good stable system, as much as I love linux it has it's place. I'm a Debian fan specifically, RIP to Ian Murdock too.
If all you want is a file / media / torrent server, it's perfectly adequate.
Open media vault is awesome, so easy to use. Very appliance like nas software :)
Windows Server is easy to setup and use, but it's a needlessly heavyweight OS. For comparison, people on XBMC/Kodi forums mainly report using a Raspberry Pi or a NAS to serve their media. Unless you need to run game / web servers or the like Windows or even most Linux distros are overkill.
Do you have good back-ups?
Did your back-up regime work, or perhaps overwrite good back-ups with encrypted files?
What was the infection vector? Clicking an email link perhaps?
Nope, the amount of extra storage I'd need is just so expensive, but I'm forced to cough up for some external storage now.
No, I didn't have a backup solution, due to cost.
I believe someone in my family torrented something dodgy, it's a shared server. Hard to tell, it activated after a restart, and the server isn't restarted for weeks at a time.
Nope. Most of my TV/Movies are legally owned…
If you must know, my family torrent a fair bit of music. That's it.
It's ok to steal music, because even the music on the anti-dvd-piracy trailer 'you wouldn't steal a car.. you wouldn't steal a handbag..' was stolen.
http://www.abc.net.au/science/articles/2013/01/29/3678851.ht…
(although, these days I just use tune-in radio app/pandora/spotify etc.. and i rue the days I paid $30 for an album I bought on my $6.35/hr woolies pay)
@Stitchy: Wouldn't say it's ok :P, but no one feels all that bad. We all pay for Spotify Premium, but sometimes it's convenient to have the songs in other places (eg. My brother's gym iPod Nano). Doesn't make it ok, but it's not all that unethical I guess.
oops.. forgot to add a ':) / jk' to indicate that i was being a bit tongue-in-cheek when i said it's ok to steal music. :)
@Stitchy: Hahahaha I gotcha, it's super hard to portray tone in a comment, I wasn't sure if you were or not, hence the :P
@Ipiok: Did you even read my reply…? Yeah my illegal torrents of Call of Duty! Jeez, my 200+ Steam games and 40+ PS4 games must be pirated copies, right?!
Because I think the issue is more than just "piracy" itself. It's not as black and white issue as others trying to portray.
I think that's why you earn that downvotes. I also got hit the same thing.
Have you ever considered someone who pirate & legally buy tons of game which stored in their steam library and then never play them (Netflix included) considering the tons of bargain in games
You must be a patriot religious soccer-mom who NEVER even torrent right? or perhaps you're another hypocrite people who never reflect yourselves
system restore point?
lol.
if you wanted to tell, look at the encrypted files, look at the owner of the files in explorer (add the column called owner) and as long as everyone doesn't log into their respective computers with admin or user, you can tell.
Even the free versions of AVG, Avira, Avast, Bit-defender are better than nothing.
The obvious question is why would you not want to run anti-virus?
I found them all super obnoxious, and in the past, they would never catch the viruses that infected my PCs. Bought a Kaspersky license, as they have their shit together when it comes to Ransomware. It's actually really great so far.
So the timeline looks like this?
You used to use AV but found them super obnoxious (although I doubt that would be the case with bit-defender free)
You still got infected with viruses
2a. Did you investigate why you were still getting infected?
2b. Did you take appropriate steps to remove the viruses?
You thought well these AV programs must be crap! So I better just uninstall them and be careful??? (which seems to fly in the face of previous experience where you have had AV but still getting infected).
It seems you have multiple people using this computer which means you cannot control their behaviour.
You now have ransomware and who knows what else on your computer.
Yep.
a. It caught a lot of viruses, but it let a couple slip through.
b. Yes, every time. Once it was bad enough that the PC wouldn't boot and no amount of troubleshooting could fix that.
No. I just didn't think the trouble I had with them was worth it. I also made a system where I could get all the programs/settings I needed back in around 15 minutes, in the case that I needed a reformat.
That's not going to change, but I'm making everyone chip in for a backup drive.
Just ransomware. Done multiple checks with multiple AVs.
Thanks for the honest answers, I'll be honest too.
Viruses, Malware, Ransomware, Rootkits all rely heavily on user behaviour to download/execute the payload.
I'm guessing you are the most technical person and have taken on the role of configuring and maintaining the media/torrent server. It's concerning that you believe no AV is better than annoying AV (although that has now changed).
Based on your history and attitude towards security in general e.g. prioritising a 15 min cure over minimising infection by using AV, there is a VERY high probability this will happen again. Maybe not ransomware, but malware, viruses etc.
I guess you've already accepted that?
@h4lcyon: You're 100% correct. But 2016 is a new year, and the first where I really take a strong stance on computer security. I've been extremely lucky for 3 years.
Kaspersky and CryptoPrevent will be a requirement for new Windows installs in my household. Nightly backups of every computer will also be done onto a RAID-1 array. Malwarebytes will be on every Chrome browser for quick and painless scans for everyone.
Torrenting will be done in a VM, and the needed files will be transferred after automatic scans.
I think this should keep me safe.
Thoughts/tips?
