Scarab Ransomware

[classiccor83 0]

Hello, 

 

I was the victim of an RDP Scarab trojan early this morning that has encrypted all the files on my hard drives and NAS with the ".sfs" file suffix.

 

I have ran malwarebytes and that has cleared up a few files and a few registry changes also a complete scan of NOD32 has also cleaned a few things up.

 

I 1st noticed the issue when my computer was logged out this morning  as it's never logged out, I had to use a usb boot tool to change my password as it had been changed and when doing this I noticed a new user account called "localadmin" I changed the password to that and also disabled the account just in case. When I finally managed to log in I noticed that the following pieces of software had been uninstalled:

• teamviewer
• ESET Nod32
• Malwarebytes

Also my firewall had been disabled and the onedrive client installed, I fixed those issues and then restarted as requested by malwarebytes. Once logged back in my torrent client auto started and advised me that essentially every torrent had missing files, so I checked locations and noticed all my media, movies, anime etc had the ".sfs" added to the file names and that's when I noticed the "HOW TO RECOVER ENCRYPTED FILES.TXT" in 1 of the folders.

I have read in a few support forums that ESET have developed a Scarab decryption tool, how can I get hold of this to recover my files?

I am currently a paid user of Nod32 Antivirus.

[Marcos 5,070]

Please continue as follows:

- With ESET installed and activated with a paid license, collect logs with ESET Log Collector
- prepare a couple of encrypted files, ideally Office documents
- prepare the ransomware note with payment instructions

Compress all the stuff into a single archive and email it to samples[at]eset.com.

[classiccor83 0]

9 hours ago, Marcos said:

Please continue as follows:

- With ESET installed and activated with a paid license, collect logs with ESET Log Collector
- prepare a couple of encrypted files, ideally Office documents
- prepare the ransomware note with payment instructions

Compress all the stuff into a single archive and email it to samples[at]eset.com.

The email has been sent to the email address as requested. What are the next steps?

[itman 1,659]

58 minutes ago, classiccor83 said:

The email has been sent to the email address as requested. What are the next steps?

Wait for an e-mail reply from Eset support.

Were all your backup files on the NAS storage? Backups need to be created on storage that is off-line and disconnected from your PC.

[classiccor83 0]

2 minutes ago, itman said:

Wait for an e-mail reply from Eset support.

Were all your backup files on the NAS storage? Backups need to be created on storage that is off-line and disconnected from your PC.

Unfortunately my backups were compromised on my NAS storage as well. I will be picking up a newer NAS that supports SMB 3 soon and starting from scratch, also I believe they managed to get on to my HTPC and encrypt a few files on there but I have shut that down and not had chance to look at it just yet, that simply has my ripped movie collection for viewing around the house via DLNA. 

[Nightowl 202]

16 hours ago, classiccor83 said:

Unfortunately my backups were compromised on my NAS storage as well. I will be picking up a newer NAS that supports SMB 3 soon and starting from scratch, also I believe they managed to get on to my HTPC and encrypt a few files on there but I have shut that down and not had chance to look at it just yet, that simply has my ripped movie collection for viewing around the house via DLNA. 

Just general questions for your RDP compromise ,

You didn't firewall your RDP to specific IP Addresses ? , So the attackers did brute-force your RDP , shutdown your Firewall and then your AV services , and then infect your system and then the NAS?

Did you use weak password?

You can ignore all of these questions if you don't want to reply

[classiccor83 0]

On 7/16/2019 at 10:50 AM, Rami said:

Just general questions for your RDP compromise ,

You didn't firewall your RDP to specific IP Addresses ? , So the attackers did brute-force your RDP , shutdown your Firewall and then your AV services , and then infect your system and then the NAS?

Did you use weak password?

You can ignore all of these questions if you don't want to reply

I'm not totally sure how they got access to my password, I have now changed to a more complex password all round.

I'm not totally sure what you mean by firewall your RDP to specific IP addresses, the only way I access this computer when out and about is via Teamviewer, so that itself may have been a way for them to gain access. I haven't reinstalled it since.

[Nightowl 202]

9 hours ago, classiccor83 said:

I'm not totally sure how they got access to my password, I have now changed to a more complex password all round.

I'm not totally sure what you mean by firewall your RDP to specific IP addresses, the only way I access this computer when out and about is via Teamviewer, so that itself may have been a way for them to gain access. I haven't reinstalled it since.

In settings your teamviewer is set to only accept connections from you?

[Marcos 5,070]

15 hours ago, classiccor83 said:

I'm not totally sure how they got access to my password, I have now changed to a more complex password all round.

Don't know what password you used, however, attackers can perform brute-force dictionary attacks and try dozens of thousands of commonly used passwords within a relatively short time.

Therefore it's important to use a lockout policy, 2FA, limit RDP connections to specific IP addresses on a firewall, etc. Ideally use VPN for connections from outside and allow RDP only within your local network.