Restarted my Windows Server the other day, to discover my files locked and a message on my desktop about how they want 1 Bitcoin (~ 590 AUD) to unlock it. I don't use Anti-Virus, because I'm very careful, and haven't had any viruses in my 3 years of doing it. That changes this year.
Lost about 2TB / 8TB of my data, as it only hit one drive, and the boot SSD.
Noticed my friends were asking a tonne of questions, so curious, anyone want to ask anything about it? Just shoot.
Yep. Exactly. That's what I'm gonna do. Think of a NAS like any other connected drive.
Yep. Buying a NAS with a bunch of storage most likely, and I'll keep it unplugged unless doing a backup.
For extremely critical files, you should consider an offsite solution (as well). If there's a fire / theft / some disaster you'll be glad you did.
Something like Dropbox, Google Drive, etc if you don't really mind it's unencrypted or if you'll encrypt the files before syncing or something like SpiderOak if you want it to look after that for you.
Unfortunately even on Optus' top 100Mbps Cable Plan, our upload is capped at 2Mbps (usually only gets around 1Mbps), making anything offsite or cloud impossible. Once NBN rolls out here in H1 of this year, then I'll definitely look into it.
I'll probably go with Amazon's though. For $60 a year they offer completely unlimited cloud storage. Can't go wrong.
Online backups are excellent but unless your files are manually uploaded (ie. through the browser), desktop versions with auto syncing can easily be encrypted too. On the plus side, you can revert to older file versions but some take a long time. Such as the standard dropbox account which won't let you revert whole folders at once, only individual files. Been there.
@deanylev: I thought that too (ADSL2+ connection with 1Mbps upload) so I only enabled documents, etc to be uploaded. However after they finished I enabled photos & just let it upload in the background. Sure it may take 3hrs for 1GB, but you just let it run over months and slowly your important stuff is being very well protected.
Sure you prefer to use a NAS when backing up / restoring, but if that's not available, the cloud can really be a godsend.
@OldBugger: true. sometimes the interface can make restoring from older versions annoying. But you have the older versions avaialble, which is better than nothing.
But I think in this case the encrypted files were renamed with ".ENCRYPTED" appended at the end, so that should help with restoring.
@spaij: I calculated, and by the time it'd finish, we'd have NBN with 40Mbps upload, so maybe it's a good time to start, and then when we upgrade to NBN it'll finish off.
@spaij: When our small office admin computer was hit, we did have dropbox but restoring the hundreds of files one at a time was almost impossible. Luckily I had synced all files to my laptop days before and had not placed it online since, so they were encryption free. I simply copied the files from my laptop back to the cloud.
Run a linux version and boot it from CD or USB. Knoppix is one of the versions of Linux which can boot entirely from CD without needing to reinstall. I used to have really old version (3-4 years back) of knoppix which could bypass any windows security to browse user files. I did this because my windows was stuffed and I didn't want to reformat my PC, so I backed up my data using Knoppix and then reformatted the PC. If that ransomware is programmed for windows, it won't be able to run on other OS like linux, so try that. Back up your data to other hard drive then format the PC and affected hard drive. Hope this helps. Other users might be able to help you if there are better versions than Knoppix which can do this.
EDIT: Never mind, just read they are encrypted. This won't work.
How often do you "re-use" the data you have previously downloaded?
Or, do you download in mass and then "use" the data?
I am wondering, as a friend used to have…1Tb of data, and most of the time he was using…not even 5% of it.
Thanks! :)
This got me thinking. Most of the stuff on the drives is not stuff worth backing up - meaning I could go with a smaller drive and just backup crucial files.
One the drive this affected, it's all media, that is used constantly.
On the others, not so much.
I am sorry to hear about your situation.
I work in IT myself, I would recommend in the future:
Will do, thanks for the advice
Turn off PNP
Is that the same as UPnP? (I have a Draytek 2710n - haven't logged into into yet to look for this, but did a quick websearch and UPnP came up instead.)
Sorry yes you are right, i meant upnp (universal plug and play). I highly recommend you disable that on your router, its used by things such as security cameras to automatically enable access from the internet, but can be abused by viruses and other nasties to enable remote access directly onto your computer. I'm Not a huge fan.
