NMoreira Ransomware (.NM4 extension) Support Topic


6 replies to this topic

#1 jdempsey_ajns

Posted 08 June 2017 - 08:04 PM

Evening,
 
I had an office today hit with ransomware. The files are encrypted with an .NM4 extension and I'm having trouble finding info on it. It appears to be version 4 of NMoreira from the searches I've done.
 
I scanned one of the computers with Malwarebytes and it came up empty, even though I could see the encrypted files sitting right there. Same for the Symantec scan that was installed; lot of help that did.
 
I'm not really interested in getting the files back; I'll restore those, and the systems are being wiped. The question I have is how it infected the server (2008 R2) and four desktops (Windows 7). The info I'm seeing about previous NMoreira versions (I'm not seeing anything on a version 4) doesn't say anything about spreading, but I don't see how it could have infected all five systems.
 
Anybody have any insight?
 
Thanks

#2 jwoods301

Posted 08 June 2017 - 08:43 PM

Windows Security logs might have a clue.

 

Some ransomware has been coming in via RDP and weak passwords.
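The two leads in the post above (check the Windows Security log, and suspect RDP plus weak passwords) can be worked through on the affected hosts with the script below. It is an added example, not something posted in the thread: it reports whether RDP is enabled and whether Network Level Authentication is required, then summarizes failed logons (Event ID 4625) by source address and user, and lists successful RDP logons (Event ID 4624 with LogonType 10, RemoteInteractive). The seven-day look-back window is an assumption; it assumes an elevated prompt on Windows 7 / Server 2008 R2 with PowerShell 2.0 or later.

```powershell
# Added example (not from the thread): RDP / weak-password triage on a single Windows host.
# Run from an elevated PowerShell prompt on the suspected machine.
$Since = (Get-Date).AddDays(-7)   # assumption: one-week look-back window

# 1. Is RDP enabled on this host, and is Network Level Authentication (NLA) required?
$ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
New-Object PSObject -Property @{
    RdpEnabled  = ($ts.fDenyTSConnections -eq 0)
    NlaRequired = ($rdp.UserAuthentication -eq 1)
    RdpPort     = $rdp.PortNumber
} | Format-List

# Helper: read one named field out of a 4624/4625 event's EventData XML
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 2. Failed logons (4625). Password guessing over RDP shows up as a pile of failures
#    from one source address; with NLA the failures are often LogonType 3, so do not
#    filter 4625 on logon type.
Write-Host "`nTop failed-logon sources since $Since"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            User      = Get-EventField $_ 'TargetUserName'
            SourceIp  = Get-EventField $_ 'IpAddress'
            LogonType = Get-EventField $_ 'LogonType'
        }
    } |
    Group-Object SourceIp, User |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20 |
    Format-Table -AutoSize

# 3. Successful RDP logons (4624, LogonType 10 = RemoteInteractive). The one that lands
#    right after a burst of failures from the same address is usually the way in.
Write-Host "`nSuccessful RDP logons since $Since"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'LogonType') -eq '10' } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Time     = $_.TimeCreated
            User     = Get-EventField $_ 'TargetUserName'
            SourceIp = Get-EventField $_ 'IpAddress'
        }
    } |
    Sort-Object Time |
    Format-Table Time, User, SourceIp -AutoSize
```

Two caveats when reading the output: if failure auditing for Logon events is not enabled, there will be no 4625 records at all, and an attacker who cleared the log leaves a 1102 event (and little else) behind. An external source address in the 4624/LogonType 10 list on a machine that has no business accepting RDP from the internet is the finding to chase first.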



#3 quietman7

Posted 08 June 2017 - 09:59 PM

NMoreira 4 (was "R Ransomware" first, now "NM4")

ID Ransomware should recognize NM4. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.

The step 2 section in this topic explains the most common methods by which crypto malware (file-encrypting ransomware) and other forms of ransomware are typically delivered and spread.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 UrbanTechStudio

Posted 16 June 2017 - 11:38 AM

I have had the same issue at a similar site, with SBS 2008 infected, and I am struggling to find any info on how the infection occurred.

jdempsey_ajns, did you end up finding out what happened?



#5 jdempsey_ajns

Topic Starter
Posted 16 June 2017 - 12:36 PM

I didn't really find out for sure, as the focus was on getting the systems back up and running. However, the office did have weak passwords, and RDP was enabled on each of the computers. Can't say for sure, but it looks like somebody clicked on something that got them infected and it went from there. It appears they were infected for a couple of days before they called me. I didn't get a call until the server had some of the files they use encrypted; they didn't notice before that, but each desktop (no files stored on them) had already been infected.

 

The good thing, or bad depending on how you look at it, is that there seemed to be a flaw in the way it attacked Windows 7. The server booted fine, but each of the Windows 7 machines would not boot after a reboot. The office never reboots their desktops, but when I rebooted them to scan them in safe mode the boot files were damaged and Windows 7 wanted a repair run. I didn't spend much time trying to repair them; I tried on one of them, was not able to get it working, and just wiped it.



#6 quietman7

Posted 16 June 2017 - 04:48 PM

I provided links in my previous post which explain the most common ways ransomware is spread. RDP is a very common attack vector for servers, especially for those involved with the development and spread of ransomware.

Unfortunately, there is no known way to decrypt files encrypted by this infection without paying the ransom since it is based on a secure version of NMoreira Ransomware which is also not decryptable at this time.

#7 UrbanTechStudio

Posted 18 June 2017 - 11:43 AM

This one seemed to act a bit odder than the normal crypto I have seen, though: when infecting the server (file located at C:\Intel\SVCHost.exe) it seemed to lock the data drive, and then after a reboot it took the drive completely offline.
We are hoping to bring the server back up and complete some more sandboxed diagnostics of the infection. I will try and keep the thread updated with the findings.
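The dropper path reported above, C:\Intel\SVCHost.exe, is a copy of the legitimate service-host name sitting outside the Windows system directories, which is a cheap way to hide in a process list. The script below is an added example, not code from the thread or from any analysis of this sample: it flags running processes named svchost.exe whose image is not in System32 or SysWOW64, scans the common Run/RunOnce keys for the same trick, and hashes the reported file so it can be compared across the other infected hosts. The directory list, the set of registry keys checked, and the hard-coded path (taken from the post above) are assumptions to adjust for the environment.

```powershell
# Added example (not from the thread): hunt for svchost.exe images outside the system directories.
# Run from an elevated PowerShell prompt (PowerShell 2.0 or later is enough).
$LegitDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")   # assumption

function Test-LegitSvchostPath {
    param([string]$Path)
    if (-not $Path) { return $false }          # no path available: cannot vouch for it
    $dir = Split-Path $Path -Parent
    foreach ($d in $LegitDirs) {
        if ($dir -ieq $d) { return $true }
    }
    return $false
}

# 1. Running svchost.exe processes whose image lives somewhere other than System32/SysWOW64
Write-Host "svchost.exe processes outside the system directories:"
Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'" |
    Where-Object { -not (Test-LegitSvchostPath $_.ExecutablePath) } |
    Select-Object ProcessId, ParentProcessId, ExecutablePath, CommandLine |
    Format-Table -AutoSize

# 2. Run / RunOnce entries that launch an svchost.exe from outside the system directories
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
Write-Host "Autorun entries referencing a non-system svchost.exe:"
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }             # skip PSPath, PSParentPath, ...
        $value = [string]$p.Value
        if ($value -imatch 'svchost\.exe') {
            # pull the executable out of the command line, quoted or bare
            $exe = if ($value -match '^"([^"]+)"') { $matches[1] } else { ($value -split '\s+')[0] }
            if (-not (Test-LegitSvchostPath $exe)) {
                New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Command = $value }
            }
        }
    }
}

# 3. SHA-256 of the reported dropper, for comparison across hosts and with public scanners
function Get-Sha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}
$Sample = 'C:\Intel\SVCHost.exe'                          # path reported in the post above
if (Test-Path $Sample) { Write-Host "SHA256 $Sample = $(Get-Sha256 $Sample)" }
```

The path check is deliberately narrow; a second signal worth adding is the parent process, since every legitimate svchost.exe is started by services.exe, so an svchost whose ParentProcessId is not that of services.exe deserves a look even when it sits in System32. Collect the hash before wiping a machine: matching it on the other infected hosts is the quickest way to confirm they all received the same payload.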





