Marco1234

.wq2k possible B2DR ransomware

It looks like you've already made your way to the BleepingComputer forums, and probably already know this may be a variant of B2DR:
https://id-ransomware.malwarehunterteam.com/identify.php?case=289216f8106d3d987a1effa66781382c6cf7fab4
https://www.bleepingcomputer.com/forums/t/674161/b2dr-ransomware-help-topic-b2dr-b4wq-b2fr-sg1e/page-2#entry4652353

As far as I know analysts and researchers have yet to find a copy of this particular ransomware to analyze its encryption method for flaws, so we don't yet know if it is possible to decrypt the files.

If you have any idea where it might have come from, then let us know. If we can get a copy of it then we'd be able to determine if it was decryptable.


BTW: If you did pay them and received a tool to decrypt your files, then let us know. Analyzing the decryption tool isn't as good as analyzing the ransomware itself; however, it can still tell us things about the encryption format they used.


Yes, I made a topic in the BC forums as well. I didn't catch the ransomware itself. I have decrypted files and original files, but I think this will not help much. One of the possibilities is that it came through one very old remote desktop connection, which had a weak password. But I cannot tell you the origin of the ransomware itself.

Share on other sites
13 hours ago, Marco1234 said:

One of the possibilities is that it came through one very old remote desktop connection, which had a weak password.

That's entirely possible, especially if this is a corporate computer that this happened to.


It probably just took that long for someone to run a port scan on that IP address, find the open RDP port, and brute force the password. Such things have only become a major issue in the last couple of years, and while it was theoretically possible for it to have happened before that, you didn't have a large number of people with malicious intent running port scans on IP ranges looking for open ports in order to gain access to systems and install ransomware.

In case it helps, here's some basic advice for getting started dealing with RDP compromise:

First I recommend temporarily disabling all port rules in your firewall (closing all open ports) until you can do a full audit of your firewall configuration and determine which ports need to remain open. There are some basic recommendations below to help get you started with the port audit.

If you are managing a company network, then some form of IPS/IDS is highly recommended to monitor the network for intrusions. If you already have such a system in place, then I recommend a full audit of any rules you have configured to make sure that the device is providing adequate monitoring. It is also recommended to have someone with penetration testing experience verify that the IPS/IDS is properly alerting when there are intrusion attempts.

Also, quickly change all passwords on any workstations and/or servers that are connected to the same network as the compromised system. Also be sure to change passwords on any online accounts, as well as any routers or switches (or other devices that have network-accessible administration functions).

I recommend that every account have a different password, that passwords be no shorter than 25 characters, and that they be made up of a random combination of uppercase letters, lowercase letters, numbers, and symbols. Obviously passwords like that are difficult (if not impossible) to remember, so a password manager may be required in order to aid in managing passwords. KeePass is probably the simplest password manager, and stores password databases locally instead of on some "cloud" server. If something capable of automatically filling in passwords (or sharing passwords between multiple devices/users) is necessary, then there are reasonable password managers from LastPass, Bitwarden, 1Password, Dashlane, etc. Note that unlike KeePass, these password managers work as extensions added to web browsers (or apps on mobile phones), and they store password databases online.

When auditing your firewall configuration and preparing to reopen ports, I recommend never opening ports globally unless absolutely necessary. I also recommend requiring anyone who needs access to sensitive services (RDP, Windows Networking, etc.) to connect to the network via a VPN so that you don't have to open ports for those services in the firewall, and then only opening the VPN port in the firewall for IP addresses that need access to it. If someone who needs access has a dynamic IP, then many firewalls these days support something like Single Packet Authorization or Port Knocking to dynamically open ports for unknown IP addresses.
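The port-audit steps in the post above (close everything first, then reopen only what is needed, never expose RDP or Windows Networking directly, and restrict the VPN port to known source addresses) can be turned into a mechanical check. The script below is an added example written for this thread, not code from the poster or from any firewall vendor. It assumes a simplified rule model (name, protocol, port, source CIDR, action) that you would have to populate from your own firewall's export, and the rule set it runs on is constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, replace

# Services that should never be reachable directly from the internet; the
# recommendation in the post is to put them behind a VPN instead.
SENSITIVE_PORTS = {3389: "RDP", 445: "SMB", 139: "NetBIOS", 5900: "VNC", 22: "SSH"}

# Common VPN listener ports. Opening these is acceptable, but the source
# should be limited to the IP addresses that actually need access.
VPN_PORTS = {1194: "OpenVPN", 500: "IKE", 4500: "IPsec NAT-T", 51820: "WireGuard"}


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str    # "tcp", "udp" or "any"
    port: int     # 0 means "all ports"
    source: str   # CIDR such as "0.0.0.0/0" or "203.0.113.0/24"
    action: str   # "allow" or "deny"


def is_global(source: str) -> bool:
    """True when the source network matches every address (IPv4 or IPv6)."""
    return ipaddress.ip_network(source, strict=False).prefixlen == 0


def lockdown(rules):
    """Step 1 of the post: temporarily deny every inbound port rule until the
    audit is complete. Returns a new rule list; the originals are untouched."""
    return [replace(r, action="deny") for r in rules]


def audit(rules):
    """Step 2 of the post: review each allow rule and report what must change
    before it is re-enabled. Returns (severity, rule name, recommendation)."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.port == 0 and is_global(r.source):
            findings.append(("CRITICAL", r.name,
                             "all ports open to the internet; remove this rule"))
        elif r.port in SENSITIVE_PORTS and is_global(r.source):
            findings.append(("CRITICAL", r.name,
                             f"{SENSITIVE_PORTS[r.port]} exposed to the whole internet; "
                             "close it and require VPN access instead"))
        elif r.port in SENSITIVE_PORTS:
            findings.append(("HIGH", r.name,
                             f"{SENSITIVE_PORTS[r.port]} reachable directly from {r.source}; "
                             "move it behind the VPN"))
        elif r.port in VPN_PORTS and is_global(r.source):
            findings.append(("MEDIUM", r.name,
                             f"{VPN_PORTS[r.port]} open globally; restrict the source to known "
                             "client IPs, or use SPA/port knocking for dynamic addresses"))
    return findings


# Constructed sample rule set (not from any real firewall).
SAMPLE_RULES = [
    Rule("Remote desktop for the boss", "tcp", 3389, "0.0.0.0/0", "allow"),
    Rule("File sharing from branch office", "tcp", 445, "203.0.113.0/24", "allow"),
    Rule("OpenVPN", "udp", 1194, "0.0.0.0/0", "allow"),
    Rule("Public web server", "tcp", 443, "0.0.0.0/0", "allow"),
    Rule("Default deny", "any", 0, "0.0.0.0/0", "deny"),
]

if __name__ == "__main__":
    for severity, name, advice in audit(SAMPLE_RULES):
        print(f"[{severity}] {name}: {advice}")
```

Running it on the constructed rules flags the global RDP rule as critical, the branch-office SMB rule as high (reachable directly even though the source is limited), and the globally open OpenVPN port as medium; the HTTPS rule produces no finding because a public web server is an expected globally reachable service. The `lockdown` helper models the first step of the post, producing a copy of the rule set with every rule denied, so the audit can be done against the original rules while nothing is exposed.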


You're welcome. Hopefully that will at least help prevent it from happening again.
