2015-06-10 15_59_50-cryptolocker - Google Search - Internet ExplorerAfter experiencing Ransomware a few times during the past months in our corporate setup I decided to scribble down some cleanup notes and things you can do to combat this.

This guide is seen from the point of a sysadmins and thus not from an enduser, however some tricks may apply even so (depending on various factors). In addition, this guide focuses on the cleanup of the server and not the client computer, which in my opinion always should be reinstalled after an incident like this.

This guide also assume that you have Shadowcopy enabled on your server; if not then you will need to go for a restore from backup (this however also loosely covered in the guide).  See the good thing about Shadowcopy is, that as the server is not infected nor is the servers shadowcopy – you thus have quick access to non-corrupted data from here quite easily and quickly.  Client wise things are different as most ransomeware clears the shadowcopy locally to ensure against easy cleanup locally, I heard that this may fail if the user is not a local administrator on his/her pc, so you may still have a straw to cling to if this is the case for recovering the local data easily.

Background.

First, let me sum up what this ransomware is all about.

Ransomware is a special type of malware, opposed to a regular virus it is not as much aimed at spreading but more focuses on its area of business (to extort users to pay to regain access to their data).  Ransomware is often spread via phishing mails, you may receive a mail stating that you have a package at the post office (just one example) and that you need to download and open the linked file to get the details.  Once you download and run the file from the phishing mail, it will execute the ransomware software, which will run in the background encrypting your files without you noticing it (to begin with).

It is very hard protecting against malware like this, as the makers of this type of malware keep changing the software to avoid detection.  Furthermore, antivirus is only of limited help as it cannot restore files that has been encrypted.

Ransomware usually starts by encrypting local files first and then move on to server shares.

Ransomware is actually not a new thing; it has existed since the MS-dos days in some form or other. I recall a very old virus that infected your boot sector, and upon the trigger event (could be a date or a number of boots) it would delete your fat table and bring up a slot machine, if you won the game you would get your FAT table back if not everything was lost.  Same but different.

How to get your data back after it being encrypted?  Well best bet is backups, hopefully you have either backups on some USB disk or in the cloud, if not you are likely in serious problems.  You can also choose to pay the ransom and have your data de-crypted, the price for this is usually around 100€ or 100$ depending, and from what I have heard it should work quite well and reliable to get your data back this way – some of the ransomware vendors should even have kind of customer support to assist you if you have problems – but supporting organized crime hardly seem like a good idea in the long run.

Anyhow, let us move on to the “fun” part, how to clean-up a file server after a visit from a client infected with ransomware.

So you have been struck by Ransomware (Cryptolocker, Cryptowall, Cryptodefence etc etc etc), “congratulations” and welcome to the club 🙁

Let us go through some steps to get things back on the road.

Important tip;

If you are using Shadowcopy on your server, DO NOT START CLEANUP BEFORE DATA HAS BEEN RESTORED – you may just waste storage space from your shadowcopy pool and thus be able to restore less data.

 

Step 1 – Stop the disaster from escalating.

You need to figure out which user is infected and stop this users pc from encrypting more files on your servers, if you are not fast to react your server will quickly look like this (the white is the infected files, it’s a mess).

Step 1.1 – how to identify the user

There are obviously different tactics for this, but two obvious once are;

1) look at an encrypted file and determine the owner – now to my surprise this did not work on the last server I looked at, here all the files for some reason was set to be owned by the local administrator group.

2) Look at the home folder for your users – most ransomware drop files on how to decrypt your data and these may serve as tell tail signs of “infection”.

2015-06-10 15_33_47-mRemoteNG - confCons.xml2015-06-10 15_29_46-mRemoteNG - confCons.xml

Thus, the user with all the “decrypt” files in his homedrive will be the user you are after.  Simply search the user’s folder for files with the word “decrypt” in it. The ransomware normally also targets the users local drives first, thus you may catch a lucky break if you like us have redirected the “My Documents” folder to the users home directory on the server, in our cases this meant that the infected users had tons of these files on his home share.

Step 1.2 – Shutdown the user’s computer

Shutdown the user’s computer and change the password of the user (as the user has malware on his/her computer his/her passwords (all of them) are likely now compromised.

 

Step 2 – Assess the damage

You now need to look at the server to determine how much data have been encrypted. How to determine the “infection” rate, well that depends – different ransomware uses different tactics, however at least for now they seem to share these tactics.

1) The ransomware will encrypt files, then add some extension to the file to show that it is encrypted (the extension may vary, but could be .encrypted or .iufasee or something totally different/random – but still the same for all encrypted files).

