Ransomware Obamausa7@aol.com

5 replies to this topic

#1 Sartanis

Posted 08 February 2016 - 07:01 PM

Hi everyone,

Just thought I would share an incident that occurred with a client of mine. I've dealt with several ransomware infections in the past but this one is a bit different.

Three days ago they received a notice from the ISP that attacks had been detected from their IP. I was notified yesterday and assumed one of the workstations must be infected. Usually not a big deal, so I had them shut down the systems until this morning when I was able to have a look onsite. Last night I tried to remote into the server and I was concerned when I no longer had access.

I quickly found the source of the outgoing attacks was the "server". Basically a Windows 7 system running RAID 0 to host basic shared documents. This computer is not being used directly by anyone, it is under lock and key, so the infection was not due to user interaction in any way, shape or form. It is used ONLY to share files. I was able to see quite quickly that the criminals behind these ransomware schemes gained access via RDP. The password was not the most secure, but it also was not something easily guessed. After they were able to connect via RDP they used the server to start sending out various port scans, participating in DoS attacks and so forth. They also created their own user account with admin rights.

I was not happy to find that my client's data had been encrypted. The shadow volumes were erased and the external drive obviously also infected. At this point I have no options for my client, save for the fact that various proprietary file formats were unaffected. The only real saving grace is that there was not a tremendous amount of data.

Needless to say the client is now on board for a better server solution as well as secure online backups. Has anyone had experience with a direct attack like this on a PC that is not actually being used? None of the other computers show any sign of infection; in fact all but one have been off for at least a week (very small office). This Obamausa7@aol.com variant seems quite new, it leaves a .com file with the ID number and name for every file it encrypts.


#2 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 08 February 2016 - 07:12 PM

There's been a few going through manual RDP hacks. Definitely recommend making the RDP password very secure, changing ports, or even better, white-listing access if possible. Best solution is a VPN and to not port-forward RDP requests over.

It looks like it may be one of the "@" ransomwares. See Quietman7's post in another topic for this variant.

"obamausa7@aol.com" Virus on my system


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]


#3 Sartanis (Topic Starter)

Posted 08 February 2016 - 07:28 PM

Demonslay335 wrote:
There's been a few going through manual RDP hacks. Definitely recommend making the RDP password very secure, changing ports, or even better, white-listing access if possible. Best solution is a VPN and to not port-forward RDP requests over.

It looks like it may be one of the "@" ransomwares. See Quietman7's post in another topic for this variant.

"obamausa7@aol.com" Virus on my system

Yes, I certainly agree. I've been using different RDP ports (I've only dealt with this client a short time), using secure passwords and disabling admin accounts for RDP access for all my clients for some time. This was actually supposed to be done a month ago; sadly they declined and said they would worry about it later. Well, now it's too late. I will have a look at Quietman7's post, thanks!



#4 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 08 February 2016 - 08:35 PM

We have seen numerous "@" ransomwares. These are a few examples.
• <filename>.<extension>.<id-number>_av666@weekendwarrior55.com
• <filename>.<extension>.<id-number>_johndoe@weekendwarrior55.com
• <filename>.<extension>.<id-number>_email2_key@moonlinet.com
• <filename>.<extension>.<id-number>_email1_key@asteroidmail.com
• <filename>.<extension>.<id-number>_hairullah@inbox.lv
• <filename>.<extension>.<id-number>_sos@encryption.guru
• <filename>.<extension>.<id-number>_obamausa7@aol.com
• <filename>.<extension>.<id-number>_johnycryptor@aol.com
• <filename>.<extension>.<id-number>_fud@india.com
• <filename>.<extension>.<id-number>_decipher@keemail.me
• <filename>.<extension>.<id-number>_doctor@freelinuxmail.org
• <filename>.<extension>.<id-number>_decode@india.com
• <filename>.<extension>.<id-number>_email_info@cryptedfiles.biz
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
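The naming scheme quietman7 lists above (`<filename>.<extension>.<id-number>_<email>`) is regular enough to triage a file share by name alone, which is useful when deciding how far an infection spread before touching any encrypted content. The script below is an added example, not something from the thread or from any BleepingComputer tool: it parses that scheme, recovers the original name, the appended id and the contact address, and tallies how many files each address claims. The sample listing and id values are constructed; the id is assumed to be alphanumeric (with hyphens allowed).

```python
import re
from collections import Counter
from typing import Iterable, List, NamedTuple, Optional, Tuple

# "@" family naming scheme quoted in the thread:
#   <filename>.<extension>.<id-number>_<contact-email>
# Assumption: the id is a run of letters, digits or hyphens. Anchored to the
# end of the name so underscores inside the original filename do not confuse it.
AT_RANSOM_RE = re.compile(
    r"^(?P<original>.+\.[^.]+)"            # original name incl. its extension
    r"\.(?P<id>[A-Za-z0-9-]+)"             # appended id number
    r"_(?P<email>[^@\s_]+@[^@\s]+\.[A-Za-z]{2,})$"  # attacker contact address
)


class EncryptedName(NamedTuple):
    original: str   # name the file had before it was renamed
    file_id: str    # id appended by the malware
    email: str      # contact address appended after the underscore


def parse_encrypted_name(name: str) -> Optional[EncryptedName]:
    """Return the parsed parts if `name` follows the "@" scheme, else None."""
    m = AT_RANSOM_RE.match(name)
    if not m:
        return None
    return EncryptedName(m.group("original"), m.group("id"), m.group("email"))


def triage(names: Iterable[str]) -> Tuple[List[EncryptedName], Counter]:
    """Split a directory listing into parsed hits and tally contact addresses."""
    hits = [p for p in (parse_encrypted_name(n) for n in names) if p]
    return hits, Counter(h.email for h in hits)


# Constructed sample listing (not taken from the thread); ids are made up.
SAMPLE_LISTING = [
    "Q4 budget.xlsx.3BA2C1F0_obamausa7@aol.com",
    "invoice_2015.pdf.3BA2C1F0_obamausa7@aol.com",
    "notes.txt",                                   # untouched file
    "photo.jpg.7E11_sos@encryption.guru",          # a second "@" variant
    "README.com",                                  # looks similar, is not a hit
]

if __name__ == "__main__":
    hits, by_email = triage(SAMPLE_LISTING)
    for h in hits:
        print(f"{h.original!r:30} id={h.file_id} contact={h.email}")
    print(dict(by_email))
```

Running it against a real share means feeding `triage()` the output of `os.listdir()` or `os.walk()`; the tally of contact addresses tells you whether one or several campaigns touched the data.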

#5 Sartanis (Topic Starter)

Posted 08 February 2016 - 09:04 PM

Thanks Quietman7. I will be donating to the fund for BleepingComputer's lawsuit. I've enjoyed the benefits of this site and its knowledgeable staff & users for many years. The day a company or person can sue because of a negative review is a dark day indeed. Keep up the solid work!



#6 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 08 February 2016 - 09:07 PM

You're quite welcome and on behalf of BleepingComputer, we thank you for the donation.