A few weeks ago I downloaded an android app that was supposed to show nearby free Wi-Fi hotspots, according to your GPS location. Every time I opened a browser on the phone, I kept getting redirected to a site saying "Your phone has a battery damaged virus" or some-such rubbish. The phone vibrated and beeped constantly too until you hit the back arrow a dozen times. Actually, it did that all that again today when I visited a particular torrent site.
Anyway…
That app was the second one I uninstalled and the browser redirection stopped. But then the phone couldn't connect to the ADSL modem Wi-Fi. I restarted the phone Wi-Fi, the phone itself, re-entered the password, etc. Finally I went into the modem via the desktop computer and opened the Wi-Fi to any connection. (Initially I thought the phone Wi-Fi was broken so wanted to make sure it was ok.)
It connected fine. So I re-entered the modem password - and the phone reconnected a second time. The same password I'd had all along. (I didn't bother changing it, because I have a dynamic IP and had turned the modem off/on several times.)
So I think they managed to change the modem password - after I installed that app - which wanted Wi-Fi permission - by decrypting the password from the hidden stars in my android phone!
I'm in the exact same boat as OP!
A friend linked me to this post asking if it was me who posted it since the situation is identical to mine. I've always maintained a healthy server and haven't been struck with a virus for years. Low and behold, I come home last Christmas eve to find my server running sluggish and a process with millions of I/Os. Immediately killed off the task (it was called "hugeme45.exe") and then realised most of my personal files had the ".encrpyted" extension. The gravity of the situation only struck me when I realised it was irreversible!
I run a Windows Server 2008 R2 VM on a Windows 7 OS (yeah, weird I know but there's a reason for it).
The ransomware crawled my entire PC and encrypted almost every file. It even extends out to network drives and attached storage! All it left behind was a crudely typed text document on my desktop with 3 email addresses and a bitcoin wallet address to make a 1 BTC transfer to in order to receive the key to decrypt.
This is what boggles my mind. Did it enter through my Win 7 OS? If so, how on earth did it enter my VM and encrypt the files there too? How did it deactivate my antivirus? I'm of the opinion that it entered through my Win Server 2008 R2 OS and branched out into my Windows 7 OS through the shared network drives. But what's even more concerning is that my Win Server installation was a vanilla install; only had the bare OS which runs a python script that I have written. What I also found on the desktop was an exe for Dotnetfix (not sure if you had this as well).
After reading your post, I am even more certain that it came through my Win Server OS through some security hole.
Fortunately for me, I kept cold backups of most of my files (by accident too since I rarely erase old drives!). The ransomware has certainly been a wake up call for me in terms of how I should be backing up. I also feel quite uneasy with operating my server unmanned as I fear a repeat of the same event through the same backdoor.
Wow the exact same Ransomware! Yep 'Hugeme45.exe' and 'Dotnetfix'. Everything is .encrypted. So annoying.
I think I might go with Linux now on my server, based on everyone's recommendations to.
Just a note, having Linux on your server may not even stop this particular attack vector if the shared drives are accessible to Windows machines. ie. if you initially managed to get the ransomware through someone else in your household who hit a dodgy site/ran a dodgy exe on their connected computer, if they do the same thing then regardless of what OS your server is running, all the accessible files on your server will still get encrypted.
Seen this many times too, most of the time it's a workstation because someone opens an 'invoice' which is inside a zip file….
Make your drive shares "read only", and then the ransomware can't affect the server unless you manage to run it on the server. It can still encrypt files on the connected computer though, but the server will be okay.
A poorly maintained linux server will have the same risks it will just not be as big a target. I'd stick with what you know, and close off RDP to the outside world.
I guess it depends on what you want to run on it though, I'm running Debian on mine and it handles Plex, CCTV, File storage / sharing (samba), torrenting (deluge) etc :).
You like Debian? I'm open to trying anything :)
Debian's great and very stable, however for a beginner it might be a bit of a learning curve. Ubuntu server isn't bad if you're just dipping your toes.
