
Encrypted Boot Ransomware Support Topic


36 replies to this topic

#1 fusioncases


Posted 26 January 2016 - 11:55 AM

I have a client that initially had their server hit with something similar to this: http://www.bleepingcomputer.com/forums/t/364894/new-infection-ransoms-your-computer-with-fake-encryption-message/
 
The message has a little different formatting and text but otherwise the same idea.  The full message is:
 
"Your hard drive is securely encrypted.  To buy password send an email to thewiz6688@sigaint.org with the code 1143."  After this message you are allowed to type in text to supply a password.
 
The drives show up with a drive letter in Windows (on another machine) but the partition is RAW and shows as being healthy, active and primary within Diskmgmt.  - This is important as none of the recovery scanning programs I've used will even run against it, nor will any programs that fix partitions as they are expecting the drive to be in a different state (some say they won't run because there isn't any blank space, others are expecting it to be unpartitioned).
 
Even though the backup drive was also encrypted/partition table corrupted, luckily they had rotated their backup drives right before.  We restored the server from backup and all was well.
 
Until we rebooted the workstations...
 
Now all of the workstations are infected with this as well.  The problem, as it always seems, is that there were a few key users who kept some incredibly important files outside of their redirected folders and on their local systems.
 
The initial variant of this from 6 years ago appears to leave the drive unencrypted, it just messes with the partition table.  Before I make any changes to the disk, how should I proceed on recovering these workstations?
 
All of the workstations are running Windows 7 Pro.  Some of the key stations are running SSDs, not sure if this changes the partition recovery process at all.

Edited by quietman7, 28 January 2016 - 09:06 AM.



#2 multiburnz


Posted 26 January 2016 - 01:49 PM

We have a client that was infected with this very same bit of ransomware yesterday.  Same EXACT message and email address, only the code was different as ours was 1127.  Perhaps counting up the number of people so far infected?  

This particular client chose to pay the ransomware and their backup was also infected.  Would be curious to know if you were able to just fix the MBR and get these workstations up and running again, or if it did in fact also encrypt the drives?

 

And any thoughts as to how this one is worming its way across the entire network?

 

Thanks!



#3 fusioncases


Posted 26 January 2016 - 02:06 PM

Attempting to fix the MBR alone hasn't worked.  I followed the instructions in the above linked thread on a PC we aren't concerned about but it doesn't work.  The Windows repair doesn't fix anything and the other tools won't run against it.  I've been trying to get the program "testdisk" to work but it doesn't find anything to recover even after a deep scan.

 

What did the client end up paying if you don't mind?  I was curious what they are charging.

 

As far as how it got across the network, I really have no idea.  This one is a different beast as the server wasn't accessed by any of the users directly.  We can't see how the MBR/partition table was changed when it's just a file server.  I've had other clients hit with cryptolocker/wall/whatever and it just attacks the share and the originally infected PC.  The scary thing is they had enterprise AV that was fully updated on everything!  Thank goodness they had just swapped out the backup drive.



#4 TazzyOpz


Posted 26 January 2016 - 02:19 PM

So this is a Pre-Boot warning? Are you even able to login to windows before this pops up?


Software Developer & Malware Analyst
Programming Languages: VB.net, C#, Java, & HTML.
Reverse Engineering/Tracking Tool familiarity: Ollydbg, IDA, CE, & Wireshark
My Website

#5 fusioncases


Posted 26 January 2016 - 03:00 PM

Yes, this is a pre-boot message.  Windows doesn't attempt to boot and you can't hit F8 or anything else.  The partition shows up as RAW so it's not going to get past the malicious boot loader even if I repair it.  The partition needs to be fixed (or unencrypted if it's not just messing with the partition table) in order to really fix this.


Edited by fusioncases, 26 January 2016 - 03:02 PM.


#6 Demonslay335

    Ransomware Hunter


  • Security Colleague

Posted 26 January 2016 - 03:05 PM

Have you tried reading data from a recovery disk or Linux? I'm curious to see if TestDisk/PhotoRec would find data from PartedMagic or another recovery-based Linux distro CD.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#7 fusioncases


Posted 26 January 2016 - 04:25 PM

I went ahead and purchased PartedMagic and I am currently running a scan.  So far it's not acting any differently though.  I still get:

Invalid NTFS or EXFAT boot
l * HPFS - NTFS             0  0 49 60801  60 27  976771824
l * HPFS - NTFS             0  0 49 60801  60 27  976771824

Bad relative sector.

when I select the device.  When I run it in Windows and I choose quick search it takes a couple of hours and comes back with nothing, a further deep scan (also a couple hours) comes back with nothing.  I guess we'll see if doing it under Linux changes the behavior though.

 

This really seems fixable if I can just figure out how to fix the partition.



#8 quietman7

    Bleepin' Janitor


  • Global Moderator

Posted 26 January 2016 - 09:08 PM


I have advised our Security Colleagues who specialize in crypto malware ransomware with a link to this topic.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#9 Grinler

    Lawrence Abrams


  • Admin

Posted 26 January 2016 - 10:15 PM

Would love to see an MBR dump and even a disk image for the partition you are seeing. Not sure what we need to do that, so will research that.

So you're saying that the actual drives when taken out of the infected machine and tested offline are not accessible? They show as corrupt?

#10 fusioncases


Posted 27 January 2016 - 01:00 AM

I'll be happy to provide whatever is needed.  I have the original untouched drives handy.  We decided to assume the worst and put in new drives and reinstalled Windows so they can work, but we would still like to recover any files we can.

 

If I take the physical drives and plug them into a Windows PC they show up with a drive letter in explorer but they have no size associated in explorer.  If you try to access the drive it says it needs to be formatted.  If you view the drive in disk management it will show it as having a raw partition over the entire drive.

 

I finished running TestDisk under the Parted Magic live ISO.  The results were the same.  This message seems to come and go when I analyze the disk and it's a bit different than the other one I posted:

Disk /dev/sda - 500 GB / 465 GiB - CHS 60801 255 63

The harddisk (500 GB / 465 GiB) seems to small! (< 1837 GB / 1711 GiB)
Check the harddisk size: HD jumpers settings, BIOS detection...

The following partition can't be recovered:
    Partition        Start        End        Size in sectors
> FAT16 >32M    81918 202 10   223410 136 28    2273064841

I ran the PhotoRec (another tool from cgsecurity) against the entire drive just to see if it would find anything.  I did this with two drives.  The first one I ran in Windows against a SSD and it only found a single corrupt MP3, not sure what to make of that.  Running it under the live CD against a mechanical hard drive recovered thousands of .tib files...  Not sure what to make of that either.

 

Using Ghost I made a sector by sector clone of one of the drives so I could try destructive fixes on the clone.  I tried writing a new MBR with TestDisk but it didn't help.  I also used Ranish to rewrite the MBR as it saw it as unknown.  That got rid of the ransom message but didn't help with the data partition at all (not that I was expecting it to).  Running another recovery on it yielded the same corrupt MP3 but nothing else.


Edited by fusioncases, 27 January 2016 - 01:04 AM.


#11 Fabian Wosar

    Authorized Emsisoft Representative


  • Security Developer

Posted 27 January 2016 - 07:42 AM

Any chance you could get me a MBR dump from one of the infected disks? You can create it using this tool:

http://tmp.emsisoft.com/fw/mbrmastr.exe

Just select the disk from the drop down and click "Backup MBR".

Thanks :)
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#12 SimonZerafa


Posted 27 January 2016 - 10:56 AM

Hi,

 

It would be very interesting to see the MBR and VBR records from an infected PC. I wonder if the malware creates a copy of those records (encrypted or otherwise) elsewhere on the drive?

 

Are these PCs using MBR based drives or are they GPT partitioned, and can the malware work on both, or does it only work on MBR based drives, assuming it can even tell the difference?

 

Kind Regards

 

Simon Zerafa

Simon's PC Services




#13 fusioncases


Posted 27 January 2016 - 11:57 AM

Not sure how to easily get a dump of the VBR, but here are three examples of the MBR dumps using the MBR Master tool linked above.

 

https://www.dropbox.com/sh/4q6z2x9sr5bvjya/AABYBHLxrEJWoNnfrr1DVnd_a?dl=0 (I'm guessing I'm not allowed to attach files yet).

 

*edit* and in regards to the GPT disks, none of the drives at the site were GPT so I can't say if they could be impacted by this.


Edited by fusioncases, 27 January 2016 - 12:12 PM.


#14 Fabian Wosar

    Authorized Emsisoft Representative


  • Security Developer

Posted 27 January 2016 - 12:41 PM

The MBRs look fine at first glance. You can get a dump of the VBR with a tool like HDHacker for example:

http://dimio.altervista.org/eng/

Just select the drive letter of the partition you want to get the VBR from and dump the first sector.

Edited by Fabian Wosar, 27 January 2016 - 02:13 PM.


#15 fusioncases


Posted 27 January 2016 - 02:05 PM

My options are choosing a logical drive or physical drive and then choosing first sector or specify a sector.  There's nothing about dumping the first letter.  Since none of the drives have multiple letters (because they all show up as a single RAW partition) I'm not entirely sure what you're implying.
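Posts #11 to #15 above are about dumping the MBR and then the VBR (the first sector of the partition the MBR entry points at). As an added example, not from the thread or from any tool named in it, the Python below parses a 512-byte MBR dump, follows each partition entry to the sector that should hold its volume boot record, and checks whether that sector still carries the NTFS markers TestDisk looks for. The disk layout and numbers inside build_sample are constructed for illustration, not taken from the dumps posted above.

```python
# Added example, not from the thread; sample MBR/VBR values below are constructed.
import struct

SECTOR = 512
NTFS_OEM = b"NTFS    "

def parse_mbr(mbr: bytes) -> dict:
    """Decode the 0x55AA boot signature and the four 16-byte partition entries."""
    parts = []
    for off in range(446, 510, 16):
        flag, ptype = mbr[off], mbr[off + 4]
        lba, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype:  # type 0x00 marks an unused slot
            parts.append({"bootable": flag == 0x80, "type": ptype,
                          "start_lba": lba, "sectors": count})
    return {"signature_ok": mbr[510:512] == b"\x55\xaa", "partitions": parts}

def check_ntfs_vbr(vbr: bytes) -> dict:
    """Check the VBR fields that make an NTFS boot sector recognisable."""
    bps, = struct.unpack_from("<H", vbr, 11)    # bytes per sector
    total, = struct.unpack_from("<Q", vbr, 40)  # total sectors in the volume
    return {"oem_ok": vbr[3:11] == NTFS_OEM, "bytes_per_sector": bps,
            "total_sectors": total, "signature_ok": vbr[510:512] == b"\x55\xaa"}

def triage(image: bytes) -> list:
    """Follow each MBR entry to its first sector and report the VBR checks."""
    out = []
    for p in parse_mbr(image[:SECTOR])["partitions"]:
        off = p["start_lba"] * SECTOR
        vbr = image[off:off + SECTOR]
        res = (check_ntfs_vbr(vbr) if len(vbr) == SECTOR
               else {"oem_ok": False, "signature_ok": False})
        res.update(start_lba=p["start_lba"], type=p["type"])
        res["looks_like_ntfs"] = res["oem_ok"] and res["signature_ok"]
        out.append(res)
    return out

def build_sample(intact_vbr: bool) -> bytes:
    """Constructed image: valid MBR with one NTFS entry at LBA 2048; VBR intact or zeroed."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<BBBBBBBBII", mbr, 446, 0x80, 0, 0, 0, 0x07, 0, 0, 0, 2048, 976771824)
    mbr[510:512] = b"\x55\xaa"
    vbr = bytearray(SECTOR)
    if intact_vbr:
        vbr[0:11] = b"\xeb\x52\x90" + NTFS_OEM              # jump + OEM ID
        struct.pack_into("<HB", vbr, 11, 512, 8)           # bytes/sector, sectors/cluster
        struct.pack_into("<Q", vbr, 40, 976771823)
        vbr[510:512] = b"\x55\xaa"
    return bytes(mbr) + bytes(2047 * SECTOR) + bytes(vbr)
```

Run triage over a sector-by-sector clone such as the Ghost image mentioned in post #10: a clean MBR whose entries point at a sector with no NTFS OEM ID or 0x55AA signature is what a RAW partition looks like at the byte level, which separates "MBR damaged" from "VBR damaged" before any destructive repair is attempted.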





