
Linux python ransomware .enc1 .enc2 motd with message


16 replies to this topic

#1 eohrnberger

Posted 23 July 2017 - 01:44 AM

Hacker gained access to my Linux machine, not 100% sure how, but he did.

 

All home directory files have been encrypted with either a '.enc1' or a '.enc2' appended to the filename.

 

The /etc/motd file was updated with the following message (between the equal lines).

****************************************!WARNING!************************************************
******************************YOUR SERVER ARE INFECTED*******************************************
*******ALL YOUR DATABASES, SITES AND USERS HOME DIRECTORIES HAVE BEEN ENCRYPTED******************
=================================================================================================
YOUR UUID IS : 321809823178739217389217398217120392193893725897638217782601690971287794612871293
=================================================================================================
If you want to restore your files, send your UUID to  e-mail: beauchamp.tammie@mail.ru
You have to pay for decryption in Bitcoins. The price depends on how fast you write to
us. After payment we will send you the decryption tool that will decrypt all your files.

FREE DECRYPTION AS GUARANTEE
Before paying you can send to us up to 1 files for free decryption.
Please note that files must NOT contain valuable information
and their total size must be less than 1Mb

*************************************************************************************************
*************************************************************************************************
****************************************!WARNING!************************************************

The first thing I noticed was heavy system load and a python process consuming all the CPU. I killed that off with a killall -9, which seemingly interrupted it.

 

I had zfs snapshot rotation in place, but all the snapshots are gone, destroyed, presumably, by this ransomware (is there a way to recover them, and then the files from those snapshots?)

 

The only path to recover the data at this point would appear to be able to decrypt the files.

 

I uploaded the motd and a sample file on the ID Ransomware page, but that couldn't identify the ransomware, and directed me here.

 

Please reference this case SHA1: d4b19626f4e4ee04001166af90de37e8f1475722


Edited by eohrnberger, 23 July 2017 - 02:53 AM.




#2 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 23 July 2017 - 08:03 AM

If you can find the malicious executable that you suspect was involved in causing the infection, it can be submitted here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will be helpful with analyzing and investigating by our crypto malware experts.

These are some common folder variable locations malicious executables and .dlls hide:
  • %SystemDrive%\ (C:\)
  • %SystemRoot%\ (C:\Windows, %WinDir%\)
  • %UserProfile%\
  • %UserProfile%\AppData\Roaming\
  • %AppData%\
  • %LocalAppData%\
  • %ProgramData%\ / %AllUserProfile%\
  • %Temp%\ / %AppData%\Local\Temp\
Note: Some folders like %AppData% are hidden by the operating system so you may need to configure Windows to show hidden files & folders.

Also check the history logs and quarantine folders for your anti-virus and other security scanning tools to see if they found and removed any malware possibly related to the ransomware.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 eohrnberger (Topic Starter)

Posted 23 July 2017 - 08:09 AM

If you can find the malicious executable that you suspect was involved in causing the infection, it can be submitted here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will be helpful with analyzing and investigating by our crypto malware experts.

These are some common folder variable locations malicious executables and .dlls hide:

  • %SystemDrive%\ (C:\)
  • %SystemRoot%\ (C:\Windows, %WinDir%\)
  • %UserProfile%\
  • %UserProfile%\AppData\Roaming\
  • %AppData%\
  • %LocalAppData%\
  • %ProgramData%\ / %AllUserProfile%\
  • %Temp%\ / %AppData%\Local\Temp\
Note: Some folders like %AppData% are hidden by the operating system so you may need to configure Windows to show hidden files & folders.

Also check the history logs and quarantine folders for your anti-virus and other security scanning tools to see if they found and removed any malware possibly related to the ransomware.

 

 

This is a Linux machine, so Windows isn't going to apply.



#4 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 23 July 2017 - 08:14 AM

Disregard anything in regards to instructions for Windows. The malicious executable will still be helpful if you can find it.

#5 eohrnberger (Topic Starter)

Posted 23 July 2017 - 08:21 AM

Disregard anything in regards to instructions for Windows. The malicious executable will still be helpful if you can find it.

Yes, it would be helpful; however, I think it deleted itself when it was done. I do not have access to it. But I will look for it. I saw it briefly in the home directory of root, but next time I looked it was gone. Listing hidden files didn't show it either.



#6 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 23 July 2017 - 05:27 PM

We've seen one other ransomware that leaves a motd on Linux servers; I don't think we ever got ahold of a sample. It seems possibly similar*: https://www.bleepingcomputer.com/forums/t/642409/motd-ransomware-help-support-topics-motdtxt-and-enc-extension/

 

I did notice your submissions come through lately, but have not been able to find any other information. There isn't too much else we can do at the moment without the malware, or that Python script you saw (which could be the ransomware). I'd expect if you killed it, it would not have been able to delete itself, unless some other process had invoked it and just waited for it to finish, as opposed to the Python script deleting itself.

 

Afraid I'm not the greatest at investigative work on Linux myself; I maintain a few Ubuntu servers, but have to Google every command. :P Not familiar with zfs either, we use Veeam snapshots from the host machine.

 

*Actually, I took another read through that topic. If you can confirm a few things the others saw, I believe this is the same ransomware family at the least, and can add markers to ID Ransomware as appropriate.




#7 eohrnberger (Topic Starter)

Posted 23 July 2017 - 05:33 PM

We've seen one other ransomware that leaves a motd on Linux servers; I don't think we ever got ahold of a sample. It seems possibly similar*: https://www.bleepingcomputer.com/forums/t/642409/motd-ransomware-help-support-topics-motdtxt-and-enc-extension/

 

I did notice your submissions come through lately, but have not been able to find any other information. There isn't too much else we can do at the moment without the malware, or that Python script you saw (which could be the ransomware). I'd expect if you killed it, it would not have been able to delete itself, unless some other process had invoked it and just waited for it to finish, as opposed to the Python script deleting itself.

 

Afraid I'm not the greatest at investigative work on Linux myself; I maintain a few Ubuntu servers, but have to Google every command. :P Not familiar with zfs either, we use Veeam snapshots from the host machine.

 

*Actually, I took another read through that topic. If you can confirm a few things the others saw, I believe this is the same ransomware family at the least, and can add markers to ID Ransomware as appropriate.

Appreciate your post. Seems that without the python script (compiled it was, I'm pretty sure), we really don't have much of a chance.

 

Investigating if I can recover the snapshot that was destroyed, and use that to roll back to the original state. I've purposefully not written to those storage zpools.



#8 zmal84976

Posted 05 August 2017 - 06:09 PM

Ok, I got hit by this same thing, I think. Did not affect any Windows (that I can tell!) at all. I assume it came in over a Linux box then spread to many others. So far I've only been looking at the filesystem of a desktop. This thing was fast, if the timestamps can be trusted. This desktop had many 3-5 gigabyte files, all with a new encrypted timestamp of 5:53am today. How can that be? It uses an SSD but still...

 

eohrnberger -- did you get a filename on the suspected process? I'm assuming the one on this machine was ended quickly, but I've got several other boxes (Proxmox hosts) that were affected, and one that at first glance wasn't when I hard-stopped it. So that one at least would still have the culprit in residence somewhere, I hope. I do have backups, but damn what a pain this is going to be.

 

Anything else I can provide to help?  I have yet to do a forensics boot on anything else (most affected were probably vm's which have backups that so far I don't think were corrupted).



#9 zmal84976

Posted 05 August 2017 - 10:15 PM

FWIW seems like all text files got a .enc1 extension, all binaries a .enc2 extension.



#10 eohrnberger (Topic Starter)

Posted 06 August 2017 - 01:17 PM

Ok, I got hit by this same thing, I think. Did not affect any Windows (that I can tell!) at all. I assume it came in over a Linux box then spread to many others. So far I've only been looking at the filesystem of a desktop. This thing was fast, if the timestamps can be trusted. This desktop had many 3-5 gigabyte files, all with a new encrypted timestamp of 5:53am today. How can that be? It uses an SSD but still...
 
eohrnberger -- did you get a filename on the suspected process? I'm assuming the one on this machine was ended quickly, but I've got several other boxes (Proxmox hosts) that were affected, and one that at first glance wasn't when I hard-stopped it. So that one at least would still have the culprit in residence somewhere, I hope. I do have backups, but damn what a pain this is going to be.


Check the home directory of root. If there is an unknown compiled python script there, I suspect that this would be it.

Yes, it's fast, as it appears to spin off as many instances of itself as there are files that it wants to encrypt. It seems to have some limitations: once there are so many instances of itself running that all the memory and CPU are consumed, some files are either left unencrypted or simply deleted during a failed encryption process; these would have to be recovered from backups. I noticed this appeared to be the result on video files, typically greater than 1 GB in size.
 

Anything else I can provide to help?  I have yet to do a forensics boot on anything else (most affected were probably vm's which have backups that so far I don't think were corrupted).


FWIW seems like all text files got a .enc1 extension, all binaries a .enc2 extension.

Yes, those are the file extensions that this appears to use. Don't know the difference between .enc1 and .enc2.


Edited by eohrnberger, 06 August 2017 - 01:20 PM.


#11 Suncatcher

Posted 08 August 2017 - 05:39 AM

So did you find the way it infected you?



#12 zmal84976

Posted 08 August 2017 - 10:21 AM

As for me, not positive yet. Likely via a vulnerability in old mail software. Once in, though, somehow got shell and got my pw (which, sadly, may have been in a text config file somewhere) and went horizontal from there, presumably over ssh, to anything with that pw, which was a lot of VMs and stuff. I've still got all the potentially infected stuff shut down. Once I have a little time I'm booting from USB and checking filesystems. There was a thing or two that had tons of data (my music and movies, which also exist on an unplugged external drive :), and some drive backup images from laptops that are no longer needed) and I'm hoping that the malware itself will still be on one of those, since based on timestamps I've seen, it's likely I hit the power button before it was done.



#13 zmal84976

Posted 09 August 2017 - 05:58 PM

This is interesting. Here are logs from auth.log of the perp getting in (having scarfed a pw from the initial vector, the .10 machine):

 

Aug  4 22:01:01 snarf sshd[648]: Accepted password for root from 192.168.88.10 port 43005 ssh2
Aug  4 22:01:01 snarf sshd[648]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug  4 22:02:10 snarf sshd[648]: Received disconnect from 192.168.88.10: 11: disconnected by user
Aug  4 22:02:10 snarf sshd[648]: pam_unix(sshd:session): session closed for user root
 
And here's stuff from syslog:

 

Aug  4 22:01:34 snarf systemd[1]: Got automount request for /proc/sys/fs/binfmt_misc, triggered by 705 (find)
Aug  4 22:01:34 snarf systemd[1]: Mounting Arbitrary Executable File Formats File System...
Aug  4 22:01:34 snarf systemd[1]: Mounted Arbitrary Executable File Formats File System.
Aug  4 22:11:50 snarf systemd[1]: Starting Cleanup of Temporary Directories...
Aug  4 22:11:50 snarf systemd[1]: Started Cleanup of Temporary Directories.
 

Now, mind you, this is a vm host machine, and it APPEARS unaffected, but I'm not letting it boot except for from a USB key until I figure more of this out.  I just don't know why the perp would have logged into this and back out without doing anything...  don't trust that.
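The two log excerpts above line up: the root password login from 192.168.88.10 at 22:01:01, a `find` (pid 705) tripping the binfmt_misc automount at 22:01:34 while that session was open, and the disconnect at 22:02:10. Pairing sshd sessions with whatever syslog recorded in the same window is a quick way to answer "did they do anything while logged in" on other hosts. The script below is an added example written for this thread, not code from any poster: it takes the posted lines as constructed sample input, pairs each `Accepted ...` line with its `session closed` line by sshd PID, attaches the syslog events inside that window, and flags interactive root password logins (the vector seen here) for review. The year is an assumption, since classic syslog timestamps carry none.

```python
"""Correlate SSH sessions in auth.log with syslog events recorded while each was open.

Added example for this thread (not any poster's code). Sample input below is the
log excerpt from the post, treated as constructed data; YEAR is an assumption.
"""
import re
import sys
from datetime import datetime

AUTH_LOG = """\
Aug  4 22:01:01 snarf sshd[648]: Accepted password for root from 192.168.88.10 port 43005 ssh2
Aug  4 22:01:01 snarf sshd[648]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug  4 22:02:10 snarf sshd[648]: Received disconnect from 192.168.88.10: 11: disconnected by user
Aug  4 22:02:10 snarf sshd[648]: pam_unix(sshd:session): session closed for user root
"""

SYSLOG = """\
Aug  4 22:01:34 snarf systemd[1]: Got automount request for /proc/sys/fs/binfmt_misc, triggered by 705 (find)
Aug  4 22:01:34 snarf systemd[1]: Mounting Arbitrary Executable File Formats File System...
Aug  4 22:01:34 snarf systemd[1]: Mounted Arbitrary Executable File Formats File System.
Aug  4 22:11:50 snarf systemd[1]: Starting Cleanup of Temporary Directories...
Aug  4 22:11:50 snarf systemd[1]: Started Cleanup of Temporary Directories.
"""

YEAR = 2017  # assumption: syslog lines have no year; taken from the thread's dates

# "Mon  d HH:MM:SS host proc[pid]: message" (classic syslog layout)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
ACCEPT_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
CLOSE_RE = re.compile(r"session closed for user (?P<user>\S+)")


def parse_line(line):
    """Split one syslog line into timestamp, host, process, pid and message; None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{YEAR} {rec['ts']}", "%Y %b %d %H:%M:%S")
    return rec


def ssh_sessions(auth_text):
    """Pair 'Accepted ...' with 'session closed' lines by sshd PID; unclosed sessions stay open-ended."""
    open_sessions, sessions = {}, []
    for line in auth_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["proc"] != "sshd":
            continue
        acc = ACCEPT_RE.search(rec["msg"])
        if acc:
            open_sessions[rec["pid"]] = {
                "pid": rec["pid"], "start": rec["ts"], "end": None,
                "user": acc["user"], "method": acc["method"], "ip": acc["ip"],
            }
        elif CLOSE_RE.search(rec["msg"]) and rec["pid"] in open_sessions:
            s = open_sessions.pop(rec["pid"])
            s["end"] = rec["ts"]
            sessions.append(s)
    sessions.extend(open_sessions.values())
    return sessions


def correlate(auth_text, syslog_text):
    """Attach to each SSH session the syslog messages logged while it was open."""
    events = [r for r in (parse_line(l) for l in syslog_text.splitlines()) if r]
    result = []
    for s in ssh_sessions(auth_text):
        end = s["end"] or datetime.max
        s["events"] = [e["msg"] for e in events if s["start"] <= e["ts"] <= end]
        # Interactive root logins by password are the vector this thread describes.
        s["flag"] = s["user"] == "root" and s["method"] == "password"
        result.append(s)
    return result


def report(sessions):
    """Human-readable summary, one session per block."""
    lines = []
    for s in sessions:
        tag = "REVIEW" if s["flag"] else "ok"
        end = s["end"].time() if s["end"] else "still open"
        lines.append(f"[{tag}] {s['user']}@{s['ip']} via {s['method']} {s['start'].time()} -> {end}")
        lines.extend(f"    {m}" for m in s["events"])
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage against copies taken from a read-only forensic mount: python3 sshcorr.py auth.log syslog
    if len(sys.argv) == 3:
        auth, sysl = (open(p, errors="replace").read() for p in sys.argv[1:3])
    else:
        auth, sysl = AUTH_LOG, SYSLOG
    print(report(correlate(auth, sysl)))
```

Run with no arguments it prints the single 69-second root session and the three binfmt_misc lines that fell inside it; the 22:11:50 tmp-cleanup lines are correctly left out. Point it at auth.log and syslog copied off a shut-down host to do the same on the other boxes in the thread.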



#14 bjornts

Posted 15 November 2017 - 03:24 PM

Just got hit by the same thing. That's what I get for ignoring the private linux server for long enough.

 

Anyway, I haven't found the perp and never caught them in the act, but tracing file modification times is interesting. The tool is definitely Python-based; the first thing they did was install stuff. The following were created minutes before my files were encrypted, along with all the relevant binaries, using standard Debian packages:

/usr/share/man/man1/python2-config.1.gz
./usr/share/man/man1/pip.1.gz
./usr/share/man/man1/python2.7-config.1.gz
./usr/share/man/man1/python-config.1.gz
./usr/share/man/man1/chardetect.1.gz
./usr/share/man/man1/pip2.1.gz
./usr/share/man/man1/dh_python-ply.1.gz
./usr/share/man/man1/x86_64-linux-gnu-python-config.1.gz
./usr/share/man/man1/x86_64-linux-gnu-python2.7-config.1.gz
./usr/share/man/man1/chardet.1.gz
 

Then they proceeded to install pycrypto.

 

What I haven't found is the actual malware.
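Two observations in this thread are worth turning into a repeatable check: the .enc1/.enc2 split reported in #9 and #10, and the modification-time tracing in #14 that found python/pip man pages written minutes before the first files were encrypted. The script below is an added example written for this thread, not any poster's code. It takes (path, mtime) records, locates the burst of .enc1/.enc2 writes, summarises which original extensions ended up under each suffix, and lists everything else modified in a lookback window before the burst began, which is where installed tooling would show up. The sample records are constructed (the paths and times are illustrative; only the .enc1/.enc2 suffixes come from the thread), the 30-minute lookback is an assumption, and `scan_tree` is meant to be run over a read-only forensic mount, not the live system, so the mtimes it relies on are not disturbed.

```python
"""Modification-time timeline around a .enc1/.enc2 encryption run.

Added example for this thread (not any poster's code). SAMPLE records are
constructed; ENC_SUFFIXES are the extensions reported in the thread; the
lookback window is an assumption.
"""
import os
import sys
from collections import Counter
from datetime import datetime, timedelta

ENC_SUFFIXES = (".enc1", ".enc2")

# Constructed sample: two man pages and a pycrypto module written shortly before
# the first encrypted file, three encrypted files, and two unrelated files.
T0 = datetime(2017, 11, 15, 3, 40, 0)
SAMPLE = [
    ("/usr/share/man/man1/pip.1.gz", T0 - timedelta(minutes=6)),
    ("/usr/share/man/man1/python2-config.1.gz", T0 - timedelta(minutes=6)),
    ("/usr/local/lib/python2.7/dist-packages/Crypto/__init__.py", T0 - timedelta(minutes=3)),
    ("/home/alice/notes.txt.enc1", T0),
    ("/home/alice/photo.jpg.enc2", T0 + timedelta(seconds=5)),
    ("/home/alice/thesis.pdf.enc2", T0 + timedelta(seconds=9)),
    ("/var/log/syslog", T0 + timedelta(hours=2)),
    ("/etc/hostname", T0 - timedelta(days=400)),
]


def scan_tree(root):
    """Yield (path, mtime) for every file under root; lstat so symlinks are not followed."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            yield path, datetime.fromtimestamp(st.st_mtime)


def encrypted(records):
    """Records whose path carries one of the ransomware suffixes."""
    return [(p, t) for p, t in records if p.endswith(ENC_SUFFIXES)]


def extension_summary(records):
    """Count encrypted files per suffix, and per (suffix, original extension) pair.

    The thread reports text files getting .enc1 and binaries .enc2; the second
    counter lets you check that on your own data.
    """
    by_suffix, by_original = Counter(), Counter()
    for path, _t in encrypted(records):
        stem, suffix = os.path.splitext(path)
        by_suffix[suffix] += 1
        original = os.path.splitext(stem)[1] or "(none)"
        by_original[(suffix, original)] += 1
    return by_suffix, by_original


def timeline(records, lookback=timedelta(minutes=30)):
    """Return (burst_start, burst_end, precursors).

    precursors are non-encrypted files modified within `lookback` before the first
    encrypted file was written, sorted by mtime: candidate tooling installs.
    """
    records = list(records)
    enc = encrypted(records)
    if not enc:
        return None, None, []
    times = [t for _p, t in enc]
    start, end = min(times), max(times)
    precursors = sorted(
        ((p, t) for p, t in records
         if not p.endswith(ENC_SUFFIXES) and start - lookback <= t < start),
        key=lambda r: r[1],
    )
    return start, end, precursors


if __name__ == "__main__":
    # Usage on a forensic mount: python3 enc_timeline.py /mnt/evidence
    records = list(scan_tree(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    start, end, precursors = timeline(records)
    if start is None:
        print("no .enc1/.enc2 files found")
        sys.exit(0)
    by_suffix, by_original = extension_summary(records)
    print(f"encryption burst: {start} -> {end} ({dict(by_suffix)})")
    for (suffix, original), n in sorted(by_original.items()):
        print(f"  {suffix} <- {original}: {n}")
    print("modified shortly before the burst:")
    for path, mtime in precursors:
        print(f"  {mtime}  {path}")
```

On the sample data the burst is nine seconds long, both man pages and the Crypto module land in the precursor list, and /etc/hostname (too old) and /var/log/syslog (after the burst) are excluded. A precursor list that is empty on a real host is itself informative: it suggests the tooling was brought in as a single self-contained binary rather than installed through the package manager, which matches what the earlier posts describe.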



#15 zmal84976

Posted 15 November 2017 - 04:06 PM

Were you able to figure out where it came from? IP range, etc? I never was able to find the malware in my case. Now have just restored data from backups (offline backups... they got the online ones...) and life goes on, albeit with an entirely different network layout and internet interface stack. What I found interesting was the speed, based on timestamps, with which this thing operated. Also, when it came to big files, like large gzipped VM backups and large movies, etc., I guess their algorithm just decided it couldn't encrypt in time and just deleted stuff.