2) After encrypting a complete folder ransomware will often add 2-4 files that pertain to how to decrypt data, these files could be named “HELP_DECRYPT.TXT” / “HELP_DECRYPT.BMP” / “HOW_DECRYPT.TXT” / “!Decrypt-All-Files-iufasee.bmp” or anything like that.

2015-06-10 15_29_46-mRemoteNG - confCons.xml

NOTE: the ransomware is quite clever as not to change the creationdata/last modified date as this makes it hard to just look for files changed in the past 24h – however, as I mentioned in step two then the ransomware often creates “how to decrypt” files/pictures/links in the folders and these may be used to spot the “infection”.

My suggestion is;

  1. Try to determine the file extension using the tips above.
  2. Use Windirstat to get an idea of the scope of the incident (you can see an example below) http://windirstat.info/
  3. See screenshoot (the white is the encrypted/infected data).

cryptolocker

 

Step 3 – Restoring data (the non-encrypted files)

See we had a special challenge with restoring data as we use online backup, and the restore hence will take a LONG time seeing that the data need to come from the WAN restoring gigabytes of data would take a LONG time, so we had to get creative to make the cleanup as fast as possible.

You first need to determine the time for the last backup/shadowcopy snapshot before the “infection” occurred.

If you have shadow copy, then go back through the snapshots to find the time where files had their original extension. You may get best results if you look at the infected users home folder, this is likely the first folder to be “infected” (you can also look at the creation date/time of the “how to decrypt” files which may give you a lead).

2015-06-10 15_29_46-mRemoteNG - confCons.xml

If you have local backup it is quite easy I guess, just restore more or less all data (with the do not overwrite newer/changed versions option set) and then proceed to delete the encrypted data and the “help files” (the once on how to decrypt) – see section below on how to cleanup.

If however you cannot easily restore data from backup (like e.g. if you use “online backup” like we did), then move to shadowcopy (which you hopefully have enabled on the server).

You could of cause restore one file/folder at the time from shadowcopy, this will take forever especially if users have worked on the folder structure meanwhile. So why not make it fast and easy by using robocopy (yes it is actually possible to use Robocopy, we found a cool way to do this).

Restoring non encrypted data via ShadowCopy and Robocopy.

  • Determine the “last good” shadowcopy, the one just before files started to be encrypted.

 

    1. On the server list the shadowcopy snapshots using the dos command, you do this to get the “identifier” which we will need in a moment.Start an administrative command prompt and issue the command;
      vssadmin list shadows
      (you may need to change drive to the drive you want to see)This will give you a long list of available snapshots, see screenshot.
      2015-06-10 15_00_00-mRemoteNG - confCons.xmlLook for the creation time and find the block just before the incident occurred.

      In this block “Contents of shadow copy set ID {…….}” look for the line “Shadow Copy Volume”, copy this line to a notepad starting with \\

      In this example;
      2015-06-10 14_56_13-mRemoteNG - confCons.xml

      \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy107
      NOTE: the number at the end will be different for you.

      IMPORTANT! Now add a “\” to the line in notepad: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy107\

      Finally add a prefix of “mklink /d c:\restore ” to the line in notepad.
      So the final line should look like this;
      2015-06-10 15_12_14-mRemoteNG - confCons.xml

      mklink /d c:\restore \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy107\
      (note: the c:\restore is a folder/name YOU choose, it can basically be anything you choose, the name must NOT exist before you run the command)Now run this command from the administrative command prompt.
      2015-06-10 15_09_35-mRemoteNG - confCons.xml

      It should give you a feedback much like;
      symbolic link created for c:\restore <<===>> \\?\GLOBALROOT\Device\HarddiskVolum eShadowCopy107\

      2015-06-10 15_13_13-mRemoteNG - confCons.xml

      Now if you write;
      dir c:\restore
      you will have a historic view of how the disk looked at the time of the shadowcopy snapshot, you could get the same via properties “previous version”… but this is much neater as you can access and script it.

  • Now we have the snapshot mounted we can run a robocopy job restoring any data that is not more recent or changed.In this example the command would be something like;ROBOCOPY C:\restore D:\ *.* /XC /XO /E /LOG:d:\restore.log
    2015-06-10 15_18_12-mRemoteNG - confCons.xmlYou will need to suit it to your environment.

    Things to make a note of are the /XC /XO command switches which ensures that we do not overwrite files modified after the “infection”. As the encrypted “infected” files have a different extinction this is not a problem.

    After the restore you can review the restore.log file to see if anything went wrong and see how much data was restored.

    Note, you MAY run into the problem that not everything was in shadowcopy in which case you have to revert to backups, in the incidents we have had “only” 10-20 gb of data was “infected” and our shadowcopy could easily accommodate this.

 

 

Step 4 – CleanUp

Final step is to clean up the encrypted files and the decrypt instructions.

