JesseK

Member

  1. In case anyone is wondering, still no updates from me. Saw that a hacker hacked someone who was giving out ransomware and thought I'd check on .cesar's status. No luck.
  2. From what I read, most have you contact multiple email addresses.
  3. Small victory: I got the domain suspended that they used for the email address in their ransom note. Not sure if it will stick or not, but happy to know I can interrupt their scams at least a little.
  4. Essentially, yes. The encryption ruined my boot information when trying to go into safe mode. So I never did see a ransom message at all. If you slave it, no autoruns will launch the virus, so it's pretty safe. If you do this, try to quarantine or save all the files that are detected. They might come in handy to someone who can help.
  5. They only got to my NAS because my drives were mounted to my workstation. To the Trojan/virus they were local drives, and it attacked them. It didn't care that they were running on a Linux box. This was my main home computer, which is (was) on 24/7.
  6. Removing the infection isn't the issue. For me, I slaved the drive to my laptop and scanned. Found about 6 traces of it. Copied one of the exe files, since they apparently are helpful. Another thing I noticed is they used my run command line to launch cmd. So I'm 100% certain it was an RDP attack. They were in my email and even deleted order confirmations, then emptied the deleted items so I couldn't see everything they tried. The previous version had the keys posted by a random who I don't think was tied to any group, hacker or other. So those infected got lucky. I'll definitely update this thread if I make any progress.
  7. California. My guess is they just do a port scan for an open 3389 on a range of IPs and then brute force it. Chances are they already knew I had 3389, and when I made my password easy it just let them in. It took from Saturday to a Tuesday for them to get in once I changed my password. I'm on vacation, so I haven't looked into any solutions since the first couple of days. Once I found out it was showing up in the wild in August, I figured it was going to be a while before the solution came out, if at all. It'd be wise to make backups before testing decryption tools on your files. Or at least try on files you know aren't important and can stand to lose. I've read of decryption attempts potentially ruining files.
  8. As GT500 said, he doesn't really think this iteration will be cracked. The original version had its keys made public, which is how the decryptor was made. This version was modified to have different encryption keys, which may never be released. I presume if someone were to pay for the ransomware decryption, the instructions on how to decrypt might be useful. But who knows if paying will actually get you what you're trying to buy. Obviously these people are shady.
  9. I ran a domain whois on the email address domain for the culprit I found. I then sent a notification to the owner of the domain as well as the hosting company who owns the domain. Not that it will help, but you may consider doing the same. As for the decryption programs, none currently will decrypt Cesar. I sent the Trojan exe and a few encrypted files to Kaspersky in hopes they can figure it out. I'm not holding my breath. My current approach is to ignore the damage and wait and see. It sucks, but I'd rather my data be encrypted than them have it. They might have copied some, but hopefully not. You probably want to check your PayPal, Amazon, and Visa Checkout accounts to make sure no fraudulent purchases were made. They connected to me via RDP as well and all of my passwords were saved, so they were able to make certain purchases.
  10. Then you don't have much wiggle room for recovery. As for what else to try, I really don't know. Unless you back up your NAS to archive drives, you're pretty much in my boat.
  11. The recovery software would really only be successful if your storage array was 50% or less full. When the files are encrypted, they are overwriting free space. After encrypting, they delete the non-encrypted files. So, if you're like me, and have less than 20% free space, your likelihood of recovering it with file recovery software is very low. That's why I'm not likely to bother going that route. Either I wait and hope for decryption, or consider it all lost. Thankfully my wedding photos aren't on that NAS yet. Good luck!
  12. Well, that's fun. To confirm, this can only run on Windows, right? Aside from the encryption, is there any reason I should be concerned with my NAS? (Synology)
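Posts 7 and 9 above describe the intrusion path: an exposed RDP port (3389) found by scanning, then days of password guessing until a weak password let the attacker in. The script below is an added example, not code from this thread or from the poster; it shows the detection a practitioner would run over the Windows Security log to spot exactly that pattern. It works on a constructed, hypothetical sample of 4625 (failed logon) and 4624 (successful logon) events with LogonType 10 (RemoteInteractive, i.e. RDP), flags a source IP that crosses a failure threshold inside a sliding window, and, more importantly, flags a successful RDP logon from a source that was just brute-forcing. The field names, IPs, usernames and timestamps are all invented for the example.

```python
"""RDP brute-force detection over Windows Security log events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (hypothetical; not real logs from the thread).
# Fields mirror what 4625/4624 events carry: LogonType 10 == RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    # Burst 1: five guesses in a few seconds from one source, all failing.
    {"time": "2017-09-02T22:10:01", "id": 4625, "logon_type": 10, "user": "Administrator", "src": "198.51.100.23"},
    {"time": "2017-09-02T22:10:03", "id": 4625, "logon_type": 10, "user": "admin", "src": "198.51.100.23"},
    {"time": "2017-09-02T22:10:04", "id": 4625, "logon_type": 10, "user": "Administrator", "src": "198.51.100.23"},
    {"time": "2017-09-02T22:10:06", "id": 4625, "logon_type": 10, "user": "jesse", "src": "198.51.100.23"},
    {"time": "2017-09-02T22:10:09", "id": 4625, "logon_type": 10, "user": "jesse", "src": "198.51.100.23"},
    # A legitimate user mistyping once: must not be flagged.
    {"time": "2017-09-02T22:30:00", "id": 4625, "logon_type": 10, "user": "jesse", "src": "203.0.113.9"},
    # Burst 2, days later: five failures then a success from the same source.
    {"time": "2017-09-05T03:41:17", "id": 4625, "logon_type": 10, "user": "jesse", "src": "198.51.100.23"},
    {"time": "2017-09-05T03:41:18", "id": 4625, "logon_type": 10, "user": "jesse", "src": "198.51.100.23"},
    {"time": "2017-09-05T03:41:18", "id": 4625, "logon_type": 10, "user": "jesse", "src": "198.51.100.23"},
    {"time": "2017-09-05T03:41:19", "id": 4625, "logon_type": 10, "user": "jesse", "src": "198.51.100.23"},
    {"time": "2017-09-05T03:41:20", "id": 4625, "logon_type": 10, "user": "jesse", "src": "198.51.100.23"},
    {"time": "2017-09-05T03:41:21", "id": 4624, "logon_type": 10, "user": "jesse", "src": "198.51.100.23"},
    # Normal successful logon from the legitimate user's address.
    {"time": "2017-09-05T08:00:00", "id": 4624, "logon_type": 10, "user": "jesse", "src": "203.0.113.9"},
]


def _ts(text):
    """Parse the ISO-like timestamp used in the sample events."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def analyze_rdp_logons(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window brute-force detection restricted to RDP (LogonType 10).

    Returns {src_ip: {"failures": total 4625s,
                      "bursts": times the failure count within `window` reached `threshold`,
                      "success_after_bruteforce": [(datetime, user), ...]}}
    The last list is the high-signal finding: a 4624 that arrives while the
    source still has `threshold` or more failures inside the window.
    """
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    report = {}
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        if ev["logon_type"] != 10:
            continue  # only RDP sessions are of interest here
        src, t = ev["src"], _ts(ev["time"])
        q = recent[src]
        while q and t - q[0] > window:  # expire failures older than the window
            q.popleft()
        entry = report.setdefault(
            src, {"failures": 0, "bursts": 0, "success_after_bruteforce": []})
        if ev["id"] == 4625:
            q.append(t)
            entry["failures"] += 1
            if len(q) == threshold:  # count each burst once, when it first crosses
                entry["bursts"] += 1
        elif ev["id"] == 4624 and len(q) >= threshold:
            entry["success_after_bruteforce"].append((t, ev["user"]))
    return report


def flagged_sources(report):
    """Sources that achieved a successful RDP logon right after a burst of failures."""
    return sorted(src for src, e in report.items() if e["success_after_bruteforce"])


if __name__ == "__main__":
    result = analyze_rdp_logons(SAMPLE_EVENTS)
    for src, e in result.items():
        print(f"{src}: {e['failures']} failures, {e['bursts']} burst(s)")
        for when, user in e["success_after_bruteforce"]:
            print(f"  !! success as {user!r} at {when} after brute force")
    print("flagged:", flagged_sources(result))
```

On a real host the events come from `Get-WinEvent -LogName Security` (or a SIEM export) rather than a list literal; the logic is the same. The threshold and window are deliberately loose so a single mistyped password is not flagged, while a guessing tool that runs thousands of attempts over days shows up as repeated bursts and, if it wins, as a success event tied to those bursts. A source that appears in `flagged_sources` is the account and address to investigate first, and the logon time is the starting point for the timeline of everything that happened afterwards.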