Clients data encrypted, no idea of source ... any tips?

thecomputerguy

thecomputerguy

Well-Known Member
Reaction score
1,368
I have a rather larger client who over the weekend had all of their data on their mapped drives encrypted with the usual text file with a contact email for bitcoin.

Thankfully we do have backups and I am working on restoring about 2TB of data which is taking quite awhile because I want to make sure the encrypted bad data is backed up before I erase it in case I need it.

So my plan is to backup all of the bad encrypted data onto an external, then restore from backup to another external then copy it back into place, the whole process I'm expecting to take about 24hrs.

The worst part about this is that I have not located the culprit and I am afraid of the data getting re-encrypted once it's back in place. I've manually checked all PC's and Surface's. I've done full scans on all computers most of which came up with nothing or just some bad chrome extensions. All PC's had AV specifically Emsisoft (full scans clean). Usually it's easy to spot the culprit because the offending PC would have it's local contents encrypted but none of the PC's local data was encrypted. They do have people remoting in through RDS but I've checked all of those logins and everything looks fine. Ran through the task manager on all PC's and saw no strange looking processes.

It's literally just the mapped drives whose data was encrypted. Luckily their ACT database and the QB database weren't affected, but I don't think they usually get targeted anyways.

It looks like the encryption began around 6PM yesterday, but no one claims to have been in the office, then there is a burst of files encrypted this morning around 8AM. So maybe this thing was sitting dormant for days/weeks?

I explained this is usually from a fake Fedex or UPS email that someone clicks on and downloads an executable but of course no one would fess up to that.

Any tips here?
 
This is the text file:

Hello, dear friend!
All your files have been ENCRYPTED
Do you really want to restore your files?
Write to our email - kof12@tuta.io or kof13@tuta.io
and tell us your unique ID - ID-5WYUVFED


lol ... dear friend.
 
Porthos said:
After you back up.

I always nuke the current install "just" in case. I don't trust a compromised computer after a ransomware attack.
Click to expand...

Yeah normally I would if I can find the offending computer. There is some info online of this particular ransomeware having the ability to brute force it's way through RDS ... I changed all passwords for remote users and disabled the unused ones.
 
Searching for those email addresses yielded two links related to that domain, both different vectors.

https://sensorstechforum.com/decrypt-heinekentuta-io-files-free-cryptconsole-virus/
https://sensorstechforum.com/_relock001tuta-io-files-virus-remove-restore-data/

How did you do the scans? Personally I never use the in place AV solution. If something happened then it did not do it's job so it's of little use.

To start I'd try to find when this started via metadata. As in last modified date which might help. I'd also try to narrow it down as to which machines have access to all of those files vs some of those files.

Then evaluate the site. Are they providing any services from the site? Such as VPN. Having been only on the "server" points to that box as a starting point.

Some things I'd do.

1. Build a bootable AV distro and scan the server.
2. Scan a couple of local workstations.
3. Do a full reset on all browsers on all machines.

To be honest this situation would make me very paranoid.
 
thecomputerguy said:
Yeah normally I would if I can find the offending computer. There is some info online of this particular ransomeware having the ability to brute force it's way through RDS ... I changed all passwords for remote users and disabled the unused ones.
Click to expand...
Sorry, I just glanced at the topic and then reread and saw "server" Good luck.
 
Markverhyden said:
Searching for those email addresses yielded two links related to that domain, both different vectors.

https://sensorstechforum.com/decrypt-heinekentuta-io-files-free-cryptconsole-virus/
https://sensorstechforum.com/_relock001tuta-io-files-virus-remove-restore-data/

How did you do the scans? Personally I never use the in place AV solution. If something happened then it did not do it's job so it's of little use.

To start I'd try to find when this started via metadata. As in last modified date which might help. I'd also try to narrow it down as to which machines have access to all of those files vs some of those files.

Then evaluate the site. Are they providing any services from the site? Such as VPN. Having been only on the "server" points to that box as a starting point.

Some things I'd do.

1. Build a bootable AV distro and scan the server.
2. Scan a couple of local workstations.
3. Do a full reset on all browsers on all machines.

To be honest this situation would make me very paranoid.
Click to expand...

