I got hit by Ransomware

reystar

Level 3
Thread author
Verified
Feb 4, 2014
105
Hello everyone,

Bad news today, as one of my shop offices got hit by ransomware.

I had Kaspersky IS17 installed.

I was using Macrium Reflect to back up my C:\ to an external HDD, but it also got hit, sadly :(


I am looking for a better way to protect myself with backups. What would you recommend?
CrashPlan? A Synology NAS? On top of Macrium Reflect, of course...

plat1098

I am VERY sorry this happened. Damn ransomware, I wish a giant hose would come out of the sky and flush all the purveyors into the nearest sewer.

OK! You will probably get many opinions. Mine?

1. Invest in an external storage device.
2. Discipline yourself to move crucial data off connected drives onto the external storage device on a consistent basis.
3. Disconnect the external storage from the machine when finished, like turning off the lights. Keep it OFFLINE.
4. Scan the machine with EEK, K, HitmanPro, etc. to remove remnants/malware.
5. Cleanly install the OS from external media (disinfect the USB first).
6. Take an image with Macrium, EaseUS, or whatever you use.

Backup imaging software is mainly for restoring an OS corrupted by update malfunctions, drivers, etc., no? I mean, you can use it, but why complicate an already upsetting event?
 

reystar

plat1098 said:
> I am VERY sorry this happened. Damn ransomware, I wish a giant hose would come out of the sky and flush all the purveyors into the nearest sewer.
>
> OK! You will probably get many opinions. Mine?
>
> 1. Invest in an external storage device.
> 2. Discipline yourself to move crucial data off connected drives onto the external storage device on a consistent basis.
> 3. Disconnect the external storage from the machine when finished, like turning off the lights. Keep it OFFLINE.
> 4. Scan the machine with EEK, K, HitmanPro, etc. to remove remnants/malware.
> 5. Cleanly install the OS from external media (disinfect the USB first).
> 6. Take an image with Macrium, EaseUS, or whatever you use.
>
> Backup imaging software is mainly for restoring an OS corrupted by update malfunctions, drivers, etc., no? I mean, you can use it, but why complicate an already upsetting event?

I already have an external HDD. My shop has a server and POS clients that update the server ALL the time with the stuff they sell. I had Macrium Reflect automatically back up my MAIN drive to the external one, daily, at night. I cannot plug and unplug the HDD every single day; not a solution!

The ransomware HTML they left for instructions said that if I try to disinfect the files they can get corrupted. I really don't know what to do!

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,155
gmaister, are you absolutely SURE that the Macrium backups were affected? Check on your external drive for the .mrimg files.

Further, what extension did the ransomware give the encrypted files? And do you see this changed extension on the Macrium images?
 

reystar

cruelsister said:
> gmaister, are you absolutely SURE that the Macrium backups were affected? Check on your external drive for the .mrimg files.
>
> Further, what extension did the ransomware give the encrypted files? And do you see this changed extension on the Macrium images?

Yes, I am 99% sure that they got hit; it says that the file is corrupted when I try to open them.
I am not sure I recall the extension at the moment, but I recall the email that was in the extension: .{mixifightfiles@aol.com}BIT. That's the one, I think.


Is it not normal for the image files to be affected?

reystar

I uploaded a file back at the office here: ID Ransomware

It says:
GlobeImposter 2.0

This ransomware has no known way of decrypting data at this time.

cruelsister

It is HIGHLY unusual (like never) that the .mrimg files also got hit. What I want you to do is this:

1) Check the external backup and absolutely positively verify that the .mrimg files also have the bogus extension.

2) If not, use a Macrium boot disk and try to restore the image.
 

reystar

cruelsister said:
> It is HIGHLY unusual (like never) that the .mrimg files also got hit. What I want you to do is this:
>
> 1) Check the external backup and absolutely positively verify that the .mrimg files also have the bogus extension.
>
> 2) If not, use a Macrium boot disk and try to restore the image.

I am sure that they had the extension; I'm like 99.99% sure. I just can't check it right now at home, but I tell you, I'm 99.99% sure.

The Macrium boot disk can be created on another PC, right?
 
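A concrete way to do the check cruelsister asks for, as an added example that is not part of the thread and not Macrium's own tooling: a PowerShell script that walks the external backup drive, lists every file whose name contains .mrimg, and reports whether its final extension is still .mrimg or has been replaced by a ransomware extension. The drive letter E:\ and the regex for the appended extension (generalised from the one sample in the thread, .{mixifightfiles@aol.com}BIT) are assumptions.

```powershell
# Added example (not from the thread or from Macrium). Run on a clean machine with the
# external backup drive attached, and replace E:\ with the real drive letter.
param(
    [string]$BackupRoot = 'E:\'          # assumption: external HDD drive letter
)

# Assumption: generalises the single extension seen in the thread,
# ".{mixifightfiles@aol.com}BIT", to ".{<something>@<something>}<letters/digits>".
$RansomExtPattern = '\.\{[^{}]+@[^{}]+\}[A-Za-z0-9]+$'

function Get-MacriumImageStatus {
    param([string]$Root)

    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '\.mrimg' } |
        ForEach-Object {
            $status = 'unexpected extension'
            if ($_.Extension -ieq '.mrimg') { $status = 'name intact' }
            elseif ($_.Name -match $RansomExtPattern) { $status = 'renamed by ransomware' }

            [pscustomobject]@{
                Status   = $status
                SizeMB   = [math]::Round($_.Length / 1MB, 1)
                Modified = $_.LastWriteTime
                Path     = $_.FullName
            }
        }
}

$images = Get-MacriumImageStatus -Root $BackupRoot

"Macrium images found under ${BackupRoot}:"
$images | Sort-Object Modified | Format-Table Status, SizeMB, Modified, Path -AutoSize

"Summary:"
$images | Group-Object Status | Select-Object Count, Name | Format-Table -AutoSize

# Ransom notes are usually dropped as HTML next to the encrypted files, so listing them
# shows which folders the malware reached. The thread mentions an HTML note but not its name.
"HTML files on the drive (possible ransom notes):"
Get-ChildItem -Path $BackupRoot -Recurse -File -Filter '*.html' -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime | Format-Table -AutoSize
```

An image that still ends in .mrimg but whose Modified time falls after the infection may have been overwritten in place rather than renamed, so a clean name is not proof of a good image; the definitive test is Macrium's own image verification from the rescue media.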

RoboMan

Level 35
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,426
I would personally first identify the issue: how did this happen? Of course, either you or your employees were not correctly trained on how to work/surf on the internet. First things first: to avoid it happening again, teach the office/shop the basics. RoboMan's Do's and Don't's for browsing safety

Then I would opt for a standalone anti-ransomware program, like AppCheck. This continuously creates backups of the data to keep it safe. Disable Windows Script Host.
 

reystar

RoboMan said:
> I would personally first identify the issue: how did this happen? Of course, either you or your employees were not correctly trained on how to work/surf on the internet. First things first: to avoid it happening again, teach the office/shop the basics. RoboMan's Do's and Don't's for browsing safety
>
> Then I would opt for a standalone anti-ransomware program, like AppCheck. This continuously creates backups of the data to keep it safe. Disable Windows Script Host.

It's an office PC; nobody touches it other than me and a couple more. We have static IPs and stuff; somebody connected remotely.
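reystar says the box was reached remotely. As an added example that is not part of the thread, this is the first check a responder would run on the affected server before wiping it: a PowerShell script that reads the Security log for successful remote-interactive logons (event ID 4624 with logon type 10, which is RDP) and failed logons (event ID 4625), groups them by source address, and checks whether the log was cleared (event ID 1102). The 14-day window is an assumption; the event IDs and field names are the standard Windows ones.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the affected server
# before it is reinstalled; the Security log is the evidence of how the attacker got in.
param([int]$Days = 14)   # assumption: how far back to look

$since = (Get-Date).AddDays(-$Days)

# Read a named EventData field from the event's XML instead of scraping the message text.
function Get-EventField {
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-Logons {
    param([int]$EventId, [string]$LogonType)

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $EventId; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { -not $LogonType -or (Get-EventField $_ 'LogonType') -eq $LogonType } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = (Get-EventField $_ 'TargetUserName')
                Source  = (Get-EventField $_ 'IpAddress')
            }
        }
}

# 4624 with logon type 10 = RemoteInteractive (RDP). 4625 = failed logon, any type.
$rdpSuccess = Get-Logons -EventId 4624 -LogonType '10'
$failed     = Get-Logons -EventId 4625

"Failed logons in the last $Days days, by source address (top 10):"
$failed | Group-Object Source | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

"Successful RDP logons in the last $Days days:"
$rdpSuccess | Sort-Object Time | Format-Table Time, Account, Source -AutoSize

# 1102 = "The audit log was cleared". If it appears, the lists above are incomplete.
$cleared = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } -ErrorAction SilentlyContinue
if ($cleared) { "WARNING: Security log was cleared at $($cleared[0].TimeCreated)" }
else          { "Security log has not been cleared in the last $Days days." }
```

A long run of 4625 events from one address followed by a 4624 type-10 logon from the same address is the classic RDP password-guessing pattern; if the server's RDP port was reachable from the internet on that static IP, that, not a browsing mistake, is the hole to close first.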

boredog

Level 9
Verified
Jul 5, 2016
416
Also need an image to use with it, and they are affected.

They would not be affected if on a separate CD or USB drive, is all I am saying. I've been testing malware for a very long time and know how MF works. The only way they could be infected is if they were plugged in at the time of infection. Also, the newest MF has anti-ransomware features.
My images are on a 256 GB USB 3 stick and it works well.

reystar

boredog said:
> They would not be affected if on a separate CD or USB drive, is all I am saying. I've been testing malware for a very long time and know how MF works. The only way they could be infected is if they were plugged in at the time of infection. Also, the newest MF has anti-ransomware features.

Obviously, since a CD is read-only and you can't write to it.

I have 10 backups, the last 10 days, on USB from Macrium, plus a backup from the Windows Restore Tool. All of them are affected... I don't know how and why, but they are. Of course they were plugged in. The PC auto-backs up every day at 02:00 in the morning; the backup USB is always plugged in, in order to back up to it...

boredog

reystar said:
> Obviously, since a CD is read-only and you can't write to it.
>
> I have 10 backups, the last 10 days, on USB from Macrium, plus a backup from the Windows Restore Tool. All of them are affected... I don't know how and why, but they are. Of course they were plugged in. The PC auto-backs up every day at 02:00 in the morning; the backup USB is always plugged in, in order to back up to it...

Well, of course I cannot write, but can you read? I said basically that as long as you keep your USB plugged in, that was a no-no. The ransomware had full access to all your drives. You should never leave your backups plugged into your computer, or this is what happens. The purpose of a backup is to keep it off your computer, never tied to the internet. Anyway, since I can't write, I will leave this conversation.
 
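reystar's objection is that he cannot unplug the drive every day, and boredog's point is that a target that is always mounted gets encrypted with everything else. As an added example that is not from the thread, Macrium, or any NAS vendor, here is a scheduled-task script that connects the backup target only for the run: it maps a NAS share with a dedicated backup-only account, runs the Macrium image, confirms that a new image landed, and unmaps the share again. The share name, account, credential file, definition-file path, drive letter and the Macrium command line `reflect.exe -e -w <definition.xml>` are assumptions; check the command line against the Macrium version in use.

```powershell
# Added example (not from the thread, Macrium, or a NAS vendor). Scheduled nightly in place of
# leaving the backup drive permanently mapped. All paths and names below are assumptions.
$Share      = '\\nas\backups'                                # NAS share, backup-only account
$DriveName  = 'B'
$Definition = 'C:\Backups\nightly.xml'                       # Macrium backup definition file
$Reflect    = 'C:\Program Files\Macrium\Reflect\reflect.exe'
$CredFile   = 'C:\Backups\backupwriter.cred'
$LogFile    = 'C:\Backups\backup.log'
# One-time setup, run as the task's account:  Get-Credential | Export-Clixml $CredFile
# Export-Clixml protects the password with DPAPI for that user on that machine.

$cred = Import-Clixml -Path $CredFile

try {
    # Map the share only for the duration of the run. -Persist makes it a real mapped drive
    # so reflect.exe (a separate process) can see it.
    New-PSDrive -Name $DriveName -PSProvider FileSystem -Root $Share -Credential $cred `
        -Persist -Scope Global -ErrorAction Stop | Out-Null

    $before = @(Get-ChildItem -Path "${DriveName}:\" -Filter '*.mrimg' -File).Count

    # Assumption: Macrium Reflect CLI, "-e" runs the definition, "-w" waits for completion.
    # The definition file itself must point at B:\ as its destination.
    $proc = Start-Process -FilePath $Reflect -ArgumentList @('-e', '-w', "`"$Definition`"") `
        -Wait -PassThru -NoNewWindow
    if ($proc.ExitCode -ne 0) { throw "reflect.exe exited with code $($proc.ExitCode)" }

    $after = @(Get-ChildItem -Path "${DriveName}:\" -Filter '*.mrimg' -File).Count
    if ($after -le $before) { throw "No new .mrimg file appeared on $Share" }

    "$(Get-Date -Format s) backup OK, $after image(s) on share" | Add-Content $LogFile
}
catch {
    "$(Get-Date -Format s) backup FAILED: $_" | Add-Content $LogFile
    exit 1
}
finally {
    # Detach the share whether or not the backup succeeded.
    Remove-PSDrive -Name $DriveName -Force -ErrorAction SilentlyContinue
}
```

This shrinks the window in which the backup target is reachable, but it is not an offline copy: anything running during the window, or anything that can read the credential file as the task's user, still reaches the share. The protection that actually survives ransomware on the server lives on the NAS side, with a backup-only account and NAS snapshots that the server cannot delete, which is what a Synology NAS or a pull-based service such as CrashPlan gives over a mapped USB drive.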
