
Were you infected with: .wallet, .crysis, .dharma, .xtbl or Cerber? Read this.


6 replies to this topic

#1 JesseBropez

JesseBropez

  • Members
  • 16 posts
  • Gender:Male

Posted 27 January 2017 - 04:59 PM

Hello everyone!

 

I'm creating this topic to help out those who are affected by specific variants of ransomware (.wallet, .xtbl, .crysis, .dharma, .access_denied, .LeChiffre, and sometimes Cerber).

 

All of the variants included in this topic's title are distributed via compromised RDP 100% of the time, besides Cerber which also uses spam email attachments. Chances are, if you got Cerber on a server without users logging into it, then it was because of RDP compromise.

 

Usually these variants primarily hit servers; most of those infected are clients of managed service providers or simply server owners.

 

What does compromised RDP mean?

 

Compromised RDP means your system (likely a server) was brute forced with weak username and password combinations because you have RDP open (port 3389) and attackers gained access.

 

How did the attackers do this?

 

These individuals scan for IP addresses with port 3389 open and send weak usernames and passwords to see if one is valid to log in. Once they find a weak username and password, they remote into the system, download the ransomware, and run it. They often disable antivirus software and can bypass any type of protection because they have remote access.

 

A common tool used to do this is called DuBrute.

 

What can you do now?

 

Finding the compromised user is the most difficult part after being hit with one of these ransomware variants. There may even be more accounts on the system than there should be - some accounts can be created by the same individuals to maintain access even if the initial compromised account's password is changed.

 

Follow these steps to secure the system:

 

1) Install multiple top-rated antivirus products - it doesn't hurt to get a second or even a third opinion.

2) Review recently installed programs and remove any which do not belong, especially programs that allow remote access like Logmein, Teamviewer, etc. These can be installed for the attackers to maintain access.

3) Change all users' passwords and remove any accounts which do not belong.

4) Restore files from backup.

 

If you do not have a backup, you may try some tools to decrypt files (excluding Cerber); however, there's a low chance they'll work.

 

http://www.mcafee.com/us/downloads/free-tools/shadedecrypt.aspx

https://support.kaspersky.com/viruses/disinfection/10556

https://success.trendmicro.com/solution/1114221-downloading-and-using-the-trend-micro-ransomware-file-decryptor

 

What can you do to protect yourself in the future?

 

  • Use Reputable, Proven, Multi-Vector Endpoint Security
  • Back-up your data

 

and... Secure RDP

 

Secure weak username/passwords which have Remote Desktop access.

Increase password complexity requirements for users who use RDP. Some variants of ransomware are deployed via compromised RDP credentials because the credentials are weak and easily guessable by a brute force attack. We also advise changing the default port for remote desktop from 3389 to a different port.

Preventing scanning for an open port:

  • Change default RDP port from 3389 to another unused port
    To change the default port, execute the following in an elevated command prompt:
    REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v PortNumber /d 3390 /f
    The above command will change the default port to 3390.
  • Block RDP (port 3389) via firewall
  • Restrict RDP to a whitelisted IP range

Preventing attackers from gaining access if RDP is enabled:

Optional:

  • Require two-factor authentication
  • Use protection software to prevent RDP brute force

Edited by JesseBropez, 28 January 2017 - 12:50 PM.
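A defender-side way to work through the clean-up steps in the post above (find the brute-forcing source, the account it got into, and any accounts that login then created), as an added Python example that is not part of the original post. The events are constructed inline in a simplified dict form; the field names are an assumption, not the Windows Security log's own schema.

```python
# Added example, not from the forum post: triage Windows Security events for the RDP-compromise
# pattern above. Field names are an assumed simplified form (not the Security log schema).
# IDs: 4625 failed logon, 4624 successful logon, 4720 account created; LogonType 10 = RDP.
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample: six guesses at "administrator" from one address, a success, a new account.
EVENTS = [
    {"id": 4625, "time": "2017-01-27T02:00:01", "user": "administrator", "ip": "198.51.100.7", "logon_type": 10},
    {"id": 4625, "time": "2017-01-27T02:00:04", "user": "administrator", "ip": "198.51.100.7", "logon_type": 10},
    {"id": 4625, "time": "2017-01-27T02:00:09", "user": "administrator", "ip": "198.51.100.7", "logon_type": 10},
    {"id": 4625, "time": "2017-01-27T02:00:15", "user": "administrator", "ip": "198.51.100.7", "logon_type": 10},
    {"id": 4625, "time": "2017-01-27T02:00:22", "user": "administrator", "ip": "198.51.100.7", "logon_type": 10},
    {"id": 4625, "time": "2017-01-27T02:00:30", "user": "administrator", "ip": "198.51.100.7", "logon_type": 10},
    {"id": 4624, "time": "2017-01-27T02:00:41", "user": "administrator", "ip": "198.51.100.7", "logon_type": 10},
    {"id": 4720, "time": "2017-01-27T02:05:00", "user": "administrator", "new_user": "backup_svc"},
    {"id": 4625, "time": "2017-01-27T03:10:00", "user": "jdoe", "ip": "203.0.113.5", "logon_type": 10},
    {"id": 4624, "time": "2017-01-27T08:00:00", "user": "jdoe", "ip": "192.0.2.10", "logon_type": 10},
]

def brute_force_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Map source IP -> peak count of failed RDP logons inside one time window."""
    fails = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e.get("logon_type") == 10:
            fails[e["ip"]].append(datetime.fromisoformat(e["time"]))
    hits = {}
    for ip, times in fails.items():
        times.sort()
        best = j = 0
        for i, t in enumerate(times):  # sliding window: drop failures older than `window`
            while times[j] < t - window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            hits[ip] = best
    return hits

def successes_from(events, ips):
    """Successful RDP logons from flagged sources: the account whose password was guessed."""
    return [(e["ip"], e["user"]) for e in events
            if e["id"] == 4624 and e.get("logon_type") == 10 and e["ip"] in ips]

def accounts_created_by(events, users):
    """Accounts created by a compromised user: candidates for removal in step 3 above."""
    return [e["new_user"] for e in events if e["id"] == 4720 and e["user"] in users]

def triage(events, **kw):  # chain: source IP -> guessed account -> accounts it added
    sources = brute_force_sources(events, **kw)
    logons = successes_from(events, sources)
    return {"sources": sources, "logons": logons, "created": accounts_created_by(events, {u for _, u in logons})}
```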



#2 vpasi

vpasi

  • Members
  • 4 posts

Posted 28 January 2017 - 03:30 PM

 


Hi,
do you know whether assistance is available to decrypt access_denied files?
I would be very happy if they could be restored.



#3 JesseBropez

JesseBropez
  • Topic Starter

  • Members
  • 16 posts
  • Gender:Male

Posted 28 January 2017 - 08:40 PM

 

 

Hi,
do you know whether assistance is available to decrypt access_denied files?
I would be very happy if they could be restored.

 

There is a support topic for it at https://www.bleepingcomputer.com/forums/t/633285/al-namrood-ransomware-access-denied-support-help-topic however I do not believe a utility has been released. Do you have system restore points you can try?



#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,739 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 29 January 2017 - 09:34 AM

We have had two recent discussions about protecting yourself from malware and ransomware (crypto malware) infections.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 turner_pg

turner_pg

  • Members
  • 4 posts

Posted 29 January 2017 - 12:21 PM


Does anyone know if there are any fixes for the .access_denied ransomware? An example of a corrupted file name is RECEIPT france IPAD.pdf.ID-817DBD0ECA[decryptgroup@inbox.ru].access_denied



#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,739 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 29 January 2017 - 12:25 PM

Any files that are encrypted with Al-Namrood Ransomware will have the .unavailable, .disappeared, .NOT_AVAILABLE, .access_denied or .ciphered extension appended to the end of the encrypted data filename. Fabian Wosar has released a decrypter for older variants of this infection. Unfortunately, the cyber-criminals have fixed flaws and updated their malware, so newer variants of Al-Namrood/Apocalypse ransomware are not decryptable at this time. There is an ongoing discussion in this topic where you can ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.

#7 JesseBropez

JesseBropez
  • Topic Starter

  • Members
  • 16 posts
  • Gender:Male

Posted 10 February 2017 - 12:03 PM

 

Great information quietman7, thank you!

 

Bumping for more people to see -