Otherwise something more appliance-esque wouldn't be a bad idea, how about something like FreeNAS? It'd probably do everything you need, I haven't personally used it in years though.
build a quantum computer?.. should decrypt files in seconds. :)
seriously, sorry to hear this has happened.. and thanks for sharing. many people who suffer this sort of attack won't have the courage to share their experience openly.
It's a pity some responses are a bit harsh, but you can expect that a 'geek' topic would attract a few ass-burgers.
It took a house fire to make me serious about backups.. your post has been a 'refresher course' and has also got me thinking about my parents current security/backups or lack thereof.
:)
I was actually thinking about the house fire thing last night. Next investment will be a fireproof NAS. I don't want anything being able to compromise my data anymore. This year I'm taking backups and security seriously.
I lost everything in the fire, and it was a shock for the first day or so.. but then came this feeling of freedom/relief, it was just stuff I was worrying about, protecting, cleaning.. weighing me down. Stuff I wouldn't really ever pull out of a box again. The only thing I really missed were photos. I vowed never to lose another photo.
These days I cloud my emails/photos/docs. I have a lot of videos relating to my business that are backed up off location.
I have a raid array so I have minimal disruption with hardware failure.. has already saved me a couple of times.
all the best
That's terrible. But I know what you mean, a year ago my nearly-full 3TB Barracuda failed along with everything on it. I had that same feeling, no more data to worry about. A fresh start, with good practices. Unlike you, I got lazy and stingy, and didn't learn my lesson. This is my second major data loss.
I'm going to setup a RAID-1 array with a few drives too.
Or just a wireless one - in the garage or car. ;-) House catches alight while you're away from home - drives are in the car, or, grab out of garage before the fire takes it out too. House catches while you're home - move car down the street.
@op dl and run malwarebytes anti malware software very good may dig deeper than most
His files are encrypted this won't help.
Maybe you could use a chrome box/ Android device as your new torrent machine?
I lost 1tb due to my own fault even though i double checked. It was 99% media that can be easily replaced. Never bothered replacing it and at the time i was a bit annoyed but no fks given, its all rubbish
This happened to someone I personally don't know, but a close friend does. The victim ended up paying around the same amount of money ~$600 because he relied on making his income through his computer config. He has a few computers that mine on Runescape and then sell something to someone. He makes an actual salary from doing it so he had no real option but to pay. They ended up unlocking his files. Seems like it is becoming more common, really sucks, sorry OP
Hi Op and here's to a better year than last year for you!
Thanks for posting. I learned a lot from this thread and sorry for some of the less than helpful posts but, there were plenty of really good ones as well!
We don't Torrent because I don't allow it in my family (although how would I know - right?) but, we may have in the past, accepted files by hand from ultimately unknown sources (I don't allow that anymore either and I do trust my family to do the right thing). We do browse the web through any number of browsers and O/Ss and download files from mod sites, Steam and plenty of other places of course.
Also we stopped using servers and portable disks a while back and switched to the Cloud but, that is no absolute guarantee also I guess. We don't store large files anymore either - Yay for Netflix and sorry for our local video store!
We do run anti-virus locally however, so scanning now and reminded the family about the risks. What considerations/criteria did you use to choose Kaspersky?
Thanks again.
Thank you!
You're welcome, if I could help one person, that's a success. Didn't want my experience to be a complete negative.
I chose Kaspersky, because they seem to know what they're doing when it comes to Ransomware. I can deal with other viruses, but not Ransomware. Of course they protect against most everything. It also is a lot less obnoxious and intrusive than other AVs I've tried. Nice and cheap too, $10 for a key on eBay. It also has some features I genuinely like, like Protected Money, and I love its UI.
Thanks for this. Will take a look at eBay now. Have flitted from one paid provider to another over the years and also used all the free ones many times. definitely time to look at them again.
Torrenting may not be the cause of the ransomware. My server doesn't even have torrenting software installed yet it still got infected.
As mentioned in my post above, my system is bare bones yet it still got infected. I'm afraid the best and safest way to protect yourself is to keep offline backups of all your files.
Try the following:
"password"
"batman"
"696969"
"passwordistaco"
"letmein"
696969 worked, thanks for the help.
