2 minutes ago, bitdota said:

Hello all,

 

We got a crypto virus that changed all files to .onion and it's asking for bitcoins in ransom.

 

Any idea how I could remove it?

Hope i posted in the correct forum

 

I hope someone can help 

Basically none, you've only got 1 real choice and that is restore from backup. Paying any kind of money is a gamble and reinforces the profitability of making such attacks.


You should have backups.

 

If it is new ransomware you might want to wait for a decryption key.

 

If your server is running ZFS as file system you can restore snapshots. 

 

Try this? I'm pretty sure that is TeslaCrypt V3.

https://www.bleepingcomputer.com/news/security/teslacrypt-shuts-down-and-releases-master-decryption-key/

 

 


Your best bet is to Google it to see if any antivirus company has released a free tool.

All you will get from a public forum is "you should have a backup". Backup is much cheaper than buying bitcoins and is the only 100% way of recovery.

Paying the ransom is somewhere around 20% successful for residential and small businesses.


1 hour ago, leadeater said:

Basically none, you've only got 1 real choice and that is restore from backup. Paying any kind of money is a gamble and reinforces the profitability of making such attacks.

Last time I looked, a USA gov agency, might have been the FBI, reported 20% are successful on paying. Hospitals were different, they get targeted big time and re-targeted, but for home & small businesses 20% is too low to even consider paying.


2 hours ago, leadeater said:

Basically none, you've only got 1 real choice and that is restore from backup. Paying any kind of money is a gamble and reinforces the profitability of making such attacks.

 

2 hours ago, MrUnknownEMC said:

You should have backups.

 

If it is new ransomware you might want to wait for a decryption key.

 

If your server is running ZFS as file system you can restore snapshots. 

 

Try this? I'm pretty sure that is TeslaCrypt V3.

https://www.bleepingcomputer.com/news/security/teslacrypt-shuts-down-and-releases-master-decryption-key/

 

 

 

23 minutes ago, SCHISCHKA said:

Last time I looked, a USA gov agency, might have been the FBI, reported 20% are successful on paying. Hospitals were different, they get targeted big time and re-targeted, but for home & small businesses 20% is too low to even consider paying.

 

Thank you for your replies,

 

I am saving all the files on an external storage and reinstalling everything from scratch. I will wait; maybe in the future there will be a solution to access these files.

 

This is a lesson that I had to learn; the problem is that it was not my fault, someone who accesses our server maybe unintentionally downloaded this file from their mail.

 

The only thing that would help is if I could find out how exactly it got there. As I read on some sites, they don't access the server; it has to be a user who clicks that file.

 

Or is there any other way?


6 minutes ago, bitdota said:

The only thing that would help is if I could find out how exactly it got there. As I read on some sites, they don't access the server; it has to be a user who clicks that file.

At my uni we are taught to capture packets and analyse them, but I get the impression you don't have IDS or packet logging. All I can say is you need to be familiar with whatever logs you have and put in place.


4 hours ago, bitdota said:

Thank you for your replies,

 

I am saving all the files on an external storage and reinstalling everything from scratch. I will wait; maybe in the future there will be a solution to access these files.

This is a lesson that I had to learn; the problem is that it was not my fault, someone who accesses our server maybe unintentionally downloaded this file from their mail.

The only thing that would help is if I could find out how exactly it got there. As I read on some sites, they don't access the server; it has to be a user who clicks that file.

Or is there any other way?

There is no real way to stop this other than user education and basic endpoint security. If a user has write access to a share on the server a crypto virus will always be able to encrypt the files. As far as the server sees it a valid user is just making a bunch of file modifications, there isn't any way to tell the difference. The crypto viruses are running on the client computer not the server.

 

At the university I work for we set up hourly snapshots on our storage arrays because of things like this; that means we can instantly revert back if we get hit and only lose a maximum of an hour of data changes. We also keep I think 72 of those hourly snapshots and then a couple of weekly ones, and we also have daily backups which we keep for a month, then drop to weekly, then monthly, and keep those monthlies for a year on disk then another year on tape.

 

It is very hard at the technical level to stop all crypto viruses from getting through to a user, which is why the only surefire way to prevent getting hit by these is good user education and a company-wide mindset of "If I don't know what it is, don't click on it, stop and ask".

 

From what we have heard this is an extremely big problem for Australian universities and they are getting targeted much more regularly than we do, some do 15 minute snapshots because the problem is so bad.

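The retention scheme leadeater describes (a fixed number of hourly snapshots, then the newest copy per day, week and month) can be written as a selection rule over snapshot timestamps, so the prune step is reproducible rather than ad hoc. The following Python is an added example, not code from this thread or from any storage product; DEMO_NOW, the hourly snapshot list and the window sizes are constructed for the demonstration.

```python
from datetime import datetime, timedelta

# Constructed "now" and snapshot list for the demonstration.
DEMO_NOW = datetime(2016, 12, 1, 12, 0)

def hourly_snapshots(now, days):
    """One snapshot timestamp per hour, going back the given number of days."""
    return [now - timedelta(hours=h) for h in range(days * 24)]

def snapshots_to_keep(snapshots, now, hourly=72, daily=30, weekly=8, monthly=12):
    """Return the set of timestamps to retain: every snapshot younger than
    `hourly` hours, plus the newest snapshot of each calendar day, ISO week
    and month inside the daily/weekly/monthly windows. Everything else is
    a pruning candidate."""
    keep = set()
    newest = {"day": {}, "week": {}, "month": {}}
    def bucket(kind, ts):
        if kind == "day":
            return ts.date()
        if kind == "week":
            return ts.isocalendar()[:2]        # (ISO year, ISO week)
        return (ts.year, ts.month)
    for ts in snapshots:
        if ts > now:
            continue                           # ignore clock-skewed future entries
        if now - ts < timedelta(hours=hourly):
            keep.add(ts)
        for kind, table in newest.items():
            b = bucket(kind, ts)
            if b not in table or ts > table[b]:
                table[b] = ts
    for ts in newest["day"].values():
        if now - ts < timedelta(days=daily):
            keep.add(ts)
    for ts in newest["week"].values():
        if now - ts < timedelta(weeks=weekly):
            keep.add(ts)
    for ts in newest["month"].values():
        months_back = (now.year - ts.year) * 12 + now.month - ts.month
        if months_back <= monthly:
            keep.add(ts)
    return keep

def kept(keep, iso_time):
    """Convenience check: is the snapshot taken at iso_time retained?"""
    return datetime.fromisoformat(iso_time) in keep
```

Anything in the snapshot list but not in the returned set is what a nightly prune job would destroy; the windows are the knobs to tune against how far back you expect to need to roll.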

There is (expensive) software such as Varonis or Tripwire that can look for rapid file changes (100s within seconds or whatever you define) that can help mitigate such viruses. You can have it run a script when it sees such behavior. The script can do whatever you want, such as locking out a user account or shutting down ports on a switch. Sky's the limit.

(Any SIEM or file integrity monitors should be able to do this)

 

Also, as you rebuild your network/computers, shut down every single computer that you so much as suspect as having been impacted. Then slowly, one by one, rebuild them. My level of paranoia for something like that would be new hard drives for each machine, but that's not very cost effective (or really needed). Or at the very least boot from a CD and do a full 5-pass wipe.

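The "hundreds of file changes within seconds" rule Mikensan describes can be checked against file-server audit records with a sliding window per user, which is also how the file-extension tell from the original post (.onion) can be caught. The following Python is an added example, not code from this thread or from Varonis/Tripwire; the audit line format, the sample lines, the user names and the thresholds are constructed for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample audit lines (format assumed for this example):
# "<ISO time> <user> <action> <path or 'old -> new' for renames>"
SAMPLE_LOG = """\
2016-12-01T09:00:00 alice WRITE /share/finance/q3.xlsx
2016-12-01T09:00:30 alice READ /share/finance/q3.xlsx
2016-12-01T09:01:00 bob RENAME /share/docs/a.docx -> /share/docs/a.docx.onion
2016-12-01T09:01:01 bob RENAME /share/docs/b.docx -> /share/docs/b.docx.onion
2016-12-01T09:01:01 bob WRITE /share/docs/_HOW_TO_RESTORE.txt
2016-12-01T09:01:02 bob RENAME /share/docs/c.pdf -> /share/docs/c.pdf.onion
2016-12-01T09:10:00 alice WRITE /share/finance/q4.xlsx
"""

def parse_line(line):
    """Split one audit line into (timestamp, user, action, target)."""
    ts, user, action, target = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, target

def detect_bursts(lines, window_seconds=5, threshold=3, suspicious_ext=None):
    """Return {user: time_first_flagged} for users whose WRITE/RENAME count
    inside any sliding window of window_seconds reaches threshold, or, if
    suspicious_ext is given, who produce a file with that extension."""
    recent = defaultdict(deque)   # per-user timestamps still inside the window
    flagged = {}
    for line in lines:
        if not line.strip():
            continue
        ts, user, action, target = parse_line(line)
        if action not in ("WRITE", "RENAME"):
            continue              # reads do not count towards the burst
        q = recent[user]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if user in flagged:
            continue              # already reported; keep the first detection time
        if len(q) >= threshold or (suspicious_ext and target.endswith(suspicious_ext)):
            flagged[user] = ts
    return flagged

def users_to_lock(log_text, **kw):
    """Sorted user names a response script would disable (Mikensan's 'lock out a user account')."""
    return sorted(detect_bursts(log_text.splitlines(), **kw))
```

The rate rule fires on the third modification in the window, while the extension rule fires on the very first rename; in practice the threshold has to be set above what legitimate bulk jobs (sync clients, builds) produce, which is exactly the false positive kirashi mentions below.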

13 hours ago, bitdota said:

We got a crypto virus that changed all files to .onion and it's asking for bitcoins in ransom.

Any idea how could i remove it ?

You don't remove crypto viruses - pave n' nuke is the way to go. Then restore from backup. You're basically gambling by paying - you might get your files back, you might not. Either way, you're only supporting the bad guys here and enabling them to bait more victims into these types of infections.

 

2 hours ago, Mikensan said:

There is (expensive) software such as Varonis or Tripwire that can look for rapid file changes (100s within seconds or whatever you define) that can help mitigate such viruses.

Products like MalwareBytes 3.0 and CryptoPrevent both work similarly, watching for rapid file changes in certain directories to catch and kill ransomware. I've had Dropbox get flagged as ransomware because I was modifying a buttload of files at once, so I know MBAM works... almost too well. :P And neither of these programs cost tons of money, relative to enterprise level stuff.


18 hours ago, bitdota said:

 

 

 

Thank you for your replies,

 

I am saving all the files on an external storage and reinstalling everything from scratch. I will wait; maybe in the future there will be a solution to access these files.

This is a lesson that I had to learn; the problem is that it was not my fault, someone who accesses our server maybe unintentionally downloaded this file from their mail.

The only thing that would help is if I could find out how exactly it got there. As I read on some sites, they don't access the server; it has to be a user who clicks that file.

Or is there any other way?

I would suggest creating accounts and giving them certain access, such as read-only and write on certain folders. Backup is key; I would suggest ZFS and having hourly backups or even every 10 minutes, depending on how much the files are changing. ZFS is by far the easiest to roll back data with, from what I have experienced, such as accidentally deleted data.

 

 


22 hours ago, kirashi said:

You don't remove crypto viruses - pave n' nuke is the way to go. Then restore from backup. You're basically gambling by paying - you might get your files back, you might not. Either way, you're only supporting the bad guys here and enabling them to bait more victims into these types of infections.

 

Products like MalwareBytes 3.0 and CryptoPrevent both work similarly, watching for rapid file changes in certain directories to catch and kill ransomware. I've had Dropbox get flagged as ransomware because I was modifying a buttload of files at once, so I know MBAM works... almost too well. :P And neither of these programs cost tons of money, relative to enterprise level stuff.

That's pretty cool, haven't touched Malwarebytes in ages. Do they look at the actions of the users, or sit and stare at files? In one scenario I could have a single instance running while it eyeballs important directories etc... In contrast, if it monitors actions of users then it'd need to be installed on every endpoint. Would be a nice solution at home. I have snapshots + backups, but preventing it from happening in the first place would be nice.


3 hours ago, Mikensan said:

That's pretty cool, haven't touched Malwarebytes in ages. Do they look at the actions of the users, or sit and stare at files? In one scenario I could have a single instance running while it eyeballs important directories etc... In contrast, if it monitors actions of users then it'd need to be installed on every endpoint. Would be a nice solution at home. I have snapshots + backups, but preventing it from happening in the first place would be nice.

Right now MBAM just recently launched MBAM 3.0, which combined their Anti-Malware, Anti-Exploit, and Anti-Ransomware programs into a singular solution. Works out to be less expensive than buying everything separately, and of course, it's a lot easier to manage all being under one app. They're working on ramping up their support for Technicians and the IT sector now (I can't say more than that), and recently acquired both JunkwareRemovalTool (JRT) and ADWCleaner, as well as TheSafeMac's Adware Medic for the macOS platform.

 

I highly recommend registering an account over at their forums and trying to get into their Techbench program if you're running your own IT / technician firm, or convince your boss to do so. Alternatively, look into their endpoint security solutions.

https://forums.malwarebytes.org

 

Yes, it needs to be installed on each endpoint for proper protection, unless you plan on providing read only access to the network file shares your users will be accessing. Think of it this way - if ransomware started encrypting files on the NAS and you only had MBAM installed on said NAS, it has no way of stopping the encryption process because it's not running on the NAS.

https://www.malwarebytes.com/business/endpointsecurity/


ouch....

Yea, unless there is a decrypter for your flavor of virus (there might be, have a look around online, you never know) you have to restore from a backup.

one question

is your backup plan like this?:

daily backup (local and offsite)

weekly backup (local and offsite)

monthly backup (local and offsite)

yearly backup (local and offsite)

If so, then that's good practice; I ram it into new admins every time so it sticks more than superglue!

if not, do you have a death wish?

