Cleaning up after ransomware (Cryptolocker etc.).

After experiencing ransomware a few times during the past months in our corporate setup, I decided to scribble down some cleanup notes and things you can do to combat this.

This guide is written from the point of view of a sysadmin, not an end user; however, some of the tricks may apply even so (depending on various factors). In addition, this guide focuses on cleaning up the server and not the client computer, which in my opinion should always be reinstalled after an incident like this.

This guide also assumes that you have Shadow Copy enabled on your server; if not, you will need to restore from backup (this is also loosely covered in the guide). The good thing about Shadow Copy is that, as the server itself is not infected, neither is the server's shadow copy, so you have quick and easy access to non-corrupted data from there. Client-wise things are different, as most ransomware clears the local shadow copies to prevent an easy local cleanup. I have heard that this may fail if the user is not a local administrator on his/her PC, so if this is the case you may still have a straw to cling to for recovering the local data easily.

Background.

First, let me sum up what this ransomware is all about.

Ransomware is a special type of malware; as opposed to a regular virus it is not aimed so much at spreading but focuses on its line of business (extorting users to pay to regain access to their data). Ransomware is often spread via phishing mails: you may receive a mail stating that you have a package at the post office (just one example) and that you need to download and open the linked file to get the details. Once you download and run the file from the phishing mail, it executes the ransomware, which runs in the background encrypting your files without you noticing it (to begin with).

It is very hard to protect against malware like this, as the makers of this type of malware keep changing the software to avoid detection. Furthermore, antivirus is only of limited help, as it cannot restore files that have already been encrypted.

Ransomware usually starts by encrypting local files first and then moves on to server shares.

Ransomware is actually not a new thing; it has existed since the MS-DOS days in some form or other. I recall a very old virus that infected your boot sector and, upon the trigger event (it could be a date or a number of boots), deleted your FAT table and brought up a slot machine; if you won the game you got your FAT table back, if not everything was lost. Same but different.

How do you get your data back after it has been encrypted? Well, the best bet is backups; hopefully you have backups either on some USB disk or in the cloud, and if not you are likely in serious trouble. You can also choose to pay the ransom and have your data decrypted; the price for this is usually around 100€ or 100$ depending, and from what I have heard it should work quite well and reliably to get your data back this way – some of the ransomware vendors even have a kind of customer support to assist you if you have problems – but supporting organized crime hardly seems like a good idea in the long run.

Anyhow, let us move on to the “fun” part: how to clean up a file server after a visit from a client infected with ransomware.

So you have been struck by ransomware (Cryptolocker, Cryptowall, Cryptodefence etc.), “congratulations” and welcome to the club 🙁

Let us go through some steps to get things back on the road.

Important tip;

If you are using Shadow Copy on your server, DO NOT START CLEANUP BEFORE DATA HAS BEEN RESTORED – deleting the encrypted files first only consumes storage space from your shadow copy pool (every block you change gets copied into the snapshot area), which may push out older snapshots and leave you able to restore less data.

 

Step 1 – Stop the disaster from escalating.

You need to figure out which user is infected and stop this user's PC from encrypting more files on your servers; if you are not fast to react, your server will quickly look like the screenshot in Step 2 below (the white is the infected files, it’s a mess).

Step 1.1 – how to identify the user

There are obviously different tactics for this, but two obvious ones are;

1) Look at an encrypted file and determine the owner – now to my surprise this did not work on the last server I looked at; here all the files for some reason were owned by the local Administrators group.

2) Look at the home folders of your users – most ransomware drops files on how to decrypt your data, and these may serve as tell-tale signs of “infection”.


Thus, the user with all the “decrypt” files in his home drive is the user you are after. Simply search the users' folders for files with the word “decrypt” in the name. The ransomware normally also targets the user's local drives first, so you may catch a lucky break if, like us, you have redirected the “My Documents” folder to the user's home directory on the server; in our cases this meant that the infected user had tons of these files on his home share.

Step 1.2 – Shutdown the user’s computer

Shut down the user's computer and change the user's password (as the user has malware on his/her computer, his/her passwords (all of them) are likely now compromised).

 

Step 2 – Assess the damage

You now need to look at the server to determine how much data has been encrypted. How to determine the “infection” rate depends – different ransomware uses different tactics, however at least for now they seem to share these:

1) The ransomware encrypts files, then adds an extension to each file to show that it is encrypted (the extension varies; it could be .encrypted or .iufasee or something totally different/random, but it is the same for all encrypted files in one incident).

2) After encrypting a complete folder the ransomware often adds 2-4 files describing how to decrypt the data; these files could be named “HELP_DECRYPT.TXT” / “HELP_DECRYPT.BMP” / “HOW_DECRYPT.TXT” / “!Decrypt-All-Files-iufasee.bmp” or anything like that.


NOTE: the ransomware is quite clever in that it does not change the creation date/last modified date, which makes it hard to just look for files changed in the past 24h – however, as mentioned in point 2 above, the ransomware often creates “how to decrypt” files/pictures/links in the folders, and these (and their creation times) may be used to spot the “infection”.

My suggestion is;

  1. Try to determine the file extension using the tips above.
  2. Use WinDirStat to get an idea of the scope of the incident (you can see an example below): http://windirstat.info/
  3. See the screenshot (the white is the encrypted/infected data).

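As an added example (my own script, not part of the original post), here is a PowerShell survey that answers the Step 1.1 question (which user?) and the Step 2 question (how much, and which extension?) in one read-only pass over a share. The share root D:\Shares, the “*decrypt*” note pattern and the top-20 cut-off are assumptions to adjust for your environment; nothing is modified or deleted.

```powershell
# Added example (not from the original post): survey a file share for the two
# tell-tale signs described in Step 1.1 and Step 2, namely ransom-note files
# with "decrypt" in the name and a flood of files sharing one unusual extension.
# Assumptions: the share root, the note pattern and the top-N cut-off are
# illustrative choices. Read-only: nothing is modified or deleted.
param(
    [string]$ShareRoot   = 'D:\Shares',   # root of the file server data (assumed)
    [string]$NotePattern = '*decrypt*',   # ransom-note name pattern quoted in the post
    [int]$Top            = 20
)

$files = Get-ChildItem -Path $ShareRoot -Recurse -File -Force -ErrorAction SilentlyContinue

# 1) Extension histogram: the encryption extension shows up as a large count of
#    files with an extension you never normally see on the share.
Write-Host "== Most common extensions under $ShareRoot =="
$files |
    Group-Object Extension |
    Sort-Object Count -Descending |
    Select-Object -First $Top Count, Name |
    Format-Table -AutoSize

# 2) Ransom notes: group them by top-level folder (on a home share that is the
#    user's home directory) and by file owner, so the infected user stands out.
#    The earliest note per folder is a lead for the "last good" snapshot time.
$notes = @($files | Where-Object { $_.Name -like $NotePattern })
Write-Host "== Ransom-note candidates: $($notes.Count) files =="

$rootLen = $ShareRoot.TrimEnd('\').Length + 1
$notes |
    ForEach-Object {
        $rel = $_.FullName.Substring($rootLen)
        $owner = 'unknown'
        try { $owner = (Get-Acl -LiteralPath $_.FullName).Owner } catch { }
        [pscustomobject]@{
            TopFolder = $rel.Split('\')[0]
            Owner     = $owner
            Created   = $_.CreationTime
        }
    } |
    Group-Object TopFolder, Owner |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'FirstNote'; e = { ($_.Group | Sort-Object Created)[0].Created } } |
    Format-Table -AutoSize
```

Run it as an administrator on the file server (or against a UNC path you have read access to). The extension table gives you the encryption extension for the cleanup step, and the note table gives you both the folder/owner with the most notes (the infected user) and the earliest note creation time, which is the cut-off you need when picking the last good shadow copy in Step 3.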

 

Step 3 – Restoring data (the non-encrypted files)

We had a special challenge with restoring data as we use online backup, and the restore therefore takes a LONG time, seeing that the data has to come in over the WAN; restoring gigabytes of data that way would take a LONG time, so we had to get creative to make the cleanup as fast as possible.

You first need to determine the time of the last backup/shadow copy snapshot before the “infection” occurred.

If you have Shadow Copy, go back through the snapshots to find the last one in which files still had their original extension. You may get the best results by looking at the infected user's home folder, as this is likely the first folder to be “infected” (you can also look at the creation date/time of the “how to decrypt” files, which may give you a lead).


If you have local backup it is quite easy, I guess: just restore more or less all data (with the “do not overwrite newer/changed versions” option set) and then proceed to delete the encrypted data and the “help files” (the ones on how to decrypt) – see the section below on how to clean up.

If, however, you cannot easily restore data from backup (e.g. if you use “online backup” like we did), then move on to Shadow Copy (which you hopefully have enabled on the server).

You could of course restore one file/folder at a time from Shadow Copy, but this will take forever, especially if users have worked on the folder structure in the meantime. So why not make it fast and easy by using Robocopy (yes, it is actually possible to use Robocopy; we found a cool way to do this).

Restoring non-encrypted data via Shadow Copy and Robocopy.

  • Determine the “last good” shadow copy, the one just before files started to be encrypted.

    1. On the server, list the shadow copy snapshots from the command line; you do this to get the “identifier” which we will need in a moment. Start an administrative command prompt and issue the command;
       vssadmin list shadows
       (you may need to change to the drive you want to see). This will give you a long list of available snapshots (see screenshot). Look at the creation time and find the block just before the incident occurred.

       In this block, “Contents of shadow copy set ID {…….}”, look for the line “Shadow Copy Volume” and copy the part of this line starting with \\ to Notepad.

       In this example;
       \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy107
       NOTE: the number at the end will be different for you.

       IMPORTANT! Now add a “\” to the end of the line in Notepad: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy107\

       Finally add the prefix “mklink /d c:\restore ” to the line in Notepad.
       So the final line should look like this;
       mklink /d c:\restore \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy107\
       (note: c:\restore is a folder/name YOU choose; it can basically be anything, but the name must NOT exist before you run the command). Now run this command from the administrative command prompt.

       It should give you feedback much like;
       symbolic link created for c:\restore <<===>> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy107\

       Now if you type;
       dir c:\restore
       you will have a historic view of how the disk looked at the time of the shadow copy snapshot. You could get the same via the “Previous Versions” tab in the folder's Properties, but this is much neater, as you can access and script it.

  • Now that we have the snapshot mounted, we can run a Robocopy job restoring any data that is not more recent or changed. In this example the command would be something like;
    ROBOCOPY C:\restore D:\ *.* /XC /XO /E /LOG:d:\restore.log
    You will need to adapt it to your environment.

    Things to make a note of are the /XC /XO switches, which ensure that we do not overwrite files modified after the “infection” (/XO excludes source files that are older than the copy already on the destination; /XC excludes files with the same timestamp but a different size). As the encrypted “infected” files have a different extension, they do not collide with the restored originals, so this is not a problem.

    After the restore you can review the restore.log file to see if anything went wrong and how much data was restored.

    Note, you MAY run into the problem that not everything was in the shadow copy, in which case you have to revert to backups; in the incidents we have had, “only” 10-20 GB of data was “infected” and our shadow copy could easily accommodate this.
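The mount-and-restore procedure above, scripted end to end as an added example (my own PowerShell, not the post's). One deliberate difference: instead of reading the snapshot ID off the vssadmin output by hand, it picks the last snapshot created before a cut-off time through the Win32_ShadowCopy WMI class, so the selection can be repeated without copy-and-paste errors. Assumed inputs: the data volume is D:, the link name C:\restore does not exist yet, and the cut-off is the creation time of the first ransom note you found in Step 2 (the value in the script is a constructed placeholder).

```powershell
# Added example (not from the original post): automate the "last good snapshot ->
# mklink /d -> robocopy /XC /XO -> rd" sequence from Step 3.
# Assumptions: volume D: is the data volume, C:\restore is an unused link name,
# $Cutoff is the time of the first ransom note (constructed placeholder value).
param(
    [string]$Volume    = 'D:',
    [datetime]$Cutoff  = [datetime]'2015-06-10T10:30:00',   # constructed; use your own
    [string]$LinkPath  = 'C:\restore',
    [string]$LogPath   = 'D:\restore.log',
    [switch]$DryRun                                          # adds /L: list only, copy nothing
)

# Shadow copies name volumes by their volume GUID path, so map the drive letter first.
$vol = Get-CimInstance Win32_Volume | Where-Object DriveLetter -eq $Volume
if (-not $vol) { throw "Volume $Volume not found" }

# Last snapshot of that volume created strictly before the cut-off.
$snap = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $vol.DeviceID -and $_.InstallDate -lt $Cutoff } |
    Sort-Object InstallDate -Descending |
    Select-Object -First 1
if (-not $snap) { throw "No shadow copy of $Volume older than $Cutoff" }
Write-Host "Using shadow copy $($snap.ID) created $($snap.InstallDate)"

if (Test-Path -LiteralPath $LinkPath) { throw "$LinkPath already exists; choose an unused name" }

# Equivalent of the post's "mklink /d c:\restore \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyNN\".
# The trailing backslash on the device path is required.
cmd.exe /c mklink /d $LinkPath "$($snap.DeviceObject)\"
if ($LASTEXITCODE -ne 0) { throw "mklink failed" }

try {
    # /E  copy subfolders (including empty ones)
    # /XO skip source files older than the destination copy (user edited it since)
    # /XC skip files with the same timestamp but a different size
    # Encrypted files carry a new extension, so they never collide with restored originals.
    $rcArgs = @($LinkPath, "$Volume\", '*.*', '/E', '/XO', '/XC', "/LOG:$LogPath")
    if ($DryRun) { $rcArgs += '/L' }
    & robocopy.exe @rcArgs
    # Robocopy exit codes below 8 mean success (the bits only describe what was copied/skipped).
    if ($LASTEXITCODE -ge 8) { Write-Warning "robocopy reported errors, review $LogPath" }
}
finally {
    # RD on a directory symbolic link removes only the link, never the snapshot contents.
    cmd.exe /c rmdir $LinkPath
}
```

Run it first with -DryRun and read the log: the “New File” lines are the originals that will come back, and anything listed as skipped is a file a user changed after the snapshot, which is exactly what /XO and /XC are there to protect.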

 

 

Step 4 – CleanUp

Final step is to clean up the encrypted files and the decrypt instructions.

Also remove the “directory link” to the shadow copy snapshot if you used that (see the previous section); you can just use “RD <directory name>”, which removes the link only and not the snapshot data.


I used SearchMyFiles from http://www.nirsoft.net/ as it is easy to use and very customizable for finding files; I suggest you take no more than 10,000 files at a time, as deleting many files takes quite some time.

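The same cleanup scripted, as an added example (my own PowerShell, not the post's, which uses SearchMyFiles). It finds the encrypted files by the extension you determined in Step 2 plus the ransom notes by name pattern, reports first, and only deletes when you pass -Remove, working through the list in batches so the job can be stopped between batches. The share root, the .iufasee extension and the note patterns are the values quoted in the post and are assumptions to replace with your own incident's values.

```powershell
# Added example (not from the original post): delete the encrypted files and the
# ransom notes once the restore from Step 3 is complete. Reports by default; only
# deletes with -Remove. Assumptions: extension and note patterns as quoted in the
# post; share root, batch size and log path are illustrative.
param(
    [string]$ShareRoot      = 'D:\Shares',
    [string]$Extension      = '.iufasee',                   # this incident's encryption extension
    [string[]]$NotePatterns = @('*decrypt*', 'HOW_DECRYPT.*', 'HELP_DECRYPT.*'),
    [int]$BatchSize         = 10000,                        # the post suggests <= 10,000 at a time
    [string]$LogPath        = 'D:\cleanup.log',
    [switch]$Remove                                         # without this: report only
)

# Guard against an empty extension, which would otherwise match every extensionless file.
if (-not $Extension.StartsWith('.') -or $Extension.Length -lt 2) { throw "Extension must look like '.xyz'" }

$targets = @(Get-ChildItem -Path $ShareRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object {
        $name = $_.Name
        ($_.Extension -eq $Extension) -or
        ($NotePatterns | Where-Object { $name -like $_ } | Select-Object -First 1)
    })

$encrypted = @($targets | Where-Object Extension -eq $Extension)
$notes     = @($targets | Where-Object Extension -ne $Extension)
"{0} encrypted files and {1} ransom notes found under {2}" -f $encrypted.Count, $notes.Count, $ShareRoot

if (-not $Remove) {
    "Report only. Review the note matches below for false positives, then re-run with -Remove."
    $notes | Select-Object -First 25 FullName | Format-Table -AutoSize
    return
}

for ($i = 0; $i -lt $targets.Count; $i += $BatchSize) {
    $last  = [Math]::Min($i + $BatchSize, $targets.Count) - 1
    $batch = $targets[$i..$last]
    foreach ($f in $batch) {
        try {
            Remove-Item -LiteralPath $f.FullName -Force
            Add-Content -Path $LogPath -Value "DELETED`t$($f.FullName)"
        } catch {
            Add-Content -Path $LogPath -Value "FAILED`t$($f.FullName)`t$($_.Exception.Message)"
        }
    }
    "Batch {0}: {1} files processed" -f ([int]($i / $BatchSize) + 1), $batch.Count
}
```

The note pattern “*decrypt*” is deliberately broad, the same trade-off the post makes for FSRM alerts, so always read the report-only output before passing -Remove: a legitimate document with “decrypt” in its name would otherwise go with the notes.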

 

Mitigation strategy

  • On file servers, try to limit access as much as possible – if nothing more, then look at making data read-only wherever possible, as this alone will protect you greatly.
  • FSRM – File Server Resource Manager: set this up to detect and trigger alarms on new files where the word “decrypt” is part of the name – “decrypt” as part of a filename is uncommon enough to give only limited false alarms – I will create a separate article on the configuration of this later.
  • Supporters / super users – instruct them to react FAST to tell-tale signs of ransomware; the faster you manage to stop the “infection”, the less there is to clean up.
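The FSRM idea from the mitigation list, as an added example of my own (the author planned a separate article on this, so this is not the post's configuration). It uses the FileServerResourceManager PowerShell module that ships with the FSRM role on Windows Server 2012 and later: a file group for the ransom-note name patterns, and a passive file screen on the share root that does not block anything but raises an event-log entry and an e-mail the moment such a file is created. The share path, group name and mail address are placeholders.

```powershell
# Added example (not from the original post): alert on new "decrypt" files with FSRM.
# Requires the File Server Resource Manager role. Assumptions: share path, group
# name and recipient are placeholders; e-mail also needs Set-FsrmSetting -SmtpServer.
Import-Module FileServerResourceManager

$groupName = 'Ransomware ransom notes'
$sharePath = 'D:\Shares'                           # placeholder share root
$mailTo    = 'fileserver-alerts@example.invalid'   # placeholder recipient

# File group holding the name patterns that only ransomware is likely to create.
if (-not (Get-FsrmFileGroup -Name $groupName -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name $groupName `
        -IncludePattern @('*decrypt*', 'HELP_DECRYPT.*', 'HOW_DECRYPT.*') | Out-Null
}

# Notifications. [Source Io Owner], [Source File Path] and [Server] are FSRM's own
# substitution variables, so the alert names the user and the first hit.
$eventAction = New-FsrmAction -Type Event -EventType Warning -RunLimitInterval 1 `
    -Body 'Possible ransomware: [Source Io Owner] created [Source File Path] on [Server]'
$mailAction  = New-FsrmAction -Type Email -MailTo $mailTo -RunLimitInterval 1 `
    -Subject 'Possible ransomware activity on [Server]' `
    -Body 'User [Source Io Owner] created [Source File Path]. Shut down that user''s PC and check the share.'

# Passive screen (-Active:$false): log and notify, never block, so there are no
# side effects on legitimate files that happen to match.
if (-not (Get-FsrmFileScreen -Path $sharePath -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $sharePath -IncludeGroup $groupName -Active:$false `
        -Description 'Ransomware ransom-note detection' `
        -Notification @($eventAction, $mailAction) | Out-Null
}
```

Passive mode is the point here: the notes are the symptom, not the damage, so blocking them would only hide the alarm. The same action mechanism can also run a command (the -Type Command variant of New-FsrmAction), which is how you would turn the alert into an automatic response, but test the passive alert for false positives on your own data first.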

 

Tools that may be useful;

Decrypt Cryptolocker (this most likely will not work, but give it a go anyhow just in case).
https://www.decryptcryptolocker.com/

WinDirStat – http://windirstat.info/
SearchMyFiles – http://www.nirsoft.net/

Read more about Cryptolocker; http://en.wikipedia.org/wiki/CryptoLocker

Thanks to:

Torben Slaikjer for finding that link on how to mount shadowcopy snapshot as a directory, this made the job vastly easier.

Live view of ongoing DDoS attacks

So if you, like me, have an interest in Internet security you may find this interesting: a live map of ongoing DDoS attacks.

http://www.digitalattackmap.com/#anim=1&color=0&country=ALL&list=0&time=16486&view=map

Free e-books


A good friend of mine (www.silents.dk) gave me a link to a collection of free Microsoft e-books;

http://blogs.msdn.com/b/mssmallbiz/archive/2013/06/18/huge-collection-of-free-microsoft-ebooks-for-you-including-office-office-365-sharepoint-sql-server-system-center-visual-studio-web-development-windows-windows-azure-and-windows-server.aspx

 

Plug In Launcher app for Android

A cool app for Android phones: it allows you to configure what happens when e.g. you plug in your headphones – e.g. when you plug in your headphones your phone launches your podcast player. This is really cool 🙂 Wish I had this for my iPhone 🙂

http://techotrack.com/archives/4846

NirCmd, the Swiss army knife of scripting commands

If you ever find yourself scripting then this command must be added to your inventory;

NirCmd  http://www.nirsoft.net/utils/nircmd.html

It is a free command-line utility (about 30 kB) that will allow you to script a ton of different things, like;
read/write the registry, dial RAS, take screenshots, stop/start/restart/pause services, change display mode, create shortcuts, set the speaker volume, restart/shut down Windows (both remote and local) – and as if this was not enough, you can even batch many of the commands, e.g. create a list/file with the computer names a command needs executing on and then just point to this list/file.

Very powerful and easy to use.

Burnout – Identify copyprotection.

If you have an original game CD/DVD and want to know which copy protection was used on it – maybe to find a NOCD or whatnot – I sometimes even find this interesting from an intellectual point of view – then this utility might just assist you in identifying which copy protection is keeping you from playing “Battlefield Bad Company 2” without the DVD inserted. It won’t break/crack anything, just identify which copy protection was used. Freeware and all that jazz.

Get it here

Malware Cleanup

So your PC has been infected by malware!?

Even if you have installed the best antivirus on the market you can still become infected with malware, and once you are infected there is no certainty that your antivirus is capable of cleaning up without a little help.

Technical

On this page I will use malware as a generalization of viruses, worms and trojans, and the techniques I refer to are aimed at Windows XP (they can still be used on other platforms but may require additional steps/actions).

Tell-tale signs that something is wrong;

Your antivirus keeps detecting infections day after day; you clean it, but the next day when you reboot the machine it is infected again.

When is there little reason to be concerned;

If you browse to a web-site and immediately get a warning from your antivirus that this and that file is infected, and the reference is to a file in a folder with a name something similar to this (it may differ some);

C:\Documents and Settings\username\Application Data\Microsoft\Internet Explorer\UserData\FY2BE6Q4

then there is a good chance your antivirus caught the malware before it got a chance to install itself and there is thus no reason to panic, I would however still recommend a complete system scan with the installed antivirus just to be on the safe side.

Infected, what now!?

How did I get infected and what is the big deal?

What often happens is that your PC is infected by malware while visiting a web site; this can happen even without visiting dangerous/suspicious web sites, as even very reputable sites sometimes get malware code injected into their pages (this can happen via banner advertisements or by hacking etc.). As the malware may be brand new, your antivirus may not know it and thus raises no warning; you have now unknowingly been infected. After a few days your antivirus vendor may pick up on the malware and issue an update to your antivirus (a definition update); once your antivirus has been updated it now detects that your computer has been infected. You might think that everything is fine now: your antivirus has detected the malware and offers to clean the infection!? The problem is that quite often a malware infection has had ample time to do its nasty business before it was detected and cleaned, thus your antivirus may very well clean the ‘original’ malware but may not pick up on some of the changes done to your system – this could be anything from harmless changes to the title bar of your Internet browser to more serious matters like the installation of backdoors, rootkits, botnet clients or other malware.

Anyhow, let us try to picture that your PC has now been well and thoroughly infected.

What do you do!?

  • Check that your antivirus is working and has the latest updates.
  • Do a complete system scan with your antivirus.
  • Restart your machine, do so by shutting down and then starting up the machine again (not a simple reboot)
  • Do another complete system scan with your antivirus.

Now many people think that once this is done, and the antivirus informs you that it has cleaned a number of infections, everything is fine; well, the correct answer is that MAYBE everything is fine. The problem is, as mentioned before, that you may not know how long your PC has been infected nor what has happened during this time – if the malware has installed what is known as a rootkit, this can be very hard to detect and may go completely unnoticed by your antivirus, thus we need to take additional precautions before we jump to the conclusion that everything is fine.

Additional steps/precautions;

  • Run Microsoft Malicious Software Removal Tool (MRT)
    This is a utility that Microsoft has included in Windows Update; it is thus installed on all PCs and updated monthly, and once a month an automated scan is made (without any warning or display, thus you will never notice it). You can launch this utility manually by opening a Run dialog box (Windows key + R), typing MRT.EXE and clicking OK; now click Next and do a complete scan (you can start with a quick scan, which is much faster, but I strongly suggest a full scan of the system to be safe).


Now your PC should be cleaned of infections; however, we still need to verify this.

  • Shut down your PC, start it again (a simple reboot is not enough), then do a new scan with your antivirus scanner.

Experienced users;

If you are an IT professional, here are a few additional steps you may try; these are optional extra steps, and you will still need to perform the steps above. I do not recommend these steps for novice/non-IT-professional users.

  • You can try to check which programs are set to autostart, looking for suspicious programs that are configured to start up automatically. This can be quite complicated to determine, as the references/names used are often difficult to identify (e.g. acr32rd.exe etc.). To check which programs and services autostart you can use the utility msconfig.exe (Windows key + R, type msconfig.exe and hit OK), or try the more advanced utility from http://live.sysinternals.com/autoruns.exe
    However, be cautious: if you disable important system files the PC may not boot correctly, and it may be difficult to undo the damage.
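As an added example (my own script, not from the post), a PowerShell listing of the most common autostart locations that msconfig and Autoruns show, with one extra column a scanner cannot give you: whether the executable behind each entry carries a valid Authenticode signature. It covers the Run/RunOnce registry keys for the machine and the current user plus the two Startup folders; services and scheduled tasks are out of scope here, which is an assumption of this example and one reason Autoruns remains the fuller tool. It only reads and reports; it disables nothing.

```powershell
# Added example (not from the original post): list Run/RunOnce entries and Startup
# folder items and flag executables without a valid Authenticode signature.
# Assumption: only these locations are covered (no services or scheduled tasks).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExePath([string]$cmdLine) {
    # Extract the executable from a command line such as  "C:\Tools\x.exe" /arg  or  C:\x.exe /arg
    $cmdLine = $cmdLine.Trim()
    if ($cmdLine.StartsWith('"')) {
        $end = $cmdLine.IndexOf('"', 1)
        if ($end -gt 1) { return $cmdLine.Substring(1, $end - 1) }
    }
    $exe = ($cmdLine -split '\s+')[0]
    return [Environment]::ExpandEnvironmentVariables($exe)
}

# Registry autostart values (the PS* properties are PowerShell metadata, not values).
$entries = @(foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }
        [pscustomobject]@{ Location = $key; Name = $p.Name; Command = [string]$p.Value }
    }
})

# Per-user and all-users Startup folders.
$startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
$entries += @(foreach ($d in $startupDirs) {
    Get-ChildItem -Path $d -File -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Location = $d; Name = $_.Name; Command = $_.FullName }
    }
})

# Signature status: Valid, NotSigned, HashMismatch, ... or FileMissing for dangling entries.
$entries | ForEach-Object {
    $exe = Get-ExePath $_.Command
    $status = if (Test-Path -LiteralPath $exe) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'FileMissing' }
    $_ | Add-Member -NotePropertyName Signature -NotePropertyValue $status -PassThru
} | Sort-Object Signature | Format-Table Signature, Name, Command, Location -AutoSize
```

Unsigned or missing binaries are not proof of anything (plenty of legitimate small tools are unsigned, and a .lnk in the Startup folder always reads NotSigned), but they are the entries to look up first, and HashMismatch on a file that claims to be signed deserves immediate attention. As the post says, do not disable anything from this list until you know what it is.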

Update May 4th 2011;
a new tool is available to scan and clean your pc;
Microsoft Security Scanner, get it free here;
http://www.microsoft.com/security/scanner/en-us/default.aspx

Update June 5th 2011;
Recently I mentioned the Microsoft Security Scanner (http://www.kanmandet.dk/?p=2011), a portable/standalone scanner for your PC; well, it seems Microsoft is stepping up their anti-malware/rootkit efforts – here is a link to their new scanner, Windows Defender Offline, http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline, a bootable ISO containing a rootkit and malware scanner. It is also worth noticing that the latest version of Microsoft DART “ERD Commander” (the old Winternals/Sysinternals utility to boot, modify and fix Windows installations) now also contains a malware scanning and removal utility – this is however sadly only available to Microsoft corporate license holders.

This link may also be useful; http://www.bleepingcomputer.com/download/anti-virus/rkill 
(direct download http://download.bleepingcomputer.com/grinler/rkill.exe)

Video tutorial to installing and cleaning using Malwarebytes scanner;
http://youtu.be/gme75Aq_goI – Danish version 
http://youtu.be/P26migKnHC8 – English version

Additional links added January 2011;

Kaspersky Rescue Disk 10 – a boot and clean disk you can use to cleanup your system (untested by me, but was recommended).
http://support.kaspersky.com/viruses/rescuedisk  (Free)

Sophos Anti-Rootkit (Free) – a detection and removal kit for Rootkits
http://www.sophos.com/en-us/products/free-tools/sophos-anti-rootkit.aspx

SpyBot Search and Destroy (Free) (I however still prefer Malwarebytes, but this is a good cleanup utility also)
http://www.safer-networking.org/

Software I use

On this page I will eventually try to list some or all of the software I use on a regular basis.

Updated Feb 19th 2011

I usually convert video using;
Any DVD Converter Pro – http://www.any-video-converter.com/products/


DVD backup is done using;
DvdFab – http://www.dvdfab.com/
AnyDvd (bypass region coding and more) – http://www.slysoft.com/en/anydvd.html


iTunes is used to manage my podcasts (and Audiobooks);
http://www.apple.com/itunes/download/

Media files are played using;
Media Player Classic (Home Cinema x64) – http://mpc-hc.sourceforge.net/


The problem with missing codecs etc. is solved via;
Windows 7 codec pack (Sharks) – http://www.shark007.net/


Photos and graphic is edited using;
http://www.getpaint.net/
and sometimes Photoshop from Adobe.


When I need to convert .MP3 to .M4B (iPod/iPhone audiobook format) I use these utils;
http://www.freeipodsoftware.com/
http://www.shchuka.com/software/mergemp3/


AVI video to DVD is created via;
http://www.vso-software.fr/products/convert_x_to_dvd/


AVI editing is done via;
http://www.photodex.com/products/proshow/producer
Windows DVD maker (live tools)


Virtual machines;

VmWare Workstation/Player for my Workstation and Hyper-V for my servers

Filecompression;
WinRar – http://www.rarlabs.com/


Files Shared via;
http://www.dropbox.com/


Passwords remembered via;
http://lastpass.com

Encryption;
http://www.truecrypt.org


Coding done via;
Borland Delphi 7 (old old version)


DRM removal (needed to play wmv on iPod) done via;

Drmbuster http://drmbuster.com/ (Simpler version)
TuneByte http://audials.com (more advanced)


Browsing done via;
IE + Firefox


CD-Burning done via;
Nero Burning Rom – http://www.nero.com/eng/nero-burning-rom-overview.html
Alternatives are; http://cdburnerxp.se/  –  http://www.imgburn.com/  –  http://infrarecorder.org/
But also check here; http://www.ghacks.net/2009/12/21/free-cd-burning-software/
http://mytechquest.com/windows/8-free-portable-cd-and-dvd-burning-software/


ISO Mounting is done like this;

http://www.kanmandet.dk/?p=1790


Mail is read using;
Microsoft Outlook 2010


Screenshots are taken via;
http://www.techsmith.com/jing/free/


Video/screen video captured via;
Hypercam 2 (Free) – http://www.hyperionics.com/hc/ 


Various Utilities I also use;
VirusTotal (scan files for viruses with many engines) – www.virustotal.com, and a right-click plugin http://www.virustotal.com/advanced.html#uploader
TeraCopy (MOST excellent, speeds up copying and much much more – a MUST have) – http://www.codesector.com/teracopy.php

Microsoft Security Essentials – Beta (Now Available)

Yes, it is here: “Microsoft Security Essentials”, the beta for Microsoft’s new free antivirus (previously codenamed Morro) and the replacement for OneCare Live, a paid antivirus solution Microsoft attempted earlier which reached end of life in June 2009.

We use Forefront Client Security (Microsoft’s corporate antivirus solution) at work, and it works quite well. The malware and antivirus part is just as good as any I have tried, but the corporate management part is somewhat lagging, I would say. But as Microsoft Security Essentials is a standalone product this is not an issue, and I would suspect the engine etc. to be the same as Forefront Client Security, so all in all I expect this to be an excellent product.

Read more;
http://www.microsoft.com/security_essentials/ 
Here you can also get the beta (if you are eligible)

http://hacktolive.org/wiki/Microsoft_Security_Essentials
Here you can also get the beta (if you are not eligible 😉 )

A pretty good walkthrough here;
http://www.winsupersite.com/win7/mse_beta.asp

Some random posts;
http://www.addictivetips.com/windows-tips/microsoft-security-essentials-review-with-screenshots/
http://www.pcworld.com/article/167160/is_microsofts_morro_malware_in_disguise.html

Other Neat Outlook tools

Bonus Outlook tools.

For some additional tools to help you manage Outlook files and contents, don’t forget about all the awesome (and portable) Outlook tools offered recently by Nir Sofer.

Outlook/Office Utilities – (freeware) – NirSoft.

NK2View – (freeware) – Did you know that if you use Outlook the email names used in the To/Cc fields are retained? The NK2 file is the “auto-complete” file. Great place to review if you are auditing an Outlook user’s PC. Anyway, this handy utility allows you to view the NK2 file, display all the email address records stored, and export them into various file formats. Handy for security techs. Also allows you to quickly edit, sort, save/restore, and delete items in the file itself. Particularly useful if you need to bulk-edit the contents due to changes/conversions in corporate address book items.

OutlookAttachView – (freeware) – This utility can help you locate, extract and/or remove attachments embedded in your Outlook email messages.  It displays the list of attached files in your Outlook’s mailbox, and allows you to easily select all attachments that you need, and then extract them into a folder that you choose. 

OutlookStatView – (freeware) – Nir is on a roll! For all you Outlook junkies out there, this tool can gather a lot of great statistics on your email habits. Quoting from Nir’s description, “OutlookStatView scans your Outlook mailbox, and display a general statistics about the users that you communicate via emails. For each user/email, the following information is displayed: The number of outgoing messages that you sent to the user (separated by to/cc/bcc), the number of incoming message that the user sent to you, the total size of messages sent by the user, the email client software used by this user, and the time range that you send/received emails with the specified user.”

Source; Claus V. http://grandstreamdreams.blogspot.com/2009/05/outlook-thread-compressor-new-escapee.html