I have a NAS at home for linux iso's and royalty free images. It's unsecured but I accept the risk that someone might do something stupid and download a virus (or family member accidentally deleted a 3tb folder sigh - yes that actually happened)
Hopefully you can just format and spend a month downloading those linux iso's again.
Wow really?
I haven't been hit with this issue but have learnt a lot reading this thread.
Is everything salvageable now? Would a reformat now be the only thing needed?
Cheers.
PS also curious about what happens if the backup software is triggered and replaces the proper files with encripted files before the problem is discovered. How then do you retrieve the backup'ed files without paying the fees?
Wait, you mean "696969" was the key that unlocked all the files the ransomware encrypted?
Bahahahaha no not really.
Virtualisation may help.
Possible config:
Create snapshots of VM #2 periodically.
You should never use snapshots as backups.
Snapshots should only be used for rollbacks and should generally never be kept for longer than a week.
You can use VSS (Shadow Copy) on a rolling 14 day period for your host and necessary files, incremental daily backups and weekly (or monthly) full backups.
Agreed don't use snapshots as backups. Use something like Veeam Free edition(veeamzip) https://www.veeam.com/virtual-machine-backup-solution-free.h…
to take a complete image or invest in a proper solution like Veeam or Shadow Protect.
Would 'important' files be all that large and growing constantly? If it were things like photos, home videos etc unless you're always snapping photos I'd imagine something like Dropbox would be enough for the essentials combined with a secondary backup.
Personally I use Dropbox for everything important, and then my server pulls it snapshots it locally and also uploads it to Crashplan. You know, just incase lol.
For NAS backups don't use shared drives.
Setup your NAS for ssh/sftp/ftp connections and use any ftp/sftp program to backup data. Of course with username/password.
This will hide backups from ransomware.
I feel for you mate.
Out of interest were your software updates up to date?
Also I used to be the same with AV as well, because of the performance hit. I'm OCD about performance. So I never used to run it and I never got hit with anything. But since Defender/Endpoint Protection is free and has been built in to Windows I decided to give it a go and honestly I don't even notice it anymore (the hardware is obviously a lot better nowadays). You can excluded large files anyway (mkv,iso)if that's what you are worried about. It's has saved me a number of times with viruses, but can't say that it will stop ransomware.
As for advice…hmmm…
Plug the disks into a new install.
I would find a JPG and try and open with an open image viewer(the type that will read any format regardless of file extension). Try a hex editor on a word doc as well and see if you can read anything.
See you don't actually know if they are encrypted or just forcibly corrupted/renamed. If you can see anything, then you can work from there.
Also keep the bad.exe and run it against another install/vm, while you are watching it with Procmon. You never know, you may notice some pattern which will help.
Also since you mention your have clients that connect to the server, in addition to whatever you have already done, check that startup registry keys on them and make sure they are clean.
But if it's just media, I wouldn't bother, just redownload it…. at work… ;)
696969 worked, thanks for the help.
Do you mean it's decrypting the files!? Surely not, or you'd be filling the screen with !!!!!!! marks.
Hahahahaha nope
???? so why the comment that it worked. Really puzzled.
Whooosh He was joking.
@Clear: Well fair enough. Looking at the password lists, it probably should have clicked with me. Could it be possible however, that the offending software which presumably is attacking numerous computers have a password that works on different computers that are affected, or are the passwords generated by a keygen type code that is dependent on the affected computers' configuration?
This is not my field of expertise :-(
@x d: Depends on the family and variant of ransomware. Some have a list of passwords that companies like Kaspersky know while others can be randomly generated.
Pro-tip: Your usage habits will matter more than the AV you use.
Try Using Dr Web to decrypt you files. You might have to buy a license for their software but it's only about $40.
https://support.drweb.com/new/free_unlocker/for_decode/?lng=…
I've been looking into this a fair bit. Dr Web isn't revealing how they're doing it, but they've either found a weakness in the encryptrion, have a list of keys for some variants or have direct access to the Command & Control Centres.
This site is a partner of Dr Web and seem to be able to do it, but they have a fee.
http://www.decryptolocker.it/
There have been security researchers who directly attacked some C&Cs and managed to retrieve keys. I'm guessing that is how Dr Web and decryptolocker are doing it.
