Ransomware issue

Discussion in 'BlackHat Lounge' started by tymillz, Dec 27, 2016.

  1. tymillz

    tymillz Super Moderator Staff Member Moderator Jr. VIP

    Joined:
    Jan 15, 2009
    Messages:
    1,158
    Likes Received:
    3,585
    Occupation:
    This
    Location:
    (215)The Hood(215)
    It looks like one of my Windows servers was infected with ransomware. Has anyone had any experiences with removing ransomware? Also, my main concern is my Dropbox folder. Is it possible for the files in that folder to become infected and spread it to other machines that I have DB installed on?
     
  2. Reaver

    Reaver Jr. VIP Jr. VIP

    Joined:
    Aug 6, 2015
    Messages:
    1,848
    Likes Received:
    5,310
    Gender:
    Female
    First of all, holy shit.

    Second, can you tell us which Ransomware affected your machine?
     
  3. tymillz

    tymillz Super Moderator Staff Member Moderator Jr. VIP

    Joined:
    Jan 15, 2009
    Messages:
    1,158
    Likes Received:
    3,585
    Occupation:
    This
    Location:
    (215)The Hood(215)
    When I did a search of the text that's there, it's saying the ransomware is called a Cryptoware virus. I'm trying to figure out how this could've even happened.
     
  4. Reaver

    Reaver Jr. VIP Jr. VIP

    Joined:
    Aug 6, 2015
    Messages:
    1,848
    Likes Received:
    5,310
    Gender:
    Female
    It usually comes from downloading something.

    Also, yes, it can probably affect your Dropbox. Here's more info on that:

    https://www.dropbox.com/en/help/8406

    Finally, I think you may be able to get rid of it by using the restore option (taking your computer back to before the virus was infected) or finding a program that will get rid of it for you.

    I'm not an expert though. I think either @davids355 or @bartosimpsonio can help you better than I can. These things are tricky and they're always evolving.
     
    • Thanks Thanks x 3
  5. datsunguy

    datsunguy Supreme Member

    Joined:
    Sep 30, 2016
    Messages:
    1,458
    Likes Received:
    1,068
    Occupation:
    professional duck
    Location:
    a pond near you
    I used to work in an IT shop about a year ago, and for ransomware we refused to try and save the files. We told the customer that he has two options: pay the ransom and hope you actually get your stuff back (unlikely), or we can wipe the whole system. It's a bitch.
     
    • Thanks Thanks x 1
  6. gman777

    gman777 Jr. VIP Jr. VIP

    Joined:
    Apr 7, 2016
    Messages:
    641
    Likes Received:
    487
    What do you mean infected?

    Have you performed a full scan, or did the antivirus detect the ransomware based on its actions?

    Did any program show asking you to pay money?

    You can also send the detected file to VirusTotal to check...

    It can also be a false positive...

    A full scan with Malwarebytes Anti-Malware should help you as well...
     
    • Thanks Thanks x 1
  7. Reaver

    Reaver Jr. VIP Jr. VIP

    Joined:
    Aug 6, 2015
    Messages:
    1,848
    Likes Received:
    5,310
    Gender:
    Female
    Why did you refuse? Was it a lot of work or just impossible to get rid of?

     
    • Thanks Thanks x 1
  8. datsunguy

    datsunguy Supreme Member

    Joined:
    Sep 30, 2016
    Messages:
    1,458
    Likes Received:
    1,068
    Occupation:
    professional duck
    Location:
    a pond near you
    The whole PC was locked down. You could log on and open files, but they came up with gibberish, and the PC would lock down with a message demanding payment when trying anything to restore the PC.
    It looked normal at first glance on the desktop, but any word on the PC was turned into gibberish.

    It was the customer's business PC as well, and he lost all info on there. Basically his work was crippled because of it, and to no surprise he didn't have copies of important work-related documents. Since then I made it a point to basically pressure everyone into at least making one complete and separate backup of important crap.

    It was impossible (for us) to get rid of it, and we didn't know any other place that could attempt to unlock it. We refused to save the customer money and time.
     
    • Thanks Thanks x 1
  9. Reaver

    Reaver Jr. VIP Jr. VIP

    Joined:
    Aug 6, 2015
    Messages:
    1,848
    Likes Received:
    5,310
    Gender:
    Female
    Wow.

    Well it makes sense to save time and money.

    @tymillz Can you afford to wipe your PC? Do you have backups of your files?

     
    • Thanks Thanks x 1
  10. Fragmaster

    Fragmaster Jr. VIP Jr. VIP

    Joined:
    Apr 3, 2016
    Messages:
    678
    Likes Received:
    991
    Gender:
    Male
    Ransomware encrypts your files/file system. It is impossible to recover them without the decryption key, which the attacker promises to give when you pay. Because usually you have a time limit, and nobody (I mean regular people; the breaking ETA could be 10 years) has the computing power to break the encryption in time.
     
    • Thanks Thanks x 2
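    A defender-side check for the situation Fragmaster describes (a local or synced folder whose files have silently been turned into ciphertext), added here as an example that is not from this thread or from any poster: a Python scanner that measures the Shannon entropy of each file, flags files that should contain structured data but are now near-random, and separately flags small text files that read like a ransom note. The 7.5 bits/byte threshold, the list of extensions that are legitimately high-entropy, and the note keywords are assumptions chosen for illustration; the files created by demo() are constructed samples, not data from the thread. Run it against a quarantined copy of a suspect folder (with the machine off the network, as other posters advise), never on the live share.

```python
import math
import os
import sys
import json
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: extensions whose legitimate contents are already compressed or random-
# looking, so high entropy alone tells us nothing about them.
ALREADY_HIGH_ENTROPY = {".zip", ".gz", ".7z", ".rar", ".jpg", ".jpeg", ".png",
                        ".mp4", ".mp3", ".pdf", ".docx", ".xlsx", ".pptx"}
# Assumption: bits per byte above which a "plain" file is treated as ciphertext.
# Natural-language text sits around 4-5 bits/byte; good ciphertext is close to 8.
ENTROPY_THRESHOLD = 7.5
MIN_SIZE = 256  # entropy is meaningless for tiny files
# Assumption: phrases that commonly appear in extortion notes (illustrative list).
NOTE_KEYWORDS = ("decrypt", "bitcoin", "ransom", "your files", "private key")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty, max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, name: str) -> bool:
    """True when a file that should be structured/low-entropy is near-random.

    Files with an unknown trailing extension (e.g. report.docx.locked) are judged
    on entropy alone, because a renamed extension is itself a common symptom."""
    ext = Path(name).suffix.lower()
    if ext in ALREADY_HIGH_ENTROPY or len(data) < MIN_SIZE:
        return False
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def looks_like_ransom_note(data: bytes) -> bool:
    """True when readable text contains at least two extortion-note phrases."""
    text = data.decode("utf-8", errors="ignore").lower()
    return sum(k in text for k in NOTE_KEYWORDS) >= 2


def scan_directory(root) -> dict:
    """Walk root and report likely-encrypted files, ransom notes and the hit ratio."""
    root = Path(root)
    encrypted, notes, total = [], [], 0
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        total += 1
        data = path.read_bytes()
        rel = str(path.relative_to(root))
        if looks_encrypted(data, path.name):
            encrypted.append(rel)
        elif looks_like_ransom_note(data):
            notes.append(rel)
    return {
        "total": total,
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "ratio": len(encrypted) / total if total else 0.0,
    }


def demo() -> dict:
    """Build a constructed sample tree and scan it; returns the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed samples: ordinary text, two "encrypted" files (random bytes
        # standing in for ciphertext), a legitimately random-looking JPEG, and a note.
        (root / "plain.txt").write_bytes(
            b"The quick brown fox jumps over the lazy dog.\n" * 50)
        (root / "secret.txt").write_bytes(os.urandom(4096))
        (root / "invoice.docx.locked").write_bytes(os.urandom(4096))
        (root / "photo.jpg").write_bytes(os.urandom(4096))
        (root / "README_DECRYPT.txt").write_bytes(
            b"Your files have been encrypted. Send bitcoin to decrypt them.\n")
        return scan_directory(root)


if __name__ == "__main__":
    # Usage: python scan.py /path/to/quarantined/copy   (no argument runs the demo)
    print(json.dumps(scan_directory(sys.argv[1]) if len(sys.argv) > 1 else demo(),
                     indent=2))
```

    A high ratio of near-random files under extensions that should be readable, together with a note file in every directory, is the pattern worth alerting on; a single high-entropy file is not, since archives and media look the same. The same entropy routine can be pointed at a backup set before restoring it, to confirm the backup was taken before the encryption started.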
  11. tymillz

    tymillz Super Moderator Staff Member Moderator Jr. VIP

    Joined:
    Jan 15, 2009
    Messages:
    1,158
    Likes Received:
    3,585
    Occupation:
    This
    Location:
    (215)The Hood(215)
    @alwaysinvisible that's what I am going to have to do. It's a virtual server, so it's no big issue. My main concern was my Dropbox account. I wasn't sure if there was a way for them to infect those files and then infect all of my other servers.

    Here is the message that was left when I logged into the server...


     
    • Thanks Thanks x 2
  12. elavmunretea

    elavmunretea BANNED BANNED

    Joined:
    May 14, 2016
    Messages:
    1,579
    Likes Received:
    2,090
    Holy shit they've taken nearly 8 Bitcoins with this!

    https://blockchain.info/address/1HrEqMHQVWhKuCg7a3rxo2tAFAiKquJ5iP
     
    • Thanks Thanks x 2
  13. dolomite310

    dolomite310 Junior Member

    Joined:
    Aug 9, 2015
    Messages:
    169
    Likes Received:
    40
    Just as some have mentioned here, hopefully you keep solid backups. I've found it to be nothing short of a pain in the ass when trying to clean a server with something that is meant to spread, adding to the cost of both your time and money. Good luck. Hopefully you have a baseline clone of your server and/or a BDC that you can switch to.
     
  14. gman777

    gman777 Jr. VIP Jr. VIP

    Joined:
    Apr 7, 2016
    Messages:
    641
    Likes Received:
    487
    • Thanks Thanks x 2
  15. Fragmaster

    Fragmaster Jr. VIP Jr. VIP

    Joined:
    Apr 3, 2016
    Messages:
    678
    Likes Received:
    991
    Gender:
    Male
    Actually it's not new, you are just experiencing enlightenment.
     
    • Thanks Thanks x 1
  16. elavmunretea

    elavmunretea BANNED BANNED

    Joined:
    May 14, 2016
    Messages:
    1,579
    Likes Received:
    2,090
    Personally I'd never go anywhere near this. Ransomware is literally the shittest thing one can do, but boy are they making some serious green.

    @tymillz If you are concerned about the Dropbox files I wouldn't worry too much, as I doubt the virus would be that advanced, but to be on the safe side you could always download the files and put them onto a VM or fresh VPS and see what they do. Also, try changing the pw for Dropbox and log out from everywhere for a while.
     
    • Thanks Thanks x 3
    Last edited: Dec 27, 2016
  17. nimdekvan

    nimdekvan Junior Member

    Joined:
    Jun 3, 2015
    Messages:
    184
    Likes Received:
    49
    Wait, if I were you I would unplug the LAN of all the computers that have Dropbox (before starting that machine), just to be on the safe side.
     
    • Thanks Thanks x 1
  18. redarrow

    redarrow Elite Member

    Joined:
    Apr 1, 2013
    Messages:
    4,286
    Likes Received:
    979
    You can only get rid of it via reinstalling the OS...

    Next time make a backup of everything you've got, including the OS.

    Ransom software locks passwords, even DLL files, and they can only be opened with the key code...

    It's impossible to break all the codes from the OS.

    Sorry, it's a new OS.

    Remember this ransom also goes to other hard drives connected to your computer...

    You can try to restore the computer from a restore point, but I am sure it won't work...

    This is usually from free programs you have downloaded, or a website you really shouldn't have visited.
     
  19. Nut-Nights

    Nut-Nights Jr. VIP Jr. VIP

    Joined:
    Jun 20, 2013
    Messages:
    5,020
    Likes Received:
    3,202
    Location:
    Hell
    I think there is no way to recover files without paying for the key. It's easy to remove the virus by using antivirus, but the main issue is the infected files. Try the deep web, maybe you will find a solution with less $$.
     
    • Thanks Thanks x 1
  20. tymillz

    tymillz Super Moderator Staff Member Moderator Jr. VIP

    Joined:
    Jan 15, 2009
    Messages:
    1,158
    Likes Received:
    3,585
    Occupation:
    This
    Location:
    (215)The Hood(215)
    Working on something now. I'll let you guys know how it turns out. Worst case scenario I'll just wipe the server. The good thing is that it's one of my virtuals and not any of my actual hard drives.
     
    • Thanks Thanks x 1