Windows 8 Ransomware

[Willo3092]

My home PC was playing up this morning and I tried to restore a backup but it failed.
Restarted and couldn't access my home network and I then noticed that some of my dropbox files were renamed with a .??elec extension.
I opened another file and it was a ransomware message.

I immediately pulled the plug and network cable but then had to go to work.
I've accessed my home network from work and noticed that some of the files on there have also been renamed with the strange extension, but not all.
I have shut the server down remotely.

My question is, will my network server continue to propogate the malware if I restart it or is it reliant on the host computer?
It's a Synology NAS so not Microsoft Windows.

I'm a bit limited as to what I can google at work

 

[lincsat]

I would suspect that your PC has the malware/virus and it's renaming files. Maybe best to access from another PC and virus scan all the files on the NAS before you do anything else.

 

[Willo3092]

Will be a job for tomorrow now as I'm at work until 11pm.
I just wondered if the ransomware can spread once the main PC is shut down. It only seems to have affected network shares on the NAS.

 

[steptoe]

do you have a spare external HDD.?
you could try running a LIVE Ubuntu session from a USB stick and see if photorec can recover any of the original extensions to the external HDD
assuming that the ransomware is windows dependent, it wont have access to the root paswsword of Ubuntu/Linux, so wont be able to take ownership of any more files

EDIT : your NAS is probably running SAMBA with a FAT filesystem so its windows compliant (?) ?? , so therefore able to be read/write/copy/delete etc from your windows machine, is that correct.?
if that is the case I'd deffo not be starting up the windows machine again until you have tried recovery, you can also try recovering your files on the windows machine via the LIVE USB and then reformat and re-install

 

[woody6222]

I have a spare pc you can borrow if you need a cleanup machine.

 

[Willo3092]

I'm not going to lose anything mate as I make regular backups to external media and cloud services.
The files are proper encrypted, not just renamed so will format my PC and all internal drives and reinstall.
It's just that some of the files on my NAS shared drives were also encrypted and I don't want to reinstall if the NAS is now infected.

I just want to confirm if anyone knows if the malware is working from the host PC or does it spread to other devices?

I managed to grab the ransomware notice before shutting the NAS down:

---= GANDCRAB V5.2 =---

***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************

*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****

Attention!

All your files, documents, photos, databases and other important files are encrypted and have the extension: .RIELEC

The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.


The server with your key is in a closed network TOR. You can get there by the following ways:

----------------------------------------------------------------------------------------

| 0. Download Tor browser - https://www.torproject.org/

| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/97bb827b49c2ab80
| 4. Follow the instructions on this page

----------------------------------------------------------------------------------------


On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.


ATTENTION!

IN ORDER TO PREVENT DATA DAMAGE:

* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW

BELOW THIS WERE THE ENCRYPTION KEYS

 

[Willo3092]

I have a spare pc you can borrow if you need a cleanup machine.

Cheers Woody but I've already got a spare PC, just don't want to connect it if the NAS is infected.

 

[steptoe]

I'd hazard a guess that any of the files on the FAT could have been modified to carry the virus as the ransomware took ownership of them via windows.
but, I know more about fish suppers than computers, and I know fek all about fish suppers.

 

[woody6222]

It won't matter if this gets infected.

 

[Willo3092]

I've been onto Dropbox online and everything is encrypted.
Good news is that you can restore previous versions of a file.
Tried it on one file and it has remained unencrypted so far.

All my photos seem okay on Google Drive too so hopefully will just need a reinstall.

 

[ASHHBI]

Out of interest what anti virus/malware/ransomware software were you running?

 

[Willo3092]

Malawarebytes

 

[ASHHBI]

Have you accessed your nas yet and run its virus/malware software?

 

[Willo3092]

No, I'm at work till late but I think the host pc was encrypting files on shared drives.
I didn't even think of checking my NAS until I got to work. Some files were encrypted and some not so hopefully stopped it.
Will it show up as a virus though? It got past Malawarebytes without any problem.

 

[woody6222]

https://www.google.co.uk/search?sou...46.1......0....2j1..gws-wiz.....0.6CY52sYhhYA

 

[cactikid]

What malwarebytes were you running and last scan done?
https://malwaretips.com/blogs/remove-gandcrab-v5-2-ransomware/

 

[southsimon]

we always used to use trend micro at work before moving to a different brand, but I still use them for home stuff, I believe you can use house call to scan your NAS. hope it helps m8.

https://success.trendmicro.com/solution/1055290

 

[Willo3092]

Finally sorted my ransomware issue (without paying the ransom!)
Luckily I have always been quite anal about backing up my data and was fortunate enough to be at my computer when the attack started and pulled the plug before too much damage was done.

