Category: Computer Virus

WannaCry Ransomware: what is this?

Some of you may have heard of this virus.  On May 12th, 2017 the WannaCry attack began.  Within days it had infected almost a quarter of a million computers in around 150 countries.

Windows XP and Windows Server 2003 were the most exposed, because they were out of support and had no patch when the outbreak started, but few computers still run those operating systems.  Most of the computers impacted were running Windows 7.  Microsoft had already released the fix for the Windows file-sharing (SMB) flaw that WannaCry spreads through (security bulletin MS17-010) in March 2017; within days of the outbreak it also issued emergency patches for Windows XP and Server 2003, and as patches were applied to Windows computers further infections slowed down dramatically.

An infected computer displays a message stating that its files have been encrypted.

A demand is made for a payment in Bitcoin to the value of US$300.  If it is not paid within 3 days the amount is doubled to $600, and after 7 days the note threatens that the files cannot be recovered at all.  By the end of May 2017 a little under $130 thousand had been transferred to the attackers' Bitcoin wallet addresses.

What can you do to protect yourself?

  1. Back up your data.
  2. Back up your backup (keep multiple backups).
  3. Keep an "air gap" between your computer and your backup, i.e. disconnect the backup drive once the backup is complete.  Ransomware encrypts every drive it can reach, including a backup drive that is still plugged in.
  4. Test that your backups actually restore.
  5. Get some decryption tools.  Most of the main antivirus companies publish them.  The catch is that some tools need an unencrypted copy of a file (for example an image) alongside its encrypted version: by comparing the two they work out the key and then decrypt the rest.  This only works for ransomware families whose encryption was implemented badly, so it does not always work, but it is worth having.
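Steps 1 to 4 are only useful if you can tell that a backup is still intact.  The script below is an added example, not code from the original post: it stores a SHA-256 manifest next to a backup and re-checks it later, so a backup drive that was left connected while ransomware ran shows up as modified files plus an unexpected ransom note.  The folder names, file contents, manifest file name and note name are all constructed for the demonstration.

```python
"""Added example: hashed manifest so a backup can be verified, not just trusted."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"   # assumed name; stored beside the backed-up files


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST
    }


def backup_tree(src: Path, dst: Path) -> dict:
    """Copy src to dst (dst must not exist yet) and write the manifest into dst."""
    shutil.copytree(src, dst)
    manifest = build_manifest(dst)
    (dst / MANIFEST).write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest


def verify_backup(dst: Path) -> dict:
    """Re-hash the backup and report anything that differs from the manifest.

    'modified' is the signature of ransomware reaching a connected backup drive:
    same names, different contents.  'unexpected' catches dropped ransom notes.
    """
    expected = json.loads((dst / MANIFEST).read_text())
    actual = build_manifest(dst)
    modified = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    missing = sorted(p for p in expected if p not in actual)
    unexpected = sorted(p for p in actual if p not in expected)
    return {
        "ok": not (modified or missing or unexpected),
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
    }


def demo() -> tuple:
    """Constructed walk-through: back up a small office folder, verify it, then
    simulate ransomware on a still-connected backup drive and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "office"
        (src / "accounts").mkdir(parents=True)
        (src / "accounts" / "ledger.xlsx").write_bytes(b"constructed spreadsheet bytes")
        (src / "letter.docx").write_bytes(b"constructed document bytes")

        dst = Path(tmp) / "backup"
        backup_tree(src, dst)
        clean = verify_backup(dst)

        # Ransomware that can see the backup drive overwrites one file and
        # drops a note; the note name is a constructed placeholder.
        (dst / "letter.docx").write_bytes(os.urandom(64))
        (dst / "_README_.txt").write_text("your files are encrypted")
        tampered = verify_backup(dst)
    return clean, tampered


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered"), demo()):
        print(label, json.dumps(result))
```

Run the verify step on the disconnected drive before you rely on it, and again before you plug it back in: a manifest that still matches is the difference between "we have a backup" and "we have a backup we have tested".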

Ransomware Impact

A week or so ago a client of mine had their office attacked by a new variant of ransomware.  The virus spread across multiple office computers and also to all USB drives connected to the infected computers.

Not all the computers had current anti-virus protection (McAfee was running on one of the computers while another had an expired antivirus subscription).

There was no backup in place on any of the computers.

End result: most of the company's important data was lost.  MYOB data from 2 months earlier could be recovered from the accountant.  I managed to recover around 10 GB of data from one infected computer.  This consisted of Excel files, Word documents, PDF documents and images.  Over 16,000 files were encrypted on one of the computers.

Even Dropbox started to sync the encrypted files to the cloud.

Each encrypted file was renamed by having a random 6-character suffix added to the end of the file name after encryption.

A warning message was displayed on screen as a changed desktop wallpaper image.

In each folder where files were encrypted, a text file explaining what had happened was saved together with an HTML file providing links to get your data decrypted, provided a ransom was paid in Bitcoin.

[Image: Cerber ransomware message]

I attempted to get the data decrypted using a number of online tools from the major antivirus companies.  None of them could fix the data.  Since each file had a different random suffix added to its name, it was next to impossible to decrypt based on the extension name.
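The marks this infection left behind (a random suffix on every file, a text and HTML note in each folder, file contents that no longer look like documents) can be checked for automatically, which matters when you are deciding how far an outbreak has spread before restoring.  The script below is an added example, not the author's code or a vendor tool: it walks a folder tree and flags files with an unrecognised random-looking extension, files whose first 4 KB have near-maximum byte entropy without a recognised file header, and note files whose names contain common ransom-note words.  The known-extension list, note-name pattern, entropy threshold and the sample tree it builds are assumptions chosen for the demonstration.

```python
"""Added example: flag files and folders that show the marks of a Cerber-style encryption run."""
import math
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumed list of extensions this office expects to see; extend for your environment.
KNOWN_EXT = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".txt", ".html", ".csv"}
# Assumed ransom-note name pattern: note words, any text, .txt or .html ending.
NOTE_NAME = re.compile(r"(decrypt|readme|recover|restore|help).*\.(txt|html?)$", re.I)
# Magic bytes of common compressed formats, which legitimately have high entropy.
MAGIC = (b"PK\x03\x04", b"%PDF", b"\xff\xd8\xff", b"\x89PNG")
ENTROPY_LIMIT = 7.5   # bits per byte; uniformly random ciphertext approaches 8.0
HEAD = 4096           # bytes examined per file


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def random_suffix(name: str) -> bool:
    """Cerber appended a short random extension; flag 4-8 alphanumerics we do not recognise."""
    ext = Path(name).suffix.lower()
    return bool(re.fullmatch(r"\.[a-z0-9]{4,8}", ext)) and ext not in KNOWN_EXT


def scan_tree(root: Path) -> dict:
    """Walk root; return suspect files with reasons, ransom notes, and folders holding notes."""
    suspects, notes = {}, []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if NOTE_NAME.search(p.name):
            notes.append(rel)
            continue
        reasons = []
        if random_suffix(p.name):
            reasons.append("random-suffix")
        head = p.read_bytes()[:HEAD]
        # High entropy alone would also flag zips, PDFs and JPEGs, hence the magic check.
        if shannon_entropy(head) > ENTROPY_LIMIT and not head.startswith(MAGIC):
            reasons.append("high-entropy")
        if reasons:
            suspects[rel] = reasons
    note_dirs = sorted({str(Path(n).parent) for n in notes})
    return {"suspects": suspects, "notes": notes, "note_dirs": note_dirs}


def demo() -> dict:
    """Constructed tree: two intact files, two encrypted copies with random suffixes,
    and a txt/html note pair in one folder.  All contents are placeholders."""
    ciphertext = bytes(range(256)) * 16   # every byte value equally often: entropy 8.0
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "photos").mkdir()
        (root / "docs" / "report.docx").write_bytes(b"PK\x03\x04" + b"constructed low-entropy body")
        (root / "docs" / "report.docx.k3x9qz").write_bytes(ciphertext)
        (root / "docs" / "# DECRYPT MY FILES #.txt").write_text("constructed note")
        (root / "docs" / "# DECRYPT MY FILES #.html").write_text("<p>constructed note</p>")
        (root / "photos" / "holiday.jpg").write_bytes(b"\xff\xd8\xff" + b"constructed low-entropy body")
        (root / "photos" / "holiday.jpg.p7wq2m").write_bytes(ciphertext)
        return scan_tree(root)


if __name__ == "__main__":
    print(demo())
```

Point `scan_tree` at a mounted copy of the affected drive rather than the live machine, and treat `note_dirs` as the list of folders the malware actually reached; a folder with no note and no suspects is a candidate for salvage.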

Cerber virus description

[Image: Cerber ransomware description]

BACKUP BACKUP BACKUP!!!


Contact me and I can put something in place to minimize the risk to you or your business.

0414405007  (Natan)

Odin Ransomware

On the 3rd of October 2016 I received an urgent call from one of my customers.  They had started one of their computers in the office and this triggered what ended up being the "ODIN" ransomware virus.  It quickly spread to their server, infecting files on both computers.  It appeared that a file called payment_receipt_contact_235142.zip contained a JavaScript file (.js) which contained the virus.

Read this article from Sophos: ODIN Ransomware Virus article

[Image: the payment_receipt_contact_235142.zip attachment]
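The delivery vector here, a .js file inside a zip attachment, is easy to check for at a mail gateway or before a user double-clicks the attachment.  The script below is an added example, not code from the post or from Sophos: it opens a zip in memory, flags members with a script extension, flags double extensions such as invoice.pdf.js, descends into nested zips to a fixed depth, and refuses archives whose declared size exceeds a limit.  The sample archive it builds reuses the attachment name from the post but contains a harmless placeholder comment, not the real downloader; the extension lists, depth and size limits are assumptions.

```python
"""Added example: inspect a zip attachment for the script payload that the Odin lure used."""
import io
import zipfile
from pathlib import PurePosixPath

# Assumed lists: extensions Windows will run as scripts or programs, and
# document-like extensions used as the decoy half of a double extension.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
               ".bat", ".cmd", ".ps1", ".scr", ".exe"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
MAX_DEPTH = 2                     # nested zips to open (assumed limit)
MAX_INFLATED = 20 * 1024 * 1024   # refuse to inflate more than this (zip-bomb guard)


def _extensions(member: str) -> list:
    """All dot-suffixes of a member name, lower-cased: invoice.pdf.js -> ['.pdf', '.js']."""
    return [s.lower() for s in PurePosixPath(member).suffixes]


def inspect_zip(data: bytes, depth: int = 0) -> list:
    """Return (member, reason) findings; an empty list means nothing script-like was found."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "not a valid zip")]
    with archive:
        declared = sum(info.file_size for info in archive.infolist())
        if declared > MAX_INFLATED:
            return [("<archive>", f"declared size {declared} bytes exceeds limit")]
        for info in archive.infolist():
            if info.is_dir():
                continue
            exts = _extensions(info.filename)
            last = exts[-1] if exts else ""
            if last in SCRIPT_EXTS:
                findings.append((info.filename, f"script payload ({last})"))
                if len(exts) > 1 and exts[-2] in DECOY_EXTS:
                    findings.append((info.filename, "double extension: document name hiding a script"))
            elif last == ".zip" and depth < MAX_DEPTH:
                # Lures often wrap the script in a second zip; look inside, but not forever.
                for member, reason in inspect_zip(archive.read(info), depth + 1):
                    findings.append((f"{info.filename}/{member}", reason))
    return findings


def make_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: content} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buf.getvalue()


def lure_sample() -> bytes:
    """Constructed stand-in for the attachment named in the post; the .js body is a
    harmless comment, not the real downloader."""
    return make_zip({"payment_receipt_contact_235142.js":
                     "// constructed placeholder, not malware\n"})


if __name__ == "__main__":
    print(inspect_zip(lure_sample()))
    print(inspect_zip(make_zip({"receipt.pdf": b"%PDF-1.4 constructed"})))
```

The check is deliberately based on what Windows would execute, not on the file's claimed type: a receipt that arrives as a .js, .wsf or .hta has no legitimate reason to exist, so any finding is grounds to quarantine the message rather than warn the user.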

I immediately told them to disconnect the backup drive that was connected to the server, in the hope that the virus had not yet spread to this device.  Fortunately the drive was not infected.  Very lucky!

Once I was able to pick up the two infected computers, I determined that the antivirus that was "running" on the first computer was a trial version which had expired, so it was not updating itself.

[Image: expired Trend Micro trial]

Computer 1 had over 3000 infected files and the server had over 9000.  Infected files were renamed filename.odin, like the Viking god.

In addition, when the computer started up, the following message was presented.

[Image: Locky/Odin ransom message]

So, what had to happen from here.

The two infected computers did not have recovery discs or any record of the Windows software licences.  I did determine that there was what is called a recovery partition on each computer's hard drive.

[Image: recovery partition]

I triggered a rebuild of the computers using this recovery partition, which resulted in Windows being reloaded (no Windows 10 Pro product key required).

All other software now needed to be reinstalled: Office, Adobe, Chrome, Firefox etc.

I downloaded and installed a 30-day trial copy of Trend Micro Maximum Security 10 antivirus, which could be activated within 30 days.  This protected the two newly rebuilt computers until activation.  The workstation (i3 CPU) took over 10 hours to rebuild and the server (i5) took closer to 4 hours.

I have recommended that multiple backups be implemented, with there always being a current backup which is not connected to the system/network.  This is what is called an "air gap", and it prevents the backup from getting infected.

I have also recommended having a full image taken of each computer in the office and stored on a separate drive (ideally two drives), to cover a system crash or a drive failure where you would lose the recovery partition as well.  It is easier to recover from such an image.

It might be strange to say this, but it could have been so much worse, for example with:

  • No backup, or an infected backup.
  • A corrupted or missing recovery partition.
  • More computers infected in the office, had it not been detected as soon as it was.  The other machines were turned off, so they were not impacted.

CryptoLocker or TorrentLocker Virus

I spent an hour today, 7-7-2016, participating in a webinar from Trend Micro discussing the threat from TorrentLocker and the like.  Australia is being hit particularly hard with these viruses.  They come in the form of an email purporting to be from AGL, Australia Post, the Australian Federal Police and a few others.

[Image: sample virus emails]

Do not follow the instructions in the email to enter a CAPTCHA code to download something.

From Trend Micro:

If you are a Trend Micro customer:

  • Make sure web reputation is on.
  • Must have IP reputation on, at least QIL level 2.

At present we have seen 70 compromised websites redirecting traffic to the TorrentLocker landing page:
hxxp://silver-gold-arbat.ru/FgP5XIzvmqGu/9GKsCc8pDIMPA.php?

hxxp://divorcefinancehelp.com/XCEUx/OJ0vid81.php

They are using landing pages such as:
hxxp:// aglbill-tracker2.net

We advise IT Managers:

  • Put such landing pages into firewalls for protection of other servers / devices (noting that they will rotate through multiple landing pages).  They have changed tactics, and now the landing page is delivering malicious JavaScript rather than using a public download site.

We advise users:

Not to enter CAPTCHA codes on any energy / bill related websites.

[Images: AGL1, AGL2 (sample AGL-themed phishing emails)]