Good afternoon, our server was affected by the ransomware that creates the .missing / .Contact_Data_Recovery.txt extensions. I read old articles but did not find anything that would help me; would you have any solution to this problem? The rescue email address is [email protected]. Thank you for your attention.


I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with:
https://id-ransomware.malwarehunterteam.com/

You can paste a link to the results into a reply if you would like for me to review them.


 

Here is the result:


https://id-ransomware.malwarehunterteam.com/identify.php?case=5b482cc75a7b38661a04e2e4f9bf51450bb77bfe


That detection appears to be correct. I'll see if there have been any updates in regards to this particular ransomware; however, the latest information I have is that there is no known way to decrypt the affected files.


As far as we know, this particular ransomware is no longer being spread. If you have a copy of the malicious file that encrypted everything, then we could take a look at it and see if it's new.


That's an encrypted PDF document. I'm looking for the actual infection that did the encrypting. If you happen to find it, you can upload it to VirusTotal, and post the link to the analysis here for us to review:
https://www.virustotal.com/


RDP. In that case, someone more than likely brute forced the administrator password and logged in via Remote Desktop, manually copied the ransomware to the system, executed it, and then cleaned it up when done. In most instances they leave little to no trace behind, however sometimes they do overlook something.

Since this was what we refer to as "RDP compromise", I'll leave some suggestions for getting started dealing with it below:

First I recommend temporarily disabling all port rules in your firewall (closing all open ports) until you can do a full audit of your firewall configuration and determine which ports need to remain open. There are some basic recommendations below to help get you started with the port audit.

If you are managing a company network, then some form of IPS/IDS is highly recommended to monitor the network for intrusions. If you already have such a system in place, then I recommend a full audit of any rules you have configured to make sure that the device is providing adequate monitoring. It is also recommended to have someone with penetration testing experience verify that the IPS/IDS is properly alerting when there are intrusion attempts.

Also, quickly change all passwords on any workstations and/or servers that are connected to the same network as the compromised system. Also be sure to change passwords on any online accounts, as well as any routers or switches (or other devices that have network-accessible administration functions).

I recommend that every account have a different password, that passwords be no shorter than 25 characters and be made up of a random combination of uppercase letters, lowercase letters, numbers, and symbols. Obviously passwords like that are difficult (if not impossible) to remember, so a password manager may be required in order to aid in managing passwords. KeePass is probably the simplest password manager, and stores password databases locally instead of on some "cloud" server. If something capable of automatically filling in passwords (or sharing passwords between multiple devices/users) is necessary, then there are reasonable password managers from LastPass, bitwarden, 1Password, Dashlane, etc. Note that unlike KeePass, these password managers work as extensions added to web browsers (or apps on mobile phones), and they store password databases online.

When auditing your firewall configuration and preparing to reopen ports, I recommend never opening ports globally unless absolutely necessary. I also recommend requiring anyone who needs access to sensitive services (RDP, Windows Networking, etc) to connect to the network via a VPN so that you don't have to open ports for those services in the firewall, and then only open the VPN port in the firewall for IP addresses that need access to it. If someone who needs access has a dynamic IP, then many firewalls these days support something like Single Packet Authorization or Port Knocking to dynamically open ports for unknown IP addresses.

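The reply above says the intruder usually cleans up but "sometimes they do overlook something". One place that is worth checking before rebuilding the server is its own Security event log. The following PowerShell triage script is an added example, not part of the original thread or the advice given in it. It assumes it is run in an elevated session on the affected Windows Server, that the log has not been deleted outright, and that a 14-day window and a 20-failure threshold are reasonable starting points (both are assumptions, adjust as needed). It uses the standard Security event IDs: 1102 (audit log cleared), 4625 (failed logon), 4624 (successful logon) and 4778/4779 (RDP session reconnect/disconnect, which record the remote client's machine name).

```powershell
# Added example (not from the thread): triage an "RDP compromise" on the affected
# Windows Server from its Security event log. Run in an elevated PowerShell session.
# Event IDs used: 1102 (audit log cleared), 4625 (failed logon), 4624 (successful logon),
# 4778/4779 (RDP session reconnect/disconnect, which carry the remote client's hostname).
# The look-back window and brute-force threshold below are assumptions, not thread facts.
param(
    [int]$Days = 14,
    [int]$Threshold = 20    # assumed: a source IP with at least this many failures is a brute-force suspect
)

$since = (Get-Date).AddDays(-$Days)

# Flatten a Security event into an object keyed by its EventData field names.
function ConvertTo-LogonRecord {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # 4624/4625 name the account TargetUserName; 4778/4779 call it AccountName.
    $user = if ($d.ContainsKey('TargetUserName')) { $d['TargetUserName'] } else { $d['AccountName'] }
    [pscustomobject]@{
        Time      = $Event.TimeCreated
        Id        = $Event.Id
        User      = $user
        LogonType = $d['LogonType']
        Source    = $d['IpAddress']
        Status    = $d['Status']         # 0xC000006A = bad password, 0xC0000064 = no such user
        Client    = $d['ClientName']     # 4778/4779 only: the attacker's own machine name
        ClientIp  = $d['ClientAddress']  # 4778/4779 only
    }
}

function Get-SecurityEvents {
    param([int[]]$Id)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertTo-LogonRecord $_ }
}

# 0. An attacker who "cleaned up" often clears the Security log. Event 1102 survives the
#    clearing and dates it, which also tells you how much of the timeline below is missing.
$cleared = Get-SecurityEvents -Id 1102
if ($cleared) { Write-Warning ("Security log was cleared at: " + (($cleared.Time | Sort-Object) -join ', ')) }

# 1. Failed logons grouped by source IP. Logon type 10 is RemoteInteractive (RDP). With
#    Network Level Authentication enabled the failures are recorded as type 3 (network)
#    instead, so both types are kept.
$failed   = Get-SecurityEvents -Id 4625 | Where-Object { $_.LogonType -in '3', '10' }
$bySource = $failed | Group-Object Source | Sort-Object Count -Descending
"Failed RDP/network logons in the last $Days days, by source:"
$bySource | Select-Object Count, @{ n = 'Source'; e = { $_.Name } },
    @{ n = 'AccountsTried'; e = { ($_.Group.User | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize

# 2. A successful RDP logon from an IP that also produced a burst of failures is the
#    moment the brute force succeeded; its time bounds the encryption window.
$suspects = @($bySource | Where-Object { $_.Count -ge $Threshold } | ForEach-Object { $_.Name })
$wins = Get-SecurityEvents -Id 4624 | Where-Object { $_.LogonType -eq '10' -and $_.Source -in $suspects }
"Successful RDP logons from sources with >= $Threshold failures:"
$wins | Sort-Object Time | Format-Table Time, User, Source -AutoSize

# 3. Session reconnect/disconnect events record the connecting machine's hostname,
#    which attackers rarely bother to change.
"RDP session events (client hostname and address):"
Get-SecurityEvents -Id 4778, 4779 | Sort-Object Time | Format-Table Time, Id, User, Client, ClientIp -AutoSize
```

Run it read-only first; it changes nothing on the host. If the Security log was cleared, the same events may still be recoverable from a forwarding collector or from the hosting provider's edge logs, which is another reason the replies above stress having an IDS/IPS in front of the server.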

Hi ,

Thanks for your support. We ended up paying the ransom as the only solution to recover some important files (which, for an unknown reason, had not been backed up). We paid 0.1 BTC and they sent us a program called "Smart Descrypter.exe". Once you run it, it properly scans the hard disks seeking the encrypted files, but when you try to decrypt, it asks for an Activation Code.

https://www.dropbox.com/s/h3o518iahfy2zbm/Smart Decrypter.rar?dl=0

Let me know if it helps in any sense.

Regards,

M

Smart Decrypter.rar

For your reference:

encrypted sample files: Encrypted.rar

resulting decrypted sample file (they did it as a free sample): Decrypted.rar

9 hours ago, maurp75 said:

Thanks for your support. We ended up paying the ransom as the only solution to recover some important files (which, for an unknown reason, had not been backed up). We paid 0.1 BTC and they sent us a program called "Smart Descrypter.exe". Once you run it, it properly scans the hard disks seeking the encrypted files, but when you try to decrypt, it asks for an Activation Code.

Thanks. I'll make sure that our ransomware experts know about it in case they want to take a look at it.


Hello there,

We got our server infected by the same thieves (restore_2019).

Fortunately we had all data backed up on cloud servers and suffered limited damage. We only lost four files and managed to get two of them back as their proof. We lost other work, but nothing that we can't restore with a bit of time and work.

I encourage everyone reading this to make a backup (survival) plan as soon as possible. I work for a small company of 13 colleagues, and if we had lost our data it's quite possible we would have gone home and lost our jobs. This is a serious problem.

What worries me most is knowing how they got into our server... the user was not "Administrator" and the password was really a bit hard to brute-force... I'm more inclined to think it could have been through a Chrome extension, as we used Chrome on the server with a user logged in, and as you know, once you start Chrome it syncs and installs the extensions installed on other machines by the same user (me).

Any chance of knowing how they could have gotten in? Which Windows Server version were you using, maurp75? We used Windows Server 2014. Now we have installed the 2019 version.

Many thanks for sharing your experience and good luck to everybody infected.

2 hours ago, vansievi said:

Any chance of knowing how they could have gotten in? Which Windows Server version were you using, maurp75? We used Windows Server 2014. Now we have installed the 2019 version.

It's possible that a Remote Access Trojan (RAT) was used.

Regardless, if you do have RDP ports open in the firewall, then here's some steps to get started securing it:

First I recommend temporarily disabling all port rules in your firewall (closing all open ports) until you can do a full audit of your firewall configuration and determine which ports need to remain open. There are some basic recommendations below to help get you started with the port audit.

If you are managing a company network, then some form of IPS/IDS is highly recommended to monitor the network for intrusions. If you already have such a system in place, then I recommend a full audit of any rules you have configured to make sure that the device is providing adequate monitoring. It is also recommended to have someone with penetration testing experience verify that the IPS/IDS is properly alerting when there are intrusion attempts.

Also, quickly change all passwords on any workstations and/or servers that are connected to the same network as the compromised system. Also be sure to change passwords on any online accounts, as well as any routers or switches (or other devices that have network-accessible administration functions).

I recommend that every account have a different password, that passwords be no shorter than 25 characters and be made up of a random combination of uppercase letters, lowercase letters, numbers, and symbols. Obviously passwords like that are difficult (if not impossible) to remember, so a password manager may be required in order to aid in managing passwords. KeePass is probably the simplest password manager, and stores password databases locally instead of on some "cloud" server. If something capable of automatically filling in passwords (or sharing passwords between multiple devices/users) is necessary, then there are reasonable password managers from LastPass, bitwarden, 1Password, Dashlane, etc. Note that unlike KeePass, these password managers work as extensions added to web browsers (or apps on mobile phones), and they store password databases online.

When auditing your firewall configuration and preparing to reopen ports, I recommend never opening ports globally unless absolutely necessary. I also recommend requiring anyone who needs access to sensitive services (RDP, Windows Networking, etc) to connect to the network via a VPN so that you don't have to open ports for those services in the firewall, and then only open the VPN port in the firewall for IP addresses that need access to it. If someone who needs access has a dynamic IP, then many firewalls these days support something like Single Packet Authorization or Port Knocking to dynamically open ports for unknown IP addresses.

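The firewall advice given in both of the replies above (close everything, audit, reopen only what is needed, and never expose RDP globally) is usually applied on an edge device, but the server's own Windows Firewall and RDP listener deserve the same audit. The script below is an added example written for this page; it is not part of the thread or of either helper's advice. It assumes a VPN that hands out 10.8.0.0/24 to remote staff (an assumption; substitute your range), and it only reports unless run with -Apply. It does not cover the IDS/IPS, VPN or port-knocking parts of the advice, which live on other devices.

```powershell
# Added example (not from the thread): audit and tighten RDP exposure on Windows Server.
# Run in an elevated PowerShell session. Without -Apply the script only reports.
# $AllowedRanges is an assumed VPN client subnet; replace it with your own.
param(
    [string[]]$AllowedRanges = @('10.8.0.0/24'),   # assumed VPN client subnet
    [switch]$Apply
)

$rdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdpPort = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber   # 3389 unless someone moved it

# 1. Is RDP actually listening, and on which addresses?
"RDP listener(s) on TCP/$rdpPort :"
Get-NetTCPConnection -LocalPort $rdpPort -State Listen -ErrorAction SilentlyContinue |
    Format-Table LocalAddress, LocalPort, OwningProcess -AutoSize

# 2. Enabled inbound allow rules that expose the RDP port, and whether their remote
#    address is 'Any' (the weak setting) or a restricted range (the corrected one).
$rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | Where-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    $_.DisplayGroup -eq 'Remote Desktop' -or
    ($pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains "$rdpPort"))
}
"Inbound rules exposing RDP:"
foreach ($r in $rules) {
    $af      = $r | Get-NetFirewallAddressFilter
    $remote  = @($af.RemoteAddress)
    $exposed = $remote -contains 'Any'
    '{0,-45} profile={1,-12} remote={2}{3}' -f $r.DisplayName, $r.Profile, ($remote -join ','),
        $(if ($exposed) { '   <-- reachable from any address' } else { '' })
    if ($exposed -and $Apply) {
        # Corrected setting: the same rule, but only the VPN range may reach it.
        Set-NetFirewallRule -Name $r.Name -RemoteAddress $AllowedRanges
    }
}

# 3. Require Network Level Authentication and TLS, so credentials are checked before a
#    session is created and the legacy RDP security layer is not offered.
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
"NLA (UserAuthentication) currently: $nla   (1 = required)"
if ($Apply -and $nla -ne 1) {
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1
    Set-ItemProperty -Path $rdpKey -Name SecurityLayer      -Value 2   # 2 = TLS
}

# 4. An account lockout policy caps how many guesses an online brute force gets per window.
"Current lockout policy:"
net accounts | Select-String 'Lockout'
if ($Apply) {
    net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30
}
```

After applying, confirm from a host outside the VPN range that the port no longer answers, and then do the same exercise on the edge firewall, which is where the replies above expect the exposure to be closed in the first place. Restricting the remote address on the host is a second layer, not a substitute for not forwarding the port at all.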
