How to Fix: Computer / Network Infected with Ransomware (10 Steps)

By Dennis Faas

Infopackets Reader Robert S. writes:

" Dear Dennis,

I have a network of computers I use for accounting purposes. Suddenly, many of my desktop icons started appearing to have strange names, such as '1HjgN1BdTZE3OIqorcj2E5b6CXIE=gdFae89IWgo0RrVfPbCHt851oogccs.ssimpotashka[at]gmail.com'. When I try to open these files, Windows warns me the file may be malicious. When I look in my Documents folder, I see more files similarly named to the one I just mentioned. Some of my .PDF files won't even open. On the desktop there is a text document that says 'HOW TO DECRYPT YOUR FILES.TXT' - when I open this file it says my computer has been encrypted and I must pay money to decrypt the files. I don't know what to do. It is the middle of tax season and I can't access my client files. Can you PLEASE HELP? "

My response:

I asked Bob if he would like me to connect with him using my remote desktop support service to have a closer look, and he agreed. That was about 5 weeks ago. I have been dealing with Bob's ransomware infection ever since.

Below I will explain this case study in brief, followed by step-by-step instructions on how I was able to stop, prevent, and clean up the attack.

IMPORTANT: if you are reading this right now and your machine(s) are infected with ransomware, you can contact me for remote support assistance. After that I suggest you shut down all the machines on your network, as ransomware is designed to spread across a computer network very quickly, encrypting files as it spreads. Also note that you will need access to email on a clean machine (or smartphone) so you can communicate with me without the worry of the ransomware spreading to your device.

Mitigating a Ransomware Attack: A Case Study

The ransomware infected the four main machines Bob uses for his accounting practice; each computer had unrestricted read / write access to the others. This is a very bad security practice (I'll go into more about that later). Bob only had one of his machines backed up recently, so as you can imagine, having his client files encrypted and inaccessible was incredibly devastating.

When Bob first hired me to look into the issue, he was also paying for an active subscription to Norton Antivirus. Surprisingly, Norton neither identified the infection nor prevented its spread, though it did alert him to some suspicious activity. Since Bob was paying for an active subscription AND he was infected with malware, Norton support was able to put together a "team of investigators", which then logged into his network and stopped the spread of the ransomware.

I asked Bob if the Norton "team" was able to determine where the ransomware initially came from. He said that they did not investigate the source of the infection - they only stopped it. I warned Bob this would be a huge problem. Not surprisingly, a few days passed and his machines were infected again. At this point Bob hired me to investigate each machine on his network to figure out where the ransomware was coming from and to prevent further infections from occurring.

After analyzing each machine independently, I was able to identify the source of the ransomware - it was a VNC Server connection which was enabled on two of his machines. VNC is a remote access program that Bob had set up to allow one of his employees to enter data remotely on a computer on his network. Research suggests that remote access such as VNC and RDP (remote desktop protocol) is a very big attack vector for ransomware infections.

About two weeks later, I was also able to decrypt over 70,000 files that had been encrypted on Bob's network. The majority of the encrypted files were on one machine that had the VNC Server enabled (and firewall disabled), which led me to believe the original infection came in through this VNC connection. The other 3 machines only accounted for a few hundred encrypted files. Bob's particular ransomware strain is known as the 'Scarab' ransomware.

Below I will describe what I did to stop and prevent the ransomware, including how to decrypt ransomware files. Since each ransomware infection is different, I will provide a general approach to resolving this problem.

How to Fix: Computer, Network Infected with Ransomware

Dealing with ransomware on a corporate network (or any network for that matter) requires quite a bit of thought, given that the nature of the malware is to spread as quickly as possible.

  1. The first thing to do is to stop the spread of the infection. This can be very tricky because the ransomware could have come from anywhere on the network, and it's very possible to be reinfected again. If you are dealing with a network of computers, the first thing to do is to shut down all of the machines and only work on one machine at a time. This will prevent the ransomware from encrypting more files and spreading further.
     
  2. Next, scan the machine for an infection. I suggest using Malwarebytes Antimalware (free) and your favorite (free) antivirus program to do a FULL antivirus scan of the machine, including any option to scan for rootkits.
     
  3. Now it's time to do some investigating to determine where the ransomware infection may have come from.

    IMPORTANT: If you don't know what you are doing in terms of investigating where the ransomware originated, or how to prevent further attacks, I suggest you hire a professional - such as myself - to do the investigating for you. Malware / ransomware is designed to be stealthy by nature and can be very difficult to track down, stop, decrypt, eliminate and prevent.

    Here are some tips when it comes to investigating the ransomware infection:

    First, take note whether the firewall has been disabled, as this can be a good indication of where the ransomware originated. Next, look for any remote access programs enabled, such as VNC (UltraVNC, TightVNC, etc), RDP, TeamViewer, GoToAssist, LogMeIn, OpenSSH and the like, and disable them for the time being.

    You will also need to look at your router firewall to see if there are any port-forwarding rules pointing at that machine, as any open port is a potential attack vector. It would also be a good time to update the router's firmware, as an unpatched router can allow hackers direct access to your network.

    Next, ensure that the system is current with Windows Updates, and antivirus is enabled.

    In Bob's case, the two machines that had the VNC server enabled also had their firewall disabled. Bob's router also had port forwarding enabled for these machines to bypass router security. Having an open VNC / RDP connection to the Internet is an INCREDIBLY BAD security policy as anyone on the Internet can try to connect to a machine and guess the password. Oftentimes this is an automated process using "bots", which are able to 'crack' the remote access password using a brute force technique. Once the password is cracked, the bot has access to the network; from there, cyber criminals (or more bots) can then plant ransomware or malware on the network.
     
  4. Once the machine has been scanned using antivirus / antimalware (Step #2) and you've finished your investigation (Step #3), move on to the next machine. Repeat for each machine on the network.
     
  5. IMPORTANT: Do NOT delete any of the encrypted files on the hard drive or any of the ransomware note(s). Inside the ransomware note is an identifier that is used not only to identify the strain of ransomware, but also to decrypt files. Depending on the infection, there may be third-party tools available that can decrypt the files (described further down).
     
  6. Next, identify the ransomware. Upload your ransomware note and an encrypted file to the malwarehunter ransomware search engine. Once you know what ransomware you are dealing with, you can search the Internet for a decryption tool.
     
  7. Make a backup of all the computers on the network before attempting to decrypt any files. I suggest using a disk image backup, as these are the most robust. Based on my experience, one of the tools I used to decrypt the scarab ransomware on Bob's network did not work properly, and created a huge mess of "decrypted" files (which were not really decrypted). These files contained Chinese characters in the filenames and had no extensions, making it impossible to search and delete the files in an automated way. This was a huge mess to clean up - hence a proper backup is needed before attempting to decrypt the files.
     
  8. Start decrypting your files if you can find a proper freeware decryptor tool. If you have identified your ransomware strain, you can try testing the decryptor on one file at a time to see if it works. If so, you can point the decryptor tool to decrypt the entire C drive. Once again, you must be careful with this because if the files are not decrypted properly then you will have a huge mess of dummy files written to the drive.

    IMPORTANT: when a file is decrypted, a new file is created; the encrypted file is left in place. As such, you will need twice the amount of storage of the encrypted files available on your hard disk in order to decrypt the files.

    IMPORTANT: if you don't know what strain of ransomware you are dealing with, you won't be able to decrypt the files. If you need help with this you can contact me for remote support assistance.
     
  9. Once the files are successfully decrypted, delete the encrypted files. Based on my experience, this can be tricky. When I worked on Bob's machines, ALL of the encrypted files I attempted to delete resulted in an "Access Denied" error, meaning that they would not delete. To overcome this, I had to write a program to scan the entire C drive for encrypted files (for any file ending in *ssimpotashka[at]gmail.com), then move all those files into a single folder, reset permissions on that folder recursively, then delete the folder. This was the only way I could delete the files.
     
  10. Make another backup of the C drive after all the files have been decrypted and encrypted files deleted. Store this backup on an external hard drive. Don't delete your old backup (Step #7) in case the decrypted files don't work and you need to decrypt them again. As in Bob's case, some files were not fully decrypted but became corrupted. I suspect this was a result of the ransomware 'queuing' up the next files to be encrypted, leaving them partially encrypted and therefore corrupt. Once the backup is complete, store the external hard drive in a safe location in case you get infected again.
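Steps 7 to 9 above involve three things that are easy to get wrong by hand: working out how much free space a decryptor needs, finding every renamed file on the drive, and deleting files that refuse to delete. The Python script below is an added example written for this article (it is not the program the author wrote for Bob's machines) that does the same on a constructed sample folder so it runs offline. `ENCRYPTED_SUFFIX`, the sample folder layout and the `_quarantine` folder name are assumptions; on a real system the suffix is whatever the ransomware appended to the renamed files, and `root` should only point at a real drive once the disk-image backup from step 7 exists.

```python
"""Inventory, decryption space check and quarantine of encrypted files.

Added example for this article, not the author's own tool. It builds a
constructed sample tree (one intact file, two encrypted files, the
ransom note) and runs the inventory / quarantine / purge steps on it.
"""
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Placeholder: on a real machine use the suffix the ransomware appended
# to each victim file (visible in the renamed files and the ransom note).
ENCRYPTED_SUFFIX = ".example-ransomware-suffix"
RANSOM_NOTE = "HOW TO DECRYPT YOUR FILES.TXT"  # keep it: it identifies the strain


def find_encrypted(root, suffix=ENCRYPTED_SUFFIX):
    """Every file under root whose name ends with the ransomware suffix."""
    return sorted(p for p in Path(root).rglob("*")
                  if p.is_file() and p.name.endswith(suffix) and p.name != RANSOM_NOTE)


def decrypt_space_report(files, root):
    """A decryptor writes a new file next to each encrypted one, so the
    footprint doubles: the extra free space needed equals the encrypted total."""
    encrypted_bytes = sum(p.stat().st_size for p in files)
    free = shutil.disk_usage(root).free
    return {"encrypted_bytes": encrypted_bytes,
            "footprint_after_decrypt": 2 * encrypted_bytes,
            "extra_free_needed": encrypted_bytes,
            "enough_space": free >= encrypted_bytes}


def quarantine(files, quarantine_dir, dry_run=True):
    """Move encrypted files into a single folder (step 9). Returns the
    (source, destination) manifest; with dry_run nothing is moved."""
    qdir = Path(quarantine_dir)
    manifest = []
    for i, src in enumerate(files):
        dst = qdir / f"{i:06d}_{src.name}"  # counter prevents name collisions
        manifest.append((src, dst))
        if dry_run:
            continue
        qdir.mkdir(parents=True, exist_ok=True)
        os.chmod(src, stat.S_IWRITE | stat.S_IREAD)  # clear the read-only attribute
        shutil.move(str(src), str(dst))
    return manifest


def purge_quarantine(quarantine_dir):
    """Reset permissions on every quarantined file, delete them, then remove
    the folder. Returns the number of files deleted."""
    qdir = Path(quarantine_dir)
    removed = 0
    for p in list(qdir.iterdir()):
        os.chmod(p, stat.S_IWRITE | stat.S_IREAD)
        p.unlink()
        removed += 1
    qdir.rmdir()
    return removed


def build_sample_tree():
    """Constructed victim folder; returns its root path."""
    root = Path(tempfile.mkdtemp(prefix="ransom-demo-"))
    (root / "Clients").mkdir()
    (root / "Clients" / "smith-2017.pdf").write_bytes(b"%PDF-1.4 intact client file")
    (root / "Clients" / ("smith-2016.pdf" + ENCRYPTED_SUFFIX)).write_bytes(b"\x00" * 4096)
    ledger = root / ("ledger.xlsx" + ENCRYPTED_SUFFIX)
    ledger.write_bytes(b"\x00" * 2048)
    os.chmod(ledger, stat.S_IREAD)  # read-only, like the files that refused to delete
    (root / RANSOM_NOTE).write_text("your files are encrypted ... (constructed note)")
    return root


def run_cleanup(root, dry_run=True):
    """Inventory, then (unless dry_run) quarantine and purge. Returns a summary."""
    files = find_encrypted(root)
    report = decrypt_space_report(files, root)
    qdir = Path(root) / "_quarantine"
    manifest = quarantine(files, qdir, dry_run=dry_run)
    removed = 0 if dry_run else purge_quarantine(qdir)
    return {"found": len(files), "space": report, "moved": len(manifest), "removed": removed}


if __name__ == "__main__":
    demo = build_sample_tree()
    print(run_cleanup(demo, dry_run=True))   # inventory and space check only
    print(run_cleanup(demo, dry_run=False))  # quarantine, reset permissions, delete
    shutil.rmtree(demo)
```

Run it once with `dry_run=True` and read the counts before letting it move anything. The script only clears the read-only attribute; when "Access Denied" comes from NTFS ACLs instead, the recursive reset the article describes is done on the quarantine folder with the built-in Windows tools `takeown /F <folder> /R /D Y` followed by `icacls <folder> /reset /T`, after which the folder can be deleted.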

Cleaning up and Preventing Ransomware: Final Thoughts

Investigating a ransomware infection on a network requires a lot of time, skill and effort to not only defeat, but prevent from occurring again.

In Bob's case, his network was set up without access restrictions to files. For example, the C drive on every networked computer was shared with write permissions given to 'Everyone' on the network. This allowed the ransomware to spread like wildfire. Having unrestricted access to files on the network in this manner is an INCREDIBLY BAD security policy.

As such, I suggested Bob set up a central 'server' computer that restricts access to his files and folders per user account and password. This way, if a ransomware infection occurs again, it can only reach the small portion of files that the infected user can write to - rather than the entire hard drive / entire network. Since Bob is in the middle of tax season, he has decided to put this off for the time being.

I also removed VNC from the two computers which I believe were responsible for the ransomware infection (and re-infection). This will be replaced with a virtual private network (VPN) when Bob has more time. A VPN authenticates each connection with private key files on the server and client rather than a password that bots can guess, and encrypts the whole session, so no remote access port is left open to the Internet. Remote access programs such as VNC or RDP can then be 'tunnelled' through the VPN instead of being exposed directly.
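The investigation in step 3 and the VNC finding above come down to three checks on each machine: is the Windows firewall off, which remote-access services are listening where the rest of the LAN can reach them, and does a router rule forward any of them from the Internet. The Python script below is an added example for this article, not the author's own tooling. It works on constructed text in the shape of `netstat -ano` and `netsh advfirewall show allprofiles` output, plus a hand-written list of router port-forward rules whose dictionary keys are an assumption (every router exports its rules differently), so it runs offline.

```python
"""Triage helpers for the investigation step: firewall state, remote-access
listeners, and router port forwards. Added example, not the author's code."""
import re
from dataclasses import dataclass

# Remote-access services the article names (VNC, RDP, OpenSSH) plus
# TeamViewer's listening port; extend to match the tools actually in use.
REMOTE_ACCESS_PORTS = {22: "SSH", 3389: "RDP", 5938: "TeamViewer"}
REMOTE_ACCESS_PORTS.update({p: "VNC" for p in range(5900, 5910)})

# Constructed sample output (not captured from a real machine).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1032
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       2216
  TCP    127.0.0.1:5901         0.0.0.0:0              LISTENING       2216
  TCP    192.168.1.20:49700     203.0.113.5:443        ESTABLISHED     4412
  UDP    0.0.0.0:500            *:*                                    1216
"""

SAMPLE_FIREWALL = """\
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Private Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound
"""

# Assumed shape of an exported router port-forward table (constructed).
SAMPLE_PORT_FORWARDS = [
    {"external_port": 5900, "internal_ip": "192.168.1.20", "internal_port": 5900},
]
HOST_IP = "192.168.1.20"  # LAN address of the machine the netstat output came from


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    pid: int


def parse_netstat(text):
    """Return every TCP socket in LISTENING state from netstat -ano output."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            address, port = parts[1].rsplit(":", 1)
            listeners.append(Listener(address, int(port), int(parts[4])))
    return listeners


def parse_firewall_profiles(text):
    """Map each firewall profile name to True (ON) or False (OFF)."""
    profiles, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\w+) Profile Settings:", line)
        if head:
            current = head.group(1)
            continue
        state = re.match(r"^State\s+(ON|OFF)\s*$", line)
        if state and current:
            profiles[current] = state.group(1) == "ON"
    return profiles


def assess_exposure(listeners, port_forwards, host_ip):
    """Flag remote-access listeners reachable from the LAN (bound to all
    interfaces or to the host's LAN address) and mark the ones a router
    rule also forwards in from the Internet."""
    forwarded = {(r["internal_ip"], r["internal_port"]) for r in port_forwards}
    findings = []
    for lst in listeners:
        service = REMOTE_ACCESS_PORTS.get(lst.port)
        if service is None or lst.address not in ("0.0.0.0", "::", host_ip):
            continue  # not remote access, or loopback-only (unreachable from the LAN)
        findings.append({"service": service, "port": lst.port, "pid": lst.pid,
                         "internet_exposed": (host_ip, lst.port) in forwarded})
    return findings


def triage(netstat_text=SAMPLE_NETSTAT, firewall_text=SAMPLE_FIREWALL,
           port_forwards=SAMPLE_PORT_FORWARDS, host_ip=HOST_IP):
    """Combine the three checks into one report for the machine."""
    profiles = parse_firewall_profiles(firewall_text)
    return {
        "firewall_disabled": [name for name, on in profiles.items() if not on],
        "findings": assess_exposure(parse_netstat(netstat_text), port_forwards, host_ip),
    }


if __name__ == "__main__":
    report = triage()
    for name in report["firewall_disabled"]:
        print(f"firewall OFF for the {name} profile")
    for f in report["findings"]:
        where = "FORWARDED FROM THE INTERNET" if f["internet_exposed"] else "LAN only"
        print(f"{f['service']} on port {f['port']} (PID {f['pid']}): {where}")
```

On the sample data the report matches the situation described for Bob's machines: two firewall profiles off, RDP reachable from the LAN, and VNC on port 5900 reachable from the Internet through the router rule. The PID in each finding is what to look up in Task Manager to confirm which program owns the port before disabling it.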

Additional 1-on-1 Support: From Dennis

As you can see, ransomware is no joke and you must investigate where the ransomware infection originated, or you are likely to become infected again. This requires expert skill and technical know-how.

If your computer or network is infected with ransomware, I can help using my remote desktop support service. Simply contact me, briefly describing the issue, and I will get back to you as soon as possible. I am a senior systems administrator with 30 years' computing experience, having written 6 books on MS Windows and security and published over 2,000 articles online.


About the author: Dennis Faas is the owner and operator of Infopackets.com. With over 30 years of computing experience, Dennis' areas of expertise cover a broad range, including PC hardware, Microsoft Windows, Linux, network administration, and virtualization. Dennis holds a Bachelor's degree in Computer Science (1999) and has authored 6 books on the topics of MS Windows and PC Security. For technical support inquiries, Dennis can be reached via live chat on this site or through the website contact form.


Comments

Stuart Berg writes:

Hi Dennis,
Are you familiar with Cybereason (https://www.cybereason.com/)? I wonder if Bob would have even gotten infected with this ransomware had he put Cybereason on each PC.
Stu

Dennis Faas replies:

Third party tools that say they can protect you won't do a lick of good if the malware can (a) get on your network and (b) spread like wildfire. The ONLY way to stay protected - similar to any malware infection - is to:

1. Use a supported operating system that receives security updates.

2. Ensure your Windows Update is working properly, firewall is enabled, antivirus / antimalware is enabled.

3. Make backups often; keep critical backups offline.

4. If you're using a network, ensure proper access restrictions are in place to prevent an infection from spreading.

5. Don't click on every link you come across; don't open email attachments; use common sense.

No single piece of software is going to be able to provide all of this for you, so don't be tricked into believing such a thing exists.

SteveMann writes:

What are your thoughts on using Oracle VirtualBox to isolate ransomware?

Dennis Faas replies:

Virtual machines are great for running tests on programs that you're not sure about. I do that all the time, so yes it comes highly recommended - though I think most users most likely would not use this approach.

That said, a virtual machine environment would also be ideal in an environment where a server was set up as central storage, and to host user desktops. Client machines in the network would then use remote desktop to connect to their "remote" desktop on the server, and the entire thing can be virtualized. Users could also use a VPN to connect to their remote desktop from anywhere away from the office. Backups on virtual machines take literally seconds to produce, so there is a huge advantage there. This type of setup is something I also suggested to Bob.

pctyson writes:

I worked as a mechanic at a company, but having "played" with computers for quite some time, I had considerable experience with computers (both building them and operating systems). I had set up backups on the computer network. There were about eight computers on the network. I had it backing up to a simple D-Link NAS. I had set up a backup scheme on the server that backed up incrementally every day and then did full backups on Saturday while no one was at the office. I also had a fairly old backup tucked away on a disk that was in a safe. I had set that up at least a year before the ransom attack and had just about forgotten about it. I had not mapped the D-Link drive but was using a UNC path to it for the backup. I don't know if that helped or if we just caught it early enough. If it were not for those backups, the recovery process would have been a nightmare. It started from a link that was clicked on by someone who DEFINITELY should have known better. When told of the issue, I had them shut off the computers immediately. It resulted in 1.5 days of server downtime, but almost all data was recovered.