Infected by Kryptik.GMNQ trojan Any chance to restore files?


I have a Windows 10 based desktop which works as a Plex/FTP/Print server at home.

Yesterday, it was fine.

When I connected to it today, I saw that all files on the external HDD are ADOBE files. Their names contain an email address: supplng@protomail.com

If I rename the files to the right format, they can’t be opened.

I had ESET Internet Security installed but it wasn’t on the computer today. It was deleted, or I don’t know. Now I have redownloaded ESET and I’m running a virus scan. It found the basic files of the malware, or I don’t know what that is, but my files are still locked. They are (nearly) only movies, so no important data, but is there any chance to unlock them?

I don’t know the source of the virus as I didn’t use the server today. It started at 8 a.m. but I didn’t use it. The FTP port is different from 21 and the password is strong. It’s using FileZilla.

The interesting thing is that on drive C everything is fine; only on the movie HDD are the files “locked”. Some basic programs like Firefox and PowerISO were deleted, but TeamViewer and Pulseway were not.

Please help, anything that can help. In the holidays I can reinstall and reconfigure the system, but I will have to redownload every movie, song and media file, and this is my DIY server, so it would take days to reconfigure.

UPDATE: The scan has finished and didn’t find anything, only the base virus files.

UPDATE 2: I know, Windows is a bad choice for a server, so I'm planning to use Linux. :D

I will only be able to upload a locked file tomorrow. Right now I'm not next to the server and I don't want to turn it on, as maybe it can damage other computers too. (In fact, there are no other Windows PCs, only a Mac, but it can't be infected, I hope.)

UPDATE 3: I uploaded a locked file. https://www.mediafire.com/file/b4xuckaeoq1lr9r/The.Grand.Tour.S02E04.Unscripted.720p.Hungarian.srt.id-4C1A7783.[supplng@protonmail.com].adobe/file

Edited by scania471
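As an added triage helper (not code from this thread, from ESET, or from the poster), the Python below parses the renamed-file layout shown in the post above (`<name>.id-<8 hex digits>.[<contact>].adobe`) and scopes which folders and file types were hit. It renames nothing; the encrypted-to-original name map only exists so a later restore from backup can be checked file by file. SAMPLE_LISTING is a constructed directory listing whose first entry is the file name from the post.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# Name layout of the encrypted files shown in the thread:
#   <original file name>.id-<8 hex digits>.[<contact address>].adobe
CRYSIS_NAME = re.compile(
    r"^(?P<orig>.+)\.id-(?P<vid>[0-9A-Fa-f]{8})\.\[(?P<contact>[^\]]+)\]\.adobe$"
)

# Constructed listing for the demo: the first entry is the file name from the
# thread, the rest are made-up paths.
SAMPLE_LISTING = [
    "E:/Movies/The.Grand.Tour.S02E04.Unscripted.720p.Hungarian.srt.id-4C1A7783.[supplng@protonmail.com].adobe",
    "E:/Movies/The.Grand.Tour.S02E04.Unscripted.720p.Hungarian.mkv.id-4C1A7783.[supplng@protonmail.com].adobe",
    "E:/Music/track01.mp3.id-4C1A7783.[supplng@protonmail.com].adobe",
    "E:/Movies/notes.txt",
    "C:/Users/plex/Desktop/todo.txt",
]


def parse_renamed(name):
    """Return (original name, victim id, contact) for an encrypted file name,
    or None when the name does not follow the Crysis layout."""
    m = CRYSIS_NAME.match(name)
    return None if m is None else (m.group("orig"), m.group("vid"), m.group("contact"))


def inventory(paths):
    """Scope the incident from a path listing: which directories and file types
    were hit, and which victim ids / contact addresses appear. Nothing is
    renamed; 'affected' only maps each encrypted path to its original path so a
    later restore from backup can be checked against it."""
    report = {"affected": {}, "untouched": [], "by_dir": Counter(),
              "by_ext": Counter(), "victim_ids": set(), "contacts": set()}
    for path in paths:
        p = PurePosixPath(path)
        parsed = parse_renamed(p.name)
        if parsed is None:
            report["untouched"].append(path)
            continue
        orig, vid, contact = parsed
        report["affected"][path] = str(p.with_name(orig))
        report["by_dir"][str(p.parent)] += 1
        report["by_ext"][PurePosixPath(orig).suffix.lower() or "(none)"] += 1
        report["victim_ids"].add(vid)
        report["contacts"].add(contact)
    return report
```

Feed it the output of a recursive directory listing of the affected drive; a second victim id or contact address in the report would indicate more than one run of the ransomware.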

  • Administrators

Please read https://forum.eset.com/topic/17810-eset/.

Files were encrypted by Filecoder.Crysis, i.e. decryption is not possible. If you had ESET installed at the time of infection, most likely an attacker remoted in via RDP and disabled or uninstalled ESET prior to running the ransomware.

It is crucial that you secure RDP since it's a typical infection vector in case of Filecoder.Crysis and no security program will be able to protect you 100% if an attacker manages to get in with administrator rights.

Last but not least, never underestimate the main rule to always back up crucial files on a separate drive and avoid connecting it to already infected systems.


  • Most Valued Members

Disconnect the machine from the network if you are afraid that it could spread across your network, so you can try to see what happened.

If you didn't touch the machine when it got infected, then someone was somehow able to take control of your PC through a port that your PC is listening on, gaining access and being able to run the malicious files that encrypted your system.

Or, as Marcos said, if you do use RDP and it's not secure, then someone could have jumped on that RDP and done what he wanted to do.

Or it could have been a mistake of running a malicious file, which was Crysis in your case.


So maybe the problem was the Microsoft Remote Desktop service? Because I used the server remotely. And is there no chance to recover the media files?

If they used that Remote Desktop service, how did they manage to connect to it remotely? It works only in LAN, or not?


  • Most Valued Members
3 hours ago, scania471 said:

So maybe the problem was the Microsoft Remote Desktop service? Because I used the server remotely. And is there no chance to recover the media files?

If they used that Remote Desktop service, how did they manage to connect to it remotely? It works only in LAN, or not?

Depending on your settings, whether it was set to allow LAN only or to accept from everywhere. For now there is no way to decrypt the files because there is no decryption key.

It could help you if the files have any kind of "Previous Version" in the Properties area of the file, or any kind of backup or restore.

Edited by Rami

Alright, thank you very much for your help. In the future, I won't use this utility. In fact, after that, I'm not going to use Windows anymore on my server. I will try to use Ubuntu. As I know, there are no viruses for Linux. I deleted everything, so I can reconfigure everything... But I have learned a lot from this mistake. :D Fortunately, the data on it was not important and is replaceable.


  • Most Valued Members
22 minutes ago, scania471 said:

Alright, thank you very much for your help. In the future, I won't use this utility. In fact, after that, I'm not going to use Windows anymore on my server. I will try to use Ubuntu. As I know, there are no viruses for Linux. I deleted everything, so I can reconfigure everything... But I have learned a lot from this mistake. :D Fortunately, the data on it was not important and is replaceable.

Keep in mind that there are viruses for Linux too, but not like Windows, because Linux is less targeted by malware/viruses; you also need to secure your Linux.

You could set the firewall to only allow your address to connect to the server for remote access and deny all of the other incoming ports that you don't use; keep the ones that you do use so the services keep working.

There are a lot of articles about hardening a Linux server; search for them on Google.


  • Administrators

We have at least 16 Filecoder families for Linux, so while Linux is basically a safer OS, it doesn't mean it can never get infected. The main problem was that an attacker remoted in via RDP (Remote Desktop) and uninstalled ESET. If a Windows system is properly secured, the chances of getting infected can be minimized. Also, had ESET been password-protected and detection of potentially unsafe applications enabled, it wouldn't have been possible to uninstall or disable ESET easily.
