Ransomware infected work computer and shared network hd

bball1523

Senior member
Jun 26, 2005
This past week a form of CryptoLocker-style ransomware called TeslaCrypt infected a work computer or two and infected a shared network hard drive. A lot of the files on the shared network hard drive and some on one of the computers have a ".ecc" file extension. The TeslaCrypt private key will be destroyed at a certain time tomorrow morning.

I'll find out more later on if we had backups of the files that were changed to .ecc, but for now I don't know.

I have a few questions if anyone is able to help:

1) Does anyone have any advice on fixing this issue and getting the files back to a normal extension without any infection?

2) Also, after the private key is destroyed, does anyone know if the files can still be decrypted?

3) Can we still use the infected PC and its internet without any further infection of non-infected files and without the infection spreading to other computers on the server?

Thanks

Thread moved to security, from general computer help. -Admin DrPizza
 
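Before deciding anything about backups or the deadline, the first job is to size the damage on the share and find out which machine did the encrypting. The script below is an added example, not something from this thread or from any of the posters. It assumes a share UNC path (`\\fileserver\shared`, a placeholder), and that each encrypted file keeps its original name with `.ecc` appended, which is how the post describes the files. Run it from a clean machine with read access to the share, not from the infected PC.

```powershell
# Added triage script (not from the thread). Assumptions: the share path below,
# and that "report.xlsx" became "report.xlsx.ecc" (original name + .ecc).
$Share     = '\\fileserver\shared'                 # assumption: the share that was hit
$Extension = '.ecc'
$Report    = Join-Path $env:TEMP 'ecc-triage.csv'

$hits = Get-ChildItem -Path $Share -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -ieq $Extension }

if (-not $hits) {
    "No $Extension files found under $Share"
    return
}

# The NTFS owner of a newly created file is the account that created it, so the
# owner of the .ecc files points at the user (and therefore the workstation)
# the ransomware ran as. Grouping by owner separates one infected PC from two.
$rows = foreach ($f in $hits) {
    $owner = try { (Get-Acl -LiteralPath $f.FullName).Owner } catch { 'unknown' }
    [pscustomobject]@{
        Path     = $f.FullName
        Original = $f.FullName.Substring(0, $f.FullName.Length - $Extension.Length)
        Owner    = $owner
        Written  = $f.LastWriteTime
    }
}
$rows   = @($rows)
$sorted = $rows | Sort-Object Written

# The CSV is the work list for whatever restore comes next (backup, shadow copy).
$rows | Export-Csv -LiteralPath $Report -NoTypeInformation

"Encrypted files : $($rows.Count)"
"First write     : $($sorted[0].Written)"     # start of the encryption window
"Last write      : $($sorted[-1].Written)"    # end of it (or 'still running' if it keeps moving)
"Report          : $Report"
"By owner (likely source account):"
$rows | Group-Object Owner | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

Two things to read off the output: the first/last write times bracket the encryption, which tells you which backup or snapshot is old enough to be clean, and the owner breakdown names the account to go and unplug. Run it twice a few minutes apart while the suspect PCs are still connected; if the count grows, something is still encrypting and the share has to come off the network before any restore. The owner heuristic is only that: if files are written through a service account or an application, the owner will be that account rather than the user.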

redzo

Senior member
Nov 21, 2007
1) The backup is the only chance you've got if you want to recover those files. Of course, as long as the files were backed up before the encryption process took place.
2) Decryption occurs when you own the key. Cracking the encrypted data is impossible.
3) As long as you are sure that the system is now disinfected, I do not see any reason why you can't use the system, but it is safer to do a system OS reinstall.

Pretty much all data encrypted with modern crypto ransomware is impossible to crack because they throw away the key/destroy it, or send it over the internet to some obscure location. If you ask for support at your favorite commercial security app, they will tell you that the data is lost forever and that they can help/assist you only with the disinfection of the affected system.
 

XavierMace

Diamond Member
Apr 20, 2013
Nuke the system from orbit then restore from last backup prior to the encryption.

Then smack whoever infected the system.
 

bball1523

Senior member
Jun 26, 2005
Thanks for the advice everyone.

The problem was resolved some way and I think we had backups or something.
 

corkyg

Elite Member | Peripherals
Super Moderator
Mar 4, 2000
Great! But XavierMace's comment stands! Someone got that by visiting an unauthorized web site. Tighten the discipline!
 

corkyg

Elite Member | Peripherals
Super Moderator
Mar 4, 2000
Not necessarily. Flash needs to die like ASAP.

OK, and just where did the Flash pick it up? Well-disciplined companies do not allow personal flashes or other media to be used.

This thread really belongs in the Security Forum. You had an excellent comment there on the same subject.
 

WilliamM2

Platinum Member
Jun 14, 2012
OK, and just where did the Flash pick it up? Well-disciplined companies do not allow personal flashes or other media to be used.

This thread really belongs in the Security Forum. You had an excellent comment there on the same subject.

He is talking about Flash on websites.

We had one of our salesmen infect his laptop with ransomware; he got it through an email attachment. I would say getting it from a website, authorized or not, is far less common.
 

corkyg

Elite Member | Peripherals
Super Moderator
Mar 4, 2000
Understood - email attachments should always be screened. It's just being "street smart." As for things like Adobe Flash sound, very few businesses have any need for that.
 

Elixer

Lifer
May 7, 2002
Understood - email attachments should always be screened. It's just being "street smart." As for things like Adobe Flash sound, very few businesses have any need for that.

True, all businesses should immediately uninstall Flash, or at the very least lock it down.

Rule #2 is always have multiple levels of active backups done remotely.
(in other words, keep a history of the file(s) in question)

Rule #3: strip all attachments from e-mail except for plain text, and maybe some documents depending on what they are from.

Rule #4: each employee should be running in a VM, so if they do screw up, the damage is mitigated to their machine, or run Linux.
 

corkyg

Elite Member | Peripherals
Super Moderator
Mar 4, 2000
Echo those rules. I really like #4!
 

KeithP

Diamond Member
Jun 15, 2000
Not necessarily. Flash needs to die like ASAP.

Not a fan of Flash either but in that particular example, you had to be running an outdated version of Flash (according to Malwarebytes). They also appear to be running an older version of IE.

In the provided example the Malwarebytes folks were sensationalizing the infection without mentioning the details in which it could actually spread. I believe they did this to promote their own product while ignoring the fact that simply keeping your software up to date would have thwarted the malicious Flash ad.

-KeithP
 

Kaido

Elite Member & Kitchen Overlord
Feb 14, 2004
OK, and just where did the Flash pick it up? Well-disciplined companies do not allow personal flashes or other media to be used.

This thread really belongs in the Security Forum. You had an excellent comment there on the same subject.

Niche companies do that, but real-world companies do not. Imagine saying no media to a design company, a newspaper company, etc. With more millennials working now, there's more pressure to have a more socialized network where people can watch Youtube on their lunchbreak & so on, and if you're getting paid to do your job, you pretty much have to live within the rules that management sets, no matter how crazy they may be in terms of security protection. Sure, in a perfect world, users would be locked out of everything, and a few companies I work with actually do that (the best ones just do a stripped-down Terminal session of some kind, MS or Citrix or whatever, with a thin client...sooooo nice for IT management), but it's definitely not the bulk of businesses out there.

imo we as IT support shouldn't have to rely on users not making dumb decisions, because that's exactly what they do (at least from our perspective). They go to bad websites, they download bad things, they open bad emails. There's a fine line between limiting what they can do & having to have IT staff there to babysit them all day in case they need some new program installed or whatever. I had a private company with very high security get nailed with a zero-day Cryptolocker variation; fortunately they did full nightly backups off the network, so we nuked the offending computer, restored it using a master image, & did a quick restore on their file server, so that wasn't too bad...but it's just not possible to be 100% protected, and it gets to be a hassle when you over-do protection to the point where you have to manage every aspect of the user's desktop experience, especially when companies don't have the budget for that kind of manpower.

It's the best when you have employees go to multiple security training "don't do this" sessions, sign off on what they learned, & they go and download free screensavers & crap anyway :D
 

Kaido

Elite Member & Kitchen Overlord
Feb 14, 2004
Not a fan of Flash either but in that particular example, you had to be running an outdated version of Flash (according to Malwarebytes). They also appear to be running an older version of IE.

At most places I consult with, I remove Flash for IE & install Chrome. They can still use IE for specific websites that require ActiveX or other compatibility requirements, but at least with Chrome they get the auto-update feature that includes PepperFlash or whatever.
 

debian0001

Senior member
Jun 8, 2012
Do you have shadow copy enabled on the file server? You can just restore an older version of the files. Otherwise, I hope you have backups.
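If the file server keeps shadow copies of the volume behind the share, the pre-encryption versions are still sitting in the newest snapshot taken before the first .ecc was written. The script below is an added example, not from this thread or from debian0001; it assumes placeholder values for the share's local folder (`D:\Shared`), its drive letter, a mount point, and the time the encryption started (take that from the earliest .ecc write time). Run it elevated on the file server, after the infected workstations are off the network.

```powershell
# Added restore script (not from the thread). All paths and the start time
# below are assumptions to adjust; it picks the newest snapshot that predates
# the encryption, exposes it as a folder, and copies each encrypted file's
# original back into place. The .ecc files are left alone for later cleanup.
$LocalShareRoot  = 'D:\Shared'                    # assumption: local folder behind the share
$DriveLetter     = 'D:'                           # assumption: volume holding that folder
$EncryptionStart = [datetime]'2015-05-05 08:00'   # assumption: earliest .ecc LastWriteTime
$Extension       = '.ecc'
$MountPoint      = 'C:\shadow_restore'            # assumption: unused path for the snapshot link

# Shadow copies that belong to the share's volume, oldest first.
$volumeId = (Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $DriveLetter }).DeviceID
$shadows  = Get-CimInstance Win32_ShadowCopy |
            Where-Object { $_.VolumeName -eq $volumeId } |
            Sort-Object InstallDate
$shadows | Format-Table InstallDate, ID, DeviceObject -AutoSize

# Only a snapshot taken before the encryption started holds clean copies; a
# later one just contains the .ecc files again. Use the newest clean one.
$clean = $shadows | Where-Object { $_.InstallDate -lt $EncryptionStart } | Select-Object -Last 1
if (-not $clean) {
    throw "No shadow copy of $DriveLetter predates $EncryptionStart; restore from offline backup instead."
}

# Expose the read-only snapshot as a directory; mklink needs the trailing
# backslash on the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path.
if (Test-Path -LiteralPath $MountPoint) { cmd /c rmdir $MountPoint | Out-Null }
cmd /c mklink /d $MountPoint "$($clean.DeviceObject)\" | Out-Null

$encrypted = Get-ChildItem -Path $LocalShareRoot -Recurse -File -Force |
             Where-Object { $_.Extension -ieq $Extension }

$restored = 0
$missing  = New-Object System.Collections.Generic.List[string]
foreach ($f in $encrypted) {
    # photo.jpg.ecc -> photo.jpg, then the same relative path inside the snapshot
    $original = $f.FullName.Substring(0, $f.FullName.Length - $Extension.Length)
    $relative = $original.Substring($DriveLetter.Length).TrimStart('\')
    $snapshot = Join-Path $MountPoint $relative
    if (Test-Path -LiteralPath $snapshot -PathType Leaf) {
        Copy-Item -LiteralPath $snapshot -Destination $original -Force
        $restored++
    } else {
        $missing.Add($original)   # created after the snapshot: only a backup can bring it back
    }
}

cmd /c rmdir $MountPoint | Out-Null   # removes the link only, never the snapshot
"Restored $restored files from the $($clean.InstallDate) shadow copy; $($missing.Count) had no snapshot copy:"
$missing
```

Two caveats before trusting this. Ransomware running on a workstation routinely deletes the shadow copies of that workstation, but it has no control over snapshots on a file server it only reaches over SMB, so the server-side copies usually survive; what does kill them is the snapshot storage filling up, and a mass rewrite of the whole share is exactly the kind of churn that makes VSS rotate the oldest snapshots out, so check the listed InstallDate values before assuming the clean one is still there. And from a client, the same snapshots are reachable without any of this through the Previous Versions tab, or by path as `\\server\share\@GMT-YYYY.MM.DD-HH.MM.SS\folder\file`, which is enough for a handful of files; the script is for when the whole tree needs doing.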
 

Zodiark1593

Platinum Member
Oct 21, 2012
My viewpoint being if people want to look up their own personal stuffs or socialize, do it on their own devices, not company computers. Lock em down I says. :p
 

Mide

Golden Member
Mar 27, 2008
Nuke all systems, restore from backups. If no backups, you're up a creek or pay the baddies.