Ransomware in Windows Server 2003


13 replies to this topic

#1 GreenManWalking (Members, 3 posts)

Posted 09 December 2012 - 10:06 PM

I have a major infection on my server.

Two days ago, two users reported they were unable to log onto our non-profit's constituent database. When I did so today, I could log on as the administrator; the error indicated that the database was not present.

I found that there were several scores of files on the server entitled "How to repair.txt". They were in the public directories and sub-directories, such as "C:\documents and Settings \All Users\Documents", and in the subdirectories of two specific users, out of about 15.

The contents of all of the files were similar:


If you are reading this, it means your important files (photos, videos, documents, archives, bases, backups, etc.) are locked with a military cipher.
Nobody can help you restore files without our decoder.
If you want to recover files,
send e-mail to the repairmyfile@tormail.org WITH "how to repair.txt" and 1-2 encrypted files less than 1MB. After checking you will receive the decrypted files and our conditions for how you'll get the decoder. Follow the instructions to transfer payment.



The files showed up in folders in which there were files with the ".doc", ".xls", ".mdb", and ".jpg" extensions, as well as in many other folders. The files seem to be identical.

In many of the user folders, the original files with the above named extensions were converted to files with ".doc.done", ".xls.done", and ".mdb.done" extensions. In some of the driver directories, the conversions were not so clear. I tried to rename one of the files to its original suffix, but that was unsuccessful; the re-renamed file was not a valid file of the given type.

In viewing the security properties of the alien files, they seemed to have derived their permissions from one of two specific users, because they had a line for those users in the security properties page. These were the only users in whose private sub-directories the alien files were found.

The server uses Symantec Endpoint Protection. I scanned the server with Malwarebytes Anti-Malware and the Microsoft Safety Scanner. None of these reported a virus, or malware of any type.

Questions:
Can these files be restored?

Can the source of the infection be another of the trusted computers within the domain?

How can such an infection be prevented?

#2 Broni (BC Advisor, 42,725 posts)

Posted 10 December 2012 - 07:58 PM

Welcome aboard

I'll report this topic to appropriate helpers.
Hold on....

#3 dani boy (Members, 3 posts)

Posted 12 December 2012 - 06:04 AM

Hi there!! I have exactly the same problem... does anyone have any idea how to solve it???

cheers

dani

#4 GreenManWalking (Topic Starter, Members, 3 posts)

Posted 12 December 2012 - 08:53 AM

I have more information, but I still need help.

By checking the Event log and the file system, I have induced that there was a weak password for one of our users. Some bot guessed it and started logging in on that account. Then it ran a program on all of the "interesting" files it could touch, and put a ransom note in each directory. This seems to have gone on for a while.

I have locked that account and changed all passwords, removing any accounts that aren't in use. I still need help in recovering the few critical files.
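One way to check the Security log for the pattern described in this post (a run of bad-password failures against one account, then a successful logon from the same address), as an added example that is not from this thread or any of its posters. The log records are constructed; the event IDs are the standard Windows ones (529/528/540 on Server 2003, 4625/4624 on later versions), not values taken from this server.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs for a bad-password logon failure and a successful logon.
# 529 / 528 / 540 are the Windows Server 2003-era IDs the server in this
# thread would log; 4625 / 4624 are their Vista-and-later equivalents.
FAILURE_IDS = {529, 4625}
SUCCESS_IDS = {528, 540, 4624}


def constructed_events():
    """Constructed sample records (not taken from the thread), each a
    (timestamp, event_id, account, source_address) tuple: twelve bad-password
    attempts against 'jsmith' from one external address followed by a
    successful network logon from that same address, one ordinary typo and
    logon by 'mlee', and a lone failure against 'admin' that never succeeds."""
    t0 = datetime(2012, 12, 5, 23, 0, 0)
    evs = [(t0 + timedelta(minutes=i), 529, "jsmith", "203.0.113.45")
           for i in range(12)]
    evs.append((t0 + timedelta(minutes=12), 540, "jsmith", "203.0.113.45"))
    evs.append((t0 + timedelta(hours=8), 529, "mlee", "192.168.1.20"))
    evs.append((t0 + timedelta(hours=8, minutes=1), 540, "mlee", "192.168.1.20"))
    evs.append((t0 + timedelta(hours=9), 529, "admin", "198.51.100.7"))
    return evs


def find_guessed_accounts(events, min_failures=10, window=timedelta(minutes=30)):
    """Return {(account, source): (failure_count, first_success_time)} for each
    account whose first successful logon from a source address was preceded,
    within `window`, by at least `min_failures` bad-password events from that
    same address. Events are processed in time order, so a success that comes
    before its failures does not count."""
    recent_failures = defaultdict(list)
    hits = {}
    for ts, event_id, account, source in sorted(events):
        key = (account.lower(), source)
        if event_id in FAILURE_IDS:
            recent_failures[key].append(ts)
        elif event_id in SUCCESS_IDS and key not in hits:
            inside = [t for t in recent_failures[key] if ts - t <= window]
            if len(inside) >= min_failures:
                hits[key] = (len(inside), ts)
    return hits


if __name__ == "__main__":
    for (acct, src), (count, when) in find_guessed_accounts(constructed_events()).items():
        print(f"{acct} logged on from {src} at {when} after {count} bad passwords")
```

The account and address it reports are the ones to lock and to search for in file ownership and share-access records, as the poster did by hand.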

#5 Systematic (Members, 2 posts)

Posted 12 December 2012 - 10:39 AM

Hi,

We have had exactly the same issue with one of our clients. Luckily we managed to restore 98% of the data from backups, but a very small part was old archive information that the client had moved on to a NAS that had no backup routine.

It seemed to have originated from an external laptop which, when connected to the network, encrypted all docs, xls, etc. on any network drives the user had access to.
Ran full Malwarebytes, SuperAntiSpyware and AV scans and found zilch. Ran the ESET Online Scanner and this found a couple of Trojans; this laptop will just be rebuilt on a new hard disk.

After several hours of research and not getting anywhere I created a bogus email account and did what the text file said. They did reply with the terms as shown below.


On 11 December 2012 17:38, <repairmyfile@tormail.org> wrote:


1. decrypted sample in attachment
2. Decryptors price - 100 eur without any discounts.
3. sorry for the delay
4. Go to www.ukash.com send me copied UKASH code 100 eur
5. after checking you`ll get the decryptor


I spoke to Ukash, who clearly were not interested, and the next step is to speak to the police. How important are these files?? Very!!
......Scum, sub-human money-scamming scum!

#6 Elise (Malware Study Hall Admin, 61,257 posts)

Posted 12 December 2012 - 01:16 PM

Unfortunately crypto malware, especially of the sort that uses dedicated server hacks (as seems to be the case here) is very hard if not impossible to remove. The infected components can usually be removed without problems, but the files usually cannot be decrypted as the decryption codes are not stored on the computer.

The only solution is reinstalling/reimaging the server and restoring a backup. To prevent this, be sure to:
  • Install all latest updates for the OS as well as software installed on the system.
  • Use strong passwords that cannot be cracked easily by using brute-force attacks.
  • Be sure to use offline backups; any data on a connected backup drive will be encrypted as well.

If you have any scan results that can give an indication of what ransomware variant this is, that would be helpful. Likewise if you have any files that (you suspect) belong to this infection, or were involved somehow, you can upload them here so we can have a look. Please post a note here once you submit any file.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#7 GreenManWalking (Topic Starter, Members, 3 posts)

Posted 12 December 2012 - 02:47 PM

As was suggested by Systematic, I ran the ESET online scanner, and it found instances of Win32/Filecoder.AN.Gen trojan. I have put a copy of a simple xls file in the file pile you suggested.

#8 Elise (Malware Study Hall Admin, 61,257 posts)

Posted 12 December 2012 - 03:38 PM

I am afraid I have bad news. The files are encrypted using RSA, which means there is no way to recover them.

regards, Elise


#9 Systematic (Members, 2 posts)

Posted 13 December 2012 - 07:21 AM

Found this on another forum. Translated from Spanish to English, so the text is a little unclear. Basically the scam is to try to extract more money!!


"yes it looks very bad .... I have investigated in several forums. some of them in the U.S. and there seems no way .... you have to try to retrieve backed up but mine is 3 months.

I've been in touch with the "character" and ask me € 100 ..... I exchanged emails and all it does is raise the demands ..... now I'm going for 300 €"

#10 Elise (Malware Study Hall Admin, 61,257 posts)

Posted 13 December 2012 - 09:58 AM

While I understand that encrypted files may be very important please consider that paying the ransom is no guarantee you'll get anything back either; 1) nobody gives you the assurance that, once paid, your files will be decrypted and 2) when using direct payment methods the chance is there that personal/sensitive data will be stolen.

Due to the way the files are encrypted, decoding the files without decryption key is not possible; the decryption key is stored on a remote server, not on the infected computer.

regards, Elise


#11 dani boy (Members, 3 posts)

Posted 13 December 2012 - 11:01 AM

The question is: what are the chances of the problem being solved? From what I read, without the hacker's co-operation none... is that right?

To be honest, my only chance is that the hacker finds a little compassion in his heart and gives the solution away... has it happened before? Is it worth saving the corrupted files in case he does that in the future??

cheers

#12 Elise (Malware Study Hall Admin, 61,257 posts)

Posted 13 December 2012 - 11:12 AM

"The question is: what are the chances of the problem being solved? From what I read, without the hacker's co-operation none... is that right?"

None, the file encryption is done using RSA. The decryption code is simply too complicated to crack, even for a computer.

regards, Elise


#13 dani boy (Members, 3 posts)

Posted 13 December 2012 - 11:34 AM

Thanks Elise, another person that was affected just contacted me. He paid 100€ to the hacker and solved the problem (that's what he said).

We've been exchanging emails and he asked me for some encrypted files over the last 2 days. He just confirmed to me that he could restore them but wants me to share the 100€ he paid..... I've got his mobile phone (he is also in Spain) and I will talk to him after work.

Obviously I want some kind of guarantee before paying...... but is that really possible? Could the key that the hacker gave to this guy also be good for my case??? Or is it another guy trying to get money from poor people's issues!!??

#14 Elise (Malware Study Hall Admin, 61,257 posts)

Posted 13 December 2012 - 12:27 PM

It is very hard to say that, but I suspect the latter unfortunately. You could try a raw-data recovery tool like PhotoRec, however this is pretty time consuming and success is not guaranteed.

regards, Elise
