Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Ransomware 6
- Thread starter dik
- Start date
-
1
- #2
- Thread starter
- #3
My three backups, USB attached were affected, too. Will keep you posted on ontcome. My son has sent me some information and will try it tomorrow. I've turned the machine off for tonight and will look at it fresh in the AM. A separate computer, not attached and almost a mirror, was up to date about a week ago. A little late, but a good reason to look into cloud storage.
-
1
- #4
TLDR: Sorry, can't decrypt and recover currently
-
1
- #5
Mike Lewis
Programmer
I bookmarked this article a few years ago:
I don't know if it is still in date, but it might be worth a glance.
Mike
__________________________________
Mike Lewis (Edinburgh, Scotland)
Visual FoxPro articles, tips and downloads
I don't know if it is still in date, but it might be worth a glance.
Mike
__________________________________
Mike Lewis (Edinburgh, Scotland)
Visual FoxPro articles, tips and downloads
- Thread starter
- #6
Thanks very much gentlemen... I've made arrangements to pay the ransom... big mistake on my part... had 3 backups of everything, but attached to the computer. When I get things up and running again, I'll look into cloud storage, too. Any suggestions? Fortunately I'd copied nearly all my data files to another computer a couple of weeks earlier, so a lot of the data was not affected. I let you know how the ransom works out... still a little concerned about paying for 'nothing'.
Once everything is decrypted, are there any 'remnants' lurking on my machine, and how do I scrub it clean. Once I have my backup files on a portable drive, can I do any sort of virus scan? and then reinstall the OS?
Dik
Once everything is decrypted, are there any 'remnants' lurking on my machine, and how do I scrub it clean. Once I have my backup files on a portable drive, can I do any sort of virus scan? and then reinstall the OS?
Dik
goombawaho
MIS
a good reason to look into cloud storage" INDEED. Not trying to pick on you, but I feel like everyone should have cloud backup to avoid data loss from theft/fire/flood/malware. I use idrive for me and all my customers that will pay.
Macrium Reflect will do a data backup and/or an image backup to the same computer, another computer, external drive or a NAS. And they have a feature to prevent malware from touching the backup file (Image Guardian). Not sure if it can withstand all crypto-malware (how could you ever know that), but it's better than a backup sitting somewhere waiting to get encrypted. I use it myself and for quite a few customers.
The Macrium data backup is obvious, but the image backup lets you regurgitate the system back to a day before the malware, then you can restore your backup from the cloud (idrive or whatever). Your OS will be back up and running in about 20 minutes. Then some time to restore your data.
There's no more sad feeling than to tell customers that their data is hosed. I do everything I can to explain to them the value of backup from the most minimal (flash drive) to more numerous and diverse strategies. The big game changer was the "crypto-malware revolution" because it tries to reach out to every device connected to the computer and even network drives.
Regarding the scanning. I would personally do a reload of the OS. You don't really want to trust that the system has been cleaned completely. You can post a question or read on Bleeping Computer for advice.
Macrium Reflect will do a data backup and/or an image backup to the same computer, another computer, external drive or a NAS. And they have a feature to prevent malware from touching the backup file (Image Guardian). Not sure if it can withstand all crypto-malware (how could you ever know that), but it's better than a backup sitting somewhere waiting to get encrypted. I use it myself and for quite a few customers.
The Macrium data backup is obvious, but the image backup lets you regurgitate the system back to a day before the malware, then you can restore your backup from the cloud (idrive or whatever). Your OS will be back up and running in about 20 minutes. Then some time to restore your data.
There's no more sad feeling than to tell customers that their data is hosed. I do everything I can to explain to them the value of backup from the most minimal (flash drive) to more numerous and diverse strategies. The big game changer was the "crypto-malware revolution" because it tries to reach out to every device connected to the computer and even network drives.
Regarding the scanning. I would personally do a reload of the OS. You don't really want to trust that the system has been cleaned completely. You can post a question or read on Bleeping Computer for advice.
- Thread starter
- #8
- Thread starter
- #10
goombawaho
MIS
Cloud storage can be "attached" to your computer" Not universally true. IF your backup service has VERSIONING as the one I have suggested does, the latest backup will be a backup of encrypted data. But you can choose a SNAPSHOT of your data on the day before which will have no encrypted data. So, you would be one day/backup behind current.
Most all cloud storage services are version controlled, so you likely have the option to go back to a previous version. I was just noting that cloud storage is a great way to infect all your connected systems.
Even with version control you may find some limits. It is possible that we may not notice ransomware encryption until days or weeks later when old versions have been purged from the server, as they fall out of the retention policy. Versioning may not be fully/regularly employed with massive files (like video). Is the particular flavor of ransomware developed to thwart version control solutions, continually modifying encrypted files to push the safe backups outside of the retention policy limit?
This is the eternal challenge and where you really need to fully investigate the source of the exploit. It is possible that the malware was loaded days or weeks before it did harm. So analyzing file changes since the apparent infection may not be sufficient. The monster may still be in the house. I'd use a handful of malware scanners on any recovered system and files.