@deanylev: it won't matter, the infected machine will still encrypt network mounted drives. Not just locally.
How many nights of backups do you intend on keeping as a backlog? You may have also backed up files that are manipulated days ago where you may not have noticed.
@supnigs: Only network drives that are 'mounted' as drive letters? Because if so, doesn't matter, my server's drives are network mounted elsewhere, not the other way around.
@supnigs: This one seems to be. It only infected a percentage of files on 3/6 drives on the system and the file was hiding in plain sight on my desktop. The warning was in a Notepad file on my desktop, and the decryption program they emailed me is so poorly coded.
@deanylev: encryption takes time to do, it is done by stealth, such that a normal user will not notice. It mayb continue to destroy files too. No such thing as a portly coded decryption program. It's not something you would be able to tell anyway unless you can disassemble. Turn off the server and physically remove any network routes to stop further damage. Salvage data on drives using a clean system.
@deanylev: Any particular reason you're backing up onto a RAID-1 array? You're better off just making a longer history of backups (so rather than wiping your backups every night wipe them every other night, or if you're keeping 5 days of backups on a raid-1 array, make 10 days on a JBOD).
The fact of the matter is RAID (by itself) =/= backup. RAID = uptime in the event of single mechanical HDD failure. If it turns out the ransomware/virus was lying dormant you could just reinfect yourself by restoring the most recent backup and may require going back into your library of backups.
@serrin: I'm not yet, but I was going to, for redundancy's sake. But what you said is all true, I'm going to need to keep a good few days of backups.
Ideally stop using Windows Server, if all you are using it for it a file server instead look at moving to something like FreeNAS. Also forget RAID 1 and look at either RAID-6 or if you are using FreeNAS you can use the ZFS filesystem and have RAIDZ2 (ZFS implementation of RAID 6) that would give you distributed parity and tolerance for 2 disk failures, you get increased read speeds because all drives can contribute at the cost of slower write speeds.
Side note copying files to a RAID array is not really a backup more so a redundancy, true backups of important files (photos, docs) should ideally be offsite even something like Dropbox or Google Drive would do. If you are really keen you can get some Amazon S3 or even Amazon S3 storage for not a lot of money, the initial upload may take a long time but it's worth it. Alternatively copy stuff to a external hard drive every month or so and leave it at your parents/friends place.
Since it is a shared server all users should have their own accounts and their own folders on the server, they should only allowed to write to their own folder and be given read access to other peoples that way if this happens again only 1 person's data would be affected.
Kaspersky, Malwarebytes and Cryptoprevent will possibly cause more issues then they prevent if the other users are tech literate and instead of nightly backups why not just sign them up to Dropbox or some other cloud service then if their computer gets infected just nuke it and sync it up with the cloud to restore files.
As for torrenting there isn't much you can do except maybe try and get on to a private tracker or in lieu of that start using usenet.
None of this will keep you safe, merely reduce the likelihood of something bad happening and giving you options to recover.
@serideth: Wow you covered all bases. Thanks for the super detailed answer. Would you mind if I PM'd you to ask a couple questions about my drive config?
Avast is super lightweight and can run in silent mode so no annoying pop ups
Do you know exactly how did you get it?
Downloaded a pirated copy of Half Life 3 perhaps.
Shhh, that's between me and Gaben.
I believe someone in my family torrented something dodgy. Hard to tell.
Restore from a backup.
You have a backup right?
Hehe… about that.
Nope. The amount of backup storage we'd need is expensive, and I'm an idiot. I deserve this.
I was reading a site this morning that talked about the failure rate of HDDs. Some place that runs drives 24/7 and documents when they fail. The failure rate does, of course, go up exponentially as time goes on. I think it said after 4 years, the drives that didn't fail in the first 12 months, 12% will fail every year. (I think it was!?)
I have no backups either. I'm going to do something about that real soon.
2016 is the year of security and backups for me.
No more bad practices.
When you think about it, there are probably not many things you can't stand to lose: Photos and documents are all I really care about - everything else is replaceable.
Upload your photos to google photos (unlimited storage for files up to 16mp and will downscale for you), and put your documents into a free drive (google, mega, dropbox, whatever).
@macrocephalic: Yes there are a few free options that allow you to have an offsite copy of your data.
And if you're concerned about other people seeing your files then look at something like: https://spideroak.com
It's cloud backup that encrypts your files locally before transferring them. It's not too expensive considering what it's protecting…
If you have the bandwidth, NBN if you're lucky? Crashplan is unlimited, business offering is only $11pm.
I have the download, just not the upload. 100/2. Waiting for NBN in a few months, then I'll have 100/40.
you didn't tell us what is the name of ransomware is it? or what version of windows server you have. Have you got backup or tried shadow copy to restore your files?
We need more info so we can help you, this is not an AMA and I don't think we have to ask all these basic questions.
Very uncommon type, not documented anywhere. File was 'Hugeme45.exe'.
and… any progress in debugging?
Have you actually tried using any ransomware removal apps? I know you're somewhat allergic to any sort of antivirus programs but perhaps humble yourself and give Kaspersky a go:
https://noransom.kaspersky.com/