
Unknown ransomware. Fixed, can't see those PCs on LAN.

This topic is locked. 11 replies to this topic.

#1 jscheeren (Members, 6 posts)

Posted 07 June 2018 - 10:02 AM

G'day,

I am reaching out to see if anybody might have some suggestions for me, for which I would be extremely grateful. About a week ago, at home and at my cottage, 4 of my Windows 10 Pro computers were infected on the same day. I have no idea by what ransomware, or how it got into my two networks, or why it only infected 4 (3 PCs and a laptop) of my 8 PCs. Each of these machines was protected by both Malwarebytes Pro (running real time) and Norton Security. As soon as I discovered this I disconnected them from the network, ran both security software scans and then visually checked my data files. Neither security program detected any malware. Almost all files now had a new ..readme extension and I found the ransom note (I will try to attach a photo of that screen). Over the next few days, I then reformatted each of the boot drives and all of the data disks. I then reinstalled Windows 10 and applications. Unfortunately, I did not think to save file copies of the ransom note or any of the encrypted files.

My problem now, which I have spent days trying to solve, is that none of the ex-infected computers will show up on the network via File Explorer. They cannot see themselves, or any other PCs. I can however ping them, see them on network scans and use the browsers to reach the internet. Neither doing a cmd net view (I get various error messages), nor a full Windows network troubleshoot, nor a Windows networking reset on them, nor a cmd reset on them has worked. I have also done a full reset on my routers. All other devices can be seen in File Explorer (Network) as before.

Cheers,

Jan   





#2 sysmatt (Members, 5 posts)

Posted 07 June 2018 - 10:22 AM

Can they ping out?

Where are you pinging them from?

Can those machines ping 8.8.8.8?

Try assigning them a static IP in your subnet, i.e. 192.168.1.199 etc., that conforms to your DHCP server settings.

You said you reset your routers, does that mean that your gateway IP changed?

And when you said you reinstalled Windows 10 and applications, was it a bare metal install, or a repair keeping your applications intact?

Thanks

 



#3 Demonslay335 (Ransomware Hunter, Security Colleague, 3,513 posts, USA)

Posted 07 June 2018 - 10:23 AM

Without the ransom note and encrypted file to upload to ID Ransomware, we can only speculate on what ransomware it was. My guess would be GlobeImposter 2.0, I've seen it use the "..readme" extension before (note the double dot). If so, it usually comes in via infectious emails or downloads. It doesn't have actual worming capability, so any "spread" would have been either from individual infections, or it was just encrypting files over the network via SMB shares.

 

Sounds like the network discovery service may not be enabled, which I think is the default. You can check this in the Network and Sharing Center, or services.msc.

 

Double-check that you don't have any remote access to any system on your network exposed to the web as well.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#4 jscheeren (Topic Starter, Members, 6 posts)

Posted 07 June 2018 - 11:23 AM

Wow. You two guys are amazing, responding within such a short time. I will try all of those suggestions and get back.

In the meantime I did afterwards submit the email addresses on the ransom note (as I do have a photo of that note) and the suggestion was that it might indeed be GlobeImposter 2.0, as the addresses were allfilereturn@outlook.com and allfilerereturn@cock.li. In immediate response to Demonslay335, I do have CrushFTP installed and it does have some ports (that I set up in the Port Forwarding of the router) exposed to the internet, but there are passwords assigned to each port. I also do have (I think) the network discovery service running (as under Network and Sharing Center it is set to network discovery), but I do not see a service called "Network Discovery" if I go to Computer Management/Services, which lists all services.
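An added, read-only diagnostic (not posted by anyone in this thread) that lists what Windows 10 actually uses for the Network view discussed in the two posts above: there is no service literally named "Network Discovery"; the toggle in Network and Sharing Center drives a handful of services and a firewall rule group, and `net view` separately depends on the legacy Computer Browser service, which is removed together with SMBv1 and is therefore often missing on a clean install of Windows 10 1709 or later while older, upgraded PCs still have it. Assumes an elevated Windows PowerShell 5.1 prompt on the affected PC.

```powershell
# Added diagnostic, not taken from this thread. Read-only: it lists the parts
# of Windows 10 that make a PC appear under File Explorer > Network and the
# one that "net view" needs. Run from an elevated Windows PowerShell prompt.

# 1. Network profile. Discovery is disabled on "Public" networks, and a fresh
#    install often lands on Public; that alone reproduces the symptom.
Get-NetConnectionProfile |
    Select-Object Name, InterfaceAlias, NetworkCategory, IPv4Connectivity

# 2. The services behind the "Turn on network discovery" toggle. There is no
#    service called "Network Discovery"; these should be Running instead
#    (FDResPub publishes this PC, fdPHost/SSDPSRV/upnphost find the others).
$discoverySvcs = 'FDResPub', 'fdPHost', 'SSDPSRV', 'upnphost', 'Dnscache'
Get-Service -Name $discoverySvcs -ErrorAction SilentlyContinue |
    Select-Object Name, DisplayName, Status, StartType

# 3. The firewall rule group the same toggle enables. Expect Enabled rules on
#    the Private profile only; never open this group on Public.
Get-NetFirewallRule -DisplayGroup 'Network Discovery' |
    Where-Object { $_.Enabled -eq 'True' } |
    Select-Object DisplayName, Profile, Direction

# 4. Why "net view" reports that the service has not been started: it uses
#    the legacy Computer Browser service, which is removed together with
#    SMBv1. Clean installs of Windows 10 1709 and later frequently lack both,
#    while older, upgraded PCs still have them, so the two groups of machines
#    disagree. Re-enabling SMBv1 is a security regression; connect by name or
#    address (\\hostname) instead.
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol |
    Select-Object FeatureName, State
$browser = Get-Service -Name Browser -ErrorAction SilentlyContinue
if ($browser) {
    $browser | Select-Object Name, Status, StartType
} else {
    'Computer Browser service is absent: "net view" and the old browse list cannot work on this PC; this is expected without SMBv1.'
}
```

A PC whose profile shows Public, or whose FDResPub is Stopped, will not appear to others regardless of router or gateway settings, so check those two lines first.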



#5 Amigo-A (Members, 533 posts)

Posted 07 June 2018 - 12:12 PM

Send us this photo with allfilereturn@outlook.com and allfilerereturn@cock.li.


My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Знаете русский язык? Пишите мне на русском. Помогу. 


#6 jscheeren (Topic Starter, Members, 6 posts)

Posted 07 June 2018 - 12:58 PM

Re Amigo-A, excuse my ignorance, but how might I upload or attach a .jpg? I did try finding instructions on this site, but to no avail.

#7 Amigo-A (Members, 533 posts)

Posted 07 June 2018 - 01:17 PM

There is no direct download of image files on the forum.
The easiest way is to use the service www.sendspace.com
It allows you to share a link to a downloaded file.



#8 jscheeren (Topic Starter, Members, 6 posts)

Posted 07 June 2018 - 02:22 PM

To Sysmatt:

> Can they ping out?

Yes.

> Where are you pinging them from?

Any PC on the LAN, including the ex-infected ones, to and from.

> Can those machines ping 8.8.8.8?

Yes, all of them can.

> Try assigning them a static IP in your subnet, i.e. 192.168.1.199 etc., that conforms to your DHCP server settings.

I did this and got inconsistent results. For this test I bought a new ASUS router and set it up with defaults, not connected to the internet, and connected only two laptops to it wirelessly: an ex-infected one and a non-infected one (at least true initially and after the attack, as it was turned off and it had no ..readme encrypted files). Initially I got the same results as when the devices were connected to the original router, i.e. the ex-infected laptop could not see itself or other ex-infected PCs, but could see non-infected PCs, and non-infected PCs could not see ex-infected PCs.

1. With the IPv4 setting set to static, only on the ex-infected laptop, but pointing to the wrong default gateway (by mistake, subnet 1 instead of 50), the ex-infected laptop finally showed its own name (this is a first) and could see the non-infected laptop, but the non-infected laptop on the LAN still could not see the ex-infected PC.

2. With the IPv4 setting on the ex-infected laptop reset to the correct default gateway (i.e. the router), the ex-infected laptop would no longer show itself but could still see the non-infected laptop, BUT the non-infected laptop could now see the ex-infected laptop! In this case cmd / net view on the ex-infected laptop got an error stating that the service has not been started. The non-infected laptop's cmd / net view showed both laptops successfully. When trying to re-configure the ex-infected laptop back to the wrong default gateway, it now would not see itself anymore!

> You said you reset your routers, does that mean that your gateway IP changed?

No, the gateway IP did not change, as after doing a reset on the router I loaded the saved config file for the router and therefore all settings remained the same. Note point 2 above.

> And when you said you reinstalled Windows 10 and applications, was it a bare metal install, or a repair keeping your applications intact?

I reformatted all 3 partitions on the boot SSD and did a bare metal install.

Thanks again so much. Lots of mysteries, but concerned that ransomware is still affecting things.



#9 jscheeren (Topic Starter, Members, 6 posts)

Posted 07 June 2018 - 03:59 PM

Thanks Amigo-A. I signed up for Sendspace and this is the link to a photo of the screen from Ransomware

 



#10 Amigo-A (Members, 533 posts)

Posted 08 June 2018 - 02:08 AM

jscheeren

 

Yes. This is GlobeImposter. 

 

Extension: ..readme 
Email: allfilereturn@outlook.com, allfilerereturn@cock.li
Telegram: @decryptionfiles

Edited by Amigo-A, 08 June 2018 - 02:48 AM.



#11 jscheeren (Topic Starter, Members, 6 posts)

Posted 08 June 2018 - 05:34 AM

Good day,

So Amigo-A has identified that the ransomware my computers had been infected with was GlobeImposter. Thank you. Would anybody be aware of any security software that can recognise this malware? To repeat, I was running Malwarebytes Premium (real time) and Norton Security, but neither of them detected this attack during, or after. I suspect I will get hit with this ransomware again.

Again, thanks.

Jan



#12 quietman7 (Bleepin' Janitor, Global Moderator, 51,490 posts, Virginia, USA)

Posted 08 June 2018 - 05:49 AM

Most crypto malware ransomware is typically programmed to automatically remove itself...the malicious files responsible for the infection...after the encrypting is done since they are no longer needed. That explains why many security scanners do not find anything after the fact. The encrypted files do not contain malicious code so they are safe. Unfortunately, most victims do not realize they have been infected until the ransomware displays the ransom note and the files have already been encrypted. In some cases there may be no ransom note and discovery only occurs at a later time when attempting to open an encrypted file. As such, they don't know how long the malware was on the system before being alerted or if other malware was downloaded and installed along with the ransomware. If other malware was involved it could still be present so be sure to perform full scans with your anti-virus.

If your antivirus did not detect and remove anything, additional scans should be performed with other security programs like Emsisoft Anti-Malware, Malwarebytes 3.0, Zemana AntiMalware, RogueKiller Anti-malware and HitmanPro. You can also supplement your anti-virus or get a second opinion by performing an Online Virus Scan.

Important: Keep in mind that when dealing with ransomware it is best to quarantine malicious files rather than delete them until you know what infection you're dealing with. In some cases, samples of the malicious files are needed for further analysis in order to identify it properly or create decryption tools.

Note: Disinfection will not help with decryption of any files affected by the ransomware.

If you need individual assistance only with removing the malware infection, follow the instructions in the Malware Removal and Log Section Preparation Guide...all other questions or comments should be posted in the support topics. When you have done that, start a new topic and post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team. If HelpBot replies to your topic, please follow Step One and CLICK the link so it will report your topic to the team members.

Since the infection has been identified/confirmed, rather than have everyone with individual topics, it would be best (and more manageable for staff) if victims posted any more questions, comments or requests for assistance in the below support topic discussion. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
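An added example, written for this page and not posted by anyone in the thread, showing what quietman7's point about samples and timelines looks like in practice, since the topic starter reformatted before keeping any encrypted files: an inventory of files carrying the "..readme" marker reported above, with the encryption time window and a few small samples set aside for ID Ransomware. Assumes Windows PowerShell 5.1; the function name, the default root and the sample directory are my own choices, not anything the thread specifies.

```powershell
# Added example (not from the thread): before wiping a machine hit by a
# GlobeImposter-style infection, record what was encrypted. Keeps a handful
# of small samples for identification and otherwise changes nothing.
# Assumptions: Windows PowerShell 5.1; the marker is "..readme" as reported
# in this thread (pass -Extension for another variant).
function Get-RansomwareInventory {
    param(
        [string]$Root = $env:USERPROFILE,
        [string]$Extension = '..readme',
        [string]$SampleDir = "$env:USERPROFILE\ransomware-samples"
    )
    # -Filter does not match a double-dot suffix reliably, so test the name
    # ourselves while recursing; locked or protected directories are skipped.
    $hits = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name.EndsWith($Extension, [StringComparison]::OrdinalIgnoreCase) }

    if (-not $hits) { return [pscustomobject]@{ Root = $Root; Count = 0 } }

    # LastWriteTime of the encrypted files brackets when encryption ran;
    # compare that window with logon, RDP and mail-client events.
    $times = $hits | Measure-Object -Property LastWriteTime -Minimum -Maximum

    # Original file types, taken from the name in front of the marker,
    # show which data was targeted (documents, photos, backups, ...).
    $types = $hits |
        Group-Object { [IO.Path]::GetExtension($_.Name.Substring(0, $_.Name.Length - $Extension.Length)) } |
        Sort-Object Count -Descending | Select-Object -First 10 Name, Count

    # A few small encrypted files are what ID Ransomware and decryptor
    # authors need; copy them aside so a reinstall does not destroy them.
    New-Item -ItemType Directory -Path $SampleDir -Force | Out-Null
    $hits | Where-Object Length -lt 1MB | Select-Object -First 5 |
        Copy-Item -Destination $SampleDir -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Root             = $Root
        Count            = $hits.Count
        FirstEncrypted   = $times.Minimum
        LastEncrypted    = $times.Maximum
        TopOriginalTypes = $types
        Directories      = ($hits | Select-Object -ExpandProperty DirectoryName -Unique | Select-Object -First 10)
        SamplesSavedTo   = $SampleDir
    }
}

Get-RansomwareInventory -Root 'C:\Users' | Format-List
```

Run it against each affected volume and any mapped shares, since a non-worming family encrypting over SMB leaves its marker on the share, not on the machine that did the encrypting.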



