Jump to content

Recommended Posts

Came to office to ransomware on our Terminal Server. We are running Windows Server 2012r2. I found the proper steps too late and deleted the files. When I run EEK. it can't find any infections. I do have the logs from FRST and a pic of the EEK screen before i deleted the files. Please let me know how I can help or what I can provide to help. I know I'm not the first desperate tech guy to be in dire straights. ....but I am

Link to post
Share on other sites
9 hours ago, MitchJ said:

When I run EEK. it can't find any infections. I do have the logs from FRST and a pic of the EEK screen before i deleted the files.

What are the following files?


That last file (TSMSISrv.dll) may be the stage 2 payload from the malicious version of CCleaner (5.33) that was released after Piriform's systems were compromised. Keep in mind that there is also a legitimate Windows file with this same name, however I don't think it's normally in this location.


9 hours ago, MitchJ said:

but i will not copy an infected file to send from another computer. 

Your files are not infected. They're encrypted.

Most ransomware will delete itself after all of the files on the computer are encrypted. In this case, since the compromise was more than likely via RDP, an attacker simply logged in to the server after brute forcing credentials to an account (more than likely one with admin rights) and manually copied the ransomware to the server and executed it, and they don't like to leave traces of their compromise behind (beyond the encrypted files and ransom notes) so they generally delete everything they copied to the system themselves.


9 hours ago, MitchJ said:

Came to office to ransomware on our Terminal Server.

Since this is almost certainly RDP compromise, I'll paste some basic steps to getting started securing RDP below:

First I recommend temporarily disabling all port rules in your firewall (closing all open ports) until you can do a full audit of your firewall configuration and determine which ports need to remain open. There are some basic recommendations below to help get you started with the port audit.

If you are managing a company network, then some form of IPS/IDS is highly recommended to monitor the network for intrusions. If you already have such a system in place, then I recommend a full audit of any rules you have configured to make sure that the device is providing adequate monitoring. It is also recommended to have someone with penetration testing experience verify that the IPS/IDS is properly alerting when there are intrusion attempts.

Also, quickly change all passwords on any workstations and/or servers that are connected to the same network as the compromised system. Also be sure to change passwords on any online accounts, as well as any routers or switches (or other devices that have network-accessible administration functions).

I recommend that every account have a different password, that passwords be no shorter than 25 characters and be made up of a random combination of uppercase letters, lowercase letters, numbers, and symbols. Obviously passwords like that are difficult (if not impossible) to remember, so a password manager may be required in order to aid in managing passwords. KeePass is probably the simplest password manager, and stores password databases locally instead of on some "cloud" server. If something capable of automatically filling in passwords (or sharing passwords between multiple devices/users) is necessary then there are reasonable passwords managers from LastPass, bitwarden, 1Password, Dashlane, etc. Note that unlike KeePass, these password managers work as extensions added to web browsers (or apps on mobile phones), and they store password databases online.

When auditing your firewall configuration and preparing to reopen ports, I recommend never opening ports globally unless absolutely necessary. I also recommend requiring anyone who needs access to sensitive services (RDP, Windows Networking, etc) to connect to the network via a VPN so that you don't have to open ports for those services in the firewall, and then only open the VPN port in the firewall for IP addresses that need access to it. If someone who needs access has a dynamic IP, then many firewalls these days support something like Single Packet Authorization or Port Knocking to dynamically open ports for unknown IP addresses.

  • Thanks 1
Link to post
Share on other sites

434.tmp.id-C8DAE7D0.[[email protected]].html
F.doc.id-C8DAE7D0.[[email protected]].html
chrome.exe.id-C8DAE7D0.[[email protected]].html

.id-C8DAE7D0.[[email protected]].html  - this is the format of Dharma Ransomware (detailed description + link to English translation in the title of the article).

These extortionists have been robbing users for 2.5 years with impunity and law enforcement agencies are shamefully inactive.

  • Thanks 1
Link to post
Share on other sites

They work only for older versions.

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Create New...