February 17, 2009 at 9:58 am #3409
I have a customer whose laptop has been hit with some form of virus/script/whatever. The end result is that all the document (.doc, .ppt etc) and music files have been changed to an unreadable state.
The initial symptom is that the files are renamed to xxxx.doc.NCRYPTED.NCRYPTED.NCYRPTED.NCRYPTED.ncrypted
Renaming the file to remove the rubbish on the end makes no difference as the file is still unreadable – appears the file header has been altered perhaps?
There is also a text file left behind with the following:
“Some files on your machine are encrypted and your private informations were collected and sent to us.
To decrypt files so you could use them again, you have to buy our decryptor.
After you buy decryptor, your files will be decrypted, and we will destroy your private informations from our system, and help you remove malicious software from your system.
To buy decryptor, contact us at: email@example.com or firstname.lastname@example.org
If you dont contact us, your private informations will be shared and you will loose all your data.”
Normally, I would just run a format & reinstall the system but in this case the customer is desperate to keep their data since they have no backup.
So far I have run multiple virus scans with NOD32 which has pulled off some 30+ infections. I have also run spyware scans but of course this has had no effect.
Google has so far been unable to help and I’m not very confident of being able to get this resolved.
Any ideas or help would be greatly appreciated! ???
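A triage script, added here and not part of the original post, for the two questions raised above: it strips the stacked .NCRYPTED suffixes to recover each original name and checks whether the file's leading bytes still match the expected format, which tells you whether the header itself was altered. The magic values are the standard ones for legacy Office (OLE2) and MP3 files; the sample tree is constructed for the demo and is an assumption.

```python
import os
import re
import tempfile
from pathlib import Path

# One or more ".NCRYPTED" suffixes (any case) at the end of the name, as seen on
# the laptop: "x.doc.NCRYPTED.NCRYPTED.ncrypted". Mistyped variants are not stripped.
SUFFIX_RE = re.compile(r"(?:\.ncrypted)+$", re.IGNORECASE)

# Leading bytes expected for the original formats (assumed, standard values):
# OLE2 compound file for legacy .doc/.ppt/.xls, ID3 tag or MPEG frame sync for .mp3.
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MAGIC = {".doc": [OLE2], ".ppt": [OLE2], ".xls": [OLE2],
         ".mp3": [b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"]}


def original_name(name):
    """Strip the repeated ransomware suffixes to recover the original file name."""
    return SUFFIX_RE.sub("", name)


def header_intact(path, original):
    """True/False if the first bytes match the original format; None if the format is unknown."""
    expected = MAGIC.get(Path(original).suffix.lower())
    if expected is None:
        return None
    with open(path, "rb") as f:
        head = f.read(16)
    return any(head.startswith(m) for m in expected)


def triage(root):
    """Walk root and map each suffixed file's original name to its header status."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if SUFFIX_RE.search(name):
                orig = original_name(name)
                report[orig] = header_intact(os.path.join(dirpath, name), orig)
    return report


def demo():
    """Constructed sample tree: a .doc whose header was overwritten, an .mp3 whose
    header survived, and a .txt for which no magic is known."""
    samples = {"report.doc.NCRYPTED.NCRYPTED.ncrypted": b"\x8a\x17\x00\x00junk" * 4,
               "song.mp3.NCRYPTED": b"ID3\x03\x00" + b"\x00" * 32,
               "notes.txt.ncrypted": b"\x00" * 16}
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        return triage(root)
```

Run `triage()` against a read-only copy of the affected profile, never the live disk; a `False` for every document means the content was rewritten, not just renamed.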
February 17, 2009 at 2:06 pm #22349 timmedin (Participant)
That is not good. I haven’t personally seen ransomware but I have heard of it. Kaspersky cracked the easier keys, but the bad guys began using 1024 RSA for encryption so good luck.
First, take the machine offline immediately and grab an image. If the malware isn’t the latest generation it may still contain the original files, but in unallocated space.
Do you have any idea what “infections” the scan removed? Having those details may help you figure out exactly what you have been hit with.
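The "originals may still be in unallocated space" point above, as an added example that is not part of the original reply: a minimal header carver that scans a raw image for sector-aligned OLE2 (.doc/.ppt) headers and cuts out each candidate up to the next header, then trims trailing zero sectors. The image is constructed inline and includes the case a later reply worries about, where the originals are overwritten rather than merely deleted; sector size and the OLE2 magic are standard values.

```python
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.ppt/.xls header
SECTOR = 512  # allocation units are multiples of 512 bytes, so file headers sit on sector boundaries


def find_headers(image, magic=OLE2_MAGIC, align=SECTOR):
    """Return sector-aligned offsets where `magic` occurs in a raw image."""
    hits, pos = [], image.find(magic)
    while pos != -1:
        if pos % align == 0:          # unaligned matches are data, not file starts
            hits.append(pos)
        pos = image.find(magic, pos + 1)
    return hits


def trim_zero_sectors(data, sector=SECTOR):
    """Drop whole trailing zero sectors (slack between the file end and the next header)."""
    while len(data) > sector and data[-sector:] == b"\x00" * sector:
        data = data[:-sector]
    return data


def carve(image, max_len=64 * SECTOR):
    """Carve candidates from each header to the next header or max_len.
    Returns (offset, data) pairs; each candidate still needs validating (opening,
    hashing, comparing to any known copy) before it is trusted as the original."""
    offsets = find_headers(image)
    carved = []
    for i, start in enumerate(offsets):
        end = offsets[i + 1] if i + 1 < len(offsets) else len(image)
        carved.append((start, trim_zero_sectors(image[start:min(end, start + max_len)])))
    return carved


def build_image(scrubbed=False):
    """Constructed 16-sector 'unallocated space': document A at sector 3, document B at
    sector 8, plus an unaligned decoy copy of the magic at offset 100. With scrubbed=True
    document B has been overwritten with zeros, as a wiping attacker would leave it."""
    image = bytearray(16 * SECTOR)
    image[100:100 + len(OLE2_MAGIC)] = OLE2_MAGIC
    image[3 * SECTOR:5 * SECTOR] = OLE2_MAGIC + b"A" * (2 * SECTOR - len(OLE2_MAGIC))
    if not scrubbed:
        image[8 * SECTOR:11 * SECTOR] = OLE2_MAGIC + b"B" * (3 * SECTOR - len(OLE2_MAGIC))
    return bytes(image)


def demo():
    """(offset, length) of carved candidates for the deleted and the scrubbed case."""
    return {mode: [(off, len(d)) for off, d in carve(build_image(scrubbed))]
            for mode, scrubbed in (("deleted", False), ("scrubbed", True))}
```

On a real image, read it in chunks rather than into memory and add footer or size checks per format; header-only carving is what this demo shows.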
February 17, 2009 at 2:45 pm #22350 NickFnord (Participant)
This kind of thing scares the hell out of me… it’s no longer just a matter of wiping the virus off or reinstalling.
But I’ve always been calmed down when I think that all that needs to happen is for law enforcement to follow the money. Not sure how this would work internationally though…
February 18, 2009 at 8:27 am #22351
Yup, these are some scary developments. However if you follow best practice and backup (I know, there’s an elephant in the room…) then you can go back to wipe machine, restore backup (old enough not to be hijacked) and restore.
User gets back online with minimal fuss and loss of work, gives you time to work out infection vector and mitigate (image of machine plus VM should help). With a bit of luck enough people dealing with Ransomware this way means the bad guys stop getting cash and give up on this business model.
Additionally I’ve seen some ransomware knock-offs that have removed the link between .doc files and Word, along with a pop-up stating ‘you’re money or you files’. Those that know no better have been unable to open files with a double-click and paid up for the ‘fix’.
Depending on the value of the data I’d suggest you could:
- Contact law enforcement to handle the investigation, but I wouldn’t hold out much hope of a result unless you work for a large company.
- Hire a forensic guy/team to assist (or go solo if you’ve got the skills, just CYA)
- Write off the data and reformat
- Write off the loss and pay up (pride and ethics may get in the way here)
- [s]String up user to server as a warning…[/s]
Likely there’s nothing above you haven’t thought of, don’t think any of the above options are ‘good’. Ultimately this needs to be a decision that is best for the business as a whole, not a technical one.
All the best with your problem, hope you get sorted.
February 18, 2009 at 2:36 pm #22352 jason (Participant)
As for getting the data back, be sure to keep track of the malware before you clean it off of the machine. If you can find the particular nasty that was responsible for encrypting the data in the first place, then you stand a better chance of being able to undo the problem. If you really need the data back, this is the route that I would take.
February 25, 2009 at 6:48 am #22353
Hey, before having your backup please scan your backup too, as the virus or trojan might have been duplicated in your actual file name format… so better to check while taking the backup and retrieving the backup… today’s trojans or worms are really smart 😛
February 25, 2009 at 8:50 am #22354
re-reading my post there is a fair amount that isn’t as understandable as I’d have liked.
Checking backups before the restore was what I had meant by ‘old enough not to be hijacked’. Should be common practice but I know several people (myself included) who have been caught by the same issue.
Thanks for catching the issue. I definitely wouldn’t want someone taking my advice word for word then complaining when they spent hours of work only to still be infected…
February 25, 2009 at 10:22 am #22355
I really agree with you, most of the time those who are supposed to be taking care of others get caught themselves…
There is a saying, “in a world of Information Security, the only final sin is human stupidity…!”
But it’s true, even I have been caught with the same issues…
We just need to be alert always and a bit more careful… :)
February 26, 2009 at 6:01 am #22356
Finally there is a solution after I submitted the sample files to Trend Micro. UNISTLVWT16 was detected in the machine and they released the pattern file 5.853 for the same. Unfortunately the deleted files cannot be recovered.
The virus is termed WORM_RANSOM.AQ by Trend Micro.
February 26, 2009 at 11:08 am #22357
Thanks for the update, I haven’t seen WORM_RANSOM.AQ around so I’ll keep my eye out for it. Can’t find much about it online, Google shows a single site in a foreign language (not sure which) and this thread. Do you know if this was a targeted attack at your employer or just something nasty that got you by accident?
Best of luck with the clean-up
February 27, 2009 at 3:47 am #22358
Please find the URL which shows some details about the virus.
February 27, 2009 at 12:59 pm #22359
Thanks for the additional info. That’s a long list of file extensions that it encrypts 🙁
Some of the recommendations for recovering original, non-encrypted versions of the files are interesting and not a possibility I had thought of. Just wonder how long it will be until the BadGuys(tm) start scrubbing the original files rather than just deleting them though…
February 27, 2009 at 4:02 pm #22360
BADGUYS were not always the bad guys, politics and their people make them for the cause of money, some do it for fun and some do it for revenge, and some do it for their own business. This list might increase any time and might go to any length, but who knows, there might be hidden stuff in the original files too. Whenever there is a positive there will always be a negative for that. I just wonder what the Conficker might bring now…
February 28, 2009 at 1:07 am #22361 tarterp (Participant)
What would worry me the most in this situation is that the attacker talked about private information. I would be worried about that: what do they consider private information? What did your client have on his computer that maybe would be more private than, say, login credentials? Does your client hold any private personal records? That is what I would be worried about. Then unfortunately it is a lot scarier.