Even with version control you may find some limits. It is possible that we may not notice ransomware encryption until days or weeks later when old versions have been purged from the server, as they fall out of the retention policy. Versioning may not be fully/regularly employed with massive files (like video). Is the particular flavor of ransomware developed to thwart version control solutions, continually modifying encrypted files to push the safe backups outside of the retention policy limit?
dik said:
This is the eternal challenge and where you really need to fully investigate the source of the exploit. It is possible that the malware was loaded days or weeks before it did harm. So analyzing file changes since the apparent infection may not be sufficient. The monster may still be in the house. I'd use a handful of malware scanners on any recovered system and files.
goombawaho
MIS
I was just noting that cloud storage is a great way to infect all your connected systems." Not correct. The cloud storage (or a least the one I am mentioning) is a one way dump from each computer. One computer gets infected then that computer backup is affected. The other computers are not affected at all - data nor backup. A different "backup bin" for each. 30 version retention too.
I saw someone that had shared their DropBox with their tax person. Tax person's PC got infected and corrupted all the files on the customer's cloud storage.
I saw someone that had shared their DropBox with their tax person. Tax person's PC got infected and corrupted all the files on the customer's cloud storage.
- Thread starter
- #14
Thanks... I didn't realise it could have been of the system for a bit before it loaded. Trying to make a bitcoin transfer, but it's difficult to do with all the verifications. I found a recent total back up on an HDD that I had forgotten about when I put in the 16TB drive. I'll see how close it is... two weeks old at latest. If it's a matter of losing a weeks work, which I can recover through eMail, mostly. I may forget about ransom. Thanks, Gentlemen.
- Thread starter
- #16
goombawaho
MIS
If I had no backup, I WOULD consider paying. You can't put a price on your data. Sure, a few extra pictures of aunt Nellie can go missing without too much pain. But what about invoices, emails, employee files, etc. if you're running a business. Paying starts to look better!!!! I wish people knew the feeling of missing data before it happens so they would get good backup. It's like being thrown out naked into the cold. Well......... not quite.
-
1
- #18
goombawaho said:
The difference here is that there is a backup. Everyone reading this topic should be preparing for this possibility with a backup. With that done, there is no reason to ever consider paying.
There are many other reasons to not pay. You cannot be certain that:
[ul]
[li]the criminals will release your files back to you.[/li]
[li]the criminals will not release your files to the public, or other buyers of confidential data.[/li]
[li]the criminals will not raise the ransom price after they discover your willingness to pay.[/li]
[li]the criminals are not leaving behind other malware to monitor/control your systems.[/li]
[li]you will not be criminally charged for funding terrorism or other crimes.[/li]
[/ul]
Sophos reports that only about 60% of victims get all their data back after payment.
Plenty of people demonstrate their stupidity by falling victim to a ransomware attack. Don't further confirm it with a payment.
- Thread starter
- #19
Thanks spanjim... I've decided not to pay the ransom.
I have one HDD that wasn't connected for the last couple of weeks. It's a total backup of everything, except executables/apps. I even backed up the desktop and files. I removed it to install a larger HDD, and forgot about it until yesterday morning. I copied it to the computer I'm currently working at. I'm not on a network and all my computers are 'stand alone'. I plan to take one of the infected drives, a 10TB and reformat it and make another backup of the uninfected drive, and set it aside. I've already started to 'recreate' some of the lost data and I will include the updated material on this newly created drive. I've lost a bunch of design data files, that cannot be recovered.
I had several hundred files (they were quite important and I'm glad I didn't lose them; they were months of work) on the desktop of the encryped computer in a dozen directories that were not encrypted. I've copied these to a USB stick and have checked the USB using Windows 'hidden and system files' approach, using the infected computer, and there are no hidden files or other software on the USB drives. There doesn't appear to be anything hidden. Is there a way to do an anti-virus scan of the USB stick by themselves to insure there is no malware? I have Bitdefender; is there a better one? I don't want to infect my clean machine. The clean HDD backup is not attached to anything, right now.
One of the other remaining encrypted drives will be reformatted and used as a backup. The third one will be set aside, with the encrypted files, in case there is a solution to the type of ransomware.
I intend to reformat the encrypted machine and re-install my software and the 'clean' files.
I'll also start a 'cloud' backup, too.
I have one HDD that wasn't connected for the last couple of weeks. It's a total backup of everything, except executables/apps. I even backed up the desktop and files. I removed it to install a larger HDD, and forgot about it until yesterday morning. I copied it to the computer I'm currently working at. I'm not on a network and all my computers are 'stand alone'. I plan to take one of the infected drives, a 10TB and reformat it and make another backup of the uninfected drive, and set it aside. I've already started to 'recreate' some of the lost data and I will include the updated material on this newly created drive. I've lost a bunch of design data files, that cannot be recovered.
I had several hundred files (they were quite important and I'm glad I didn't lose them; they were months of work) on the desktop of the encryped computer in a dozen directories that were not encrypted. I've copied these to a USB stick and have checked the USB using Windows 'hidden and system files' approach, using the infected computer, and there are no hidden files or other software on the USB drives. There doesn't appear to be anything hidden. Is there a way to do an anti-virus scan of the USB stick by themselves to insure there is no malware? I have Bitdefender; is there a better one? I don't want to infect my clean machine. The clean HDD backup is not attached to anything, right now.
One of the other remaining encrypted drives will be reformatted and used as a backup. The third one will be set aside, with the encrypted files, in case there is a solution to the type of ransomware.
I intend to reformat the encrypted machine and re-install my software and the 'clean' files.
I'll also start a 'cloud' backup, too.
![[thumbsup2]](/data/assets/smilies/thumbsup2.gif "[thumbsup2] [thumbsup2]")
- Status