Marian Dan

Apocalypse (New Variant) Ransom attack


Hello @Marian Dan

Looking at the name Apocalypse (New Variant), which you gave to this topic, you have already uploaded files to the service ID Ransomware. In fact, this is not a new variant, just the name was given a long time ago and has not changed for two years.
This corresponds to what we know and what is described in the article Apocalypse-Missing Ransomware.

I have a question for you: When did file encryption happen?


Can you recall or trace what preceded this attack?
Some of your actions, someone else did something with the computer...

 


At around 11:00 PM I got alarms from the firewall that RDP was being attacked... the firewall dropped the connections at once... I waited for 30 minutes or so to see if it repeated...

 

Now the existing connections will still be up until the clients log off. Looking in the logs, everybody was off by midnight...

 

RDP ports are still blocked... passwords in the environment are randomly generated... the only thing that is crossing my mind is an attachment that Bitdefender did not catch.


I think it started from the terminal server... not all of them got infected... shadow copies got deleted... the XML files from the backups are also infected... it is on a NAS box.


Yes, I already understood something from logs.

Here, from some selected entries, you can see that this is not the first time your server has suffered from extortionists. There are files that have been encrypted several times: Dharma Ransomware, Phobos Ransomware, Dharma Ransomware again...

Quote


==================== Files in the root of some directories ================

2019-06-20 08:08 - 2019-06-20 08:08 - 000000610 _____ () C:\Users\canon\ntuser.ini.id[9EF8AE3C-1113].[[email protected]].actin.id-9EF8AE3C.[[email protected]].bat
2019-06-20 08:09 - 2019-06-20 08:09 - 000726098 _____ () C:\Users\Public\181344.exe.id[9EF8AE3C-1113].[[email protected]].actin.id-9EF8AE3C.[[email protected]].bat
2019-06-20 08:09 - 2019-06-20 08:09 - 000726098 _____ () C:\Users\Public\256993.exe.id[9EF8AE3C-1113].[[email protected]].actin.id-9EF8AE3C.[[email protected]].bat
2019-06-20 08:09 - 2019-06-20 08:09 - 000001724 _____ () C:\Users\Public\desktop.ini.492.id[9EF8AE3C-1113].[[email protected]].actin.id-9EF8AE3C.[[email protected]].bat
2019-06-20 08:09 - 2019-06-20 08:09 - 000000756 _____ () C:\Users\Public\desktop.ini.id[9EF8AE3C-1113].[[email protected]].actin.id-9EF8AE3C.[[email protected]].bat
2019-06-20 08:09 - 2019-06-20 08:09 - 000002082 _____ () C:\Users\Public\desktop.ini.[[email protected]].wallet.492.id[9EF8AE3C-1113].[[email protected]].actin.id-9EF8AE3C.[[email protected]].bat
2019-06-20 08:09 - 2019-06-20 08:09 - 000001098 _____ () C:\Users\Public\desktop.ini.[[email protected]].wallet.id[9EF8AE3C-1113].[[email protected]].actin.id-9EF8AE3C.[[email protected]].bat
2017-08-08 10:00 - 2019-06-20 08:09 - 006914118 _____ () C:\Users\Public\RakhniDecryptor.exe.id[9EF8AE3C-1113].[[email protected]].actin.id-9EF8AE3C.[[email protected]].bat
2019-07-27 05:33 - 2019-07-27 05:33 - 000001048 _____ () C:\Users\administrator.OMCANFMA\AppData\Local\dd_vstor40_x64MSI5411.txt.Contact_Data_Recovery.txt
2016-04-03 10:50 - 2016-04-03 10:50 - 001088240 _____ () C:\Users\administrator.OMCANFMA\AppData\Local\dd_vstor40_x64MSI5411.txt.missing
2019-07-27 05:33 - 2019-07-27 05:33 - 000001048 _____ () C:\Users\administrator.OMCANFMA\AppData\Local\dd_vstor40_x64UI5411.txt.Contact_Data_Recovery.txt
2016-04-03 10:50 - 2016-04-03 10:50 - 000027184 _____ () C:\Users\administrator.OMCANFMA\AppData\Local\dd_vstor40_x64UI5411.txt.missing
2019-07-27 05:34 - 2019-07-27 05:34 - 000001048 _____ () C:\Users\administrator.OMCANFMA\AppData\Local\PUTTY.RND.Contact_Data_Recovery.txt
2015-09-22 18:28 - 2019-01-21 18:30 - 000000608 _____ () C:\Users\administrator.OMCANFMA\AppData\Local\PUTTY.RND.missing
2019-07-27 05:34 - 2019-07-27 05:34 - 000001048 _____ () C:\Users\administrator.OMCANFMA\AppData\Local\Resmon.ResmonCfg.Contact_Data_Recovery.txt
2018-02-14 16:43 - 2018-02-14 16:43 - 000007600 _____ () C:\Users\administrator.OMCANFMA\AppData\Local\Resmon.ResmonCfg.missing

 

 


It seems one of the malware samples is still active on your system. This can be cleared, but the files will not be decrypted.

I see that you have already tried the Apocalypse decrypter, but it is old and will not help for the Apocalypse-Missing Ransomware.


And one more nuance. All three listed malicious programs (Dharma, Phobos, Apocalypse) point to a common place from which they were launched. This place is called Ukraine. They all come from there. The operators may now be in different countries, but this does not change the essence. In addition, it is not the first time we have seen the email addresses of the ransomware in these and other projects coincide.

There are currently no decryption tools for them. 

Today is a day off. It is possible that tomorrow the staff will give you recommendations regarding server security and its protection, which you need to act on as quickly as possible. Otherwise, you will again be attacked and again be hacked by the same criminals.

 


As far as we know, this criminal gang does not want to compromise, does not reduce the price and can take the money without providing a decryptor. My workgroup and I have been checking them since the early versions.

The BleepingComputer forum has many such cases of fraud and deception, which were confirmed by victims from different countries.


Bye! It's already deep night in my time zone. Wait for the response of the support employee tomorrow.


Let's try getting a log from FRST on the computer that was infected, and see if it shows any signs of an active infection. You can find instructions for downloading and running FRST at the following link:
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

 

Also, I'll paste some steps for getting started dealing with RDP compromise below. Some of it you may already be doing, and keep in mind that other forms of remote access can be abused too. Criminals like this have also been seen using a RAT (Remote Access Trojan) to gain access, and these are often delivered via e-mail attachment, although technically they can come from almost any source that malicious software can come from. This list doesn't cover everything, so if you need more then you may need to contact an IT security consultant that is capable of reviewing your network security policies and making more specific recommendations.

First I recommend temporarily disabling all port rules in your firewall (closing all open ports) until you can do a full audit of your firewall configuration and determine which ports need to remain open. There are some basic recommendations below to help get you started with the port audit.

If you are managing a company network, then some form of IPS/IDS is highly recommended to monitor the network for intrusions. If you already have such a system in place, then I recommend a full audit of any rules you have configured to make sure that the device is providing adequate monitoring. It is also recommended to have someone with penetration testing experience verify that the IPS/IDS is properly alerting when there are intrusion attempts.

Also, quickly change all passwords on any workstations and/or servers that are connected to the same network as the compromised system. Also be sure to change passwords on any online accounts, as well as any routers or switches (or other devices that have network-accessible administration functions).

I recommend that every account have a different password, that passwords be no shorter than 25 characters and be made up of a random combination of uppercase letters, lowercase letters, numbers, and symbols. Obviously passwords like that are difficult (if not impossible) to remember, so a password manager may be required in order to aid in managing passwords. KeePass is probably the simplest password manager, and stores password databases locally instead of on some "cloud" server. If something capable of automatically filling in passwords (or sharing passwords between multiple devices/users) is necessary then there are reasonable password managers from LastPass, bitwarden, 1Password, Dashlane, etc. Note that unlike KeePass, these password managers work as extensions added to web browsers (or apps on mobile phones), and they store password databases online.

When auditing your firewall configuration and preparing to reopen ports, I recommend never opening ports globally unless absolutely necessary. I also recommend requiring anyone who needs access to sensitive services (RDP, Windows Networking, etc.) to connect to the network via a VPN so that you don't have to open ports for those services in the firewall, and then only open the VPN port in the firewall for IP addresses that need access to it. If someone who needs access has a dynamic IP, then many firewalls these days support something like Single Packet Authorization or Port Knocking to dynamically open ports for unknown IP addresses.
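A starting point for the port audit described in this post, as an added Python example (not from the post or from Emsisoft): it walks a list of inbound-allow rules and flags sensitive services reachable from outside the VPN, the VPN port itself open to the whole Internet, and anything else open globally. The rule list is a constructed sample in a generic shape (name, protocol, port, source range); the port-to-service tables are assumptions for illustration and should be adjusted to the services actually running behind the firewall.

```python
import ipaddress

# Constructed sample of inbound-allow rules in a generic shape.  Adapt the
# loader to your firewall's own export format.  Sources use RFC 5737
# documentation ranges.
RULES = [
    {"name": "rdp-any",    "proto": "tcp", "port": 3389, "src": "0.0.0.0/0"},
    {"name": "rdp-office", "proto": "tcp", "port": 3389, "src": "203.0.113.0/24"},
    {"name": "smb-branch", "proto": "tcp", "port": 445,  "src": "198.51.100.0/24"},
    {"name": "vpn-any",    "proto": "udp", "port": 1194, "src": "0.0.0.0/0"},
    {"name": "vpn-office", "proto": "udp", "port": 1194, "src": "203.0.113.10/32"},
    {"name": "https",      "proto": "tcp", "port": 443,  "src": "0.0.0.0/0"},
]

# Services that should only be reachable over the VPN, never via an open port
# (assumed list; extend it with whatever else the server runs).
SENSITIVE = {3389: "RDP", 445: "SMB", 139: "NetBIOS", 135: "RPC",
             5985: "WinRM", 5986: "WinRM (TLS)", 21: "FTP", 22: "SSH"}
# The VPN endpoint: the one thing that may be exposed, ideally only to known IPs.
VPN = {1194: "OpenVPN", 500: "IKE", 4500: "IPsec NAT-T", 1723: "PPTP"}

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "INFO": 3}


def audit_rule(rule):
    """Return (severity, rule name, message) for one rule, or None if it is fine."""
    net = ipaddress.ip_network(rule["src"], strict=False)
    port = rule["port"]
    is_global = net.prefixlen == 0          # 0.0.0.0/0 or ::/0
    if port in SENSITIVE:
        svc = SENSITIVE[port]
        if is_global:
            return ("CRITICAL", rule["name"],
                    f"{svc}/{port} open to the whole Internet; close it and reach it over the VPN")
        return ("HIGH", rule["name"],
                f"{svc}/{port} allowed from {net}; an IP allow-list is weaker than routing it through the VPN")
    if port in VPN:
        if is_global:
            return ("MEDIUM", rule["name"],
                    f"{VPN[port]}/{port} open globally; restrict to known IPs, "
                    "or use port knocking / SPA for users with dynamic IPs")
        return None
    if is_global:
        return ("INFO", rule["name"],
                f"port {port} open globally; confirm this service really must be public")
    return None


def audit_rules(rules):
    """Audit every rule; findings sorted most severe first (stable within a level)."""
    findings = [f for f in map(audit_rule, rules) if f is not None]
    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])
    return findings


def rules_safe_to_keep(rules):
    """The 'close everything first' step: only rules with no finding stay enabled."""
    return [r for r in rules if audit_rule(r) is None]


if __name__ == "__main__":
    for severity, name, message in audit_rules(RULES):
        print(f"{severity:8} {name:12} {message}")
    print("keep enabled:", [r["name"] for r in rules_safe_to_keep(RULES)])
```

On the sample, only the VPN rule scoped to a single office address survives the audit; the two RDP rules and the branch SMB rule are the ones to replace with VPN access, and the globally open VPN port is the one to narrow or to put behind port knocking or SPA.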


Hi and good morning,

All the ports were closed for RDP right away... admin passwords have been changed... parsed the accounts, found a suspect one and disabled it... the FRST log is attached to the post... I'm working on some contingency for tomorrow...


Windows Defender may be damaged. If you don't have a paid Anti-Virus on the server (which is recommended), then you should at least try to run SFC /SCANNOW from an elevated Command Prompt to see if it can repair Windows Defender.

It looks like any active infections were removed before FRST was run. Beyond that, make sure your FTP server software (and any other software on the server) is up to date, that way there's less chance of security vulnerabilities.

 

On 7/28/2019 at 9:19 AM, Marian Dan said:

admin passwords have been changed

When changing passwords, I recommend keeping the information at the following link in mind:
https://hashcat.net/wiki/doku.php?id=mask_attack
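To make the password advice concrete, here is an added Python example (not from the post or from Emsisoft) that contrasts the keyspace of a human-style password mask, using hashcat's built-in charset sizes from the linked wiki page, with that of a 25-character random password, and generates passwords that satisfy the policy from the earlier post (25 or more characters, all four character classes, a different one per account). The guess rate in the demo is an assumed placeholder, not a measurement.

```python
import math
import secrets
import string

# hashcat's built-in charset sizes (from the mask-attack wiki page linked above).
MASK_CHARSETS = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95, "b": 256}


def mask_keyspace(mask):
    """Candidates a mask attack must try, e.g. '?u?l?l?l?l?l?d?d?d?d?s'.

    '??' is a literal question mark; any other bare character is a fixed literal
    that adds nothing to the keyspace."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            total *= 1 if mask[i + 1] == "?" else MASK_CHARSETS[mask[i + 1]]
            i += 2
        else:
            i += 1
    return total


def hours_to_exhaust(keyspace, guesses_per_second):
    return keyspace / guesses_per_second / 3600


# 94 printable ASCII symbols (hashcat's ?s additionally counts the space, hence 33 there).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def meets_policy(pw, min_length=25):
    """Policy from the post above: at least 25 chars and all four character classes."""
    return (len(pw) >= min_length
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def generate_password(length=25):
    """Uniformly random password over ALPHABET, resampled until it meets the policy."""
    if length < 25:
        raise ValueError("policy requires at least 25 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(pw):
            return pw


def random_keyspace(length, alphabet=ALPHABET):
    return len(alphabet) ** length


def bits(keyspace):
    return math.log2(keyspace)


if __name__ == "__main__":
    rate = 1e10                       # assumed guesses/second for a fast hash; placeholder
    human = "?u?l?l?l?l?l?d?d?d?d?s"  # the shape of something like "Summer2019!"
    print(f"mask {human}: 2^{bits(mask_keyspace(human)):.1f} candidates, "
          f"exhausted in {hours_to_exhaust(mask_keyspace(human), rate):.1f} h at {rate:.0e}/s")
    print(f"random 25 chars: 2^{bits(random_keyspace(25)):.1f} candidates")
    print("example:", generate_password())
```

The comparison is the point of the linked page: a "word + year + symbol" password matches a short mask of roughly 2^46 candidates, which a single GPU rig walks through in hours, while a 25-character random string is around 2^164 and is out of reach of any mask, so the generator has to be random rather than memorable, which is why the earlier post pairs the policy with a password manager.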