I have no idea how I managed to unleash this nasty piece of work but I suspect it was hiding in a torrent download.
It managed to get past Malawarebytes but this may be an old version that had not been updated.

I first noticed something was wrong when my PC fan went into overdrive for no apparent reason.
This was obviously due to the exe file encrypting my data as fast as possible.

My browser then stopped responding and went back to default settings.
I then opened a folder and saw a text file named RIELEC-MANUAL.txt which was the ransom message.
The RIELEC part of the filename is randomly generated and is the extension that the encrypted files are renamed with.

I then pulled the network and power leads to prevent further damage.

This particular ransomware is named GANDCRAB 5.2 and there is no current way of rescuing your data apart from paying the ransom.

Luckily the nasty little exe file that encrypts the data seems to remain in the C:\User\Appdata\ folder and doesn't spawn to other drives.

It will encrypt data on any drive that is connected to the computer and this includes removeable drives and mapped network drives.

My advice is to unplug or power off any backup drives after backing up your data and to unmap network drives. It's easy enough to create shortcuts to your network in a dedicated folder.

I have reinstalled by pulling the C: drive out altogether and putting a new SSD drive in.
I've then reinstalled an AOEMI backup and formatted my other drives.

I have then just used find and delete to get rid of any encrypted files on my NAS and restored backups.
I have also bought a years sub for Total AV to save myself all this hassle again!

Hopefully this will help someone else.

 

[Willo3092]

What is GANDCRAB 5.2?

GANDCRAB 5.2 is ransomware-type program used by developers (cyber criminals) to encrypt data stored on victims' computers and to keep it in that state until a ransom is paid. This program creates a ransom message and generates a random name for it. For example, "DSEWRBG-DECRYPT.txt". GANDCRAB 5.2 does the same with the extension, which it adds to each encrypted file. For example, "1.jpg" becomes "1.jpg.dsewrbg". It also changes the victim's desktop wallpaper. GANDCRAB 5.2 is one of many variants of GANDCRAB ransomware.

In the "DSEWRBG-DECRYPT.txt" ransom message (its name can vary), cyber criminals urge victims not to delete this text file until the data is recovered (decrypted). They state that deleting it might cause decryption errors. They claim that the only way to decrypt data is to purchase a decryption key from them. To proceed with data decryption, GANDCRAB 5.2 victims are encouraged to download and install the TOR browser and then to open the link provided in the ransom message. The website contains a deadline that, unless met, will double the cost of decryption. Therefore, if the initial cost of a decryption key is $1200, after a certain period of time has elapsed, it will increase to $2400. To make payment, victims must use the DASH or Bitcoin cryptocurrencies and transfer it by clicking a link that leads to a cryptocurrency wallet address. Before making payment, these cyber criminals offer free decryption of one file. This is common to ransomware developers who offer this 'proof' that they are capable of providing tools or keys required for successful data decryption. Recently, a malware security company called Bitdefender released a decryption tool that is capable of restoring files that were encrypted by previous versions of GANDCRAB ransomware. Therefore, it is very likely that these cyber criminals (GANDCRAB 5.2 developers) have released a new version in response. There are no tools capable of GANDCRAB 5.2 file decryption free of charge (at least not at the moment). Therefore, people with computers infected by this ransomware can be blackmailed and are forced to contact the developers. Most cyber criminals use cryptography algorithms (symmetric or asymmetric) that make decryptions without using a specific tool impossible. Unfortunately, only ransomware developers have these tools. If a computer is infected with GANDCRAB 5.2, the only free way to recover data is to use a backup and restore everything from there.
Many cyber criminals develop ransomware-type programs, however, most are very similar. GANDCRAB 5.2 shares similarities with many other malicious programs of this type such as Shadi, Cammora, and Heets. Most of these infections encrypt data and keep it in this state until the ransom is paid or decryption tool is purchased. Main differences are usually cost of tool and cryptography algorithm used to encrypt data. Encrypted files can be decrypted only if the ransomware is not fully developed, contains bugs/flaws, and so on. Therefore, we recommend that you maintain regular backups and keep them on remote servers or unplugged storage devices. These backups are then protected from being encrypted with other data.

 

[systemlord]

I've never actually had ransomware but I have had a few emails claiming it's there and they've been using my web cam to record my online porn viewing and they will email that video of me watching it and me 'ahem' to all my email contacts if I didn't pay the Bitcoin. At first I was worried because they knew an old password of mine which I hadn't used in ages and that it didn't matter if I'd changed it as the virus would inform them of the new one.

The giveaway was, first I have a piece of black tape covering my laptop webcam, and second, I only watch porn via my 55inch TV in another room as a second monitor which doesn't have any web cam. Suffice to say, I didn't hear from them again.