I was the victim of an RDP Scarab trojan early this morning that has encrypted all the files on my hard drives and NAS with the ".sfs" file suffix.
I have run Malwarebytes, which cleaned up a few files and a few registry changes, and a complete scan with NOD32 has also cleaned a few things up.
I first noticed the issue when my computer was logged out this morning, as it is never logged out. I had to use a USB boot tool to change my password, as it had been changed, and while doing this I noticed a new user account called "localadmin". I changed the password on that account and also disabled it, just in case. When I finally managed to log in, I noticed that the following pieces of software had been uninstalled:
Also, my firewall had been disabled and the OneDrive client had been installed. I fixed those issues and then restarted as requested by Malwarebytes. Once logged back in, my torrent client auto-started and advised me that essentially every torrent had missing files, so I checked the locations and noticed that all my media (movies, anime, etc.) had ".sfs" added to the file names. That's when I noticed the "HOW TO RECOVER ENCRYPTED FILES.TXT" in one of the folders; the following is what's in the document:
" HOW TO RECOVER ENCRYPTED FILES
Hello, my friend!
All your files have been encrypted.
>>> Your personal ID: >>>
If you want to recovery your files, send us e-mail with your personal ID and 1-2 test files (image or text,
non archived, total size of files must be less than 10Mb).
>>> Contacts: >>>
Use please both e-mail addresses.
If your mail server doesn't send e-mail to our contacts, we recommended you to create
an e-mail on Protonmail.com (https://protonmail.com).
>>> ATTENTION! >>>
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price
(they add their fee to our) or you can become a victim of a scam."
I have read a few topics on the forums, which led me to check the ransom ID site to confirm that I had been infected with Scarab. I have also submitted a ticket with ESET to see if their decryption tool can help out.
I also noticed that they created two new partitions on my main drive (please see screenshots), with one having a WinRE image contained within.
So initially I would like to know if there are tools out there to check that I am clean, and what changes I can make to the firewall/registry/etc. to prevent this from happening again, so that I can apply them to my other computers.
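An added example, not part of the original post, of a read-only PowerShell audit that collects the same indicators the post describes on a Windows host: unexpected local accounts (such as the "localadmin" account mentioned above) and their Administrators membership, firewall profile state, whether Remote Desktop is enabled and requires Network Level Authentication, recent RDP logons and account creations in the Security log, the partition layout, and a count of ".sfs" files and "HOW TO RECOVER ENCRYPTED FILES.TXT" notes. The extension and note name come from the post; the list of known accounts and the drives to scan are assumptions to adjust. It assumes Windows PowerShell 5.1 or later run as Administrator.

```powershell
# Added example (not the original poster's script): read-only audit of the
# indicators described in the post. Assumes PowerShell 5.1+ run as Administrator.
$KnownAccounts = @('Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount')  # assumption: edit for your machine
$ScanRoots     = @('C:\', 'D:\')                                                     # assumption: local drives / mapped NAS shares to scan
$NoteName      = 'HOW TO RECOVER ENCRYPTED FILES.TXT'                                # ransom note name from the post
$Since         = (Get-Date).AddDays(-7)                                              # assumption: look back one week

# 1. Local accounts that are not on the known list, and whether they are local admins
Write-Host "== Unexpected local accounts =="
$admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
Get-LocalUser | Where-Object { $KnownAccounts -notcontains $_.Name } | ForEach-Object {
    [pscustomobject]@{
        Name            = $_.Name
        Enabled         = $_.Enabled
        PasswordLastSet = $_.PasswordLastSet
        LastLogon       = $_.LastLogon
        IsAdmin         = ($admins -contains "$env:COMPUTERNAME\$($_.Name)")
    }
} | Format-Table -AutoSize

# 2. Firewall profiles (the post says the firewall had been switched off)
Write-Host "== Firewall profiles =="
Get-NetFirewallProfile | Select-Object Name, Enabled | Format-Table -AutoSize

# 3. Remote Desktop state: enabled at all, and whether NLA is required
Write-Host "== Remote Desktop =="
$ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$nla = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
[pscustomobject]@{
    RdpEnabled  = ($ts.fDenyTSConnections -eq 0)
    NlaRequired = ($nla.UserAuthentication -eq 1)
} | Format-List

# 4. Successful interactive RDP logons (event 4624, logon type 10) and new accounts (event 4720)
#    4624 property indices: 5 = TargetUserName, 8 = LogonType, 18 = IpAddress; 4720: 0 = new account name
Write-Host "== RDP logons since $Since =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -eq 10 } |
    ForEach-Object {
        [pscustomobject]@{
            Time     = $_.TimeCreated
            User     = $_.Properties[5].Value
            SourceIP = $_.Properties[18].Value
        }
    } | Format-Table -AutoSize

Write-Host "== Local accounts created since $Since =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $Since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ Name = 'NewAccount'; Expression = { $_.Properties[0].Value } } |
    Format-Table -AutoSize

# 5. Partition layout (the post mentions two unexpected partitions, one with a WinRE image)
Write-Host "== Partitions =="
Get-Partition | Select-Object DiskNumber, PartitionNumber, Type, Size, DriveLetter | Format-Table -AutoSize

# 6. Footprint of the encryption: count .sfs files and ransom notes per scan root
Write-Host "== Encrypted files and ransom notes =="
foreach ($root in $ScanRoots) {
    $sfs   = @(Get-ChildItem -Path $root -Recurse -File -Filter '*.sfs' -ErrorAction SilentlyContinue)
    $notes = @(Get-ChildItem -Path $root -Recurse -File -Filter $NoteName -ErrorAction SilentlyContinue)
    [pscustomobject]@{ Root = $root; EncryptedFiles = $sfs.Count; RansomNotes = $notes.Count }
} | Format-Table -AutoSize

# Hardening steps for the firewall/RDP findings above, left commented so the audit stays read-only.
# Run them deliberately once you have decided the host no longer needs inbound Remote Desktop:
#   Set-NetFirewallProfile -All -Enabled True
#   Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 1
#   Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication -Value 1
```

Save the script and run it from an elevated PowerShell prompt on each machine; the output is a snapshot you can compare between the infected host and the other computers. The logon and account-creation sections depend on the Security log still holding events from the time of the intrusion, so check them before the log rolls over, and treat an unexpected account that shows `IsAdmin` as true, an RDP logon from an address you do not recognise, or `NlaRequired` false on an internet-reachable host as the findings to act on first.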