Marian Dan, Posted July 27:
The domain controller got infected... I'm attaching scan files and a reference of the ransom demand... I tried to upload an encrypted file but it was rejected. Please help. Thanks.
Attachments: FRST.txt, FSMMSILog.txt.Contact_Data_Recovery.txt, scan_190727-131017.txt, Addition.txt
Amigo-A, Posted July 27:
Hello @Marian Dan. Judging by the name Apocalypse (New Variant), which you gave to this topic, you have already uploaded files to the ID Ransomware service. In fact, this is not a new variant; the name was given a long time ago and has not changed in two years. This corresponds to what we know and what is described in the article Apocalypse-Missing Ransomware. I have a question for you: when did the file encryption happen?
Marian Dan, Posted July 27:
July 27, 2019, 2:00 AM
Marian Dan, Posted July 27:
Eastern Standard Time
Amigo-A, Posted July 27:
Can you recall or trace what preceded this attack? Some of your actions, or someone else doing something with the computer...
Marian Dan, Posted July 27:
At around 11:00 PM I got alarms from the firewall that RDP was being attacked... the firewall dropped the connections at once... I waited for 30 minutes or so to see if it would repeat... existing connections will still stay up until the client logs off. Looking in the logs, everybody was off by midnight... RDP ports are still blocked... passwords in the environment are randomly generated... the only thing that is crossing my mind is an attachment that Bitdefender did not catch.
Marian Dan, Posted July 27:
I think it started from the terminal server... not all of them got infected... shadow copies got deleted... the XML files from the backups are also infected... they are on a NAS box.
Amigo-A, Posted July 27:
Yes, I already understood something from the logs. Here, for some selected entries, you can see that your server is suffering from extortionists not for the first time. There are files that have been encrypted several times: Dharma Ransomware, then Phobos Ransomware, then Dharma Ransomware again...

Quote:
==================== Files in the root of some directories ================
2019-06-20 08:08 - 2019-06-20 08:08 - 000000610 _____ () C:\Users\canon\ntuser.ini.id[9EF8AE3C-1113].[[email protected]].actin.id-9EF8AE3C.[[email protected]].bat
2019-06-20 08:09 - 2019-06-20 08:09 - 000726098 _____ () C:\Users\Public\181344.exe.id[9EF8AE3C-1113].[[email protected]].actin.id-9EF8AE3C.[[email protected]].bat
2019-06-20 08:09 - 2019-06-20 08:09 - 000726098 _____ () C:\Users\Public\256993.exe.id[9EF8AE3C-1113].[[email protected]].actin.id-9EF8AE3C.[[email protected]].bat
2019-06-20 08:09 - 2019-06-20 08:09 - 000001724 _____ () C:\Users\Public\desktop.ini.492.id[9EF8AE3C-1113].[[email protected]].actin.id-9EF8AE3C.[[email protected]].bat
2019-06-20 08:09 - 2019-06-20 08:09 - 000000756 _____ () C:\Users\Public\desktop.ini.id[9EF8AE3C-1113].[[email protected]].actin.id-9EF8AE3C.[[email protected]].bat
2019-06-20 08:09 - 2019-06-20 08:09 - 000002082 _____ () C:\Users\Public\desktop.ini.[[email protected]].wallet.492.id[9EF8AE3C-1113].[[email protected]].actin.id-9EF8AE3C.[[email protected]].bat
2019-06-20 08:09 - 2019-06-20 08:09 - 000001098 _____ () C:\Users\Public\desktop.ini.[[email protected]].wallet.id[9EF8AE3C-1113].[[email protected]].actin.id-9EF8AE3C.[[email protected]].bat
2017-08-08 10:00 - 2019-06-20 08:09 - 006914118 _____ () C:\Users\Public\RakhniDecryptor.exe.id[9EF8AE3C-1113].[[email protected]].actin.id-9EF8AE3C.[[email protected]].bat
2019-07-27 05:33 - 2019-07-27 05:33 - 000001048 _____ () C:\Users\administrator.OMCANFMA\AppData\Local\dd_vstor40_x64MSI5411.txt.Contact_Data_Recovery.txt
2016-04-03 10:50 - 2016-04-03 10:50 - 001088240 _____ () C:\Users\administrator.OMCANFMA\AppData\Local\dd_vstor40_x64MSI5411.txt.missing
2019-07-27 05:33 - 2019-07-27 05:33 - 000001048 _____ () C:\Users\administrator.OMCANFMA\AppData\Local\dd_vstor40_x64UI5411.txt.Contact_Data_Recovery.txt
2016-04-03 10:50 - 2016-04-03 10:50 - 000027184 _____ () C:\Users\administrator.OMCANFMA\AppData\Local\dd_vstor40_x64UI5411.txt.missing
2019-07-27 05:34 - 2019-07-27 05:34 - 000001048 _____ () C:\Users\administrator.OMCANFMA\AppData\Local\PUTTY.RND.Contact_Data_Recovery.txt
2015-09-22 18:28 - 2019-01-21 18:30 - 000000608 _____ () C:\Users\administrator.OMCANFMA\AppData\Local\PUTTY.RND.missing
2019-07-27 05:34 - 2019-07-27 05:34 - 000001048 _____ () C:\Users\administrator.OMCANFMA\AppData\Local\Resmon.ResmonCfg.Contact_Data_Recovery.txt
2018-02-14 16:43 - 2018-02-14 16:43 - 000007600 _____ () C:\Users\administrator.OMCANFMA\AppData\Local\Resmon.ResmonCfg.missing
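Amigo-A's observation that the same files carry several stacked extensions can be checked mechanically. The following Python is an added example, not code from this thread, from Emsisoft or from ID Ransomware: it parses FRST "Files in the root of some directories" lines like the ones quoted above, peels the suffix layers off each name and reports the order in which the families encrypted it. The regexes and family labels are assumptions based on this thread's log, and the sample log (with a placeholder mailbox token) is constructed.

```python
import re

# Suffix layers seen in the quoted FRST log. Family labels follow Amigo-A's reading of the
# thread; the regexes are this example's assumptions, not Emsisoft or ID Ransomware logic.
EMAIL = r"\[[^\[\]]+\]"                       # the "[mail@domain]" token inside the suffix
LAYER_PATTERNS = [
    ("Apocalypse-Missing", re.compile(r"\.missing$")),
    ("Phobos", re.compile(r"\.id\[[0-9A-Fa-f]{8}-\d{4}\]\." + EMAIL + r"\.[A-Za-z0-9]+$")),
    ("Dharma", re.compile(r"\.id-[0-9A-Fa-f]{8}\." + EMAIL + r"\.[A-Za-z0-9]+$")),
    ("Dharma", re.compile(r"\." + EMAIL + r"\.wallet(?:\.\d+)?$")),   # older .wallet naming
]
NOTE_SUFFIX = ".Contact_Data_Recovery.txt"     # ransom note dropped next to each file
# FRST line layout: created - modified - size attrs () path
FRST_LINE = re.compile(r"^\S+ \S+ - \S+ \S+ - (\d+) _+ \(\) (.+)$")

def peel_layers(name):
    """Strip suffixes outermost first; return (clean_name, families in encryption order)."""
    layers = []
    while True:
        for family, pat in LAYER_PATTERNS:
            m = pat.search(name)
            if m:
                layers.append(family)
                name = name[:m.start()]
                break
        else:
            return name, list(reversed(layers))

def classify_frst_lines(text):
    """Tag each FRST line as ransom note, encrypted file or other, with its encryptors."""
    results = []
    for raw in text.splitlines():
        m = FRST_LINE.match(raw.strip())
        if not m:
            continue
        path = m.group(2)
        if path.endswith(NOTE_SUFFIX):
            results.append(("note", path, []))
            continue
        clean, families = peel_layers(path)
        results.append(("encrypted" if families else "other", clean, families))
    return results

# Constructed sample in FRST format, modelled on the thread's entries (mailbox is a placeholder).
SAMPLE_LOG = r"""
2019-06-20 08:09 - 2019-06-20 08:09 - 000002082 _____ () C:\Users\Public\desktop.ini.[mail@example.invalid].wallet.492.id[9EF8AE3C-1113].[mail@example.invalid].actin.id-9EF8AE3C.[mail@example.invalid].bat
2019-07-27 05:34 - 2019-07-27 05:34 - 000001048 _____ () C:\Users\admin\AppData\Local\PUTTY.RND.Contact_Data_Recovery.txt
2015-09-22 18:28 - 2019-01-21 18:30 - 000000608 _____ () C:\Users\admin\AppData\Local\PUTTY.RND.missing
"""
```

Running classify_frst_lines(SAMPLE_LOG) reports the desktop.ini entry as Dharma, then Phobos, then Dharma, which is the triple encryption Amigo-A describes.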
Amigo-A, Posted July 27:
It seems one of the malware programs is still active on your system. This can be cleaned, but the files will not be decrypted. I see that you have already tried the Apocalypse decrypter, but it is old and will not help with the Apocalypse-Missing Ransomware.
Marian Dan, Posted July 27:
So there are no tools to help me...? I'm running scans on all of them...
Amigo-A, Posted July 27:
And one more nuance. All three listed malicious programs (Dharma, Phobos, Apocalypse) refer to the common place from which they were launched. This place is called Ukraine. From there they all come. Now the operators can be in different countries, but this does not change the essence. In addition, it is not the first time we have seen the email addresses of the ransomware in these and other projects coincide. There are currently no decryption tools for them. Today is a day off. It is possible that tomorrow the staff will give you recommendations regarding server security and its protection, which you need to carry out as quickly as possible. Otherwise, you will again be attacked and again be hacked by the same criminals.
Marian Dan, Posted July 27:
I know that defeats the purpose, but should I try to contact them?
Amigo-A, Posted July 27:
As far as we know, this criminal gang does not want to compromise, does not reduce the price and can take money without providing a decryptor. My workgroup and I have been checking them since the early versions. The BleepingComputer forum has many such cases of fraud and deception, which were confirmed by victims from different countries.
Amigo-A, Posted July 27:
Bye! It's already deep night in my time zone. Wait for the response of the support employee tomorrow.
Marian Dan, Posted July 27:
Thanks man for everything... have a good night.
GT500, Posted July 28:
Let's try getting a log from FRST on the computer that was infected, and see if it shows any signs of an active infection. You can find instructions for downloading and running FRST at the following link: https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Also, I'll paste some steps for getting started dealing with RDP compromise below. Some of it you may already be doing, and keep in mind that other forms of remote access can be abused too. Criminals like this have also been seen using a RAT (Remote Access Trojan) to gain access, and these are often delivered via e-mail attachment, although technically they can come from almost any source that malicious software can come from. This list doesn't cover everything, so if you need more then you may need to contact an IT security consultant who is capable of reviewing your network security policies and making more specific recommendations.

First, I recommend temporarily disabling all port rules in your firewall (closing all open ports) until you can do a full audit of your firewall configuration and determine which ports need to remain open. There are some basic recommendations below to help get you started with the port audit.

If you are managing a company network, then some form of IPS/IDS is highly recommended to monitor the network for intrusions. If you already have such a system in place, then I recommend a full audit of any rules you have configured to make sure that the device is providing adequate monitoring. It is also recommended to have someone with penetration testing experience verify that the IPS/IDS is properly alerting when there are intrusion attempts.

Also, quickly change all passwords on any workstations and/or servers that are connected to the same network as the compromised system. Also be sure to change passwords on any online accounts, as well as any routers or switches (or other devices that have network-accessible administration functions).

I recommend that every account have a different password, that passwords be no shorter than 25 characters, and that they be made up of a random combination of uppercase letters, lowercase letters, numbers, and symbols. Obviously passwords like that are difficult (if not impossible) to remember, so a password manager may be required in order to aid in managing passwords. KeePass is probably the simplest password manager, and stores password databases locally instead of on some "cloud" server. If something capable of automatically filling in passwords (or sharing passwords between multiple devices/users) is necessary, then there are reasonable password managers from LastPass, bitwarden, 1Password, Dashlane, etc. Note that unlike KeePass, these password managers work as extensions added to web browsers (or apps on mobile phones), and they store password databases online.

When auditing your firewall configuration and preparing to reopen ports, I recommend never opening ports globally unless absolutely necessary. I also recommend requiring anyone who needs access to sensitive services (RDP, Windows Networking, etc.) to connect to the network via a VPN so that you don't have to open ports for those services in the firewall, and then only open the VPN port in the firewall for IP addresses that need access to it. If someone who needs access has a dynamic IP, then many firewalls these days support something like Single Packet Authorization or Port Knocking to dynamically open ports for unknown IP addresses.
Marian Dan, Posted July 28:
Hi and good morning. All the ports for RDP were closed right away... admin passwords have been changed... parsed the accounts, found a suspect one and disabled it... the FRST log is attached to the post... I'm working on some contingency for tomorrow...
GT500, Posted July 30:
Windows Defender may be damaged. If you don't have a paid Anti-Virus on the server (which is recommended), then you should at least try to run SFC /SCANNOW from an elevated Command Prompt to see if it can repair Windows Defender. It looks like any active infections were removed before FRST was run. Beyond that, make sure your FTP server software (and any other software on the server) is up to date; that way there's less chance of security vulnerabilities.

On 7/28/2019 at 9:19 AM, Marian Dan said: admin passwords have been changed

When changing passwords, I recommend keeping the information at the following link in mind: https://hashcat.net/wiki/doku.php?id=mask_attack