lordgarthsliver

It says Amnesia on the screen background, but...


It says Amnesia on the screen background. But the encrypted files have a [email protected] extension. The ID Ransomware site IDs it as Amnesia and AVCrypt. I noticed my AVG protection was down at the time of the attack. I tried your Amnesia and Amnesia2 decrypters without any success. I have purchased and loaded Emsisoft Anti-Malware and have a copy of Hitman and AVG virus scanning running. There are some files I really need to get off this computer. Is there any help?

 

LordG

I am also a bit baffled as to how I got attacked. I generally don't use the machine for email or much downloading. I do have my emails squirreled away somewhere; is there a way to get them checked for the ransomware?


It may have been a variant of Scarab that uses the Amnesia name. Usually Amnesia and Scarab are installed by an attacker who compromises the computer via RDP (Remote Desktop) or some other form of remote access. It's also possible that you were hit by more than one ransomware, which can happen if two different attackers manage to brute force your RDP password around the same time.

You can attach copies of the ransom note and encrypted files to a reply if you would like us to take a look at them for you and try to more accurately ID the ransomware.

Just in case it was an RDP compromise that led to the infection of the system, I'll leave some information below about how to get started securing RDP.

First I recommend temporarily disabling all port rules in your firewall (closing all open ports) until you can do a full audit of your firewall configuration and determine which ports need to remain open. There are some basic recommendations below to help get you started with the port audit.

If you are managing a company network, then some form of IPS/IDS is highly recommended to monitor the network for intrusions. If you already have such a system in place, then I recommend a full audit of any rules you have configured to make sure that the device is providing adequate monitoring. It is also recommended to have someone with penetration testing experience verify that the IPS/IDS is properly alerting when there are intrusion attempts.

Also, quickly change all passwords on any workstations and/or servers that are connected to the same network as the compromised system. Also be sure to change passwords on any online accounts, as well as any routers or switches (or other devices that have network-accessible administration functions).

I recommend that every account have a different password, that passwords be no shorter than 25 characters and be made up of a random combination of uppercase letters, lowercase letters, numbers, and symbols. Obviously passwords like that are difficult (if not impossible) to remember, so a password manager may be required in order to aid in managing passwords. KeePass is probably the simplest password manager, and stores password databases locally instead of on some "cloud" server. If something capable of automatically filling in passwords (or sharing passwords between multiple devices/users) is necessary then there are reasonable password managers from LastPass, bitwarden, 1Password, Dashlane, etc. Note that unlike KeePass, these password managers work as extensions added to web browsers (or apps on mobile phones), and they store password databases online.

When auditing your firewall configuration and preparing to reopen ports, I recommend never opening ports globally unless absolutely necessary. I also recommend requiring anyone who needs access to sensitive services (RDP, Windows Networking, etc) to connect to the network via a VPN so that you don't have to open ports for those services in the firewall, and then only open the VPN port in the firewall for IP addresses that need access to it. If someone who needs access has a dynamic IP, then many firewalls these days support something like Single Packet Authorization or Port Knocking to dynamically open ports for unknown IP addresses.
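As an added example (not part of the original reply, and not Emsisoft code), here is the kind of check behind the port audit recommended above: a small Python script that takes a firewall's port-forward or allow rules and flags remote-access services (RDP, VNC, SMB, SSH, WinRM, Telnet) reachable from any source address, and VPN ports that are open to the whole Internet instead of an allowlist. The rule table, the port-to-service mapping and the severity labels are constructed for illustration; a real router or firewall export would need its own parser feeding `Rule` objects into `audit()`.

```python
"""Flag firewall rules that expose remote-access services to the Internet.

The rule table below is constructed for this example and stands in for whatever
your router or firewall exports; only the audit logic is the point.
"""
import ipaddress
from dataclasses import dataclass

# Services that should never be reachable from arbitrary source addresses:
# attackers brute-force or exploit them directly. Keyed by (protocol, port).
NEVER_GLOBAL = {
    ("tcp", 3389): "RDP",
    ("tcp", 22): "SSH",
    ("tcp", 23): "Telnet",
    ("tcp", 139): "NetBIOS/SMB",
    ("tcp", 445): "SMB",
    ("tcp", 5985): "WinRM",
    ("tcp", 5986): "WinRM",
}
VNC_PORTS = range(5900, 6000)   # VNC displays :0 .. :99

# VPN endpoints are the intended way in, but should still be limited to known clients.
VPN = {
    ("udp", 500): "IPsec IKE",
    ("udp", 4500): "IPsec NAT-T",
    ("udp", 1194): "OpenVPN",
    ("udp", 51820): "WireGuard",
}

MAX_ALLOWLIST = 256   # an allowlist wider than a /24 is treated as not really an allowlist


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str    # "tcp" or "udp"
    port: int     # externally reachable port
    source: str   # source CIDR the rule permits


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    message: str


def service_for(rule):
    """Return (service name, kind) for ports we care about, else (None, None)."""
    key = (rule.proto.lower(), rule.port)
    if key in NEVER_GLOBAL:
        return NEVER_GLOBAL[key], "remote-access"
    if rule.proto.lower() == "tcp" and rule.port in VNC_PORTS:
        return "VNC", "remote-access"
    if key in VPN:
        return VPN[key], "vpn"
    return None, None


def audit(rules):
    findings = []
    for r in rules:
        service, kind = service_for(r)
        if service is None:
            continue
        net = ipaddress.ip_network(r.source, strict=False)   # handles IPv4 and IPv6
        is_global = net.prefixlen == 0                       # 0.0.0.0/0 or ::/0
        if kind == "remote-access":
            if is_global:
                findings.append(Finding(r.name, "HIGH",
                    f"{service} on {r.port}/{r.proto} is open to the whole Internet; "
                    "close it and reach it over a VPN or SSH tunnel"))
            elif net.num_addresses > MAX_ALLOWLIST:
                findings.append(Finding(r.name, "MEDIUM",
                    f"{service} on {r.port}/{r.proto} is allowed from {r.source} "
                    f"({net.num_addresses} addresses); narrow the allowlist"))
        elif kind == "vpn" and is_global:
            findings.append(Finding(r.name, "MEDIUM",
                f"{service} on {r.port}/{r.proto} accepts any source; restrict it to known "
                "client IPs, or use port knocking / SPA for clients with dynamic addresses"))
    return findings


# Constructed sample export using TEST-NET addresses, not taken from any real device.
SAMPLE_RULES = [
    Rule("rdp-any", "tcp", 3389, "0.0.0.0/0"),
    Rule("vnc-display1", "tcp", 5901, "0.0.0.0/0"),
    Rule("wireguard-any", "udp", 51820, "0.0.0.0/0"),
    Rule("openvpn-office", "udp", 1194, "203.0.113.10/32"),
    Rule("ssh-isp-block", "tcp", 22, "198.51.100.0/22"),
    Rule("https", "tcp", 443, "0.0.0.0/0"),
    Rule("rdp-v6-any", "tcp", 3389, "::/0"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"[{f.severity}] {f.rule}: {f.message}")
```

On the sample table the script reports the globally open RDP (both IPv4 and IPv6), VNC and WireGuard rules and the over-wide SSH allowlist, and stays quiet about HTTPS and the VPN rule pinned to a single office address. IPv6 rules are checked with the same logic, since an IPv4-only audit tends to miss a `::/0` forward.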


 

Arthur, thank you for your response.

It looks like a version of TigerVNC server was running. Ports have been shut down on the router and firewall. Attached are a sample file and one of the many Recover files.TXT.

This is a small network here, 3-4 machines. The only machine affected was the one that had a VNC server running on it. Will work on implementing a VPN. In the meantime there are files we need to try and recover.

The security measures are all being audited after this incident.

Attachments:
[email protected]
HOW TO RECOVER ENCRYPTED FILES.TXT
[email protected]om


I've asked our malware analysts if this is Scarab. There have been something like half a dozen new variants of Scarab in the past week, so that's a distinct possibility. None of the ones that have been reported on use the same e-mail address that was appended to the names of your encrypted files; however, there were two that did append different e-mail addresses to the file names. The MO can vary a bit with different variants of Scarab, which may be an attempt to make identifying it more difficult; however, in this case the evidence seems to point to Scarab.


Our malware analysts are pretty certain it's Scarab from the ransom note and the encrypted files.


It seems most likely from what I have researched so far. Bleeping Computer forum people seem to think the same.

If you guys want me to upload more files/data let me know. This really pisses me off, so any help I can be


What we'd need to look at is the malicious program that encrypted your files to be able to learn anything more. Keep in mind that the odds are we wouldn't be able to break the encryption even if we could look at it, as Scarab uses different public/private keys for every computer it infects, and it uses a secure form of encryption.


It almost certainly deleted itself when it was done encrypting files (most ransomware does this to make analysis more difficult). We can try getting a log from FRST and see if it gives us any clues, however note that the odds of finding it (if you don't know where it came from) will be fairly low. Here's a link to instructions and downloads for FRST:
https://helpdesk.emsisoft.com/en-us/article/274-running-a-scan-with-frst


I don't see anything that looks like the ransomware in the log.

Did this issue start on the 16th/17th of June?


Yes, around then, not completely sure. The machine was on for a few days, possibly weeks. It was running a VNC server (Tiger, I think), which is how I think they got in. I just happened by and noticed the Amnesia splash screen. From what I can discern I believe it is a Scarab variant that deletes itself after doing its work. The drives with all their encrypted files have been saved off to an external drive. I plan on rebuilding it at this point, maybe as a Linux machine instead. We have been using it as a Resilio Sync server (perhaps another hole), a streaming video/audio server and a couple of other small-business-related things. There is probably about a month or so worth of data that has been lost at this point. I have posted on BleepingComputer.com as well and do not feel optimistic about recovery. Nonetheless, if a decrypt solution presents itself we'll try it. I'm still pissed at whoever did this.


VNC could certainly be the way they got in. I recommend always keeping the port for VNC closed, and tunnel your VNC connection over SSH (most SSH clients have a "port forwarding" feature). I also recommend only opening/forwarding the SSH port for the IP addresses that need access to it, that way unauthorized people/scripts can't sit there and try to brute force it. If you can't know the IP address that will need access (dynamic IP addresses or whatever) then something like Port Knocking or Single Packet Authorization can dynamically open ports for authorized devices.

As for recovery, there is one thing I haven't mentioned yet (although you may have seen it in other topics here), but I'd estimate the chances of it working at less than 5%. Here's the info if you want to try it, but it requires that you haven't yet reinstalled Windows or made any real changes to the system:

Most ransomware usually deletes Volume Shadow Copies, so as I'm sure you've already noticed ShadowExplorer will usually find nothing. Even if the Volume Shadow Copies were not deleted, the odds of finding backup copies of files in them is pretty slim, since Windows would normally only leave backup copies of files in the Volume Shadow Copies if you were using Microsoft's own backup software for data backups (although sometimes the System Restore will save copies of files in the Volume Shadow Copies).

In cases where the Volume Shadow Copies are deleted, then note that ransomware doesn't generally delete them securely, so it might be possible to use a file undelete utility to undelete the old Volume Shadow Copies, and then use ShadowExplorer to recover files, however this isn't necessarily straightforward to do (the computer will need to be running from a bootable disk to have write access to the "System Volume Information" folder, or the hard drive will need to be connected to another computer), and even if you can recover the old Volume Shadow Copies, as mentioned above the odds of there being backup copies of important files in them are low to begin with.

Here's a link to a list of file recovery tools at Wikipedia:
https://en.wikipedia.org/wiki/List_of_data_recovery_software#File_Recovery
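The Single Packet Authorization idea mentioned in this reply and in the earlier one about firewall ports, as an added illustration that is not part of the original thread and is not the fwknop protocol or any product's implementation: a client behind a dynamic IP sends one HMAC-authenticated packet naming its own source address, the port it wants and a fresh nonce; the gateway accepts it only if the MAC verifies, the timestamp is within a short window, the source address matches where the packet actually arrived from, and the nonce has not been seen before. Only then would it open that port for that one address. The shared key, the 30-second window, the JSON packet layout and the constructed addresses are all assumptions made for this example.

```python
"""Toy single-packet-authorization (SPA) check, written for this thread as an
illustration of the idea. Not fwknop, and not a replacement for it."""
import hashlib
import hmac
import json
import os
import time

# Constructed shared secret for the example. A real deployment would provision a
# separate key per authorized device and never embed it in source.
SHARED_KEY = bytes.fromhex(
    "4f9d7e1c3a8b2d6e5f0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60")
WINDOW_SECONDS = 30   # reject packets whose timestamp is further than this from now
OPEN_SECONDS = 60     # how long the firewall hole stays open once authorized


def build_packet(key, src_ip, port, ts=None, nonce=None):
    """Client side: one authenticated UDP payload asking that `port` be opened for `src_ip`."""
    msg = {
        "ts": int(ts if ts is not None else time.time()),
        "src": src_ip,
        "port": port,
        "nonce": (nonce if nonce is not None else os.urandom(12)).hex(),
    }
    body = json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"." + tag.encode()


class SpaVerifier:
    """Gateway side: decides whether a packet may open a port, remembering nonces to stop replays."""

    def __init__(self, key, window=WINDOW_SECONDS, now=time.time):
        self.key = key
        self.window = window
        self.now = now     # injectable clock so the window/replay logic can be tested
        self.seen = {}     # nonce -> time after which it can be forgotten

    def verify(self, packet, observed_src_ip):
        now = self.now()
        # Forget nonces older than the window; a packet that old is rejected as stale anyway.
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}

        body, sep, tag = packet.rpartition(b".")   # hex tag has no '.', body may (IP addresses)
        if not sep:
            return False, "malformed"
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return False, "bad mac"
        try:
            msg = json.loads(body)
            ts, src, port, nonce = int(msg["ts"]), msg["src"], int(msg["port"]), msg["nonce"]
        except (ValueError, KeyError, TypeError):
            return False, "malformed"
        if abs(now - ts) > self.window:
            return False, "stale"
        # The packet must name the address it was actually sent from, so a captured
        # packet cannot be reused from another network even inside the time window.
        if src != observed_src_ip:
            return False, "source mismatch"
        if nonce in self.seen:
            return False, "replay"
        self.seen[nonce] = now + self.window
        # Here a real gateway would add a time-limited allow rule for (src, port).
        return True, f"open {port}/tcp for {src} for {OPEN_SECONDS}s"


if __name__ == "__main__":
    verifier = SpaVerifier(SHARED_KEY)
    pkt = build_packet(SHARED_KEY, "203.0.113.7", 3389)
    print(verifier.verify(pkt, "203.0.113.7"))   # accepted
    print(verifier.verify(pkt, "203.0.113.7"))   # same packet again: replay
    print(verifier.verify(pkt, "198.51.100.9"))  # captured and sent from elsewhere
```

The order of checks matters: the MAC is verified before the body is parsed, so unauthenticated input never reaches the JSON parser, and the replay cache only ever holds nonces from authenticated, in-window packets, which bounds its size. What the paragraph above calls "dynamically open ports for authorized devices" is the accept branch; everything else is the set of ways an observer on the path should fail.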

