Ransomware zero-overwrite files

Windows 7: My mom downloaded a loaded "invoice" email attachment (.doc she thinks) which converted some desktop shortcuts to .hta files which in turn delivered the your-files-are-encrypted with 2048 etc and send bitcoins to us to decrypt with the usual links. All of her various document data files were overwritten with zeros (binary or ascii I don't remember) instead of encrypted. I looked at busted files with hexviewer and they were solid zeros.The .hta files delivered a text screen that matched nemucod messaging when I sent it thru the ID utility. Malwarebytes scan was clean. I guess theres no running processes left with this. Did a VSS restore on her data etc and removed all .hta icons on desktop. Is there anything else to watch?

thanks...

More information is needed to determine specifically what infection you are dealing with since there are many variants of crypto malware (file encrypting ransomware). RSA-4096 / RSA-2048 / RSA-1024 / AES-256 / AES-128 are encryption algorithms and not an explicit way of identifying a particular ransomware infection.

What was the actual name of the ransome note? The best way to identify the different ransomwares is the ransom note (including it's name), samples of the encrypted files, any obvious extensions appended to the encrypted files, information related to any email addresses used by the cyber-criminals to request payment and the malware file responsible for the infection. You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.

Example screenshot:


Samples of any encrypted files, ransom notes or suspicious executable's (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will be helpful with analyzing and investigating by our crypto malware experts.

Windows 7: My mom downloaded a loaded "invoice" email attachment (.doc she thinks) which converted some desktop shortcuts to .hta files which in turn delivered the your-files-are-encrypted with 2048 etc and send bitcoins to us to decrypt with the usual links. All of her various document data files were overwritten with zeros (binary or ascii I don't remember) instead of encrypted. I looked at busted files with hexviewer and they were solid zeros.The .hta files delivered a text screen that matched nemucod messaging when I sent it thru the ID utility. Malwarebytes scan was clean. I guess theres no running processes left with this. Did a VSS restore on her data etc and removed all .hta icons on desktop. Is there anything else to watch?

thanks...

You should be fine, but I'd run another scan with another free AV scanner just to be secure (Emsisoft Emergency Kit, ESET's online scanner) for example. Does your mom have an AV on her system, is there a backup of her files? Next time you may not be so lucky and VSS snapshots may be deleted.

 

xXToffeeXx~

@xXToffeeXx-

 

I will scan with ESET as well. She just has windows sec essentials running right now and I scanned few times with MWBytes.

She didn't have backups (seems like the norm out there) so VSS saved her by the skin of her teeth. I told her how lucky she was because she had a lot of docs that she had been hand formatting so it would have been a disaster. I'm going to research and find her a backup solution. I was quite surprised the infection didn't clear her VSS. Very surprised.

I just ran SFC and also chkdsk'ing just because I have her computer here at my house.

 

@quietman7-

There isn't any encryption samples to send for analysis. The files are not encrypted-- they are completely zeroed over. From one end to the other. I ran the ransom note thru the ID analyzer and it said it was nemucod (sp?) because it mentioned RSA-2048 and AES, but it wasn't dropping kovter or whatever the hell it usually does.

 

BTW, there were no extension changes at all.

 

Thank you all for chiming in!!

Edited by daveaust, 23 July 2017 - 11:09 AM.

Yea ID Ransomware is not as accurate when submitting only one type of file. Submitting both encrypted files and ransom notes provides a more positive match and helps to avoid false detections but not every situation will allow for that. Sometimes the criminal's email address for ransom payment is useful and so is the malicious file responsible for the infection itself which is why we ask in order to cover all the bases.

Most crypto malware will typically delete (though not always) all shadow copy snapshots (created if System Restore was enabled) with vssadmin.exe so that you cannot restore your files from before they had been encrypted. However, it never hurts to try in case the malware did not do what it was supposed to do...it is not uncommon for these infections to sometimes fail to delete the Shadow Volume Copies as what appears to have happened in your Mom's situation. But as xXToffeeXx notes, the next time you may not be as lucky so backing up data and prevention are your best defensive strategies.

• The smartest way to stay unaffected by ransomware? Backup!

Although Microsoft Security Essentials combines the features of an anti-virus and anti-malware scanner to provide real-time protection against viruses, spyware, and other malicious software...it is weak, meaning it does not provide comprehensive protection especially from ransomware. To protect you Mom, you may want to have her consider replacing MSE with a better solution such as Emsisoft Anti-Malware which includes protection against ransomware.

• Emsisoft Anti-Malware Anti-Ransomware module
• New: Emsisoft Anti-Malware 12 Keeping you safe from ransomware

See my comments in Choosing an Anti-Virus Program for more specific details as to why I recommend Emsisoft Anti-Malware.

quietman- I may put the Emsisoft package on her machine. I didn't know too much about it but I went to their site -and- if it is recommended by this forum's members then I know it will be good product. She got really lucky that the virus was "dumb" enough to leave the shadows lol. It really made the recovery easy for me. Glad there are a few absent minded malware coders out there. I for now just slapped Mozy on her machine to at least get copies of her data files off site daily.

thanks again for all the info on this...

You're welcome on behalf of the Bleeping Computer community.