mayowa (Posted July 18, 2019): Dear All, please, anybody with experience removing the adage virus ransomware, even when EFSW 7.1 is installed and updated but it still encrypts documents? Regards
itman (Posted July 18, 2019, edited): This appears to be Phobos ransomware. Check out this thread: https://www.bleepingcomputer.com/forums/t/699816/ive-attacked-by-ransomware-file-extension-adage/. There appear to be a few versions that may be decryptable. Otherwise, you're out of luck.
itman (Posted July 18, 2019): Also, beware of the type of attacker you are dealing with if you decide to pay the ransom. Quote: "They gave just all the keys just for my particular infection. Thing is, for my infection, there is more than one key. Promised me for everything. Then gave only one key. Then asked me for more $ because there are a total of 7 more keys to unlock all files. In the end, gave me 2 keys, where only one key worked to unlock everything." https://www.bleepingcomputer.com/forums/t/688649/phobos-ransomware-help-topic-phobos-phoboshta/?p=4823841
Marcos, Administrator (Posted July 19, 2019): Most likely this is what happened:
- an attacker logged in with administrator privileges (stole an admin password, guessed it or brute-forced it) via RDP
- ESET was not password protected, so they paused or removed the AV
- the attacker ran ransomware to encrypt files
- the attacker re-enabled AV protection.
First of all, make sure that RDP is properly secured and a lockout policy is set to prevent brute-force attacks. For improved security, use 2FA. If you don't need RDP, disable it. To improve AV self-defense, set a password to prevent unauthorized users from disabling or uninstalling the AV. We also recommend enabling detection of potentially unsafe applications so that hackers cannot use legitimate tools to circumvent protection. I'd suggest the following steps:
- collect logs with ESET Log Collector
- put a handful of encrypted files (ideally Office documents) along with the ransomware note (payment instructions) into an archive
- submit both archives to samples[at]eset.com and wait for further instructions.
novice (Posted July 20, 2019, edited): On 7/19/2019 at 1:19 AM, Marcos said: "Most likely this is what happened: - an attacker logged in with administrator privileges (stole an admin password, guessed it or brute-forced it) via RDP - ESET was not password protected so they paused or removed the AV - the attacker ran a ransomware to encrypt files - the attacker re-enabled AV protection." This is the "convenient" story, but why would the attacker re-enable protection after encrypting the whole PC? What about a more logical story: EFSW 7.1, even installed and updated, couldn't prevent the encryption. If you browse the forum, it wouldn't be the first time.
itman (Posted July 20, 2019): Unless the OP replies back with specific details on the staging events of the attack, we will never know what they were. Unfortunately, most will never do so because disclosure of these events could very well cost them their employment.
novice (Posted July 21, 2019): 12 hours ago, itman said: "specific details on the staging events of the attack .... we will never know what they were". You are absolutely right. So why the fantasist explanation about "an attacker who brute-forced the password, disabled ESET, encrypted everything, enabled ESET back and left"?
itman (Posted July 21, 2019, edited): 1 hour ago, novice said: "So why the fantasist explanation about 'an attacker who brute-forced the password, disabled ESET, encrypted everything, enabled ESET back and left'?" As far as the first three reasons given, it's a fair assumption. In prior endpoint attacks where logs or specific details were provided, RDP was always the attacker's entry point into the network. Once in the network, he could easily access any device where Eset was installed. Even if password protected, it could be bypassed via keystroke capture using a keylogger or other credential capture means. Further, there has been at least one forum poster who has been repeatedly attacked via RDP despite being initially warned and advised on how to properly secure it. To set the record straight, the vast majority of ransomware incidents posted in the forum involved business networks. The individual user postings I have seen are from those seeking help or a decrypter and don't even have Eset installed. Or, they naively installed Eset after the ransomware incident in the belief it could both remove the ransomware and decrypt their files.
itman (Posted July 21, 2019, edited): I will also add that Sophos has a simple mitigation recommendation that will eliminate most RDP brute force password guessing attacks while at the same time not permanently locking out a user's workstation. Quote: "Set a lockout policy to limit password guessing attacks. With three guesses at a time followed by a five-minute lockout, a crook can only try out 12 × 3 = 36 passwords an hour, which makes a brute force attack impractical." https://nakedsecurity.sophos.com/2017/11/15/ransomware-spreading-hackers-sneak-in-through-rdp/
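As an added illustration of the lockout arithmetic quoted above and of the RDP hardening Marcos recommends (this is example code, not from the thread, ESET or Sophos), the following Python models the three Windows account-lockout settings and replays a constructed stream of one password guess per second against them; the account name, rates and durations are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class LockoutPolicy:
    """Simplified model of the three Windows account-lockout settings
    found under secpol.msc > Account Policies > Account Lockout Policy:
    threshold  = "Account lockout threshold" (0 disables lockout),
    duration_s = "Account lockout duration", in seconds,
    window_s   = "Reset account lockout counter after", in seconds."""
    threshold: int
    duration_s: int
    window_s: int
    # per-account state: (failed_count, last_failure_time, locked_until)
    _state: dict = field(default_factory=dict)

    def attempt(self, account: str, t: float, password_ok: bool) -> str:
        """Process one logon attempt at time t (seconds). Returns 'locked' when
        the password is not even evaluated, otherwise 'success' or 'failure'."""
        count, last_fail, locked_until = self._state.get(account, (0, None, 0.0))
        if t < locked_until:
            return "locked"
        if locked_until and t >= locked_until:      # lockout expired: counter resets
            count, locked_until = 0, 0.0
        if last_fail is not None and t - last_fail >= self.window_s:
            count = 0                               # observation window elapsed
        if password_ok:
            self._state[account] = (0, None, 0.0)
            return "success"
        count += 1
        if self.threshold and count >= self.threshold:
            locked_until = t + self.duration_s      # account is now locked out
        self._state[account] = (count, t, locked_until)
        return "failure"


def guesses_evaluated(policy: LockoutPolicy, rate_per_s: float, seconds: int,
                      account: str = "Administrator") -> int:
    """Count the wrong-password guesses the server actually evaluates when an
    attacker submits rate_per_s guesses per second for `seconds` seconds."""
    evaluated = 0
    for i in range(int(seconds * rate_per_s)):
        if policy.attempt(account, i / rate_per_s, password_ok=False) == "failure":
            evaluated += 1
    return evaluated

if __name__ == "__main__":
    # constructed scenario: one RDP password guess per second for one hour
    print("no lockout:", guesses_evaluated(LockoutPolicy(0, 0, 0), 1.0, 3600))
    print("3 tries / 5 min lockout:", guesses_evaluated(LockoutPolicy(3, 300, 300), 1.0, 3600))
```

The second run reproduces the 36 guesses per hour from the quote, and the model also shows that a legitimate administrator regains access as soon as the five-minute lockout expires, which is the "not permanently locked out" property the post is after.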
novice (Posted July 21, 2019): 7 minutes ago, itman said: "I will also add that Sophos". So why Sophos and not ESET? Doesn't seem to be rocket science....
itman (Posted July 21, 2019): Just now, novice said: "So why Sophos and not ESET?" The option has nothing to do with either. Both gpedit.msc and secpol.msc are Windows policy/security utilities, only available on the Pro+ versions.
novice (Posted July 21, 2019): 7 minutes ago, itman said: "The option has nothing to do with either. Both gpedit.msc or secpol.msc are Windows policy/security utilities only available on the Pro+ versions." What do you mean by "the option has nothing to do with either"? You just said "Sophos has a simple mitigation".
Marcos, Administrator (Posted July 22, 2019): They have an article with suggestions on how to improve protection against RDP attacks. We have a similar one (https://www.eset.com/int/ransomware/).
peteyt, Most Valued Member (Posted July 22, 2019): On 7/20/2019 at 11:08 PM, novice said: "This is the 'convenient' story but why the attacker would re-enable protection after encrypting the whole PC???? What about more logical story : EFSW 7.1 even installed and updated couldn't prevent the encryption. If you browse the forum, wouldn't be the first time." Enabling the protection makes you think nothing happened. If the user sees it's still enabled, they may not realise what actually happened. Again, as posted, without logs and knowing the actual setup no one can know; you even agreed with this, so there's no point in blaming Eset either. But as stated, it usually comes down to an RDP attack. People need to remember an AV is only one part of security and should never replace patches and general safe procedures.
itman (Posted July 22, 2019, edited): 14 hours ago, novice said: "You just said 'Sophos has a simple mitigation'". Next time I will be more specific in my replies to you. What I inferred was "Sophos has a simple mitigation recommendation." It appears you obviously have no Microsoft training in how to properly secure a business computer network. As such, it would be prudent to reflect a bit on your comments prior to posting them. It is not Eset's or any other AV vendor's software responsibility to ensure that a business network is properly secured against not only external unauthorized access/breaches but also internal like activities. It is however the organization's IT/security administrator's responsibility to ensure that Microsoft's "best practices" to do so are implemented and enforced.
novice (Posted July 22, 2019): 7 hours ago, itman said: "It appears you obviously have no Microsoft training in how to properly secure a business computer network." You are right assuming my lack of experience in securing a business computer network. However, I overcompensate with common sense. If "Most likely this is what happened: - an attacker logged in with administrator privileges (stole an admin password, guessed it or brute-forced it) via RDP - ESET was not password protected so they paused or removed the AV", why doesn't ESET, by default, ask the business network administrator to implement a password during install with a certain strength? So the vulnerability of having an unprotected ESET will disappear. How complicated could it be to implement this? It is already implemented on various forums where you are asked for a password with upper-case characters, lower-case characters, numbers, special characters, a certain strength... The downside of this would be that ESET cannot blame the user anymore..., not good!
itman (Posted July 22, 2019): 2 minutes ago, novice said: "why doesn't ESET , by default, ask the business network administrator to implement a password during install with a certain strength. So, the vulnerability of having an unprotected ESET will disappear." Hum..... Why did I anticipate you were going to state this? Most brute-force RDP attacks are against the network server. In other words, they have guessed the network admin's password and are now in the "Holy of Holies" to do whatever they want. This would include the ability to log into an endpoint Eset GUI even if it was password protected. Even better, just disable all Eset GUI password protection on all endpoints at once, run the ransomware, and then re-enable password protection on all endpoints. Actually, the damage an attacker can do when he has gained access to an admin server is limitless.