I've got a bug and its name is Crypto...Locker

Stoly (Supreme [H]ardness, joined Jul 26, 2005, 6,713 messages)
So yesterday, one of our development servers and a couple of our virtualization servers were hit by a crypto locker.
Fortunately the virtual machines themselves were not affected, and while most files on the development server were encrypted, pretty much all the important stuff was on a cloud backup and a local NAS.

Suffice to say that the infected devices were cleaned and encrypted files deleted.

On the bright side, it's the perfect time to install Windows Server 2016, which I already did on one of the virtualization servers; the other sometime tonight, I guess.
 
Ouch... Someone deserves getting beaten with their monitor for unleashing that on your systems
 
Ouch... Someone deserves getting beaten with their monitor for unleashing that on your systems
Yeah, but all signs point to either me or my boss, and I wasn't in the office the day of the event, so...
 
Might be a good time to implement application white-listing via AppLocker.
Food for thought.

BTW it seems the infection started on the development server which neither I nor my boss accessed yesterday, so we are clear.
 
I would treat ransomware like I would treat a total raid failure.

Format and restore backups.

You give money to these guys and it just encourages them to keep doing this stuff.

Though I am kinda curious how these things actually happen given how much it seems to be happening now. Are they actually hacking into networks and executing the code, or is it the old fashioned email attachment where somebody has to be dumb enough to open it?
 
I would treat ransomware like I would treat a total raid failure.

Format and restore backups.

You give money to these guys and it just encourages them to keep doing this stuff.

Though I am kinda curious how these things actually happen given how much it seems to be happening now. Are they actually hacking into networks and executing the code, or is it the old fashioned email attachment where somebody has to be dumb enough to open it?

I'd love to say I agree with you and we shouldn't give in and pay.

Personally I've seen just one crypto attack on a client's laptop. I can't remember the OS. Vista or 7. Anyway, the guy made the mistake of dicking around with the computer before turning it in.
Maybe I'm preaching to the choir, but - whenever you get this - hard-shutdown your computer. Don't fire up that OS, period. Slave the drive on a known good system or use a Live CD. No ifs no buts.

The infection I saw began with a (I suspect) cracked game or keygen. So, indeed - as you put it - "dumb enough to open it". Still, first came the 'lock' screen. He rebooted, messed around with combofix and the like, but in the meantime the malware was slowly creeping around his hard drive. It was progressing rather slowly, and if he weren't dumb enough maybe he'd have contained it.

The virus started with popular folders, like the user's My Documents, and further down the profile. IIRC it then began traversing his other drives. We weren't lucky enough to find a decryptor or brute force it. I think I even got literally a few words out of whole large documents and that was it.

We tried Shadow Explorer to look around his System Volume Information folders, to find copies. Alas, combofix or some other antimalware got to them first... The guy actually had System Restore set up so that his files were probably still there when he first rebooted the now infected host.

I have to admit, cryptos scare the shit out of me. I have my backup solutions (SyncBack + FreeNAS) set up so that each Windows host has its own password-protected share. Those shares store backups. Periodically I sync those shares onto an external USB 3.0 3TB drive and that's pretty much it.

PS. When I said I would love to say "no way I'm paying", I can imagine a scenario where the data in question is priceless. There's a fine line of data-cost to data-value ratio that I might try IF my life depended on it.
However, if you have data that's worth paying for to some snot nosed piece of shit, then you should also have a backup solution in place.

Aside from Syncback, which is no longer 100% free for commercial use, I was impressed with Cobian backup. I think that one is still free to use in a production environment.
 
I would treat ransomware like I would treat a total raid failure.

Format and restore backups.

You give money to these guys and it just encourages them to keep doing this stuff.

Though I am kinda curious how these things actually happen given how much it seems to be happening now. Are they actually hacking into networks and executing the code, or is it the old fashioned email attachment where somebody has to be dumb enough to open it?


I agree, but unfortunately it's not as easy. Downtime is a major concern. Thankfully the VMs were not affected, so that gave us time to properly schedule the reinstall and restore. VM server 1 is now up and running and the VMs from server 2 have been migrated, so we can now reinstall.

And NO paying was never an option.


Last year a couple of our clients were hit with ransomware, one of them had NO backup and were seriously considering paying the $25,000 ransom. We managed to find an old database backup from a year before and they literally had to hire people to capture the missing data.
The other was up and running in a few hours.
 
PS. When I said I would love to say "no way I'm paying", I can imagine a scenario where the data in question is priceless. There's a fine line of data-cost to data-value ratio that I might try IF my life depended on it.
However, if you have data that's worth paying for to some snot nosed piece of shit, then you should also have a backup solution in place.

IMO if you have data worth paying for, you should take the steps necessary to prevent it.

The client I mentioned before, we had been offering backup and security solutions for years, he declined every time. Even after the event, they still don't have a backup solution. He went as far as saying that he'd rather go back to pen and paper than to invest in IT, as it would be very costly.
 
IMO if you have data worth paying for, you should take the steps necessary to prevent it.

The client I mentioned before, we had been offering backup and security solutions for years, he declined every time. Even after the event, they still don't have a backup solution. He went as far as saying that he'd rather go back to pen and paper than to invest in IT, as it would be very costly.

Agreed. I tried to put myself in that place to help understand why there are so many thick skulls.

First of all, with a piece of paper, or any other physical object, everyone can figure out a way to keep it safe. It can be hidden behind closed doors, there can be a cover sheet placed on top - obvious stuff.
You can predict most things that can happen to a piece of paper.

But with computer data, you have endless attack vectors. Computers as a whole are... vast.
And yet more often than not computers are awkward and clunky. Things rarely "just work". You buy a printer and you can't use it because you can't find a free USB port, or you plug it into the (often flimsy) front ports that'll cause grief because of the printer popping in and out of the system.
When you finally plug the USB cable in, you don't know if you should follow the onscreen instructions your OS is giving during automatic driver install, or maybe you should pop the CD into the tray and follow those prompts. Open up a random person's 'printers' folder and you have something like "HP LaserJet Whatever (4)".

If a user finally manages to install the printer, a new foe emerges. The printer software will start asking questions like - you want to register? you want to buy supplies? You want to update? Schedule updates? Tea?

Your typical user doesn't know where the hell he's at; Adobe Reader, Word and Internet Explorer are one thing to a newbie, so he'll constantly struggle with flipping printer settings.
You can change your settings via the printer software's tray icon, in the Windows control panel, in the software that's rendering the document.
Plot twist - you can also enter the printer control panel FROM the software that's rendering the document!

It gets so stupid because suddenly your software is asking for shit.
It wants to connect to the internet, it wants to sell you supplies or add features. The product you bought is now asking you for money.
That's where the user gets suspicious. He can't really win because the user interface changes almost on a monthly basis.

Obligatory car analogy. You're driving and it starts to rain. Some cars will automatically start wiping the windshield. There's no prompt informing you that it is now raining and whether you want to wipe the left or the right part of your windshield. Your windshield wipers aren't trying to sell you magic windshield water, neither.

I totally get people that simply gave up in frustration and are actively considering going back to pen and paper. I really do.

Now, back onto backups and viruses (:D) - Windows or any other operating system is already capable of simply taking care of itself. Think ZFS and its automation. Why not extrapolate? Windows sees free space on a drive - why not simply start backing up files the user is creating/editing in the background WITHOUT asking stupid questions first?

Sorry for the rant.
 
A lot of our unmanaged clients (those not on our MSP programs) have gotten whacked by various crypto-ware over the years.
Even a couple of our managed ones...although much less frequency because we have so many layers on their protection.
Luckily the majority of our good clients are on Datto backup...it's a quick restore of the servers snapshot typically just an hour ago.

For those with older fashioned backups..ugh..it's an expensive time consuming rebuild.
 
Spam filtering....block all those PDFs, DOC and RTF files. Along with that, some basic web filtering.

AppLocker sounds good until you look at it further and realize that all of the logging is on the local host, rendering it almost useless for any type of troubleshooting. I love the product, but $#%^ Microsoft and their crappy logging capabilities. I couldn't find a way to syslog it either, otherwise I'd be using it.

Whether you pay or not depends on a couple of factors. Do you have backups that you can go back far enough that are not impacted by this? Will restoring those impact your business (will you lose valuable data)? How vital is the data to your business?

It is easy to say don't pay until your entire business is at risk.
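The complaint above is that AppLocker only logs locally. One way to get those events off the box, as an added example that is not from this thread or from Microsoft, is to read the AppLocker event channels with Get-WinEvent and push the block/audit events to a syslog collector over UDP. The collector name and port are placeholders; the channel names and event IDs (8003/8004 for EXE and DLL, 8006/8007 for MSI and Script) are the ones AppLocker actually uses.

```powershell
# Added example, not code from the thread: forward AppLocker block/audit events to syslog.
# Assumptions: $SyslogHost and $SyslogPort are placeholders for your own collector.
param(
    [string]$SyslogHost      = 'syslog.example.internal',   # placeholder collector
    [int]$SyslogPort         = 514,
    [int]$LookbackMinutes    = 60
)

# AppLocker writes one channel per rule collection. Blocked: 8004 (EXE/DLL), 8007 (MSI/Script).
# Audit-only "would have been blocked": 8003 (EXE/DLL), 8006 (MSI/Script).
$channels = @(
    'Microsoft-Windows-AppLocker/EXE and DLL',
    'Microsoft-Windows-AppLocker/MSI and Script'
)
$blockedIds = 8004, 8007
$wantedIds  = 8003, 8004, 8006, 8007
$since      = (Get-Date).AddMinutes(-$LookbackMinutes)

$events = foreach ($ch in $channels) {
    try {
        Get-WinEvent -FilterHashtable @{ LogName = $ch; Id = $wantedIds; StartTime = $since } -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; treat that as an empty result, surface anything else
        if ($_.Exception.Message -notmatch 'No events were found') { Write-Warning "$ch : $_" }
    }
}

$udp = New-Object System.Net.Sockets.UdpClient
try {
    foreach ($e in $events) {
        $action = if ($blockedIds -contains $e.Id) { 'BLOCKED' } else { 'AUDIT' }
        # Syslog PRI: facility 1 (user) * 8 + severity 4 (warning) = 12; RFC 5424-style header
        $fields = @(
            $e.TimeCreated.ToUniversalTime().ToString('o'),
            $env:COMPUTERNAME,
            $e.Id,
            $action,
            [string]$e.UserId,
            $e.LogName,
            ($e.Message -replace '\s+', ' ')
        )
        $msg   = '<12>1 {0} {1} AppLocker - {2} - action={3} user="{4}" channel="{5}" msg="{6}"' -f $fields
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($msg)
        [void]$udp.Send($bytes, $bytes.Length, $SyslogHost, $SyslogPort)
    }
} finally {
    $udp.Close()
}
"Forwarded $(@($events).Count) AppLocker event(s) to ${SyslogHost}:$SyslogPort"
```

Run it from a scheduled task every few minutes and the collector sees every block and every audit-mode "would have blocked" decision, which is the data you need while tuning a whitelist before enforcing it. Windows Event Forwarding (a subscription to the same two channels) is the built-in alternative if you already have a WEF collector.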
 
Spam filtering....block all those PDFs, DOC and RTF files. Along with that, some basic web filtering.

AppLocker sounds good until you look at it further and realize that all of the logging is on the local host, rendering it almost useless for any type of troubleshooting. I love the product, but $#%^ Microsoft and their crappy logging capabilities. I couldn't find a way to syslog it either, otherwise I'd be using it.

Whether you pay or not depends on a couple of factors. Do you have backups that you can go back far enough that are not impacted by this? Will restoring those impact your business (will you lose valuable data)? How vital is the data to your business?

It is easy to say don't pay until your entire business is at risk.

Thing is, paying may not give back the data anyway, because... why would it?

As I said before if your data is so valuable then you should protect it.
 
Thing is, paying may not give back the data anyway, because... why would it?

As I said before if your data is so valuable then you should protect it.

Yep, I like to look at it this way: What is your plan if your entire system crashes rendering the data completely unusable? Use that plan for ransomware too.
 
Just a heads up: the cryptocrappers have an ability to crawl around your system. So, any mounted network share or removable drive that is used for backups should be disconnected once you're done using it.
Compared to defending yourself against catastrophic drive failure, you also need to take the crawling ability seriously. Some of them even roam around the LAN, so that's why using a username+password combo and not sharing too much even at home is paramount.
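The advice above (connect the backup share only while you use it, with its own credentials) can be scripted so the window is as short as the copy itself. The following is an added example, not from the thread or from any vendor; the NAS name, share and backup account are placeholders, and it assumes the SMB session that New-PSDrive opens with the dedicated credential is reused by robocopy running in the same logon session.

```powershell
# Added example, not code from the thread: mount the backup share with a dedicated
# credential only for the duration of the copy, then tear the session down again.
# Assumptions: all names below are placeholders for your own NAS, share and account.
param(
    [string]$SharePath  = '\\nas.example.internal\backups',   # placeholder UNC share
    [string]$Source     = 'D:\Data',
    [string]$BackupUser = 'NAS\backup-writer'                  # placeholder write-only account
)

$cred  = Get-Credential -UserName $BackupUser -Message 'Backup share credential'
$drive = 'B'   # temporary PowerShell drive name; pick one unused on this host

try {
    # Opens the SMB session with the backup account; nothing is mapped persistently
    New-PSDrive -Name $drive -PSProvider FileSystem -Root $SharePath -Credential $cred -ErrorAction Stop | Out-Null

    # Dated destination so an encrypted source never overwrites the previous good copy
    $dest = Join-Path $SharePath (Get-Date -Format 'yyyy-MM-dd')
    $log  = Join-Path $env:TEMP ('backup-{0}.log' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))

    # /E copy subdirectories, /R:1 /W:1 fail fast on locked files, /XJ skip junctions,
    # /NP no per-file progress. robocopy sees the UNC path via the session opened above.
    & robocopy.exe $Source $dest /E /R:1 /W:1 /XJ /NP "/LOG:$log"

    # robocopy exit codes 0-7 mean success or partial success; 8 and above mean failures
    if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit $LASTEXITCODE), see $log" }
    "Backup written to $dest (log: $log)"
}
finally {
    # Always disconnect, even on failure, so a crawler on this host finds no reachable share
    if (Get-PSDrive -Name $drive -ErrorAction SilentlyContinue) {
        Remove-PSDrive -Name $drive -Force
    }
    # Drop any cached SMB session to the share as well; errors are harmless if none exists
    & net.exe use $SharePath /delete /y 2>$null | Out-Null
}
```

The account used here should be able to write new files but not delete or overwrite old ones on the NAS side, so that even a process running as the backup user cannot destroy yesterday's copy; that permission is set on the NAS, not in this script.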
 
I had one crawl through my managed network and use admin shares and hit every workstation that was powered on, encrypting everything. Domain Users in the Domain Admins group is a big no-no.
 
Just a heads up: the cryptocrappers have an ability to crawl around your system. So, any mounted network share or removable drive that is used for backups should be disconnected once you're done using it.
Compared to defending yourself against catastrophic drive failure, you also need to take the crawling ability seriously. Some of them even roam around the LAN, so that's why using a username+password combo and not sharing too much even at home is paramount.

By the time we removed the malware a couple of folders on a Synology NAS were being encrypted. Fortunately none of our users were affected.
 
By the time we removed the malware a couple of folders on a Synology NAS were being encrypted. Fortunately none of our users were affected.

It's friggin scary. It's one of the few threats I'd have in mind while choosing an AV. Heuristics ought to be able to spot this is happening even if the signature is not in the database.

There are many decryptors available for various kinds of this crap. Is there a tried (preferably free) all-in-one code breaking product available? Would want it in my arsenal.
I guess it would be a good idea to keep a plain text file somewhere in the directory tree with some known keyword in it. So you have a reference for brute forcing it later.
 
It's friggin scary. It's one of the few threats I'd have in mind while choosing an AV. Heuristics ought to be able to spot this is happening even if the signature is not in the database.

There are many decryptors available for various kinds of this crap. Is there a tried (preferably free) all-in-one code breaking product available? Would want it in my arsenal.
I guess it would be a good idea to keep a plain text file somewhere in the directory tree with some known keyword in it. So you have a reference for brute forcing it later.
What we are also doing is changing the extension for backups and important files. So instead of .bak it's an arbitrary one, like .safe. Since most ransomware encrypts common extensions, like .docx, .mp3, etc., it will ignore the custom one.
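Two ideas in this exchange, a known plain-text file planted in the directory tree and watching for files that disappear or change extension, combine into a simple canary check. The script below is an added example, not from the thread: it drops a small file with known content in the folders ransomware tends to hit first (user Documents and Desktop, as the earlier post described), records SHA-256 hashes, and on later runs reports any canary that was modified, deleted or renamed. The state-file path is a placeholder.

```powershell
# Added example, not code from the thread: plant known-content canary files and verify them.
# A modified, missing or renamed canary is a strong signal that encryption is under way.
# Assumptions: $StateFile is a placeholder; adjust $CanaryDirs to your own layout.
param(
    [string[]]$CanaryDirs = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Desktop"),
    [string]$StateFile    = "$env:ProgramData\canary-state.json",   # placeholder location
    [switch]$Initialize
)

$canaryName = '_aaa_canary_do_not_delete.txt'   # sorts first, so it is touched early
$marker     = 'CANARY-KNOWN-PLAINTEXT-' + [guid]::NewGuid()

function Initialize-Canaries {
    $state = @{}
    foreach ($dir in $CanaryDirs) {
        $path = Join-Path $dir $canaryName
        # Known plaintext: the marker repeated so the file is not trivially small
        Set-Content -Path $path -Value (($marker + "`r`n") * 64) -Encoding ASCII -NoNewline
        $state[$path] = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    }
    $state | ConvertTo-Json | Set-Content -Path $StateFile -Encoding UTF8
    "Recorded $($state.Count) canary file(s) in $StateFile"
}

function Test-Canaries {
    $state  = Get-Content -Path $StateFile -Raw | ConvertFrom-Json
    $alerts = @()
    foreach ($prop in $state.PSObject.Properties) {
        $path = $prop.Name
        $expected = $prop.Value
        if (-not (Test-Path -LiteralPath $path)) {
            # Missing: deleted, or renamed with a new extension (look for the same stem)
            $stem    = [IO.Path]::GetFileNameWithoutExtension($path)
            $sibling = Get-ChildItem -LiteralPath (Split-Path $path) -Filter "$stem*" -ErrorAction SilentlyContinue |
                       Select-Object -First 1
            $detail  = if ($sibling) { "renamed to $($sibling.Name)" } else { 'deleted' }
            $alerts += [pscustomobject]@{ Path = $path; Status = 'MISSING'; Detail = $detail }
            continue
        }
        $actual = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        if ($actual -ne $expected) {
            $alerts += [pscustomobject]@{ Path = $path; Status = 'MODIFIED'; Detail = "hash now $actual" }
        }
    }
    return $alerts
}

if ($Initialize) {
    Initialize-Canaries
} else {
    $alerts = @(Test-Canaries)
    if ($alerts.Count -eq 0) {
        'All canaries intact'
    } else {
        $alerts | Format-Table -AutoSize
        # Hook your response here: disconnect backup shares, isolate the host, page someone
        exit 2
    }
}
```

Run once with -Initialize, then on a schedule without it; a non-zero exit is the trigger for whatever response you already have (the backup share disconnect above, a network isolation, an alert). The known content is also exactly the reference sample the earlier post wanted to keep on hand.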
 
What we are also doing is changing the extension for backups and important files. So instead of .bak it's an arbitrary one, like .safe. Since most ransomware encrypts common extensions, like .docx, .mp3, etc., it will ignore the custom one.

That seems like a lot of work for something that should not be necessary if the backups are done properly with a monthly-weekly-daily rotation. The only potential issue is if it lays dormant for a long time.

Heuristics may work; whitelisting is (almost) guaranteed to if it is set up correctly. That is a pain, but if you are dealing with a lot of cryptoware, that is what I would do. Heck, even without remote logging (thanks Microsoft) AppLocker would prevent crypto-malware from running. AppLocker should not be too difficult to set up if an environment is fairly static - it gets more challenging if you have developers or give everyone admin rights.
 
There is a simple batch command that will rename all file extensions of .exe to .text. It only takes a few seconds to run.
I wrote one myself and as you said it only takes a few seconds
 
Well, my dad's work has been hit. Not sure if by the same thing, but they gave 72hrs for 2BTC and it goes up after 72hrs I guess. It hit the company's server. They are a home repair and remodeling company who works on multi-million dollar homes. Don Davis, and the Chancellor of TCU are clients if that gives you an idea.

They are unable to access any of the files I guess and are unable to even run timesheet information and payday was today. They cut hand written checks for those that need it to get by for now. The owner is looking at paying the 2 BTC because it seems they really have no option around it.
 
Well, my dad's work has been hit. Not sure if by the same thing, but they gave 72hrs for 2BTC and it goes up after 72hrs I guess. It hit the company's server. They are a home repair and remodeling company who works on multi-million dollar homes. Don Davis, and the Chancellor of TCU are clients if that gives you an idea.

They are unable to access any of the files I guess and are unable to even run timesheet information and payday was today. They cut hand written checks for those that need it to get by for now. The owner is looking at paying the 2 BTC because it seems they really have no option around it.

Yikes!!!
 
I would really advise not paying, as they might not recover the info anyway.
 
Recently I read an article saying that we can decrypt these files without paying these pigs. Will update it here later if I find it again.
 