Jump to content

Infected by Ransom.Phobos

dishiestquilll
 Share

Recommended Posts

dishiestquilll

dishiestquilll

Posted
Posted

Hi!

This morning it has come to my attention that my unraid server's files were all encrypted and the extension renamed to .id[DE53FD61-2489].[isafeyourdata@protonmail.com].deuce
After some research i found out that this was done by a ransomware virus called Phobos.

I've added the malware scan log as an attachment.

The attacker gained access through remote desktop on a vps with windows installed where a network share to a unraid server share was still attached.
This vps was created for testing purposes and was going to be removed at a later date hence why i used a very simple password.
The vps's virtual disk file is encrypted aswell so i cannot reboot the vps.

I couldn't find any free decryption tools and wanted to ask for help here.
I don't mind removing the vps but obviously i do want all my files restored :)

Any help would be very much appreciated.

 

scan.txt

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

Hi, 

My name is Maurice. I will be helping and guiding you, going forward on this case.

Please follow my directions as we go along. 

If you will be away for more than 3 consecutive days,  do try to let me know ahead of time, as much as possible.

 

Please only just attach   all report files, etc  that I ask for as we go along.

.

Thanks for the reports.   I am very sorry to see that this pc has been hit by a ransomware.

If this system had had Malwarebytes for Windows Premium it would have stopped this ransomware.

 

Backup is your best friend.  Restoring the system from a very recent Backup image that was done Before the infection, would be the best way to restore.

 

Keep in mind that ransomwares do delete all Windows System Restore points & they disable the System Restore service, as well as the Windows Volume Shadow copy service.

 

 Please also understand,  we cannot fix or recover any corrupted files.   Malwarebytes has no decrypter.

Q:  Do you have a recent full backup of this system somewhere ?

 

.

What follows is a first step to have Windows 10 show all files and folder. Do not let this spook you out.

There is a how-to at Tenforums. Use either option one or two or three

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

 

.


 I would like to have you upload these files
C:\Program Files (x86)\desktop.ini.id[DE53FD61-2489].[isafeyourdata@protonmail.com].deuce

C:\Users\Public\desktop.ini.id[DE53FD61-2489].[isafeyourdata@protonmail.com].deuce

up to the IDRansomware site so it can do analysis on it.   Upload one at a time, and Save the result & post that result with your next reply.

https://id-ransomware.malwarehunterteam.com/

 

Please relay back the  resulting analysis.

 

Malwarebytes has no decrypter.

 

 

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

I'd make sure that you set the Windows File Explorer to show all folders.

What you note about the encrypted files is odd.   According to the reports you provided,

There are many .DEUCE files all over, including the Desktop, Downloads folder, & Documents.   AND note that a goodly number were set as System files & Hidden files

Here are a few

2019-10-27 15:23 - 2019-10-27 15:23 - 000000530 ___SH C:\Users\Public\Documents\desktop.ini.id[DE53FD61-2489].[isafeyourdata@protonmail.com].deuce
2019-10-27 15:23 - 2019-10-27 15:23 - 000000418 ___SH C:\Users\Public\Downloads\desktop.ini.id[DE53FD61-2489].[isafeyourdata@protonmail.com].deuce
2019-10-27 15:23 - 2019-10-27 15:23 - 000000418 ___SH C:\Users\Public\Desktop\desktop.ini.id[DE53FD61-2489].[isafeyourdata@protonmail.com].deuce
2019-10-27 15:23 - 2019-10-27 15:23 - 000000418 ___SH C:\Users\Public\desktop.ini.id[DE53FD61-2489].[isafeyourdata@protonmail.com].deuce
2019-10-27 15:23 - 2019-10-27 15:23 - 000000418 ___SH C:\Users\desktop.ini.id[DE53FD61-2489].[isafeyourdata@protonmail.com].deuce
2019-10-27 15:23 - 2019-10-27 15:23 - 000000290 ___SH C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start

 

NOTE the attributes above, SH  ..... S  stand for System,  H stands for hidden.

I  would suggest, if you have the value in your messed-up files, to make copies of them on offline media and stash that copy away.

In the hopes that perhaps in future, someone ma comes out with a decrypter.

 

 

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

Thanks for the txt file.  Is that the verbatim report from Id-Ransomware portal?

As far as your Windows System & File Explorer,  double check to see that it is set to show ALL

Press the Windows-key on keyboard,  then use the search box

2.    Type
folder

in the search box, then select   ( click on ) File Folder Options from the search results.
3.    Select the View tab.      <<---<


4.    Under Advanced settings, select Show hidden files, folders, and drives, and then  click on APPLY  & then click OK.

 

.

This next procedure is a custom scripted search to find all files with a .deuce  as the filename extension.

It is only to do a list of what it finds.   It makes no changes.

You can gather a report-list of all .DEUCE files by using this custom script.

Save the file I have attached with this reply named search-script.txt   to either the Downloads folder  ( or else to your Desktop ).