Im curious to how to solve your problem as well as my last computer got infected by ransomware and i stopped using it. There has to be someone who can fix it like harddrive data recovery at a price.
Looks like it's gonna be a reformat and loss of data bud :(
(I mean this in the least rude way possible, hard to project a tone over the internet) Are you familiar with how data encryption works? Hard drive data recovery works by reading data off the magnetic platters, when a drive is inaccessible. This drive is accessible, so all they'd be able to read is the encrypted files unfortunately :(
Forget data recovery. Once it's encrypted - that's pretty much it. No professional data recovery will go near a drive encrypted with any decent Crypto variant.
I read a while back on bleepingcomputer that there is one piece of software that MAY be able to help. I can't remember the name of the developer, it was a smallish Russian AV outfit. I haven't used it myself but a few people said that it worked for them with some of the older, more popular variants.I'll see if I can find the original article
Kaspersky. I posted the link back on page one.
However this is a very new generation crypto and the encryption key is unfortunately not in the database.
No, not kaspersky. I'm well aware of the kaspersky utility and by all accounts it is next to useless.
The one I'm thinking of is from some small firm, not a giant firm.
@shawnsmaggot: Dr Web is the one.
Emsisoft have released some decryption tools for other less known ransomware. Randamant and Gomasom .Crypt.
Edit: Turns out Dr Web is only offering the decryption service to customers who purchased their software prior to the infection.
Thanks! That's the one :D
I believe some people on bleeping computer said they were able to obtain the tool shortly after subscribing.
Apparently It only works with some variants. Anyone else used it?
Hey love2buy, The original poster (deanylev) and shawnsmaggot are being a bit grim (although they might be right, it's really 'it depends'). In the crypto-locker variants I've dealt with, it's a per-file encryption process so your 'groceries.txt' file gets rewritten encrypted as 'groceries.txt.encrypted', and usually a HOW_TO_RECOVER_FILES.txt file per folder providing instructions on how to pay the ransom.
The damage is usually a function of how long it's left to run & encrypt your files, and how fast the PC & disk is for reading & writing. To put some numbers to this, in a corporate environment, a user connected to the network got infected and the cryptolocker ransomware managed to encrypted approximately 26,000 files in about 34 minutes. If a backup is available for these encrypted files, I can easily selectively restore only the infected files.
In home-user environments, backups are much less likely, or if they exist, they might be on the same PC or an external hard disk always attached to the PC and hence at risk of being crypt-locked too.
For professional recovery services, or to have someone properly diagnose it, gets expensive (we are talking minimum 1-2 hours to examine it, more to recovery files, and professional recovery services charge $100's per hour for their services).
Thanks i think ill leave it and be more careful. I couldnt think of anything important in it but what should i do with infected pc.
To stop this happening in the future - look into a program called CryptoLocker. Basically a program that whitelists programs, stopping the cryptolocker variant programs from being installed in the first place.
Does take a bit of configuration at first, but the time and effort that it can save is more than worth it.
CryptoLocker is the name of a famous crypto trojan.. I think you misremembered the name..
What you might be thinking of is CryptoGuard. Formerly known as Hitman Pro , they got bought out by a company called SurfRight which is a division of SOPHOS and re-rolled as HitMan Pro.Alert
http://www.surfright.nl/en/cryptoguard
Hitman Pro.Alert is preventative and if you are already infected and have encrypted files you'll need to download HitmanPro.Kickstart
Damn it! Meant to say Cryptoprevent
I really don't understand how people reason that if they are 'careful' they needn't concern themselves with AV. Why not be careful and use an AV? it's like arguing "I don't really bother locking my doors because I live in a safe neighbourhood, two minutes away from a police station & I don't know any criminals." This is especially confusing if you have several people who aren't tech-savvy on your network.
Do people honestly think their caution can compete with software that is constantly checking and monitoring their system & is updated to detect the latest threats? Additionally, AVs have come a long way from the days of the bloated garbage like Norton used to be. Just run one, even a free one. I use Avira and it is fine.
I sympathise with your situation OP, and maybe an AV wouldn't have caught this threat, but I just struggle to appreciate the logic of not using an AV.
