  • Encountered a ransomware, make sure you have an offline backup!

    At a small company they were infected by ransomware. Since they didn't immediately pull the cables out of the machine when I told them to on Friday, over the weekend it destroyed the network shares and parts of the image backup that were on an iSCSI volume (everyone running as Administrator with the same password).

    It's pretty nasty stuff. All documents, zip files, pics, ... get changed to .ccc and you get a popup telling you to connect to Tor and pay up to get the key.

    See the relevant section here:
    TeslaCrypt 2.0 is different from previous ones in that it uses a significantly improved encryption scheme and uses an HTML page instead of a GUI. Incidentally, the HTML page was copied from another Trojan – Cryptowall.


    I imaged all the drives in offline mode and I'll see what I can recover, if anything. Luckily the accounting database, which is the most important, is intact.


    The whole problem there is social and attitude. Guys install torrents, upgrade Win7 -> Win10 (with total disregard for whether this may cause their old parallel thermal sticker printer to stop working), the boss (a woman) wants Windows 10 but doesn't want to budget to move their accounting database off the old XP box (new hardware + cost of moving). Once I came there and the NAS that was there for backups had been unplugged for a couple of months because they needed the outlet to plug in some power tools.

    When I tell the boss that it's serious and the machine should be unplugged, she leaves it on and then surfs women's and health sites ... over RDP on Saturday night.
    Last edited by UtwigMU; 11 November 2015, 05:08.
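    The thread's point that the damage was done because nobody pulled the cable once files started turning into .ccc is exactly what a simple rename-rate alert on the file server would catch. The script below is an added example, not something from the original thread or from any TeslaCrypt write-up. It runs over a constructed, simplified file-audit log (one rename event per line: ISO timestamp, user, host, RENAME, source -> destination); that line format, the host names, the share paths and the threshold of 20 renames in 5 minutes are all assumptions, and a real source such as Windows object-access auditing would need its own parser. It keys the alert on the host rather than the user, because on the network described above everyone is the same Administrator account and the user field cannot tell machines apart.

```python
"""Flag hosts that mass-rename files to .ccc (the extension this TeslaCrypt variant appends).

Added example for the thread above, not code from the original post. The log format,
host names, share paths and threshold below are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RANSOM_EXT = ".ccc"            # extension reported in the thread
THRESHOLD = 20                 # renames to RANSOM_EXT within WINDOW that trip the alert (assumption)
WINDOW = timedelta(minutes=5)  # sliding window length (assumption)


def _line(ts, user, host, src, dst):
    """Format one audit line in the simplified format this example assumes."""
    return f"{ts.isoformat()} {user} {host} RENAME {src} -> {dst}"


def build_sample_log():
    """Constructed audit log: a few benign renames from WS02 plus a burst of .ccc renames from WS01.

    Both hosts use the shared Administrator account, mirroring the network in the thread."""
    t0 = datetime(2015, 11, 6, 17, 0, 0)
    lines = []
    # Benign activity: five ordinary renames spread over an hour.
    for i in range(5):
        ts = t0 + timedelta(minutes=10 * i)
        lines.append(_line(ts, "Administrator", "WS02",
                           f"\\\\SRV\\share\\draft{i}.docx", f"\\\\SRV\\share\\final{i}.docx"))
    # Infected host: 60 files renamed to .ccc in about three minutes.
    for i in range(60):
        ts = t0 + timedelta(seconds=3 * i)
        src = f"\\\\SRV\\share\\docs\\file{i}.xlsx"
        lines.append(_line(ts, "Administrator", "WS01", src, src + RANSOM_EXT))
    lines.sort()  # leading ISO timestamps sort lexically in time order
    return "\n".join(lines)


def parse_event(line):
    """Return (timestamp, user, host, src, dst) for a RENAME line, or None for anything else.

    Paths in the constructed log contain no spaces; a real parser would need the audit
    source's own field delimiters."""
    parts = line.split(" ", 4)
    if len(parts) != 5 or parts[3] != "RENAME" or " -> " not in parts[4]:
        return None
    ts, user, host, _action, rest = parts
    src, dst = rest.split(" -> ", 1)
    return datetime.fromisoformat(ts), user, host, src, dst


def detect_mass_rename(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {host: time_of_first_alert} for hosts that renamed >= threshold files
    to RANSOM_EXT inside any sliding window of length `window`.

    Keyed on host, not user: with every machine logged in as the same Administrator,
    the host is the only field that identifies the infected box to unplug."""
    recent = defaultdict(deque)   # host -> timestamps of recent .ccc renames
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        ts, _user, host, src, dst = ev
        # Count only renames that newly add the ransom extension.
        if not dst.lower().endswith(RANSOM_EXT) or src.lower().endswith(RANSOM_EXT):
            continue
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = ts
    return alerts


if __name__ == "__main__":
    for host, when in detect_mass_rename(build_sample_log()).items():
        print(f"{when.isoformat()} ALERT: {host} is mass-renaming to {RANSOM_EXT}; pull its cable")
```

    With the constructed log, WS01 trips the alert on its 20th rename, 57 seconds into the burst, while WS02's ordinary renames never do; raising the threshold to 100 silences it, which is the trade-off to tune against how many files a share typically sees renamed in five minutes.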

  • #2
    Luckily, I do have off site backups. Also, the server backs up all clients, so those are fine. Shares on the server might be affected but those are backed up as well twice a day. No one has admin rights to the server.

    Are they a client of yours?
    Join MURCs Distributed Computing effort for Rosetta@Home and help fight Alzheimers, Cancer, Mad Cow disease and rising oil prices.
    [...]the pervading principle and abiding test of good breeding is the requirement of a substantial and patent waste of time. - Veblen

    • #3
      Originally posted by Umfriend View Post
      Luckily, I do have off site backups. Also, the server backs up all clients, so those are fine. Shares on the server might be affected but those are backed up as well twice a day. No one has admin rights to the server.

      Are they a client of yours?
      The boss is the wife of a big client of mine. So I come there about 2-3 times a year and do any tidying up, and they are not very fond of paying much, if anything, either. They also don't listen to my recommendations. I.e. I told them: here behind is a NAS, it's where your backups are. I come and the NAS is unplugged, some power tool is plugged in and there has been no backup in a month. Boss says, what about going to Windows 10, I hear it cleaned all the viruses at some guy's home. Awesome, we spent like half a day encouraging and explaining to you when you went from XP to 7 when it was high time, and there is still an XP machine with all your important data. Wouldn't you rather be moving that to 7 and new hardware? I can't say you shouldn't also go get a breast enlargement because it might cure cancer.

      It's nasty. All the zip files in the Windows backup are encrypted. The VHD is already post-disaster, and while all files are there they are already encrypted. Presently recovering like a million deleted files on the HDDs with Recuva. If there is a key among the deleted files or still online I might be able to decrypt stuff.

      In a typical Slovenian small business the boss's phone is usually worth more than the server with all their important data. The phone is seen, but the server is somewhere out there. Do we have a server and data? I thought everything was in the monitor.

      And also many other problems. For example, I attached the iSCSI from the NAS with the backups to a spare clean Windows 7 PC. iSCSI kept dropping out despite only those two things being on a known-good Gb switch. Had to install Linux, connect the iSCSI and dd it to a physical drive before I could look at the backups. My spare POS router also died along the way, so I had to run out and purchase a used WRT54GL to create a separate network.
      Last edited by UtwigMU; 11 November 2015, 14:00.

      • #4
        Anecdote: the old XP machine's backup survived because it was a single large .bkf file, too big to encrypt. The Windows 7 image backups had all the differential zips encrypted.

        Otherwise this changes everything. Before, if spyware/a virus hit, you could usually clean it up in 90% of cases; in 10% of cases back up data, reinstall, restore files. This is the first time I've seen a virus attack data since the DOS days.

        • #5
          Here is an idea: Install Rosetta@Home on all their machines (for MURC team of course). You can check whether they have been offline for a longer period of time by looking at the stats on Rosetta! ;-)
          • #6
            On the other PC, where only the mapped share was affected, I was able to pull 99%+ of the documents with Shadow Explorer. If they had unplugged the machine immediately when something started to happen, I would perhaps also have been able to rescue data there.

            I'll try Rosetta on the two ProLiant ML350 G6s I have lying around in the office, but after the dust from the disaster recovery settles.
            Last edited by UtwigMU; 12 November 2015, 10:22.
