Awesome! If it's a NAS, you should be able to access the data via SMB or NFS; the file system shouldn't matter on a NAS.
Just dealt with a customer that was infected with this. I booted into Safe Mode and ran Process Explorer. Killed the running process and deleted the offending files using CCleaner. Rebooted again into Safe Mode and ran ComboFix. I then installed MSE and scanned, which removed a bunch of crap. I then ran UnHide and everything is back to normal.
The backup is on some Seagate NAS with a blown 12V power supply and a 1TB drive... The drive itself is out of the NAS; it will be put on a Linux box to transfer the files. Alternatively, he'll swap the power supply on the NAS.
Ken and Philip (and others)... some more info on this malware, including how it attacks and what it does.
http://blog.emsisoft.com/2012/04/11/...ndows-servers/
MORNING WOOD Lumber Company
Guinness for Strength!!!
I firmly believe that having Acrobat, Flash and Java up to date is critical in avoiding this type of infection (as well as the obvious).
Usually never installed on a server in the first place. This "problem" doesn't happen to a server because the end user is surfing the 'net...it's a direct attack against the server via port 3389 tcp.
The guy is hacking into systems using the DUBrute tool against Remote Desktop... selecting common user names (Admin, Administrator, Root, Sales, Support, Scanner, Test1, Test2... basically a list of 25 or so very common user names that will be in AD (Active Directory users)... and then grinding against them with dictionary and smart-guess passwords. Eventually getting into systems where the "guessed" usernames are present and the passwords are simple and able to be overcome by the DUBrute tool.
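The attack pattern described in the post above (many failed RDP logons from one source, cycling through generic account names such as Admin, Administrator, Root, Sales, Support, Scanner, Test1, Test2) is straightforward to spot in the Windows Security log, because every failed logon is recorded as Event ID 4625 and RDP logons carry logon type 10 (RemoteInteractive). The script below is an added example written for this thread, not code from any poster or from the linked Emsisoft article: it reads a constructed, flattened sample of 4625 records (timestamp, target user, source IP, logon type), keeps a per-source sliding window, and flags a source once it exceeds a failure threshold inside that window, noting whether every name it tried comes from the generic-account list. The threshold, window length and the flat `timestamp|user|source_ip|logon_type` format are assumptions of this example; on a real server you would feed it the same fields exported from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}`.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not from the thread): one Event ID 4625 (failed
# logon) per line, flattened to "timestamp|target_user|source_ip|logon_type".
# Logon type 10 = RemoteInteractive, i.e. a Remote Desktop attempt.
SAMPLE_EVENTS = """\
2012-04-10T02:14:03|Administrator|203.0.113.77|10
2012-04-10T02:14:05|Admin|203.0.113.77|10
2012-04-10T02:14:07|Root|203.0.113.77|10
2012-04-10T02:14:09|Sales|203.0.113.77|10
2012-04-10T02:14:11|Support|203.0.113.77|10
2012-04-10T02:14:13|Scanner|203.0.113.77|10
2012-04-10T02:14:15|Test1|203.0.113.77|10
2012-04-10T02:14:17|Test2|203.0.113.77|10
2012-04-10T09:30:00|jsmith|192.0.2.15|10
2012-04-10T09:31:00|jsmith|192.0.2.15|10
2012-04-11T02:14:03|Administrator|198.51.100.9|10
"""

# Generic names the post says the tool cycles through; an assumed, short list.
GENERIC_ACCOUNTS = {"admin", "administrator", "root", "sales",
                    "support", "scanner", "test1", "test2"}


def parse_events(text):
    """Turn the flattened 4625 export into a list of dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, src, logon_type = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "src": src, "logon_type": int(logon_type)})
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: {failures, users, generic_names}} for every source
    that produced >= threshold RDP logon failures inside a sliding window."""
    recent = defaultdict(deque)   # source_ip -> events still inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 10:      # only Remote Desktop attempts
            continue
        q = recent[ev["src"]]
        q.append(ev)
        while q and ev["time"] - q[0]["time"] > window:
            q.popleft()                 # drop attempts that aged out
        if len(q) >= threshold:
            alert = alerts.setdefault(ev["src"], {"failures": 0, "users": set()})
            alert["failures"] = max(alert["failures"], len(q))
            alert["users"].update(e["user"] for e in q)
    for alert in alerts.values():
        alert["users"] = sorted(alert["users"])
        # True when every name tried is a generic/default account name, which
        # is the signature of a username list rather than a mistyped password.
        alert["generic_names"] = all(u.lower() in GENERIC_ACCOUNTS
                                     for u in alert["users"])
    return alerts


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(f"{src}: {info['failures']} RDP failures in window, "
              f"generic-name list={info['generic_names']}, users={info['users']}")
```

Run against the sample, only 203.0.113.77 is reported (eight failures in fourteen seconds across eight generic names); the two mistyped logons from 192.0.2.15 and the single attempt from 198.51.100.9 stay below the threshold. Whatever the detection threshold, the fixes that actually stop this are the ones implied by the post: do not expose TCP 3389 to the internet (VPN or RD Gateway in front of it), enforce an account lockout policy so a guessed username cannot be ground against indefinitely, and make sure none of those generic account names exist with weak passwords.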
Then it was not //this// particular ransomware that you were dealing with... please read (and, importantly, understand) this particular exact topic. The files are not TRASHED... they are all packaged in an encrypted file, and the originals are completely and utterly erased. Combofix and typical Geek Squad malware removal tools are BB guns on an elephant hunt for this particular subject.