I've gone over 5 years now without antivirus.
I admit I've downloaded some shady items but I've always been careful. I also acknowledge that I've even clicked on a .exe file which was meant to be a .avi file but I was fortunate enough to have enabled UAC on Windows to double-check with me before opening any application.
Right now, I don't see myself using Antivirus for a long time. If any more suspicious file comes along, I'll just upload the said file to virustotal or whatever to scan it first.
AV adds extra cost, slows the entire system down and gets too many false positives for what I download. Also, if torrenting, just read the comments before. Though take this with a grain of salt.
• Not all malware needs to be executed by the user. You could have malware on your system right now that you simply don't know about. How would you? You have no security packages installed. Even if someone runs Linux I still say install an anti-virus on Linux if they switch between Linux and Windows.
• There are very good AVs which are free. Some even outperform paid versions in objective testing.
• As I mentioned earlier, AVs are quite efficient and effective nowadays. I agree back in the day they were crappy, usually because every vendor wanted to add a billion different useless modules which hogged resources but that isn't as much an issue. Plus hardware is much improved since then.
User caution is one part of the equation when it comes to security. It is a big and important part but it alone cannot provide sufficient protection.
Ultimately, it is your system; use it as you see fit. I cannot ever see myself going sans AV or encouraging others to. :)
With the proliferation of SSDs now, and the speed advantages offered by them, the scanning of the files are also much quicker than before so that makes it that much less painful than in days of yore
I've spent too much time looking into this, but it could be Ransom32 that was discovered several days ago.
I don't think so, only because mine was just a poorly written Notepad file and no way of decryption was provided.
I think it was a Java exploit of some sort, because it only happened two days after Java was installed on the machine.
Very likely someone was testing a zero day vulnerability with a crude build of ransomware.
In my 20+ years of computing, I NEVER had an antivirus and NEVER had a virus.
Linux anyone ?
I really want to go with Linux, but it's so hard to leave Windows. Even just for my server. Especially when my server with Linux can infect Windows computers in my house, it's gonna be hard to convince me. I was convinced earlier today, but I'm just gonna miss Windows too much.
Linux is easier than you think :-) start with an Ubuntu based distro and start from there.
Thoughts on Zorin OS? Looks awesome
Linux is easy, fun and VERY customisable. As much or as little as you want.
Thoughts on Zorin OS? Looks awesome
@deanylev:
Looks really good, Ubuntu based.
I would highly recommend Linux Mint (Cinnamon): http://www.linuxmint.com/download.php
Also, have a look here: http://distrowatch.com/ on the right hand side.
When you think Linux (unix / *nix) think of: Android, iOS, Smart TV's and almost every web server out there that powers everything from Google to OZB.
As I said, if you want to dig deep you'll discover a world of possibilities. If you want to use it as a normal computer and don't care about anything, you will be fine with Mint, Ubuntu, OpenSUSE, Mageia, etc, etc, etc. It's all about taste really :)
P.S. I would install Zorin
@zapy: Love me some Linux Mint, but it's almost a tad boring now. It's a solid OS, but I'm looking for something new for a change, Zorin it is! :D
First with ransomeware and now with Linux?
You playerrrrrr
Ransom32 is programmed entirely in JavaScript, html and CSS, so not even Linux is safe from the clutches of the latest generation crypto malware, since the modified code could be executed on any x86 OS.
http://www.bleepingcomputer.com/news/security/ransom32-is-th…
Better safe than sorry and back up always
What has this world come to… Is their seriously no OS safe from attack? I'm going to DOS.
CD c:
Del * /f /s /q
You're pretty safe with Linux booting from a DVD-R. Anything goes wrong, you just reboot the machine. Set it to reboot at 5am daily, just to be sure.
However for the DATA you are downloading - if you must run a web browser, run it inside a VM, and run it as a different user. Even if a virus gets loose on the VM, it can only damage the files inside that VM. If it manages tunnel through the VM, the different-user bit stops it from getting any further, unless it can also crack Linux.
Noob question here - but I assume the same applies to NAS drives? So in theory if a NAS is used primarily for backups it should be powered on, backup software allowed to run - then powered off again?