Also remove the “directory link” to the shadowcopy snapshot if you used that (see previous section), you can just use “RD <directory name>”.

2015-06-10 15_13_13-mRemoteNG - confCons.xml

I used SearchMyFiles from http://www.nirsoft.net/ as it is easy and very customizable to use to find files, I suggest you take not more than 10.000 files at the time as deleting many files takes quite some time.

2015-06-10 16_41_29-2015-06-10 10_41_17-mRemoteNG - confCons.xml.png - Windows Photo Viewer

 

Mitigation strategy

  • On fileservers, try to limit access as much as possible – if nothing more than look at making data read-only wherever possible as this alone will protect you greatly.
  • FSRM – File Server Resources Monitor, set this up to detect and trigger alarms on new files where the word decrypt is part of the name – decrypt as part of a filename is uncommon enough to give only limited false alarms – I will create a separate article on the configuration of this later.
  • Supporters / super users – instruct them to react FAST to tell tail signs of ransomware, the faster you manage to stop the “infection” the less to clean up.

 

Tools that may be useful;

Decrypt Cryptolocker (this most likely will not work, but give it a go anyhow just in case).
https://www.decryptcryptolocker.com/

Windirstat                                     http://windirstat.info/
SearchMyFiles                              http://www.nirsoft.net/

Read more about Cryptolocker; http://en.wikipedia.org/wiki/CryptoLocker

Thanks to:

Torben Slaikjer for finding that link on how to mount shadowcopy snapshot as a directory, this made the job vastly easier.

OfficialAchievementCertificateA friend of mine just joined an online Android course at the University of Meryland, from what he tell me it is actually really good.  So I did some peeking and ended up finding a source of online courses;

Among the courses I managed to find one of personal interest, it’s in Crypto – sadly it had already finished, but that turned out to be a Blessing in disguise as this let to a preview of the course videos;
https://class.coursera.org/crypto-preview/lecture

Other courses can be found here;
https://www.coursera.org/courses?orderby=upcoming&stats=upcoming&lngs=en

Below is another source (more just free videos and thus maybe not the same leauge, but still).

http://thenewboston.org/tutorials.php

 

 

WordFence

You are likely familiar with WordPress, if not well – interesting 😉  anyhow, you may also have heard about the recent attacks on wordpress blogs by a worm like virus/malware?  Attacks on WordPress installations is not something new, it has always been there as it’s such a popular platform however time has revealed some not so smart features with wordpress security, one thing is that you can try to log in as many times as you like without any action being taken – hence there is nothing to stop a brute force attack on your wordpress installation’s login!?

Well Wordfence to the rescue, a simple plugin you install on your wordpress installation that all of a sudden offers you a ton of cool security features, I will just mention a few here – for the complete listing visit their website..

Features;

  • Login limiter – limit how many incorrect passwords/usernames are accepted
  • Site and theme scanner – scan your wordpress blog for changes
  • Block unwanted IP’s from accessing your site
  • Manage crawlers (search engine index bots)
  • and many many many more cool features

You can define what the reaction to different attacks, eg. block IP/Lock account for xx min/throttle traffic.

Wordfence1

Now a thing like that must cost a fortune you say!?  well no, there is a TOTALLY FREE version with basic functionality (enough for most I would say) and the deluxe version which cost a bit.

Now after adding this you should also add Two Factor Authentication, eg using “WordPress Google Authenticator Plugin” – http://wordpress.org/extend/plugins/google-authenticator/screenshots/ Or one of the other TwoFactor authentication solutions out there.

So, what are you waiting for 🙂 protect your WordPress blog now 🙂

This is quite clever (as long as you are vigilante);

http://supergenpass.com/

You know the deal, you need to create a new account and have to supply username, email and password to do so.  You may have learned or heard that it is NOT a good idea to use the same password for different sites (if one gets compromized ALL your logins would thus be vaunerable), but also you really can’t remember 1031 different passwords…  well SuperGenPassword.com CAN help you with this!?

What is does is quite simple you enter sitename (the url/site you are creating the login for) and password (your generic/master password) into SuperGenPassword and viola it provides you with a “unique” password for the site – the clever part is that you wont have to remember this password!?  You simply remember the generic/master password, and next time you visit the site you use SuperGenPassword to generate the password you need for the site..  This is done simply by hashing (http://en.wikipedia.org/wiki/Hash_function) the site/url salted (http://en.wikipedia.org/wiki/Salt_(cryptography)) with your generic/master password.

Lets take an example;

Password on url test.dk become l5zuZo0qa2
Password on url test.com become eipalNBj0T
Secret on url test.dk become nY8BEihJsR
Secret on url test.com become dXt1E8tILH

As you can see the same password makes a different hash depending on the url.

