Jump to content

Infected by Kryptik.GMNQ trojan Any chance to restore files?


Recommended Posts

I have a Windows 10 based desktop which works as a Plex/FTP/Print server at home.

Yesterday, it was fine.

When I connected to it today, i saw that all files of the external HDD are ADOBE files. The name of them contain an email address: supplng@protomail.com

If I rename the files to the good format, it can’t open it.

I had ESET Internet security installed but it wasn’t on the computer today. It was deleted or I don’t know. Now, I redownloaded the ESET and I’m running a virus scan now. It found the basic files of the malware or I don’t know what is that but my files are still locked. They are only movies (nearly), so no important data but is there any chance to unlock them?

I don’t know the source of the virus as I didn’t use the server today. It started at 8 a.m but I didn’t use it. The FTP port is different from the 21, the password is strong. It’s using FileZilla.

The interesting thing is that on the drive C, everything is fine but only on the Movie HDD, the files are “locked”. Some basic programs were deleted like Firefox, PowerISO but like TeamViewer, Pulseway were not deleted.

Please help. Anything which can help. In the holidays, I can reinstall and reconfigure the system but I will have to redownload every movie, song, media files and this is my DIY server, so it would take days to reconfigure.

UPDATE: The scan has finished and didn’t find anything, only the base virus files.

UPDATE 2: I know, Windows is a bad choice for a server, so I'm planning to use Linux. :D

I will be only available to upload a locked file tomorrow. Now, I'm not next to the server and I don't want to turn it on as maybe it can damage other computers, too. (in fact, there are not other Windows pcs, only a Mac but it can't be infected, I hope)

UPDATE 3: I uploaded a locked file. https://www.mediafire.com/file/b4xuckaeoq1lr9r/The.Grand.Tour.S02E04.Unscripted.720p.Hungarian.srt.id-4C1A7783.[supplng@protonmail.com].adobe/file

Edited by scania471
Link to comment
Share on other sites

  • Administrators

Please read https://forum.eset.com/topic/17810-eset/.

Files were encrypted by Filecoder.Crysis, ie. decryption is not possible. If you had ESET installed at the time of infection, most likely an attacker remoted in via RDP and disabled or uninstalled ESET prior to running the ransomware.

It is crucial that you secure RDP since it's a typical infection vector in case of Filecoder.Crysis and no security program will be able to protect you 100% if an attacker manages to get in with administrator rights.

Last but not least, never underestimate the main rule to always back up crucial files on a separate drive and avoid connecting it to already infected systems.

Link to comment
Share on other sites

  • Most Valued Members

Disconnect the machine from the network if you are afraid that it could spread across your network so you can try to see what happend

If you didn't touch the machine when it got infected then someone somehow was able to take control of your PC somehow , through a port that your PC is listening to while gaining access and being able to run the malicious files that could encrypt your system

Or as Marcos said if you do use RDP and it's not secure then someone could have jumped on that RDP and did what he wanted to do.

Or it could have been a mistake of running a malicious file which was the Crysis in your case.

 

Link to comment
Share on other sites

So maybe the problem was the Microsoft Remote Desktop service? Because I used the server remotely. And there is no chance to recover the media files? 

If they used that Remote Desktop service, how did they managed to connect to it remotely? It works only in LAN, or not?

Link to comment
Share on other sites

  • Most Valued Members
3 hours ago, scania471 said:

So maybe the problem was the Microsoft Remote Desktop service? Because I used the server remotely. And there is no chance to recover the media files? 

If they used that Remote Desktop service, how did they managed to connect to it remotely? It works only in LAN, or not?

Depending on your setting if it was only to allow LAN only or accept from everywhere , for now there is no way to decrypt the files because there is no decryption key.

It could help you if the files have any kind of "Previous Version" in the Properties area of the file , or any kind of a backup or a restore.

Edited by Rami
Link to comment
Share on other sites

Alright, thank you very much for your help. In the future, I won't use this utility. In fact, after that, I'm not going to use Windows anymore on my server. I will try to use Ubuntu. As I know, there are no viruses for Linux. I deleted everything, so I can reconfigure everything... But I have learned a lot of this mistake. :D Fortunately, the data on it was not important and they are replaceable. 

Link to comment
Share on other sites

  • Most Valued Members
22 minutes ago, scania471 said:

Alright, thank you very much for your help. In the future, I won't use this utility. In fact, after that, I'm not going to use Windows anymore on my server. I will try to use Ubuntu. As I know, there are no viruses for Linux. I deleted everything, so I can reconfigure everything... But I have learned a lot of this mistake. :D Fortunately, the data on it was not important and they are replaceable. 

Keep in mind that also for Linux there are viruses but not like Windows because Linux is less targeted for malware/viruses , you also need to secure your Linux.

You could set the Firewall to only allow your address to connect to the server in remote access and deny all of the other incoming ports that you don't use , keep the one that you do use in order to make the service work for sure

There are a lot of Articles about Hardening the Linux server , search for them in Google.

Link to comment
Share on other sites

  • Administrators

We have at least 16 Filecoder families for Linux so while Linux is basically a safer OS, it doesn't mean it can never get infected. The main problem was that an attacker remoted in via RDP (Remote Desktop) and uninstalled ESET. If a Windows system is properly secured, the chances of getting infected can be minimized. Also had ESET been password protected and detection of potentially unsafe applications enabled, it wouldn't have been possible to uninstall or disable ESET easily.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...