I usually use MBAM and Super Antispyware and manually comb through the machine. Yeah I'm super paranoid which is why I am doing everything the long and slow way of making sure EVERYTHING included bad data is backed up.
 
I'm going to drop a txt file in and see if it gets encrypted, that will tell me how I will fair when I put the data back. I would guess that the encryption would stop at some point otherwise they would be encrypting their own txt file.
 
thecomputerguy said:
I usually use MBAM and Super Antispyware and manually comb through the machine. Yeah I'm super paranoid which is why I am doing everything the long and slow way of making sure EVERYTHING included bad data is backed up.
Click to expand...

Great thinking!

thecomputerguy said:
I'm going to drop a txt file in and see if it gets encrypted, that will tell me how I will fair when I put the data back. I would guess that the encryption would stop at some point otherwise they would be encrypting their own txt file.
Click to expand...

I'd not do just a .txt. Using a different machine download some .doc, .docx, and .pdf that might be of interest like financial statements. Email them to a disposable email address, access same and then drop them in various folders on the server. Of course turn off that email.
 
If you think it might have come in via RDS, you should be able to check both the operational TS logs and probably user authentications on the DC. I'd also check for local user accounts on the TS box.

Beyond that, are the remote users connecting from static or pretty-static IPs? This can vary by region and carrier, Comcast in the Chicago area at least appears to have given up on rotating IPs on home connections but AT&T still changes them every week or so. If the remotes have mostly-stable IPs set up a whitelist on the router. Depending on your router's capabilities you may also be able to implement port knocking to whitelist remote IPs for a set period (I've used 4, 12 and 20ish hours depending on usage patterns).
 
Markverhyden said:
Great thinking!



I'd not do just a .txt. Using a different machine download some .doc, .docx, and .pdf that might be of interest like financial statements. Email them to a disposable email address, access same and then drop them in various folders on the server. Of course turn off that email.
Click to expand...

Well ... my txt file and my rts file weren't affected but my docx test was encrypted this evening ... I'm gunna shutdown the RDS server and try another test file.
 
Back towards the beginning of the year we had a local business get hit with a crypto virus.

We tracked it to a login on the server that was a remote for their restaurant software. An account had been setup to allow the company to remote in to support their service. It turns out, they never changed the password assigned to the account like they were supposed to.

This was all setup before my time, but apparently the account has been there with an easy password for years. Amazed they weren't hit sooner.
 
MichaelBits said:
We tracked it to a login on the server that was a remote for their restaurant software.
Click to expand...

That's basically what happened to a client of mine a few years ago, but (fortunately) it was crypto mining instead of ransomware and it was through the support account used by their EMR vendor (yes, a medical office). That's also where I found local accounts created on the terminal server by that same login.

The EMR vendor radically changed their processes for remote access to client systems shortly after that.
 
UPDATE: Well my 2nd test file did not encrypt after the RDS server was shutdown. So now I'm in the process of piecing their data back together and it looks like it should be fully successful but it's just going to take some time because data is coming from USB drives. Thankfully there's really only 1 user using the RDS server so for him I'll have to figure out some way after this is all done to get him into the network. I don't think VPN is an option because the main reason for him remoting is is to access their 1.5GB ACT database which I have a feeling won't work too well over a VPN.
 
I did a quick search and it looks like others are using VPN to access Act!. Unlike a document like Word or Excel it's probably not going to load the entire DB. Just make calls as needed. But I'd do some research on that just to be sure. Other DB's, like QB, can get corrupted over VPN.
 
You must log in or register to reply here.

Similar threads

thecomputerguy
What is the correct process to transplant an encrypted drive to an identical system?
Replies
17
Views
1K
Sky-Knight
Sky-Knight
ThatPlace928
[SOLVED] Need Help Installing Windows 11 on New NVME
2 3
Replies
57
Views
870
fincoder
fincoder
Rosco
[SOLVED] G suite for Outlook sync tool
Replies
7
Views
511
callthatgirl
callthatgirl
frecklesnoot
Data Transfer
Replies
8
Views
941
Diggs
Diggs
thecomputerguy
O365 Migration Question
Replies
1
Views
310
YeOldeStonecat
YeOldeStonecat
Back
Top