classiccor83 0 Posted July 14, 2019

Hello, I was the victim of an RDP Scarab trojan early this morning that has encrypted all the files on my hard drives and NAS with the ".sfs" file suffix. I have run Malwarebytes and that has cleared up a few files and a few registry changes; a complete scan with NOD32 has also cleaned a few things up.

I first noticed the issue when my computer was logged out this morning, as it's never logged out. I had to use a USB boot tool to change my password as it had been changed, and when doing this I noticed a new user account called "localadmin". I changed the password on that and also disabled the account just in case.

When I finally managed to log in I noticed that the following pieces of software had been uninstalled:
- TeamViewer
- ESET NOD32
- Malwarebytes

Also my firewall had been disabled and the OneDrive client installed. I fixed those issues and then restarted as requested by Malwarebytes.

Once logged back in my torrent client auto-started and advised me that essentially every torrent had missing files, so I checked the locations and noticed all my media (movies, anime etc.) had ".sfs" added to the file names, and that's when I noticed the "HOW TO RECOVER ENCRYPTED FILES.TXT" in one of the folders.

I have read in a few support forums that ESET have developed a Scarab decryption tool. How can I get hold of this to recover my files? I am currently a paid user of NOD32 Antivirus.
Administrators Marcos 5,468 Posted July 15, 2019

Please continue as follows:
- With ESET installed and activated with a paid license, collect logs with ESET Log Collector
- Prepare a couple of encrypted files, ideally Office documents
- Prepare the ransomware note with payment instructions

Compress all the stuff into a single archive and email it to samples[at]eset.com.
classiccor83 0 (Author) Posted July 15, 2019

9 hours ago, Marcos said:
> Please continue as follows:
> - With ESET installed and activated with a paid license, collect logs with ESET Log Collector
> - Prepare a couple of encrypted files, ideally Office documents
> - Prepare the ransomware note with payment instructions
> Compress all the stuff into a single archive and email it to samples[at]eset.com.

The email has been sent to the email address as requested. What are the next steps?
itman 1,809 Posted July 15, 2019

58 minutes ago, classiccor83 said:
> The email has been sent to the email address as requested. What are the next steps?

Wait for an e-mail reply from ESET support. Were all your backup files on the NAS storage? Backups need to be created on storage that is off-line and disconnected from your PC.
classiccor83 0 (Author) Posted July 15, 2019

2 minutes ago, itman said:
> Wait for an e-mail reply from ESET support. Were all your backup files on the NAS storage? Backups need to be created on storage that is off-line and disconnected from your PC.

Unfortunately my backups were compromised on my NAS storage as well. I will be picking up a newer NAS that supports SMB 3 soon and starting from scratch. I also believe they managed to get on to my HTPC and encrypt a few files on there, but I have shut that down and not had a chance to look at it just yet; that simply has my ripped movie collection for viewing around the house via DLNA.
Most Valued Members Nightowl 206 Posted July 16, 2019

16 hours ago, classiccor83 said:
> Unfortunately my backups were compromised on my NAS storage as well. I will be picking up a newer NAS that supports SMB 3 soon and starting from scratch. I also believe they managed to get on to my HTPC and encrypt a few files on there, but I have shut that down and not had a chance to look at it just yet; that simply has my ripped movie collection for viewing around the house via DLNA.

Just general questions about your RDP compromise. You didn't firewall your RDP to specific IP addresses? So the attackers brute-forced your RDP, shut down your firewall and then your AV services, and then infected your system and then the NAS? Did you use a weak password? You can ignore all of these questions if you don't want to reply.
classiccor83 0 (Author) Posted July 19, 2019

On 7/16/2019 at 10:50 AM, Rami said:
> Just general questions about your RDP compromise. You didn't firewall your RDP to specific IP addresses? So the attackers brute-forced your RDP, shut down your firewall and then your AV services, and then infected your system and then the NAS? Did you use a weak password? You can ignore all of these questions if you don't want to reply.

I'm not totally sure how they got access to my password; I have now changed to a more complex password all round. I'm not totally sure what you mean by firewalling my RDP to specific IP addresses. The only way I access this computer when out and about is via TeamViewer, so that itself may have been a way for them to gain access. I haven't reinstalled it since.
Most Valued Members Nightowl 206 Posted July 20, 2019

9 hours ago, classiccor83 said:
> I'm not totally sure how they got access to my password; I have now changed to a more complex password all round. I'm not totally sure what you mean by firewalling my RDP to specific IP addresses. The only way I access this computer when out and about is via TeamViewer, so that itself may have been a way for them to gain access. I haven't reinstalled it since.

In settings, is your TeamViewer set to only accept connections from you?
Administrators Marcos 5,468 Posted July 20, 2019

15 hours ago, classiccor83 said:
> I'm not totally sure how they got access to my password; I have now changed to a more complex password all round.

I don't know what password you used; however, attackers can perform brute-force dictionary attacks and try tens of thousands of commonly used passwords within a relatively short time. Therefore it's important to use a lockout policy, 2FA, limit RDP connections to specific IP addresses on a firewall, etc. Ideally use a VPN for connections from outside and allow RDP only within your local network.
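As an added example that is not part of this thread or ESET's own guidance, the following PowerShell applies Marcos's advice on a Windows 10/11 host: it limits the built-in inbound Remote Desktop rules to an allowed subnet, re-enables the firewall for all profiles (the original poster found it disabled), sets an account lockout policy, and reviews the Security log for failed-logon bursts and newly created accounts of the "localadmin" kind described above. The subnet, the 5-attempt / 30-minute lockout values and the 7-day window are assumptions to adjust for your own environment.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
# Assumption: RDP should only be reachable from the home LAN (and a VPN subnet if you add one).
$AllowedRdpSources = @('192.168.1.0/24')   # placeholder LAN range; add your VPN range here

# 1. Restrict the built-in "Remote Desktop" inbound rules to the allowed sources only.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $AllowedRdpSources -Enabled True

# 2. Make sure the Windows Firewall is on for every profile.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True

# 3. Local lockout policy: 5 bad passwords lock the account for 30 minutes
#    (the observation window must not exceed the lockout duration).
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 4. Audit the last 7 days: failed logons (event 4625) grouped by source address,
#    then any account creations (event 4720), which would reveal an unexpected user.
$since = (Get-Date).AddDays(-7)

function Get-EventField([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name) {
    $x = [xml]$Event.ToXml()
    ($x.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

Write-Host "Failed logons since $since, by source address:"
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Source  = Get-EventField $_ 'IpAddress'
            Account = Get-EventField $_ 'TargetUserName'
        }
    } |
    Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10 | Format-Table -AutoSize

Write-Host "Accounts created since $since:"
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Created = $_.TimeCreated
            NewUser = Get-EventField $_ 'TargetUserName'
            By      = Get-EventField $_ 'SubjectUserName'
        }
    } | Format-Table -AutoSize
```

A high count of 4625 events from one address is the brute-force pattern Marcos describes; a 4720 event for a user you did not create is the sign the original poster found after the fact.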