I've recently had a client infected with the .wallet encryption. It's literally wiped everything, including backups and everything!
I'm waiting for something magical to appear online before I attempt to do anything with the files; however, that's not the real reason for me posting today. I've been struggling to work out how they've gained access to our network, as everything was quite secure, or so I thought.
Turns out the workstation that executed the encryption has something a little odd on it. I shall start at the beginning so I don't miss anything that could be of some use to others!
We utilise Sophos AV, and this didn't pick anything up in real-time. I was on a call today with Sophos Support, as they were very interested in how it managed to get past the Real-Time protection. They potentially found a backup file that could have been on us, but sadly it was also encrypted once expanded (.vhd file hidden from view). Whilst typing the network address of the backup NAS device, I noticed a few random computer names that were locally available on our network. I could ping them, but they were within our actual network. I even unplugged the Wi-Fi access point to double check!
Turns out that when the attack happened they managed to install a softVPN client, hidden completely from view except in network adaptors. Even then it was renamed, so to the untrained eye you'd totally ignore it! I've managed to locate the 'config' for the VPN, but it connects on start-up and gives this little VPN network a lot of access to the machine/network. I've taken a number of screenshots of the config and anything I can see relevant to it. I can't see anything VNC-related installed on the PC to give them access, but I am aware that this could potentially be quite well hidden from normal view.
Do you think they could have encrypted our server across a mapped network drive using this, as I can't see any event log things on our server to suggest something actually ran on it?
Available on PM if anyone has questions or wants screenshots!
Jordan - BWTechUK
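Added example, not code from the original post: a PowerShell triage pass for the situation described above (a renamed VPN adapter that connects at start-up, and a mapped drive to the server). It assumes an elevated PowerShell 5.1+ session on Windows 8.1 / Server 2012 R2 or later (needed for the Net* and Smb* cmdlets); the vendor and keyword filters are assumptions to be tuned against a known-good build of the same image, not a definitive list.

```powershell
# Added example (not from the original post). Triage of a Windows workstation
# suspected of carrying a hidden, renamed VPN client that connects at start-up.
# Assumptions: elevated PowerShell 5.1+ on Windows 8.1 / Server 2012 R2 or later;
# the regexes below are example filters, tune them against a known-good build.

# 1. Every adapter, including hidden ones. Renaming an adapter changes Name only;
#    InterfaceDescription and the driver provider still betray a TAP/TUN driver.
function Get-VpnLikeAdapters {
    Get-NetAdapter -IncludeHidden |
        Select-Object Name, InterfaceDescription, DriverProvider, DriverFileName,
                      Status, MacAddress, InterfaceIndex |
        Where-Object {
            $_.InterfaceDescription -match 'TAP|TUN|VPN|Wintun|WireGuard|Virtual' -or
            $_.DriverProvider -notmatch 'Microsoft|Intel|Realtek|Broadcom|Qualcomm'   # assumed vendor list
        }
}

# 2. Routes bound to an adapter. A tunnel that grants "a lot of access" adds routes
#    (a private prefix, or even 0.0.0.0/0) whose next hop is the tunnel interface.
function Get-RoutesForAdapter([uint32]$InterfaceIndex) {
    Get-NetRoute -AddressFamily IPv4 -InterfaceIndex $InterfaceIndex -ErrorAction SilentlyContinue |
        Select-Object DestinationPrefix, NextHop, RouteMetric, InterfaceAlias
}

# 3. Persistence: something has to start the client at boot. Collect auto-start
#    services, enabled scheduled tasks and Run keys, then flag VPN-ish commands
#    or binaries living in user-writable paths.
function Get-StartupCandidates {
    $services = Get-CimInstance Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' } |
        ForEach-Object { [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName } }

    $tasks = Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $t = $_
        $t.Actions | Where-Object { $_.Execute } | ForEach-Object {
            [pscustomobject]@{ Source = 'Task'; Name = $t.TaskPath + $t.TaskName
                               Command = ($_.Execute + ' ' + $_.Arguments) }
        }
    }

    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = foreach ($k in $runKeys) {
        if (Test-Path $k) {
            (Get-ItemProperty $k).PSObject.Properties |
                Where-Object { $_.Name -notmatch '^PS' } |
                ForEach-Object { [pscustomobject]@{ Source = 'RunKey'; Name = "$k\$($_.Name)"; Command = $_.Value } }
        }
    }

    @($services) + @($tasks) + @($run) |
        Where-Object { $_.Command -match 'vpn|openvpn|softether|wireguard|wintun|\.ovpn|\\Temp\\|\\AppData\\|\\ProgramData\\' }
}

# 4. Live connections with their owning process: the tunnel's remote endpoint is
#    the attacker's concentrator, whether or not a VNC server is visible on the box.
function Get-OwnedConnections {
    Get-NetTCPConnection -State Established | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            Pid     = $_.OwningProcess
            Process = $proc.ProcessName
            Path    = $proc.Path
        }
    } | Where-Object { $_.Remote -notmatch '^(127\.|::1|0\.0\.0\.0)' }
}

# 5. Mapped drives on this client. Files changed over a mapping are written by the
#    server's own SMB service, so the server's System/Application logs show no
#    foreign process; run Get-SmbSession / Get-SmbOpenFile on the server instead.
$adapters = Get-VpnLikeAdapters
$adapters | Format-Table -AutoSize
foreach ($a in $adapters) { Get-RoutesForAdapter -InterfaceIndex $a.InterfaceIndex | Format-Table -AutoSize }
Get-StartupCandidates | Format-Table -AutoSize -Wrap
Get-OwnedConnections  | Format-Table -AutoSize
Get-SmbMapping        | Select-Object LocalPath, RemotePath, Status | Format-Table -AutoSize
```

On the question of the server showing nothing: a client encrypting files over a mapped drive never executes anything on the server, so only share-access auditing would record it. Security event 5145 (Audit Detailed File Share) and 5140 (Audit File Share) log which account and client address touched which share, but only if that auditing was enabled before the incident; if it was not, the absence of server-side events is expected and proves nothing either way.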