
Korean Ransomware Attack


damurcute

I recently got my hard drives and USB backup encrypted by ransomware. They used SSL certificates from Symantec and Free Parking. SpyHunter did not notice it, and it hijacked Avira, which spread it. Every folder on my PC contained their ransom notes, and some residual files made me suspect it was of Asian origin. I had made a disc image backup 2 weeks earlier, which had failed. It took a week to get it pieced together, but my PC was back to normal.

I installed Malwarebytes Ransomware, Malwarebytes and Bitdefender. I had some issues between Bitdefender and Malwarebytes, but it eventually worked, with a few false positives. Yesterday I noticed there were only folders in most of the Program Files folders; only Bitdefender remained, although the services were still running. I went online and ran scans via ESET, Trend and F-Secure, and none found a virus. I ran the Microsoft tool, but by the time it may have found it I had removed it. It wrote in the registry Korean for "Lady Gaga baby" etc. It had infected and spread via Windows Search, appeared to arrive via updates to apps on Windows 8, and remotely logged in using the Windows System login, despite all remote access being disabled in the registry, Windows settings and group policy.

I restored the files but noticed Bitdefender turning its own settings off. It was hijacked. As soon as I went online MRB alerted me I had been hijacked and rebooted. It hung with a message about user profiles. I guessed I had been hacked as well, and this was confirmed when the hacker used part of my password, which I found in the registry. I had disabled all other accounts except mine to try to stop the remote access, but he has now changed my password. I can't tighten my firewall any more than it is, as I can't get online. I logged on with Hiren's and was really impressed that the drive is not yet encrypted; there are some files collected, but I pulled the plug on him part way through. What should I do now?


Hello Damurcute and welcome

Please create the following zipped archives for developer team analysis:

Create a zip archive of the directory C:\ProgramData\Malwarebytes\Malwarebytes Anti-Ransomware\
Create another zip archive of the directory C:\ProgramData\Malwarebytes\MBAMService\logs\

Please attach the above zipped archives to your next reply.  When you mentioned Malwarebytes, are you referring to Malwarebytes Anti-Malware (MBAM)?  If so, please relate the full version number and edition.  Have you given any thought to adding Malwarebytes Anti-Exploit (MBAE) to the system's defense arsenal?

Thank you for beta testing MBARW and your valued feedback.

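The reply above asks for two zipped log directories. As an added example that is not part of the thread or of Malwarebytes' own tooling, the PowerShell below packages both directories from a running Windows session and records a SHA-256 hash of each archive, so the recipient can confirm what arrived matches what was sent. It assumes PowerShell 5.0 or later (for Compress-Archive); the staging folder under %TEMP% and the Desktop output path are placeholders, and the "Not found" warning is expected if, as the OP later reports, the malware deleted the Anti-Ransomware folder.

```powershell
# Added example: collect the Malwarebytes log directories requested in the thread
# and hash the resulting archives. Not code from the original post.

$dirs = @(
    'C:\ProgramData\Malwarebytes\Malwarebytes Anti-Ransomware',
    'C:\ProgramData\Malwarebytes\MBAMService\logs'
)
$outDir  = Join-Path $env:USERPROFILE 'Desktop'            # placeholder destination
$staging = Join-Path $env:TEMP ('mb-logs-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))

foreach ($dir in $dirs) {
    if (-not (Test-Path -LiteralPath $dir)) {
        # Expected when the malware has already removed the folder.
        Write-Warning "Not found: $dir"
        continue
    }

    # Archive name from the path under C:\ProgramData\Malwarebytes,
    # e.g. "Malwarebytes-Anti-Ransomware.zip" and "MBAMService-logs.zip".
    $name  = ($dir -replace '^C:\\ProgramData\\Malwarebytes\\', '') -replace '[\\ ]', '-'
    $stage = Join-Path $staging $name

    # Copy first: MBAMService keeps its current log open, and Compress-Archive
    # aborts on a locked file whereas Copy-Item can still read most of them.
    New-Item -ItemType Directory -Path $stage -Force | Out-Null
    Copy-Item -Path "$dir\*" -Destination $stage -Recurse -ErrorAction Continue

    $zip = Join-Path $outDir "$name.zip"
    Compress-Archive -LiteralPath $stage -DestinationPath $zip -Force

    # Hash so the analyst can verify the archive they receive is the one produced here.
    $hash = Get-FileHash -LiteralPath $zip -Algorithm SHA256
    '{0}  {1}  {2:N0} bytes' -f $hash.Hash, $zip, (Get-Item -LiteralPath $zip).Length
}

Remove-Item -LiteralPath $staging -Recurse -Force -ErrorAction SilentlyContinue
```

If the machine is booted from rescue media such as Hiren's rather than into Windows, the same directories are reachable under whatever drive letter the Windows volume is mounted as, and the archives should be written to a separate device that is afterwards treated as untrusted until scanned.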

"What should I do now? "

I think the OP wants to know how to proceed with fixing his system...

You might try downloading and running ShadowExplorer and see if you have any Volume Shadow copies that might have files that are not corrupted.

http://www.shadowexplorer.com/downloads.html

Keep your backup device(s) offline, and/or copy them to a second device and keep that offline.


Root Admin

As the system is already under attack, either by a RAT or a Trojan, it's best you obtain help from one of the Experts on how to clean up and recover from this.

Though you could certainly try ShadowExplorer or System Restore, in most cases the current crop of encryption attacks now fully disable and remove all means of recovery like that; but as we're not sure what you have at this point, we cannot say. If you have data backups, do not connect them to the computer at this time. You could risk losing them as well.

I'd try to see whether an Expert can help you clean up the computer or not. If there is data that is for certain encrypted but no known recovery is available, you could remove the drive and hold onto it for a period of time. In a few cases keys or means to recover have been found, but only for a few attacks.

I would suggest following the advice from the topic here, Available Assistance for Possibly Infected Computers, and having one of the Experts assist you with looking into your issue.

Thank you and good luck.

Please also read the following.

The complexity of finding, preventing, and cleanup from malware

Ron

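Two of the replies above turn on the same question: the ShadowExplorer suggestion only helps if Volume Shadow Copies still exist, and Ron's reply notes that current ransomware usually deletes them. As an added example, not from the thread or from ShadowExplorer, the PowerShell below checks that directly from an elevated session (PowerShell 3.0 or later) and, when snapshots survive, exposes the most recent one as an ordinary folder so files can be copied out without running any third-party tool. The link path C:\ShadowRecovery and the E:\recovered destination are placeholders.

```powershell
# Added example: list surviving Volume Shadow Copies and expose the newest one
# as a directory symlink for file recovery. Not code from the original thread.

function Get-SurvivingShadowCopies {
    # Same inventory "vssadmin list shadows" and ShadowExplorer read. An empty
    # result usually means the attacker ran "vssadmin delete shadows /all" or similar.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Sort-Object -Property InstallDate -Descending |
        Select-Object -Property ID, InstallDate, VolumeName, DeviceObject
}

function Mount-ShadowCopy {
    param(
        [Parameter(Mandatory = $true)] $Shadow,
        [string] $LinkPath = 'C:\ShadowRecovery'     # placeholder link location
    )
    if (Test-Path -LiteralPath $LinkPath) { throw "$LinkPath already exists" }
    # mklink needs the snapshot's device object with a trailing backslash, e.g.
    # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\ ; without it the link is unusable.
    $target = $Shadow.DeviceObject + '\'
    cmd.exe /c mklink /d "$LinkPath" "$target" | Out-Null
    if (-not (Test-Path -LiteralPath $LinkPath)) { throw "mklink failed for $target" }
    return $LinkPath
}

# A disabled VSS service is itself a sign the attacker tampered with recovery.
$vssSvc = Get-CimInstance -ClassName Win32_Service -Filter "Name='VSS'"
if ($vssSvc.StartMode -eq 'Disabled') {
    Write-Warning 'Volume Shadow Copy service is disabled; snapshots were likely removed deliberately.'
}

$shadows = @(Get-SurvivingShadowCopies)
if ($shadows.Count -eq 0) {
    Write-Warning 'No shadow copies on this machine; ShadowExplorer would show nothing either.'
    return
}

$shadows | Format-Table -AutoSize
$link = Mount-ShadowCopy -Shadow $shadows[0]
"Newest snapshot from $($shadows[0].InstallDate) is available under $link"

# Copy OUT to a separate device, never back onto the infected volume, and open a
# couple of recovered files first: a snapshot taken after the encryption started
# contains encrypted data just like the live volume.
# Copy-Item -LiteralPath "$link\Users\<you>\Documents" -Destination 'E:\recovered' -Recurse
# Remove the link afterwards (the snapshot itself is untouched): cmd.exe /c rmdir "$link"
```

Because the symlink only exposes the snapshot, nothing here writes to the original volume; the one thing to check before trusting the copy is the InstallDate of the snapshot relative to when the encryption began.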

Cheers for your advice. Malwarebytes Ransomware stopped the virus, but then it crashed, at which point I turned off the machine. It deleted the Malwarebytes Ransomware folder, but I recovered any logs I could for Malwarebytes; I will upload them for your info once I finish installing the system. I reformatted my drive in the end, then used a disc image from last year, but have not gone online with it yet.


Hello damurcute:

If you have not already done so, please create another .zip archive of the directory C:\ProgramData\Malwarebytes\MBAMService\logs\ and attach it in a reply to this topic.

Thank you kindly for all the data!
