I did not know whether to put this in Hacking or HDDs & SSDs, so feel free to move it where you think it goes best. I'd be lying if I said I didn't realize the added benefit of the amount of traffic the general discussion page gets.
I'll try to be as concise as possible. My main rig currently contains 3 drives: 1 SSD (we'll call it the Windows drive), a 1TB WD Blue (1TB Mass Storage: everything not Windows, including pictures, documents, etc.) and a failing 1TB Samsung HDD (Master Backup Drive).
- Windows Drive
- 1TB Mass Storage
- Master Backup Drive
It was brought to my attention a few days ago by a family member, who ghetto backed up their iPhone pictures to my Pictures folder on 1TB Mass Storage, that the files were showing up as "encrypted." I chalked it up to something they did wrong or something built into Apple's iOS files, etc., but did not investigate further as I didn't have the time.
That brings me to today, when I did have the time. Upon getting on my PC after a few weeks, I have found that almost my entire 1TB Mass Storage HDD has had its files encrypted, with my Master Backup Drive HDD not even showing up in Disk Management. I pulled the internet cable and the Master Backup Drive out and did some research.
Turns out ransomware is a thing, and I seem to have gotten it. I inspected all my usual folders, downloads and installed programs and found nothing out of place. I haven't received the wallpaper change or the automatically running executable that says something along the lines of "pay within 72 hours to be given your encryption key or it will be deleted." I suspect this is because not all of my files are encrypted yet.
THIS IS THE PART I NEED HELP WITH:
I ran Malwarebytes and a few others that just finished scanning the entirety of the two drives still in my PC (C/D, SSD/Mass Storage), and it shows 0 threats after its deepest scan, which ran for almost an hour. SO WHERE IS THIS MALWARE? As I understand it, since my SSD only runs Windows, the malware originated from the 1TB Mass Storage in some form before it began to encrypt the other mapped drives (the SSD seems 100% normal, though, as does an external 1TB USB HDD).
Question 1 isn't important, in that I am going to completely format my SSD and 1TB Mass Storage multiple times as soon as Recuva finishes analyzing the drive to see if I can still pull off any documents or pictures that were temporarily put there (quite a few gigs' worth in my case). Why it is important is because I need to understand how the malware spreads. I took the Master Backup Drive and, for just under a minute, hooked it up to a different computer to see the status of the files (I only found one folder that had encrypted files, while most other stuff was still intact). I'd like to back up this drive's remaining files to a backup server I now ironically have the time to put together, but will the malware come with it? The same question applies to my external 1TB drive: will the malware come with those files?
I'm sure there were more questions but I think this a start.
Sorry for the long post
If you truly have CryptoWall on your machine you are pretty much screwed; the encrypted files are gone. A lot of antivirus products have not caught up with all of the different variants of the ransomware. Your best bet is to use a Linux machine, pull off all the data that is not encrypted and reformat all the drives.
If it is a true CryptoWall, it will attempt to encrypt anything you attach to the computer as a share or mapped drive.
There are a lot of good threads on www.reddit.com/r/sysadmin about CryptoWall and how to deal with it.
Yeah, I pretty much realize the 256-bit AES encryption is breakable (I knew that when I typed "why are my files encrypted" into a search engine).
Even if I booted a Linux distro and backed up files, how would I know if I'm inadvertently pulling the cryptoware with it onto a new HDD? I don't really know how it functions when we're talking about its spread to other drives... does it copy itself over to the new drive, or does it stay on the source drive and just loop its original commands?
Generally the encrypting is done via JavaScript, an .exe, or a Word or Excel macro, and it does not spread like a worm; it just runs on the host machine till it encrypts everything it can. You should be fine as long as you do not just select all things and copy them. Look at the file names and also look at their date modified.
Man .... People suck .... a lot.
Yep, some of the more popular variants dump HELP_DECRYPT.html and similar files all over the place, vs. the newer "pay by x days or the price goes up" one. That is actually the newest one, which runs on JavaScript.
They also tend to run in the internet temp folders with random file names; you can look there as well to see if CryptoWall is what you got or if you have something else.
A few programs you can try to see if they find it are:
- Avira
- ESET
- AVG
- Bitdefender
If you find a strange file you can test it online at www.virustotal.com.
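The manual checks from the two replies above (look for dropped ransom notes such as HELP_DECRYPT.html, look at file names and modified dates before copying anything off the drive from a Linux live USB, and copy only what is still intact) written out as a script. This is an added example for this thread, not code posted by anyone in it. The note-name pattern, the header-byte table, the entropy threshold and the sample files are all assumptions chosen for illustration; the sample tree is constructed by the script itself, not taken from the poster's drives.

```python
"""Offline triage of a suspect data drive mounted read-only from a Linux live USB.

Added example, not code from this thread. It scripts the checks suggested above:
  * ransom notes are matched by file name (HELP_DECRYPT.* and similar),
  * a file whose header no longer matches its extension, or whose content is
    near-random (high Shannon entropy), is treated as encrypted,
  * encrypted files are grouped by modification hour to show when the
    encryption ran,
  * only clean files are copied to the new backup location.
The note pattern, header table and entropy threshold are assumptions.
"""
import math
import os
import re
import shutil
import tempfile
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

# Assumed ransom-note names; HELP_DECRYPT is the one named in the thread.
NOTE_PATTERN = re.compile(r"^(HELP_DECRYPT|HOW_TO_DECRYPT|DECRYPT_INSTRUCTION)", re.I)
ENTROPY_THRESHOLD = 7.5   # bits per byte; assumption: above this, data looks random
SAMPLE_BYTES = 64 * 1024  # only the first 64 KiB of each file is inspected

# Assumed header bytes for common user-file formats. JPEG and ZIP-based Office
# files are high entropy by design, so for them the header, not the entropy,
# decides whether the file is intact.
MAGIC = {
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".png": b"\x89PNG",
    ".gif": b"GIF8", ".pdf": b"%PDF", ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 8.0 is uniformly random, English text is about 4-5."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> str:
    """Return 'note', 'encrypted' or 'clean' for one file."""
    if NOTE_PATTERN.match(path.name):
        return "note"
    with open(path, "rb") as fh:
        sample = fh.read(SAMPLE_BYTES)
    if not sample:
        return "clean"
    magic = MAGIC.get(path.suffix.lower())
    if magic is not None:
        return "clean" if sample.startswith(magic) else "encrypted"
    # Unknown or renamed extension: near-random content is the only signal left.
    return "encrypted" if shannon_entropy(sample) > ENTROPY_THRESHOLD else "clean"


def triage(root: Path) -> dict:
    """Walk root (symlinks skipped) and summarise what was found."""
    result = {"clean": [], "encrypted": [], "note": []}
    hours = Counter()
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            kind = classify(p)
            result[kind].append(p)
            if kind == "encrypted":
                ts = datetime.fromtimestamp(p.stat().st_mtime, timezone.utc)
                hours[ts.strftime("%Y-%m-%d %H:00 UTC")] += 1
    # The hour with the most encrypted files is when the ransomware was running.
    result["busiest_hour"] = hours.most_common(1)[0][0] if hours else None
    return result


def copy_clean(root: Path, dest: Path) -> int:
    """Copy only files classified clean, keeping the directory layout; return the count."""
    copied = 0
    for p in triage(root)["clean"]:
        target = dest / p.relative_to(root)
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(p, target)  # copy2 keeps the original timestamps
        copied += 1
    return copied


def make_sample_dir() -> Path:
    """Constructed sample tree for the demo (not data from the thread)."""
    root = Path(tempfile.mkdtemp(prefix="triage-"))
    pics = root / "Pictures"
    pics.mkdir()
    (pics / "intact.jpg").write_bytes(b"\xff\xd8\xff\xe0" + os.urandom(8192))
    (pics / "scrambled.jpg").write_bytes(os.urandom(8192))      # header overwritten
    (pics / "HELP_DECRYPT.html").write_text("<html>pay within 72 hours</html>")
    (root / "essay.txt").write_text("The quick brown fox jumps over the lazy dog. " * 200)
    (root / "essay.txt.locked").write_bytes(os.urandom(8192))   # renamed and random
    return root


if __name__ == "__main__":
    sample = make_sample_dir()
    found = triage(sample)
    for kind in ("note", "encrypted", "clean"):
        print(kind, [str(p.relative_to(sample)) for p in found[kind]])
    print("encryption burst:", found["busiest_hour"])
    backup = sample.parent / (sample.name + "-backup")
    print("copied", copy_clean(sample, backup), "clean files to", backup)
```

Run it against a real drive by replacing `make_sample_dir()` with the live-USB mount point (mounted read-only) and a destination on the new backup media. The entropy check is only a lead for formats not in the header table: a video or archive with an extension the table does not know will score high too, so open anything it flags with the proper application before deciding it is lost.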
See, I clear that quite often, and the problem with that is the first drive to be totally encrypted is the 1TB Mass Storage drive, but my temp internet files are on my C drive/SSD, which seems to have nothing encrypted at the moment?
I don't really know. I mean, anything could have happened; hell, your friend could have encrypted it somehow by mistake.
I posted this thread on the LinusTechTips forum as well, and someone just suggested that someone using my PC may have enabled BitLocker, but it's disabled and no one but immediate family has access to this PC... The only thing I'm upset about is losing all my pictures from recent events... sigh... should've built that backup server earlier.
Although I can't give any guarantees, I can tell you what my first steps would be. (Granted, I have these things prepared already, so you will need access to another computer.)
From now on, keep everything backed up externally. I have external drives that I place in Ziploc bags and then put in a portable fireproof safe (yes, I know it's not perfect).
Use a Linux pen drive (I like Ubuntu; Mint is easy too) to access your files and copy them.
Install Malwarebytes on a flash drive and then run it on the infected computer.
I hope this helps, sorry man, that sucks.
I have a bunch of scrap parts lying around and received the HDD I purchased a few weeks back to build an external server that never connects to the internet, but I haven't had the time to build it until today. What are the chances, right?
The SSD doesn't have anything but the Windows install, and the 1TB Mass Storage that I used in tandem with it has important documents, essays, and pictures from the last 2-ish years that don't have another copy, but they got encrypted, so it's too late for them.
3. I ran Malwarebytes and 2 others and they can't find anything on any drive, which is why I'm extremely confused. I have no idea what caused this, so I can't avoid it on my next Windows install.
P.S. I am typing this from my laptop; I took that PC off the network as soon as I figured it out.