Next, do a right-click on the file and select RENAME

and rename it to search-script.bat

Next, lets run it.  Right-click on search-script.bat  and select RUN as Administrator

and reply YES  when prompted by Windows  in order to proceed with the script process.

When all completed, see the text file named ksearch_results.txt   on your DESKTOP.

This file is for your benefit.

.

Ransomwares do turn off the System Restore service & the Volume Shadow Copy service & they delete previous Restore Points.

 

For sure, make sure that the Windows System Restore service is ON.

https://www.tenforums.com/tutorials/99782-enable-disable-system-restore-windows.html

 

Also be very sure that Volume Shadow Copy service is ON  ( enabled)

Run MSCONFIG   (  press Windows-key +R key   and type in MSCONFIG)

scroll thru and be sure that Volume Shadow Copy has a check-mark  on the right side.

next

Press and hold the Windows-flag-key on keyboard and tap the *R* key to get the RUN menu option.

type in

services.msc

and press Enter key. 

Scroll down the list. Look for "Volume Shadow Copy"  is listed there, with a Startup type of Manual.

.

Backup is your best friend.  Make regular backups of your system on offline media.  It is best if you would keep 3 generations, with one of those kept outside of your regular location   { perhaps on a cloud location, such as Onedrive  or even Google drive ) .

.

I am listing below 3 possible ways to try to see if your files can be recovered.  These are things you can try.  But first, I need to re-emphasize some things.

There is no known current decrypter tool.

Ransomwares delete themselves after doing their deed.   Malwarebytes has no decrypter for any encrypted file.

 

 

Restoring from backups is the best way to recover files.  Backup is your best friend.

If you have made backups from before the infection, use backup to do restores.

If you have no prior backups, see one of the other ways below.

 

You may try what follows on some of your files with the .deuce   extension  to see if Windows "may" have a old copy.   Note none of these can “fix” the encrypted files.

 

Remember that each new file you create or save on your machine may well over-write the space used by a old deleted file.

[ 1 ]

Pick one file that has the .deuce in its file-name.    you can right-click on the file, go into Properties, and select the Previous Versions tab. This tab will list all copies of the file that have been stored in a Shadow Volume Copy and the date they were backed up

see if yours shows a line entry with some old date prior to date of infection.

To restore a particular version of the file, simply click on the Copy button and then select the directory you wish to restore the file to.

See if that works for you.   If it works on one file, then try another.

If not, see # 2 & # 3 below;   as well as the summary notes at bottom.

 

[ 2 ]

Try using a program named Shadow Explorer.

Shadow Explorer allows you to browse the Shadow Copies created by the Windows Vista / 7 / 8 / 10 Volume Shadow Copy Service.

See the about page   https://www.shadowexplorer.com/

Download page   https://www.shadowexplorer.com/downloads.html

Here is one how – to  guide ( article ) on Shadow Explorer

https://www.linglom.com/it-support/recover-deleted-files-on-windows-with-shadow-explorer/

 

[ 3 ]

It may be possible to use a file recovery tool like Recuva to recover some files. There is no guarantee it will work.  But worth trying.

Recuva can help in finding older deleted copies of your files.  Note, it cannot “fix” encrypted files.

https://www.ccleaner.com/docs/recuva/using-recuva

 

This link is to a generic  video guide on Youtube   

 

 

This link is a generic written guide  

https://www.howtogeek.com/howto/2216/restore-accidentally-deleted-files-with-recuva/

 

 

 

search-script.txt

Link to post
Share on other sites
dishiestquilll

dishiestquilll

Posted
  • Author
Posted

Hi thank you for your reply.

 

The thing is the windows is a vps which runs on my unraid server.
The attacker had access to my unraid shares due to a network share that was still attached to said vps.

Because of this he was able to also encrypt the windows vps vdi file (the actuall harddrive of the windows vps).
I really dont care about the windows vps and the files on the vps at all since i created it so a friend (who i trust) of mine could configure some servers on my network via rdp (annoying nat situation). I was going to remove it a few days later after creation anyway.

As a result i removed the windows vps because i coulldnt even restart it and actually had to reinstall my unraid server aswell since the attacker encrypted pretty much everything vps startup related.

I did backup all the encrypted files and put them in a zip file hoping a decryption tool will be available in the future.
And i protected every share on my unraid server aswell! :) 

So, this thread can be closed, the problem is not solved but i will wait untill a tool is released at some point in the future.

 

Thank you for your time to assist me :) 👍

 

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

Thanks for the status update.  I am going to list a few articles about securing RDP access

https://blog.malwarebytes.com/security-world/business-security-world/2018/08/protect-rdp-access-ransomware-attacks/

https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-security-explained/

 

https://www.solarwindsmsp.com/blog/rdp-encryption-techniques

 

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".

Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).


Free games & free programs are like "candy". We do not accept them from "strangers".


Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.
 

 

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Dont remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 
Do a Windows Update.

Make certain that Automatic Updates is enabled.
https://support.microsoft.com/en-us/help/12373/windows-update-faq




Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"

.

I wish you all the best.

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.