Quad9, the free secure DNS service, is in trouble and needs our help.

Quad9 - Wikipedia

https://www.quad9.net/letter-of-support-for-quad9-and-freedom-of-dns-resolution/

Explainer

If you don't know what Quad9 is, here is a short explainer. Quad9 is a free DNS service much like Google's well-known 8.8.8.8 and 8.8.4.4; Quad9 (9.9.9.9 and 149.112.112.112) however adds a very cool FREE security layer to the solution (a bit like Cisco's Umbrella, just not quite as customizable). If you use Quad9 as your DNS service and you get infected by malware (e.g. ransomware), chances are that the malware will try to "phone home" to its command and control server – Quad9 blocks resolution of known command and control domain names, thus disrupting many botnets and ransomware "providers".

Anyhow, Sony has started a court case in Germany to force Quad9 to censor DNS resolution; Sony wants Quad9 to block access to pages that Sony claims contain copyright-protected content. In Denmark (where I live) we have a similar mandatory DNS blocking for national DNS services. It was originally introduced to block access to child pornography (something all of us can support) – but the music industry and other rights owners/lobbyists quickly saw this as a golden opportunity to block whatever they did not like, and succeeded in convincing the courts to add to the blocklist.

I support working against crime and child pornography, however I do not think DNS blocking is the solution (perhaps against terrorism, pedophilia and violent crime – but not for intellectual property rights). Experience has shown that what starts as a noble initiative quickly becomes a tool for lobbyists and huge enterprises to suppress whatever they don't like on the internet.

In general I think that more police, and more cross-border police collaboration, is the way forward – not letting Sony and others dictate what is on the internet.

I supported the DNS blocking back in the day when the goal was to protect children against abuse, but now that it is a tool for mega-companies and lobbyists my respect is gone.

Did you know:

Quad9 offers free DNS services with malware filtering – to use it, just set your DNS (and/or your DNS servers) to query 9.9.9.9 and 149.112.112.112, then block all other outbound DNS traffic, and presto, you have added a free additional security layer to your setup (company or personal). It is important to add the block for other DNS queries in your firewall, as malware could otherwise easily bypass your protection by using its own resolver. Read more here: https://www.quad9.net/service/service-addresses-and-features

Backblaze has something similar – here you use 1.1.1.2 (blocks malware like Quad9) and 1.1.1.3 (blocks both malware and pornography).
Read more here: https://blog.cloudflare.com/introducing-1-1-1-1-for-families/
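As an added example (not from the original post), here is a small Python audit that runs over constructed firewall log lines and flags DNS traffic that did not go to the allowlisted resolvers, which is how you verify that the "block all other DNS" rule above actually holds. The log line format is an assumed generic firewall export; swapping the allowlist covers the 1.1.1.2/1.1.1.3 addresses as well.

```python
"""Audit outbound connection records for DNS traffic that bypasses the
protective resolvers (the 'block all other DNS outbound' advice above).
Added example, not from the original post; the log lines are constructed and
the line format is an assumed generic firewall export."""
import re
from collections import Counter

QUAD9 = frozenset({"9.9.9.9", "149.112.112.112"})        # from the post
CLOUDFLARE_FAMILIES = frozenset({"1.1.1.2", "1.1.1.3"})  # from the post

# Assumed format: "<date> <time> <UDP|TCP> <src>:<sport> -> <dst>:<dport> <ALLOW|BLOCK>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>UDP|TCP) (?P<src>[\d.]+):\d+ -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>ALLOW|BLOCK)$"
)

# Constructed sample export: two hosts behave, 10.0.0.23 keeps asking elsewhere.
SAMPLE_LOG = """\
2021-06-09 08:00:01 UDP 10.0.0.15:51234 -> 9.9.9.9:53 ALLOW
2021-06-09 08:00:02 UDP 10.0.0.15:51235 -> 149.112.112.112:53 ALLOW
2021-06-09 08:00:05 UDP 10.0.0.23:40211 -> 8.8.8.8:53 ALLOW
2021-06-09 08:00:06 TCP 10.0.0.23:40212 -> 203.0.113.7:53 ALLOW
2021-06-09 08:00:07 UDP 10.0.0.42:33333 -> 1.1.1.2:53 ALLOW
2021-06-09 08:00:09 UDP 10.0.0.23:40213 -> 8.8.4.4:53 BLOCK
2021-06-09 08:00:10 TCP 10.0.0.15:51300 -> 198.51.100.10:443 ALLOW
"""


def parse_line(line):
    """One record as a dict, or None for lines that are not in the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def audit_dns_egress(log_text, allowed=QUAD9):
    """Split port-53 records into 'leaks' (queries that reached a resolver
    outside the allowlist, i.e. the block rule is missing or too loose) and
    'blocked' (attempts the rule stopped; the source host deserves a look,
    since a correctly configured client never asks anyone else)."""
    leaks, blocked = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] != 53:
            continue  # classic DNS only; DoH on 443 / DoT on 853 need their own rules
        if rec["dst"] in allowed:
            continue
        (leaks if rec["action"] == "ALLOW" else blocked).append(rec)
    return {
        "leaks": leaks,
        "blocked": blocked,
        "hosts": Counter(r["src"] for r in leaks + blocked),
    }


if __name__ == "__main__":
    result = audit_dns_egress(SAMPLE_LOG)
    for rec in result["leaks"]:
        print(f"LEAK    {rec['src']} -> {rec['dst']} ({rec['proto']}) at {rec['ts']}")
    for rec in result["blocked"]:
        print(f"BLOCKED {rec['src']} -> {rec['dst']} ({rec['proto']}) at {rec['ts']}")
    print("hosts asking non-allowlisted resolvers:", dict(result["hosts"]))
```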


To whom it may concern:
We believe that the act of recursive DNS resolution is not within the justifiable legal boundaries of control by rightsholders during infringement litigation. In order for the DNS to remain a stable, secure, and trusted platform, we would urge policymakers and regulators to clarify and reiterate the long-standing understanding that recursive resolution is a neutral technical function that should not be subject to blocking demands imposed by private parties based on data that has not been ruled upon by a suitable and fair court process.

Further, we believe that systems that are designed for providing cybersecurity (be they DNS-based or otherwise) should not be made available to be repurposed for other goals against the interest and intent of the service operator or the end user. This type of corruption of core internet infrastructure risks eroding the trust in both the operators and a technology that is core to the continued well-being of the internet and that of the citizens who use it.

We support Quad9 in their objection to the ruling of the Hamburg Court of (Case 310 O 99/21), and hope that the court finds in favor of the defendant.

#BlockAutoUpgradeToWindows11

So, at long last someone did something smart with Windows 10 updates. Not exactly breaking news, as it happened a year or so ago, but hey – now I needed it…

Anyhow, it is now possible to freeze a Windows 10 build – you COULD (to some degree) do this before as well, but it was anything but trivial.

Anyhow, what you need to do is to upgrade your ADMX files (Group Policy templates) to 21H1; you do this by downloading them from here:

https://www.microsoft.com/en-us/download/details.aspx?id=103124

After unpacking (installing) them, copy them to your DC (most likely here):
c:\Windows\SYSVOL\domain\Policies\PolicyDefinitions

And now we are ready to rock’n roll.

Open: “Group Policy Management Editor”.

Navigate to: Computer Configuration – Policies – Administrative Templates – Windows Components – Windows Update – Windows Update for Business

Here you select: “Select the target Feature Update version”

Now you can set the “Target Version”:

I would expect this to freeze Windows 10 at the 21H1 version and hopefully block automatic upgrades to Windows 11 – but after the Windows 10 bonanza, who knows.

The above settings will trigger these registry settings on the target machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

I am not quite sure how these new settings interact with existing Windows Update (and/or WSUS) settings; as you may see, we have some WSUS settings below.

One question you may ask yourself: with Windows 11 coming, why bother? Well, there is a reason I am looking at this now, and that is precisely Windows 11 – as you may have heard, Windows 11 is about to hit the fan around October 2021, and we DON'T want company machines going berserk upgrading left and right. So I am looking for ways to combat automatic upgrades (you may remember the horrific Windows 10 upgrade circus, where Microsoft did everything short of putting a gun to your face to trick you into clicking upgrade-now). The above policy ought to help block this (if Microsoft is true to the spirit of the policies).

So what do these new settings mean?

TargetReleaseVersion DWORD

Well, "TargetReleaseVersion" is more or less a toggle switch that tells Windows you wish to control the Windows version/build, whereas "TargetReleaseVersionInfo" tells Windows WHICH version you are aiming at.

TargetReleaseVersionInfo STRING

If you enter a "TargetReleaseVersionInfo" that is higher than the currently installed build, Windows will attempt to upgrade to that build. If you set a version number that is NOT the latest, Windows will attempt to upgrade to this and will stay there at least until "end of service" – it is unclear whether Windows will auto-upgrade to a later build after "end of service" is reached, but I would not expect so.
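As an added example (not the post's own code), a Python check of the two policy values described above against the installed version name. The policy key path is the one from the post; the location of the installed version name (DisplayVersion or ReleaseId under CurrentVersion) and the ordering of version names ('1909' before '2004' before '20H2') are my own assumptions. The evaluation works on plain dicts, so it runs anywhere; only the registry reader needs Windows.

```python
"""Check that a machine is pinned to a Windows 10 feature update via the
TargetReleaseVersion / TargetReleaseVersionInfo policy values from the post.
Added example, not from the original post. Registry access needs Windows; the
evaluation itself takes plain dicts so it can be exercised anywhere."""
import re

POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"   # from the post
VERSION_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"       # assumed: holds DisplayVersion / ReleaseId


def version_rank(name):
    """Order feature-update names: '1909' < '2004' < '20H2' < '21H1'.
    YYMM names count months 1-6 as the first half of the year (my encoding)."""
    name = name.strip().upper()
    m = re.fullmatch(r"(\d\d)H([12])", name)
    if m:
        return int(m.group(1)), int(m.group(2))
    m = re.fullmatch(r"(\d\d)(\d\d)", name)
    if m:
        return int(m.group(1)), 1 if int(m.group(2)) <= 6 else 2
    raise ValueError(f"unrecognised version name: {name!r}")


def evaluate_policy(values, installed, expected_target="21H1"):
    """values: the policy key's values as a dict; installed: the machine's
    version name. Returns a list of findings; an empty list means the pin is
    set as intended and the machine already sits on the target."""
    findings = []
    if values.get("TargetReleaseVersion") != 1:
        findings.append("TargetReleaseVersion != 1: the target version is not enforced")
    target = values.get("TargetReleaseVersionInfo")
    if not target:
        findings.append("TargetReleaseVersionInfo missing: no version to pin to")
        return findings
    if target.upper() != expected_target.upper():
        findings.append(f"pinned to {target}, expected {expected_target}")
    t, i = version_rank(target), version_rank(installed)
    if t > i:
        findings.append(f"target {target} is newer than installed {installed}: "
                        "the machine will try to upgrade to it")
    elif t < i:
        findings.append(f"target {target} is older than installed {installed}: "
                        "Windows Update does not go backwards, so the pin only "
                        "affects machines still on or below the target")
    return findings


def read_from_registry():
    """Windows only: read the policy values and the installed version name."""
    import winreg  # not available outside Windows

    def read(key_path, names):
        out = {}
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            for n in names:
                try:
                    out[n] = winreg.QueryValueEx(key, n)[0]
                except OSError:
                    pass  # value not present
        return out

    policy = read(POLICY_KEY, ["TargetReleaseVersion", "TargetReleaseVersionInfo"])
    ver = read(VERSION_KEY, ["DisplayVersion", "ReleaseId"])
    installed = ver.get("DisplayVersion") or ver.get("ReleaseId", "")
    return policy, installed


if __name__ == "__main__":
    policy, installed = read_from_registry()
    for line in evaluate_policy(policy, installed) or ["OK: pinned as intended"]:
        print(line)
```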

Where can I read about Windows builds available and their status (end of service dates)?

aka.ms/ReleaseInformationPage

or this link: https://docs.microsoft.com/en-us/windows/release-health/release-information

Anyhow, don't take my word for it alone; here are links to a few other sites on the subject:
https://www.ghacks.net/2020/06/27/you-can-now-set-the-target-windows-10-release-in-professional-versions

https://www.tenforums.com/tutorials/159624-how-specify-target-feature-update-version-windows-10-a.html

Did you remember to back up today? If not, then you are likely not alone, but you REALLY should… like REALLY REALLY REALLY should.

A Danish booking service for hotels was recently hit by ransomware. They took the unusual approach of live-blogging the attack – it is scary reading, and it leads back to: did you remember to back up today?

Link to liveblog

As their blog will likely disappear in time, below is a copy of the story so far.

Operational messages
16-06-2021 07:29 – Update this morning! We are still re-installing the servers. We still continue to transfer the hotel data.
15-06-2021 18:13 – Tonight team 1 will continue re-installing the servers. We have installed 29 servers today. Team 2 will be installing a cluster with hotel files. We will NOT go live tonight and I doubt about tomorrow. Hopefully we will go live this Thursday.
15-06-2021 14:00 – NO: There are still problems for users sending mail from Picasso. Technicians are working on it.
15-06-2021 13:46 – We now have 5 teams working. Two teams are re-installing new servers and one team is transferring data from IBAS discs to the Techotel SAN disc. This process will take time. We will publish a new update later.
15-06-2021 12:31 – Berlingske had two pages this Sunday about the ransomware attack which has hit us. Today in the Berlingske Business section on page 11, they have written a page about ransomware attacks, in which they explain our situation and others.
15-06-2021 12:26 – Update! We have received the hotel data from IBAS. We have an Eagle Shark consultant to advise us on how we can restore 28 terabytes ASAP – as soon as we get the new clean servers running.
15-06-2021 11:23 – Support Yield Planet PL: support@yieldplanet.com. Phone: +48 22 769 38 09. YP Support in DK: 3619 2131 (Bettina)
15-06-2021 11:07 – Update! We have just been in contact with Yield Planet. Yield Planet Poland has informed us that they can still see reservations by mail to your hotel – you thereby don't need to close your YP allotment. Furthermore, YP reduces your allotment when you receive new reservations. So, you might be able to get your availability from YP + by using Excel. We will shortly publish an email and support number for YP Poland. You are also welcome to contact Bettina from YP DK support.
15-06-2021 10:05 – Second update! Last night we re-installed the SQL1 cluster for Sweden, and the SQL2 cluster for Denmark and Ireland. We still need to re-install the hotels' .exe and user files.
15-06-2021 08:59 – Update! IBAS hotel data / reservations and the NAS boxes should be in DHL Denmark's custody by now. We expect the data to arrive today, very soon. Please be calm, we need to reinstall the whole hosting. We will come with a new update soon.
15-06-2021 08:55 – We installed 3 new Domain Controllers last night. However, we need to re-install all of our servers to be sure that we don't have any hidden virus files.
15-06-2021 06:18 – We went to sleep at 03.00 – 06.00. We need to get some sleep for some hours. I expect we will have a new update at 09.00-10.00.
14-06-2021 15:20 – We don't have any real news! However, we are now formatting and re-installing all of our RDS servers and tonight we will further re-install our new hybrid clusters which are 4 months old. This is all being done to be 100% sure that we don't have any hidden ransomware virus anywhere.
14-06-2021 12:45 – Further update, we have just been in contact with one of our customers – who asked us how long it will take before Picasso is running again, now that we have got all the information regarding the data that can be recovered. We told our customer that we expect to be live again this week, but we don't know for sure which day yet.
14-06-2021 12:17 – IMPORTANT INFO FOR DK, SE, IE! After Techotel's filing of the information with the Danish Data Protection Agency, it has been agreed with the agency that no individual hotel – Data Controller (Dataansvarlig) – should make any filings themselves with the Danish Data Protection Agency. Techotel has informed the agency and provided them with all the information needed concerning all the hotels. This covers ALL hotels in Denmark, Sweden and Ireland.
14-06-2021 10:02 – More information regarding the latest update. Now we will be focusing on re-installing many of the servers to make sure that we don't have any virus. We will also be cleaning other servers. I don't think any of the hotels will go live today.
14-06-2021 09:58 – Here is the latest update for DK, SE and IE. IBAS has confirmed that we will get a 100% recovery of all our data. IBAS has also confirmed that the hotel data is readable and NOT encrypted. The data will be flown to Denmark tonight.
13-06-2021 20:23 – We have some good news, IBAS have informed us that they can read the files from the backup and the files are not encrypted, on 3 of the backup files which were found on the NAS. This means that we can complete the backup from IBAS. I will be calling IBAS again tonight.
13-06-2021 19:04 – Regarding GDPR, you are welcome to receive a copy of the information that has been sent to the Danish Data Protection Agency. Just write a mail to techotel.hdw@gmail.com and then we will get back to you 🙂
13-06-2021 18:45 – The Eagle Shark team is still working on decrypting the files. We haven't heard from IBAS yet, but the last information we got from them was positive, since they can read the data from the backup drives.
13-06-2021 17:37 – Regarding GDPR, last night we filed the breach information with the Danish Data Protection Agency. We have informed them that the breach information includes customers in Denmark, Sweden and Ireland. The National Data Protection Agencies in Sweden and Ireland have received information about the filing in Denmark. We have filed it as Data Processor without identifying the Data Controllers in the relevant questions. Please note that you may have your own obligations as Data Controller.
13-06-2021 15:31 – DK: We have not heard from the Eagle team yet. IBAS has informed us that it looks positive, that they can fix the backup drives. But they need more time to be sure. We will write again at 18.30. Your hotel will not go live today.
13-06-2021 13:34 – Sorry, but the Eagle team is still working on decrypting the hotel files. IBAS has left a message, we are contacting them now. I don't think we will go live today. We have 14 skilled technical persons working on the project.
13-06-2021 10:54 – Not much to say, the Eagle team is still working on decrypting. IBAS has, as expected, not answered yet. I will come back in 2 hours.
13-06-2021 06:51 – Morning. The technicians worked late and are sleeping until 08-08.30. Today the Eagle team will continue focusing on getting the hotel data decrypted with the new keys. We will inform you when we succeed. The IBAS NO team will report the status of repairing the damaged backup later today.
12-06-2021 21:20 – Last update until DK time 06.30. Team 1 will be finished scanning most of the servers for keys at DK time 02.00. We have got more keys to decrypt with. We hope to get the keys for the hotel data. This will take the whole night.
12-06-2021 20:11 – Techotel Sweden: Hi all, as our colleagues in Denmark report, our work continues to get the systems up and running as quickly as possible. Please keep following us here on the operations info page!
12-06-2021 18:38 – It is going forward for both teams. Team 1 is scanning all the 250 servers for virus and keys. Team 2, whose focus is the IBAS data recovery, is trying to fix the hotels' backup. However, the systems will not be ready tonight. I will give you all more information later this evening, but we need more concrete results before we know when we will go live.
12-06-2021 16:58 – Update from the Eagle Shark team. The scanning is running better now. Next update 19.00.
12-06-2021 15:51 – Update from the Eagle Shark team. They are not finished scanning the servers for keys. There is an issue with user rights. Next update 18.30.
12-06-2021 15:15 – Info from IBAS: I have now received the first status from the engineers, and some of the disks should finish copying out the raw data during this evening, while some will be finished tomorrow afternoon. But in any case it means that we can gradually begin to provide more useful information during tomorrow.
12-06-2021 13:22 – I just talked with the Eagle team and they are not finished with scanning the servers. I will come with a later update at 15.30. NB! The system will not go live today; when we get the right codes, it will take many hours to decrypt the files.
12-06-2021 13:02 – IBAS just gave us an early update about the recovery. I got the news that we can use most of it.
12-06-2021 12:33 – I just got new information from IBAS data recovery. I need to log in and read more about it. Sorry, we thereby delay the update to 13.00 DK time.
12-06-2021 09:44 – Explanation of the two lines below. We follow two traces to get the data, but only one of the traces needs to succeed to get access to the hotel data. I will make an update around 12.30 or if I get news.
12-06-2021 09:40 – A morning status: the Eagle Shark team found one more key last night, which will be tested soon. In the next hours we will scan all 250 servers to find all keys. Thereafter, we need to test if the keys we found can be used to decrypt the hotel data.
12-06-2021 09:32 – We will contact IBAS Norway at DK time 09.15 to get a status of the project of recovering the damaged data. We hope to give you more information at 09:45 DK time.
12-06-2021 06:15 – The E H developer has been up working most of the night. At DK time 09:30 we will contact the developer for more information on how far they are with finding more keys.
12-06-2021 06:10 – This afternoon the backup NAS discs were flown to Oslo, to IBAS, the world's best company at reading damaged data. IBAS will work on the NAS discs this whole weekend. It was not a good evening.
11-06-2021 22:44 – The bandits gave us keys to decrypt the files, but the keys do not always function, so we don't have access to the hotel data yet. Tonight an Eagle Shark consultant is writing a program to scan all 259 servers for more keys.
11-06-2021 22:34 – The bandits gave us keys to decrypt the files, but the keys do not always function, so we don't have access to the hotel data yet. This night an Eagle Shark consultant is writing a program to scan all 259 servers for more keys.
11-06-2021 14:54 – The interesting question is when your hotel system will go live again. The bandits are actually helping us with cleaning the system. We think that the chances of going live tonight are smaller than going live this Saturday. We will work the whole weekend until your system is running again 🙂
11-06-2021 14:46 – Update: It is very difficult. Team 1 is writing scripts to find the files to decrypt. Team 2 is working on decrypting the SQL hotel data. Team 3 is decrypting mail servers. Team 4 is sending the backup NAS to NO to be recovered. IBAS are working this weekend.
11-06-2021 12:30 – A reminder. Mail addresses from and to the domains techotel.se and techotel.dk are NOT in use. Please use other contact methods. But please follow this page for further information.
11-06-2021 11:14 – NO: This does not affect the use of Picasso for our customers on Norwegian hosting, or customers with their own servers, but Picasso Online and Yield Planet are still down. You can enter any bookings from Channel Manager manually yourselves; remember then to add the alt.res number.
11-06-2021 10:43 – This is technical info: The encryption of some of the files has been conducted maybe 4 times over. This is very complex to decrypt. Team 1 is in contact with the bandits to get the right codes. Team 2 is trying to involve other specialists.
11-06-2021 06:17 – Team 2 just finished the extra backup of all hotel reservations. They go to sleep now. Team 1 cannot be sure when, but we focus on getting the hotels' reservations decrypted. More to come.
11-06-2021 04:00 – We need to sleep now. We are not live, but will continue Friday at 10.30.
10-06-2021 22:51 – We have now got the decryption keys and are working on decrypting at this moment. We are working in two teams. It is difficult to say when we will be live. I don't think we will be live within the next 7 hours.
10-06-2021 19:52 – Just now we got the final code to clean the encrypted files. We will continue the whole night.
10-06-2021 18:28 – We got some tools to decrypt the hotel files with. We have a meeting at 19.30. More to come.
10-06-2021 16:34 – We have got the bitcoins and are now transferring them to the bandits. We expect that the bandits will soon decrypt the files.
10-06-2021 15:46 – We signed an agreement regarding the bitcoins 30 minutes ago and we expect that the bitcoins will be transferred to the bandits very soon.
10-06-2021 14:12 – If everything goes as planned, we will have the bitcoins within an hour and be able to pay the bandits directly and further be able to start the system again.
10-06-2021 12:51 – We and Eagleshark continue the discussion with the bank and other consultants on how to get the bitcoins and thereby get our data released. More to come later.
10-06-2021 11:38 – We and Eagleshark will continue the meetings with the bank and we are now closer to finding a final solution. However, it is not a financial issue, it concerns the complications regarding money laundering regulations.
10-06-2021 10:20 – We and Eagleshark are still working on getting the necessary bitcoins, we have been in meetings with the bank to get the transfer done for 2 hours now……
10-06-2021 06:27 – Status this morning: We and Eagelshark.com were informed about the amount we have to pay, it is much more than we expected! We have to pay in bitcoins to get access to the data. It is a large sum that we need to transfer. I will update when we know more and how long it will take to complete the transfer and restore Picasso today.
09-06-2021 17:08 – You can read more about the crypto attack on us and other companies tonight on TV. Read on regarding your and our current situation. We expect the hotels to open Thursday noon or evening!
09-06-2021 16:51 – Dear all, we, the Techotel group, expect that tonight at DK/SE time 21.00 (20:00 Irish time) we will be contacted by an Eagleshark negotiator informing us of the amount we are going to settle for recovering us from the attack. But the bandits do not accept bank transfer, so we need to change the amount to bitcoin. This will take us 3-7 hours. The bandits will then send us a program to decrypt the files. To fix the situation it might take 5-10 hours.
09-06-2021 13:57 – I don't think we will be live in the next 2-4 hours. Please check your email at the hotel. Picasso sends an arrival list to your email the evening before.
09-06-2021 13:29 – The specialist from https://www.eagleshark.dk/ that we are using is the best at this work. The attacker has not responded. Our technical staff are cleaning servers from the virus.
09-06-2021 11:35 – Technicians are still working.
09-06-2021 09:51 – Hi, nothing new just now. The specialists are now isolating the servers that are not attacked from the servers that are under attack. I cannot say if we are live today, yet. People producing viruses should be in jail!!
09-06-2021 07:56 – NB: Techotel's mail is also attacked and cannot be used. Please follow the updates on the homepage.
09-06-2021 07:50 – We are hit by ransomware. You have to be prepared to not have access to your data for the next hours, before we get opened access to files again. NB this is not a Techotel error.
09-06-2021 06:59 – In your main mail setup in Picasso, if so, you should have an arrival list for today, maybe from before the downtime/attack. Check the booking mail. Else check your digital report. I will write back at 08.00.
09-06-2021 06:52 – We have been attacked by a virus. Nothing is wrong with our cloud. We will work together with antivirus specialists to solve this.
09-06-2021 06:01 – Sorry for the delay and disturbance. Our Domain Controller affects several functions. We will inform you further, we will try to update info approx. 06.40.
09-06-2021 03:53 – We have problems with Danish, Swedish and Irish Picasso. Our technical staff is looking at the issue. We will update information later.

So, some of the summer vacation went on relaunching my blog – not quite rocket science but still it is not something I do every day, so I had to do a bit of dusting to get up to speed.

By today your blog needs to be SSL/HTTPS. I must admit that I don't quite get why – I could understand it if you were hosting sensitive stuff or allowing people to post sensitive data like credit card info etc., but for a general technical blog?? But who am I to teach Google what to do 😉 So obviously I had to upgrade to HTTPS as well; fortunately these days most providers offer Let's Encrypt certificates, so I thought I was in for a breeze…

After enabling a certificate for my site, I browsed to the site just to see:

Your connection to this site is not fully secure

wtf :-O

OK well, a bit of googling turned up a few SSL checker sites:

https://www.sslshopper.com/ssl-checker.html?hostname=readmydamnblog.com

This first link checks the certificate, so it is only checking that the certificate itself is valid for your site/URL – but still a good place to begin.

Well, that part turned out OK, so nothing wrong with the SSL cert.

The next step: there might be links on your site to your own site that use HTTP and NOT HTTPS. This is bad (so-called mixed content) and will cause the page to fail the HTTPS check in Google Chrome and other browsers.

I found mention of a tool to traverse your site for just such links and tell you which pages on your site have problems.

https://www.jitbit.com/sslcheck/

Meanwhile, though, I ended up doing something very simple: I right-clicked on my site in Google Chrome and chose "View page source",

then I searched for "http:" and sure enough, the logo on my WordPress blog had a direct link starting with http: – after fixing that everything is now A-OK. So my suggestion to you if you run into this problem: inspect the page source looking for "http:" – this should help you hunt down problem links.

As an ironic twist it turned out that I have a lot of HTTP links, so it looks like I will need to do some cleanup of the database to get rid of all those legacy links. Ain't IT grand 😉
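The "search the page source for http:" step above, automated as an added example (not from the original post): a Python scanner that reports http: subresources, split into the ones browsers block outright and the ones that merely cost you the padlock, plus plain http: links back to your own host, which is the legacy debris mentioned in the last paragraph. SAMPLE_HTML is constructed; readmydamnblog.com is simply used as the page host.

```python
"""Find http: subresources and legacy http: self-links in a page's HTML, the
"not fully secure" problem described above. Added example, not from the
original post; SAMPLE_HTML is constructed and readmydamnblog.com is used
here as the page host."""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
import urllib.request

# tag -> attributes that fetch a subresource; <a href> is handled separately
SUBRESOURCE_ATTRS = {
    "script": ("src",), "iframe": ("src",), "link": ("href",), "object": ("data",),
    "embed": ("src",), "img": ("src",), "audio": ("src",), "video": ("src", "poster"),
    "source": ("src",),
}
# Browsers refuse to load these over http: on an https: page ("active" mixed
# content); images and media still load but cost you the padlock ("passive").
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.host = urlsplit(page_url).hostname
        self.findings = []

    def _record(self, tag, attr, url, kind):
        self.findings.append({"line": self.getpos()[0], "tag": tag,
                              "attr": attr, "url": url, "kind": kind})

    def handle_starttag(self, tag, attrs):
        attrs = {k: v for k, v in attrs if v is not None}
        for attr in SUBRESOURCE_ATTRS.get(tag, ()):
            if attr not in attrs:
                continue
            absolute = urljoin(self.page_url, attrs[attr].strip())
            if urlsplit(absolute).scheme.lower() != "http":
                continue  # https:, data:, or relative (inherits the page's https:)
            stylesheet = tag == "link" and "stylesheet" in attrs.get("rel", "").lower()
            kind = "active" if tag in ACTIVE_TAGS or stylesheet else "passive"
            self._record(tag, attr, absolute, kind)
        # Plain links do not trip the browser warning, but http: links back to
        # your own site are the legacy entries WordPress keeps in the database.
        if tag == "a" and "href" in attrs:
            absolute = urljoin(self.page_url, attrs["href"].strip())
            parts = urlsplit(absolute)
            if parts.scheme.lower() == "http" and parts.hostname == self.host:
                self._record(tag, "href", absolute, "self-link")


def scan_html(html, page_url):
    """All findings in document order, each with the source line number."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def scan_url(url, timeout=10):
    """Fetch a live page and scan it (needs network; not used by the sample run)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        html = resp.read().decode(charset, "replace")
    return scan_html(html, url)


def summarise(findings):
    """kind -> count: the quick answer to 'why is my padlock broken?'"""
    return dict(Counter(f["kind"] for f in findings))


# Constructed page: one active, one passive and one self-link problem.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://readmydamnblog.com/wp-content/themes/x/style.css">
<script src="https://cdn.example.com/lib.js"></script>
</head><body>
<img src="http://readmydamnblog.com/wp-content/uploads/logo.png" alt="logo">
<img src="/wp-content/uploads/ok.png" alt="relative, inherits https">
<a href="http://readmydamnblog.com/2015/06/ransomware-cleanup/">old post</a>
<a href="http://example.org/">external link, not a mixed-content issue</a>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML, "https://readmydamnblog.com/"):
        print(f"line {f['line']:>3}: {f['kind']:<9} <{f['tag']} {f['attr']}> {f['url']}")
```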

After experiencing ransomware a few times during the past months in our corporate setup, I decided to scribble down some cleanup notes and things you can do to combat this.

This guide is written from the point of view of a sysadmin and thus not from an end user's, however some tricks may apply even so (depending on various factors). In addition, this guide focuses on the cleanup of the server and not the client computer, which in my opinion should always be reinstalled after an incident like this.

This guide also assumes that you have Shadow Copy enabled on your server; if not, then you will need to go for a restore from backup (this is however also loosely covered in the guide). The good thing about Shadow Copy is that, as the server itself is not infected, neither is the server's shadow copy – you thus have quick and easy access to non-corrupted data from there. Client-wise things are different, as most ransomware clears the shadow copies locally to prevent easy cleanup. I have heard that this may fail if the user is not a local administrator on his/her PC, so you may still have a straw to cling to for recovering the local data easily if this is the case.

Background.

First, let me sum up what this ransomware is all about.

Ransomware is a special type of malware; as opposed to a regular virus it is not as much aimed at spreading, but focuses more on its area of business (extorting users to pay to regain access to their data). Ransomware is often spread via phishing mails: you may receive a mail stating that you have a package at the post office (just one example) and that you need to download and open the linked file to get the details. Once you download and run the file from the phishing mail, it will execute the ransomware, which will run in the background encrypting your files without you noticing it (to begin with).

It is very hard to protect against malware like this, as the makers of this type of malware keep changing the software to avoid detection. Furthermore, antivirus is only of limited help, as it cannot restore files that have been encrypted.

Ransomware usually starts by encrypting local files first and then moves on to server shares.

Ransomware is actually not a new thing; it has existed since the MS-DOS days in some form or other. I recall a very old virus that infected your boot sector, and upon the trigger event (could be a date or a number of boots) it would delete your FAT table and bring up a slot machine; if you won the game you would get your FAT table back, if not, everything was lost. Same but different.

How do you get your data back after it has been encrypted? Well, the best bet is backups; hopefully you have backups either on some USB disk or in the cloud, if not you are likely in serious trouble. You can also choose to pay the ransom and have your data decrypted; the price for this is usually around 100€ or 100$ depending, and from what I have heard it should work quite well and reliably to get your data back this way – some of the ransomware vendors should even have a kind of customer support to assist you if you have problems – but supporting organized crime hardly seems like a good idea in the long run.

Anyhow, let us move on to the “fun” part, how to clean-up a file server after a visit from a client infected with ransomware.

So you have been struck by Ransomware (Cryptolocker, Cryptowall, Cryptodefence etc etc etc), “congratulations” and welcome to the club 🙁

Let us go through some steps to get things back on the road.

Important tip:

If you are using Shadow Copy on your server, DO NOT START CLEANUP BEFORE DATA HAS BEEN RESTORED – you may just waste storage space from your shadow copy pool and thus be able to restore less data.


Step 1 – Stop the disaster from escalating.

You need to figure out which user is infected and stop this user's PC from encrypting more files on your servers; if you are not fast to react your server will quickly look like this (the white is the infected files, it's a mess).

Step 1.1 – how to identify the user

There are obviously different tactics for this, but two obvious ones are:

1) Look at an encrypted file and determine the owner – now to my surprise this did not work on the last server I looked at; here all the files for some reason were owned by the local Administrators group.

2) Look at the home folders of your users – most ransomware drops files on how to decrypt your data, and these may serve as telltale signs of "infection".


Thus, the user with all the "decrypt" files in his home drive will be the user you are after. Simply search the users' folders for files with the word "decrypt" in the name. The ransomware normally also targets the user's local drives first, so you may catch a lucky break if, like us, you have redirected the "My Documents" folder to the user's home directory on the server; in our case this meant that the infected user had tons of these files on his home share.

Step 1.2 – Shutdown the user’s computer

Shut down the user's computer and change the user's password (as the user has malware on his/her computer, his/her passwords (all of them) are likely now compromised).


Step 2 – Assess the damage

You now need to look at the server to determine how much data has been encrypted. How to determine the "infection" rate? Well, that depends – different ransomware uses different tactics, however at least for now they seem to share these:

1) The ransomware will encrypt files, then add some extension to the file to show that it is encrypted (the extension may vary, but could be .encrypted or .iufasee or something totally different/random – but still the same for all encrypted files).

2) After encrypting a complete folder ransomware will often add 2-4 files that pertain to how to decrypt data, these files could be named “HELP_DECRYPT.TXT” / “HELP_DECRYPT.BMP” / “HOW_DECRYPT.TXT” / “!Decrypt-All-Files-iufasee.bmp” or anything like that.


NOTE: the ransomware is quite clever in not changing the creation date/last modified date, as this makes it hard to just look for files changed in the past 24h – however, as mentioned in point 2, the ransomware often creates "how to decrypt" files/pictures/links in the folders, and these may be used to spot the "infection".

My suggestion is:

  1. Try to determine the file extension using the tips above.
  2. Use WinDirStat to get an idea of the scope of the incident (you can see an example below): http://windirstat.info/
  3. See the screenshot (the white is the encrypted/infected data).

cryptolocker

 

Step 3 – Restoring data (the non-encrypted files)

We had a special challenge with restoring data, as we use online backup: the data has to come in over the WAN, so restoring gigabytes of data would take a LONG time. We therefore had to get creative to make the cleanup as fast as possible.

You first need to determine the time of the last backup/shadow copy snapshot before the “infection” occurred.

If you have shadow copy, go back through the snapshots to find the time where files still had their original extension. You may get the best results if you look at the infected user’s home folder, as this is likely the first folder to be “infected” (you can also look at the creation date/time of the “how to decrypt” files, which may give you a lead).

If you have local backup it is quite easy, I guess: just restore more or less all data (with the “do not overwrite newer/changed versions” option set) and then proceed to delete the encrypted data and the “help files” (the ones on how to decrypt); see the section below on how to clean up.

If, however, you cannot easily restore data from backup (e.g. if you use “online backup” like we did), then move to shadow copy (which you hopefully have enabled on the server).

You could of course restore one file/folder at a time from shadow copy, but this will take forever, especially if users have worked on the folder structure in the meantime. So why not make it fast and easy by using robocopy (yes, it is actually possible to use Robocopy; we found a cool way to do this).

Restoring non-encrypted data via Shadow Copy and Robocopy.

  • Determine the “last good” shadow copy, the one taken just before files started to be encrypted.

    1. On the server, list the shadow copy snapshots; you do this to get the “identifier” which we will need in a moment. Start an administrative command prompt and issue the command:
      vssadmin list shadows
      (you may need to change drive to the drive you want to see). This gives you a long list of available snapshots; see screenshot. Look for the creation time and find the block just before the incident occurred.

      In this block, “Contents of shadow copy set ID {…….}”, look for the line “Shadow Copy Volume” and copy the part of this line starting with \\ to Notepad.

      In this example:
      \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy107
      NOTE: the number at the end will be different for you.

      IMPORTANT! Now add a trailing “\” to the line in Notepad: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy107\

      Finally, prefix the line in Notepad with “mklink /d c:\restore ”, so the final line looks like this:
      mklink /d c:\restore \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy107\
      (note: c:\restore is a folder name YOU choose; it can basically be anything, but the name must NOT exist before you run the command). Now run this command from the administrative command prompt.

      It should give you feedback much like:
      symbolic link created for c:\restore <<===>> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy107\

      Now if you type:
      dir c:\restore
      you get a historic view of how the disk looked at the time of the shadow copy snapshot. You could get the same via Properties > “Previous Versions”, but this is much neater as you can access and script it.

  • Now that we have the snapshot mounted we can run a robocopy job restoring any data that is not more recent or changed. In this example the command would be something like:
    ROBOCOPY C:\restore D:\ *.* /XC /XO /E /LOG:d:\restore.log
    You will need to adapt it to your environment.

    Things to make a note of are the /XC /XO switches, which ensure that we do not overwrite files modified after the “infection”. As the encrypted “infected” files have a different extension this is not a problem.

    After the restore you can review the restore.log file to see if anything went wrong and how much data was restored.

    Note, you MAY run into the problem that not everything was in shadow copy, in which case you have to revert to backups; in the incidents we have had, “only” 10-20 GB of data was “infected” and our shadow copy could easily accommodate this.
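The two steps above (find the last-good snapshot, expose it with mklink, robocopy it back with /XO /XC) as one script, added here as an example and not part of the original post. It picks the snapshot through the Win32_ShadowCopy WMI class instead of reading the vssadmin list by hand; the drive letter, incident time and link name at the top are assumptions you must set for your own incident.

```powershell
# Added example, not the blog's own script: find the last shadow copy taken before
# the incident, expose it as a directory link with mklink, and robocopy the
# unencrypted files back with /XO /XC. Snapshot selection uses the Win32_ShadowCopy
# WMI class instead of reading "vssadmin list shadows" by hand.
# Assumptions: run from an elevated PowerShell on the file server; the three
# values below are constructed and must be changed to fit your incident.
param(
    [string]   $DataDrive    = 'D:',                  # volume holding the shares
    [datetime] $IncidentTime = '2015-06-10 10:40',    # first encrypted file seen
    [string]   $LinkPath     = 'C:\restore'           # link name; must NOT exist yet
)

# Map the drive letter to the \\?\Volume{GUID}\ name that Win32_ShadowCopy uses.
$volume = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $DataDrive }
if (-not $volume) { throw "No volume found for $DataDrive" }

# "Last good" snapshot: the newest copy of this volume taken before the incident.
$snapshot = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volume.DeviceID -and $_.InstallDate -lt $IncidentTime } |
    Sort-Object InstallDate -Descending | Select-Object -First 1
if (-not $snapshot) { throw "No shadow copy of $DataDrive older than $IncidentTime" }
Write-Host "Using snapshot from $($snapshot.InstallDate): $($snapshot.DeviceObject)"

# mklink wants the trailing backslash on the device path, exactly as in the article.
if (Test-Path $LinkPath) { throw "$LinkPath already exists; pick another name" }
cmd /c mklink /d $LinkPath "$($snapshot.DeviceObject)\"
if ($LASTEXITCODE -ne 0) { throw "mklink failed (is this prompt elevated?)" }

try {
    # /E   copy all subfolders.
    # /XO  skip files that are OLDER in the snapshot than on the live disk, i.e.
    #      anything a user changed after the snapshot is left alone.
    # /XC  skip files with the same timestamp but a different size.
    # Encrypted files carry a new extension, so they never match and are removed
    # in the clean-up step instead.
    $log = Join-Path $DataDrive 'restore.log'
    robocopy $LinkPath "$DataDrive\" *.* /E /XO /XC /R:1 /W:1 "/LOG:$log"
    # robocopy exit codes 8 and above mean at least one file failed to copy.
    if ($LASTEXITCODE -ge 8) { Write-Warning "robocopy reported failures; see $log" }
}
finally {
    # Remove the link only; rd on a directory symlink does not touch the snapshot.
    cmd /c rd $LinkPath
}
```

Run it once with /L added to the robocopy line to get a list-only dry run before letting it write to the live volume.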

Step 4 – CleanUp

Final step is to clean up the encrypted files and the decrypt instructions.

Also remove the “directory link” to the shadow copy snapshot if you used that (see previous section); you can just use “RD <directory name>”.

I used SearchMyFiles from http://www.nirsoft.net/ as it is easy to use and very customizable for finding files; I suggest you take no more than 10,000 files at a time, as deleting many files takes quite some time.


Mitigation strategy

  • On file servers, try to limit access as much as possible; if nothing else, look at making data read-only wherever possible, as this alone will protect you greatly.
  • FSRM (File Server Resource Manager): set this up to detect and trigger alarms on new files with the word “decrypt” in the name; “decrypt” as part of a filename is uncommon enough to give only limited false alarms. I will create a separate article on the configuration of this later.
  • Supporters / super users: instruct them to react FAST to tell-tale signs of ransomware; the faster you manage to stop the “infection”, the less there is to clean up.
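One way to set up the FSRM alarm from the second bullet, added here as an example (it is not the author's promised configuration article): it uses the FileServerResourceManager PowerShell cmdlets, and the share path and the e-mail setup are assumptions.

```powershell
# Added example, not the configuration article the blog promises: a passive FSRM
# file screen that raises an event (and mails the admin) whenever a file with
# "decrypt" in its name is created under the share root.
# Assumptions: the FSRM role service is installed, this runs elevated on the
# file server, SMTP is configured with Set-FsrmSetting -SmtpServer/-AdminEmailAddress,
# and the share root below is a constructed path.
$ShareRoot = 'D:\Shares'

# File group holding the ransom-note pattern from the article.
New-FsrmFileGroup -Name 'Ransomware indicators' `
    -Description 'Ransom notes such as HELP_DECRYPT.TXT or !Decrypt-All-Files-*.bmp' `
    -IncludePattern @('*decrypt*')

# Notifications: an Application-log warning your monitoring can pick up, plus
# an e-mail. The [..] tokens are FSRM macros filled in per violation.
$eventAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Possible ransomware: [Source Io Owner] wrote [Source File Path]'
$mailAction  = New-FsrmAction -Type Email -MailTo '[Admin Email]' `
    -Subject 'Ransomware indicator on [Server]' `
    -Body 'User [Source Io Owner] created [Source File Path]; check their workstation.'

# No -Active switch, so the screen is passive: it alerts but never blocks the write,
# which keeps a false alarm (a legitimate file called decrypt.txt) harmless.
New-FsrmFileScreen -Path $ShareRoot -IncludeGroup 'Ransomware indicators' `
    -Notification @($eventAction, $mailAction) `
    -Description 'Alert on ransomware ransom notes'
```

The event lands in the Application log with source SRMSVC, which is the entry to forward to your monitoring so the super users get paged as soon as the first note is written.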

Tools that may be useful:

Decrypt Cryptolocker (this most likely will not work, but give it a go anyhow, just in case): https://www.decryptcryptolocker.com/

WinDirStat: http://windirstat.info/
SearchMyFiles: http://www.nirsoft.net/

Read more about Cryptolocker: http://en.wikipedia.org/wiki/CryptoLocker

Thanks to:

Torben Slaikjer, for finding the link on how to mount a shadow copy snapshot as a directory; this made the job vastly easier.

ebook

A good friend of mine (www.silents.dk) gave me a link to a collection of free Microsoft e-books;

http://blogs.msdn.com/b/mssmallbiz/archive/2013/06/18/huge-collection-of-free-microsoft-ebooks-for-you-including-office-office-365-sharepoint-sql-server-system-center-visual-studio-web-development-windows-windows-azure-and-windows-server.aspx

A cool app for Android phones: it allows you to configure what happens when, e.g., you plug in your headphones, such as having your phone launch your podcast player. This is really cool 🙂 Wish I had this for my iPhone 🙂

http://techotrack.com/archives/4846

If you ever find yourself scripting, then this command must be added to your inventory:

NirCmd  http://www.nirsoft.net/utils/nircmd.html

It is a free command-line utility (about 30 KB) that lets you script a ton of different things, like:
read/write the registry, dial RAS, take screenshots, stop/start/restart/pause services, change display mode, create shortcuts, set the speaker volume, restart/shut down Windows (both remote and local), and, as if this were not enough, you can even batch many of the commands, e.g. create a list/file of computer names that a command needs to run on and then just point to this list/file.

Very powerful and easy to use.

If you have an original game CD/DVD and want to know which copy protection was used on it, maybe to find a NoCD or whatnot (I sometimes even find this interesting from an intellectual point of view), then this utility might just assist you in identifying which copy protection is keeping you from playing “Battlefield Bad Company 2” without the DVD inserted. It won’t break/crack anything, just identify which copy protection was used. Freeware and all that jazz.

Get it here