Good afternoon, our server was affected by the ransomware that creates the .missing / .Contact_Data_Recovery.txt extensions. I read old articles but did not find anything that would help me; would you have any solution to this problem? The ransom email address is [email protected]. Thank you for your attention.


I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with:
https://id-ransomware.malwarehunterteam.com/

You can paste a link to the results into a reply if you would like for me to review them.


That detection appears to be correct. I'll see if there have been any updates regarding this particular ransomware; however, the latest information I have is that there is no known way to decrypt the affected files.


As far as we know, this particular ransomware is no longer being spread. If you have a copy of the malicious file that encrypted everything, then we could take a look at it and see if it's new.


That's an encrypted PDF document. I'm looking for the actual infection that did the encrypting. If you happen to find it, you can upload it to VirusTotal, and post the link to the analysis here for us to review:
https://www.virustotal.com/


RDP. In that case, someone more than likely brute-forced the administrator password and logged in via Remote Desktop, manually copied the ransomware to the system, executed it, and then cleaned up when done. In most instances they leave little to no trace behind; however, sometimes they do overlook something.

Since this was what we refer to as "RDP compromise", I'll leave some suggestions for getting started dealing with it below:

First I recommend temporarily disabling all port rules in your firewall (closing all open ports) until you can do a full audit of your firewall configuration and determine which ports need to remain open. There are some basic recommendations below to help get you started with the port audit.

If you are managing a company network, then some form of IPS/IDS is highly recommended to monitor the network for intrusions. If you already have such a system in place, then I recommend a full audit of any rules you have configured to make sure that the device is providing adequate monitoring. It is also recommended to have someone with penetration testing experience verify that the IPS/IDS is properly alerting when there are intrusion attempts.

Also, quickly change all passwords on any workstations and/or servers that are connected to the same network as the compromised system. Also be sure to change passwords on any online accounts, as well as any routers or switches (or other devices that have network-accessible administration functions).

I recommend that every account have a different password, that passwords be no shorter than 25 characters, and that they be made up of a random combination of uppercase letters, lowercase letters, numbers, and symbols. Obviously passwords like that are difficult (if not impossible) to remember, so a password manager may be required to aid in managing passwords. KeePass is probably the simplest password manager, and stores password databases locally instead of on some "cloud" server. If something capable of automatically filling in passwords (or sharing passwords between multiple devices/users) is necessary, then there are reasonable password managers from LastPass, bitwarden, 1Password, Dashlane, etc. Note that unlike KeePass, these password managers work as extensions added to web browsers (or apps on mobile phones), and they store password databases online.

When auditing your firewall configuration and preparing to reopen ports, I recommend never opening ports globally unless absolutely necessary. I also recommend requiring anyone who needs access to sensitive services (RDP, Windows Networking, etc) to connect to the network via a VPN so that you don't have to open ports for those services in the firewall, and then only open the VPN port in the firewall for IP addresses that need access to it. If someone who needs access has a dynamic IP, then many firewalls these days support something like Single Packet Authorization or Port Knocking to dynamically open ports for unknown IP addresses.

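
The post above reasons that the intruder guessed the administrator password over RDP and then cleaned up, but may have overlooked something. The script below is an added example, not code from this thread or from any of its participants, that looks for the trail such an attack leaves in the Windows Security log: a burst of failed logons (event 4625) from one source address followed by a successful RDP logon (event 4624, LogonType 10) from the same address, plus any "audit log cleared" (event 1102) entries. It assumes an elevated PowerShell session on the affected server, that the Security log still covers the period of the intrusion, and that default logon auditing is enabled; the 14-day window and the threshold of 20 failures are arbitrary values chosen for this example.

```powershell
# Added example, not code from the original thread. It hunts the affected server's
# Security log for the trail an RDP password-guessing attack tends to leave: a burst
# of 4625 (logon failed) events from one source IP followed by a 4624 (logon succeeded)
# with LogonType 10 (RemoteInteractive, i.e. RDP) from the same IP. It also reports
# 1102 (audit log cleared), which an intruder who "cleans up" may leave behind.
# Assumptions: run in an elevated PowerShell on the server itself, the Security log
# still covers the period of the intrusion, and default logon auditing is enabled.
# $Days and $FailureThreshold are arbitrary tunables chosen for this example.
param(
    [int]$Days = 14,
    [int]$FailureThreshold = 20
)

$since = (Get-Date).AddDays(-$Days)

# Read a field from the event's EventData by name rather than by positional index,
# so the script keeps working if Microsoft appends fields to 4624/4625.
function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-LogonEvents {
    param([int]$Id)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = Get-EventField $_ 'TargetUserName'
                LogonType = [int](Get-EventField $_ 'LogonType')
                Ip        = Get-EventField $_ 'IpAddress'
            }
        } | Where-Object { $_.Ip -and $_.Ip -notin '-', '::1', '127.0.0.1' }
}

# Do not filter the failures by LogonType: with Network Level Authentication on,
# RDP password guesses are logged as LogonType 3 (network), not 10.
$failed  = Get-LogonEvents -Id 4625
$success = Get-LogonEvents -Id 4624 | Where-Object { $_.LogonType -eq 10 }

$report = foreach ($s in ($failed | Group-Object Ip | Where-Object { $_.Count -ge $FailureThreshold })) {
    $firstFail = ($s.Group | Sort-Object Time | Select-Object -First 1).Time
    $wins      = $success | Where-Object { $_.Ip -eq $s.Name -and $_.Time -gt $firstFail }
    $firstWin  = $wins | Sort-Object Time | Select-Object -First 1
    [pscustomobject]@{
        SourceIp      = $s.Name
        FailedLogons  = $s.Count
        FirstFailure  = $firstFail
        UsersTried    = ($s.Group.User | Sort-Object -Unique) -join ', '
        RdpLoginAfter = $firstWin.Time
        LoggedInAs    = ($wins.User | Sort-Object -Unique) -join ', '
    }
}
$report | Sort-Object FailedLogons -Descending | Format-Table -AutoSize

# Clearing the Security log is itself logged (1102). Its data lives under UserData,
# not EventData, so the account name is read by position (index 1) instead.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Warning "Security log cleared at $($_.TimeCreated) by $($_.Properties[1].Value)" }
```

Rows with a value in RdpLoginAfter are the ones to chase: the successful 4624 gives the logon time and account, which bounds the window in which the ransomware was copied and run. An empty report is not proof of a clean machine; if the 1102 warning fires, or if the log's retention is shorter than the time since infection, the evidence has simply gone.
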

Hi,

Thanks for your support. We ended up paying the ransom as the only way to recover some important files (which, for an unknown reason, had not been backed up). We paid 0.1 BTC and they sent us a program called "Smart Decrypter.exe". Once you run it, it properly scans the hard disks looking for the encrypted files, but when you try to decrypt, it asks for an Activation Code.

https://www.dropbox.com/s/h3o518iahfy2zbm/Smart Decrypter.rar?dl=0

Let me know if it helps in any sense.

Regards,

M

Smart Decrypter.rar

For your reference:

encrypted sample files: Encrypted.rar

resulting decrypted sample file (they did it as a free sample): Decrypted.rar

9 hours ago, maurp75 said:

Thanks for your support. We ended up paying the ransom as the only way to recover some important files (which, for an unknown reason, had not been backed up). We paid 0.1 BTC and they sent us a program called "Smart Decrypter.exe". Once you run it, it properly scans the hard disks looking for the encrypted files, but when you try to decrypt, it asks for an Activation Code.

Thanks. I'll make sure that our ransomware experts know about it in case they want to take a look at it.


Hello there,

We got our server infected by the same thieves (restore_2019).

Fortunately we had all our data backed up on cloud servers and suffered limited damage. We only lost four files, and managed to get two of them back as their proof. We lost other work, but nothing we can't restore with a bit of time and effort.

I encourage everyone reading this to make a backup (survival) plan as soon as possible. I work for a small company of 13 colleagues, and if we had lost our data it's quite possible we would have gone home and lost our jobs. This is a serious problem.

What worries me most is knowing how they got into our server... the user was not "Administrator" and the password was really quite hard to brute-force... I'm more inclined to think it could have been through a Chrome extension, as we used Chrome on the server with a user logged in, and as you know, once you start Chrome it syncs and installs the extensions installed on other machines by the same user (me).

Any chance of knowing how they could have got in? Which Windows Server version were you using, maurp75? We used Windows Server 2014. Now we have installed the 2019 version.

Many thanks for sharing your experience and good luck to everybody infected.

2 hours ago, vansievi said:

Any chance of knowing how they could have got in? Which Windows Server version were you using, maurp75? We used Windows Server 2014. Now we have installed the 2019 version.

It's possible that a Remote Access Trojan (RAT) was used.

Regardless, if you do have RDP ports open in the firewall, then here's some steps to get started securing it:

First I recommend temporarily disabling all port rules in your firewall (closing all open ports) until you can do a full audit of your firewall configuration and determine which ports need to remain open. There are some basic recommendations below to help get you started with the port audit.

If you are managing a company network, then some form of IPS/IDS is highly recommended to monitor the network for intrusions. If you already have such a system in place, then I recommend a full audit of any rules you have configured to make sure that the device is providing adequate monitoring. It is also recommended to have someone with penetration testing experience verify that the IPS/IDS is properly alerting when there are intrusion attempts.

Also, quickly change all passwords on any workstations and/or servers that are connected to the same network as the compromised system. Also be sure to change passwords on any online accounts, as well as any routers or switches (or other devices that have network-accessible administration functions).

I recommend that every account have a different password, that passwords be no shorter than 25 characters, and that they be made up of a random combination of uppercase letters, lowercase letters, numbers, and symbols. Obviously passwords like that are difficult (if not impossible) to remember, so a password manager may be required to aid in managing passwords. KeePass is probably the simplest password manager, and stores password databases locally instead of on some "cloud" server. If something capable of automatically filling in passwords (or sharing passwords between multiple devices/users) is necessary, then there are reasonable password managers from LastPass, bitwarden, 1Password, Dashlane, etc. Note that unlike KeePass, these password managers work as extensions added to web browsers (or apps on mobile phones), and they store password databases online.

When auditing your firewall configuration and preparing to reopen ports, I recommend never opening ports globally unless absolutely necessary. I also recommend requiring anyone who needs access to sensitive services (RDP, Windows Networking, etc) to connect to the network via a VPN so that you don't have to open ports for those services in the firewall, and then only open the VPN port in the firewall for IP addresses that need access to it. If someone who needs access has a dynamic IP, then many firewalls these days support something like Single Packet Authorization or Port Knocking to dynamically open ports for unknown IP addresses.

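
The firewall steps in the post above (and in the identical list given earlier in the thread: close every open port, audit, then re-open RDP only behind a VPN and only for the addresses that need it) can be carried out on the Windows host firewall with the NetSecurity cmdlets. The script below is an added example, not code from this thread or from any of its participants. It assumes Windows Server 2012 or later, an elevated PowerShell session, and a VPN that hands out addresses from 10.8.0.0/24; that subnet and the rule name 'RDP (VPN only)' are placeholders chosen for this example. The perimeter router or firewall in front of the server needs the same review separately; this script only covers the host.

```powershell
# Added example, not code from the original thread. It walks the host-firewall part of
# the advice above: list the enabled inbound Allow rules that accept connections from
# any remote address, disable them, and re-create the RDP rule so that only the VPN
# subnet can reach it. Run it without -Apply first: it then only reports and shows
# -WhatIf output for the changes it would make.
# Assumptions (placeholders for this example): the VPN hands out 10.8.0.0/24, and the
# host is Windows Server 2012 or later with the NetSecurity module. Run it from the
# server console or an out-of-band session, not over the RDP session you are about
# to restrict. The perimeter firewall/router needs its own review.
param(
    [string]$VpnSubnet = '10.8.0.0/24',
    [switch]$Apply
)

$whatIf = -not $Apply

# 1. Audit: every enabled inbound Allow rule whose remote scope is 'Any' is reachable
#    from the whole internet as soon as the port is forwarded to this host.
$exposed = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    $addr = $rule | Get-NetFirewallAddressFilter
    if ($addr.RemoteAddress -contains 'Any') {
        $port = $rule | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name      = $rule.DisplayName
            Profile   = $rule.Profile
            Protocol  = $port.Protocol
            LocalPort = ($port.LocalPort -join ',')
            Rule      = $rule
        }
    }
}
"Inbound Allow rules open to any remote address:"
$exposed | Select-Object Name, Profile, Protocol, LocalPort | Sort-Object LocalPort | Format-Table -AutoSize

# 2. Close them all until the audit is done (the post's "disable all port rules").
$exposed.Rule | Disable-NetFirewallRule -WhatIf:$whatIf

# 3. Make sure the firewall is on and drops inbound traffic that no rule allows.
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -WhatIf:$whatIf

# 4. Re-open RDP for the VPN subnet only. Read the listening port from the registry
#    in case it was moved off 3389; the rule name is a placeholder for this example.
$rdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdpPort = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
if (-not (Get-NetFirewallRule -DisplayName 'RDP (VPN only)' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'RDP (VPN only)' -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $rdpPort -RemoteAddress $VpnSubnet -Profile Any -WhatIf:$whatIf
}

# 5. Two additions beyond the post's list, included because they blunt the password
#    guessing the thread describes: require Network Level Authentication, so the
#    client must authenticate before a session is created, and lock accounts after
#    repeated failures (10 failures in 30 minutes, 30-minute lockout; tune to taste).
if ($Apply) {
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1
    net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30
}
```

Step 2 is deliberately blunt: it also disables rules such as file sharing or web services if they are open to 'Any', which is the point of the post's "close everything, then audit". Re-enable each one only with a RemoteAddress scoped to the networks that actually need it (Set-NetFirewallRule -RemoteAddress), and for anything sensitive put it behind the VPN as the post says rather than scoping it to the internet at large.
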

Hi,

Is there any new information about the ransomware?

We had the same problem with a customer's server, and the customer decided to pay. Then we also got the tool "Smart Decrypter" and, after paying twice more, we got a key, but this key does not work.
14 hours ago, bb1291 said:

Then we also got the tool "Smart Decrypter" and, after paying twice more, we got a key, but this key does not work.

I'll ask if anyone knows why the decrypter and key may not be working.

Would you be able to send me a private message with your decrypter, key, and a few encrypted files for us to test with?


Hi, I received this response from Kaspersky when I submitted the files for analysis:

After analysis, the lab team found that the files were encrypted by a variant of Trojan-Ransom.Win32.Kangar; unfortunately this variant uses a secure encryption algorithm that makes it impossible to create a decryption tool. We understand, and find it natural, that you are dissatisfied at having been the victim of a cyber crime. Some ransomware variants use cryptographic keys and algorithms that make it possible to break the encryption of the files. Unfortunately, in most cases the type of encryption used does not allow a decryptor to be developed, since the criminals did not intend to recover all the files after the ransom, only some of them so that the victim pays, or only intended to cause damage to the environment. A given variant can create files with different extensions, and variants with different algorithms can create files with the same extension. In the case of the current infection, the malware analysis team has determined that the type of encryption used makes decryption impossible.


There's a possibility that they sent you the wrong key. I've asked our malware analysts, and if they are able to take a look at it then I will let you know.

On 23.01.2019 at 23:13, maurp75 said:

Good afternoon, our server was affected by the ransomware that creates the .missing / .Contact_Data_Recovery.txt extensions. I read old articles but did not find anything that would help me; would you have any solution to this problem? The ransom email address is [email protected]. Thank you for your attention.

For your information:
This variant of the Apocalypse Ransomware is described in my article as Apocalypse-Missing Ransomware.
In the title of the article there is a link to an English translation.
The extortionists switched to a more reliable (for themselves) variant of the attack, which was the one carried out against the topic starter.
I think it can be decrypted if someone takes it up.
FW broke all the old versions while they were being actively distributed.

1 hour ago, bb1291 said:

Is there any new information about the ransomware?

No, there's no new information.

