Recovering After Ransomware

0
2080

Ransomware is a computer malware virus that locks down your system and demands a ransom in order to unlock your files. Essentially there are two different types. Firstly PC-Locker which locks the whole machine and Data-Locker which encrypts specific data, but allows the machine to work. The main objective is to exhort money from the user, paid normally in a cryptocurrency such as bitcoin.

Identification and Decryption

You will firstly need to know the family name of the ransomware that has infected you. This is easier than it seems. Simply search malwarehunterteam and upload the ransom note. It will detect the family name and often guide you through the decryption. Once you have the family name, matching the note, the files can be decrypted using Teslacrypt 4.0. Firstly the encryption key will need to be set. Selecting the extension appended to the encrypted files will allow the tool to set the master key automatically. If in doubt, simply select <as original>.

Data Recovery

If this doesn’t work you will need to attempt a data recovery yourself. Often though the system can be too corrupted to get much back. Success will depend on a number of variables such as operating system, partitioning, priority on file overwriting, disk space handling etc). Recuva is probably one of the best tools available, but it’s best to use on an external hard drive rather than installing it on your own OS drive. Once installed simply run a deep scan and hopefully the files you’re looking for will be recovered.

New Encryption Ransomware Targeting Linux Systems

Known as Linux.Encoder.1 malware, personal and business websites are being attacked and a bitcoin payment of around $500 is being demanded for the decryption of files.

A vulnerability in the Magento CMS was discovered by attackers who quickly exploited the situation. Whilst a patch for critical vulnerability has now been issued for Magento, it is too late for those web administrators who awoke to find the message which included the chilling message:

“Your personal files are encrypted! Encryption was produced using a unique public key… to decrypt files you need to obtain the private key… you need to pay 1 bitcoin (~420USD)”

It is also thought that attacks could have taken place on other content management systems which makes the number affected currently unknown.

How The Malware Strikes

The malware hits through being executed with the levels of an administrator. All the home directories as well as associated website files are all affected with the damage being carried out using 128-bit AES crypto. This alone would be enough to cause a great deal of damage but the malware goes further in that it then scans the entire directory structure and encrypts various files of different types. Every directory it enters and causes damage to through encryption, a text file is dropped in which is the first thing the administrator sees when they log on.

There are certain elements the malware is seeking and these are:

  • Apache installations
  • Nginx installations
  • MySQL installs which are located in the structure of the targeted systems

From reports, it also seems that log directories are not immune to the attack and neither are the contents of the individual webpages. The last places it hits – and perhaps the most critical include:

  • Windows executables
  • Document files
  • Programme libraries
  • Javascript
  • Active Server (.asp)file Pages

The end result is that a system is being held to ransom with businesses knowing that if they can’t decrypt the files themselves then they have to either give in and pay the demand or have serious business disruption for an unknown period of time.

Demands made

In every directory encrypted, the malware attackers drop a text file called README_FOR_DECRYPT.txt. Demand for payment is made with the only way for decryption to take place being through a hidden site through a gateway.

If the affected person or business decides to pay, the malware is programmed to begin decrypting all the files and it then begins to undo the damage. It seems that it decrypts everything in the same order of encryption and the parting shot is that it deletes all the encrypted files as well as the ransom note itself.

Contact the Specialists

This new ransomware will require the services of a data recovery specialist. Make sure you inform them of any steps you have taken to recover the data yourself. This may be important and will no doubt effect the success rates.

Source by Aran Pitter