Now SuperGenPassword even offers some clever scripting shortcut so you can generate these passwords automatically and insert them into the password field on web-sites, I would advice against this as the scripting they use has been proven to be vaunerable to interception by malicious sites/scripts which can thus obtain your generic/master password.  Instead use http://supergenpass.com/mobile/ their mobile solution and generate the password manually in a different tab and paste the password into the site you wish, a bit more work but a lot more security..  also a good trick is to pad the password with a “pin”, lets say the hash from the data you entered into http://supergenpass.com/mobile/ become dXt1E8tILH – then normally you would use this as the password – however if you add padding to the start eg. added TOAD to the beginning the “final” password would thus become  TOADdXt1E8tILH, thus even if someone found out you were using SuperGenPass and somehow got hold of your password then it would be useless for them as only you would know to add TOAD to the password generated by SuperGenPass.

Here is a YouTube video that explain a bit about SuperGenPass, note that he is USING the scripting which I advice you do NOT.. But you may get the idea a bit better though..

So DO NOT use the script, use http://supergenpass.com/mobile/ instead..

As you may have heard Dropbox suffered a major security breach this weekend, for almost 4 hours ALL dropbox accounts (including data) was accessible to ANYONE without password (or rather you were asked for a password, but it would accept anything)..

The major problem here is that ANYTHING in your Dropbox is unencrypted, and thus anyone that gets access to your Dropbox has access to your data…

This is, besides a major concern for Dropbox users, a wakeup call for users of cloud solutions – I totally have to agree with Steve Gibson (www.grc.com/securitynow) that we need PIE – Pre Internet Encryption, everything we store in the colud really NEED to be encrypted before it leave our servers/lan.

Obviously this Dropbox breach was not good 🙁  but never fear there is a solution, still in Beta but still very promising..  The solution is called SecureSync, it creates an encrypted folder in your dropbox and anything stored here is encrypted (you HAVE to access the folder via the “SecureSync” shortcut in MyDocuments though, if you look directly in the encrypted folder you will only get encrypted data – this however is quite clever as you can still syncronize with machines that do not have SecureSync installed, for Dropbox the encrypted data is merely data and is thus synchronized just as other data – however once you instal SecureSync on the target machine you can suddenly read the encrypted data via the “SecureSync Shortcut”.

SecureSync is free (at the moment at least) and still in Beta, but it seem to work fine although especially the install routine obviously will be improved.

Get it here;
http://getsecretsync.com/ss/getstarted/

It is stated in;
http://www.governmentattic.org/4docs/NSA_AmerCryptColdWarBk4_1999.pdf  (around page 11 in the PDF)

That the CIA in the 1980’s found an early version of what was basically a keylogger in US Typewriters (IBM Selectrics), it was suspected that these had been installed by KGB during their way through Russian or Polish customs, data collected from the typewriters was collected and emitted via radio transmissions.

With that in mind, I am afraid to think what is possible today with the technology we have now 🙂

You better stop using your girlfriends or the dogs name as password for your WPA key on your access point, German computer sciencetist Thomas Roth  has made a proof of concept on using Amazon’s EC2 cloud service for cracking WPA keys.  By using Amazon’s EC2 service the brute forcing of simpler keys are now within reach for anyone.

Read more here;
http://stacksmashing.net/2010/11/15/cracking-in-the-cloud-amazons-new-ec2-gpu-instances/

http://stacksmashing.net/

Interested in Crypto?  then you should read this interesting blog post on Kryptos (see photo).
http://www.wired.com/threatlevel/2010/11/clue-kryptos/

Kryptos is a legendary “sculpture” with an embedded secret message hidden by the designer that has yet to be uncovered.
Read about Kryptos here; http://en.wikipedia.org/wiki/Kryptos

listenThe A5/1 encryption used to protect GSM phone conversations has long since been broken, actually just last year it was made possible to eavesdrop encrypted GSM in realtime – hence GSM telephony is today to be considered utterly insecure.  Scientists have thus begun working on the 3G variant A5/3, and it would appear that a “breakthrough” has been made, not quite allowing for realtime decryption but weakening the cipher quite considerably.

Read the scientific repport here;
http://eprint.iacr.org/2010/013

13851-250x161crop0According to the Danish online newsletter/magazine www.newz.dk (via link) Bitlocker encryption has been broken/cracked, or at least it has become possible to discover the passwords rather quickly using a third party tool Passware Password Recovery –  http://www.lostpassword.com/kit-forensic.htm

And sure enough if you visit their website you will find this statement;
“Recovers encryption keys for hard drives protected with BitLocker in minutes New”

Although this indeed sounds very interesting there seem to ba a catch, you need a memory image on which to apply the Passware Password Recovery utility.  Read more here