Soussan DAS Computer Consultants


HELP! I got infected with ransomware!

The following story is true. The names have been changed to protect the innocent. All screens have been scrubbed of personal data, but everything else is exactly as I saw it, including the dates / times.

It wasn't a good day when I got the email, followed up by a phone call: an employee at a client I help with various computer items called and said there was a message on their screen demanding money in order to get their files back. I'll call him Q to keep the person anonymous, and C for the company he works for.

Q wasn't happy: there were years of work on this system and its external backup drive, and they had tried a few recovery options but none of them seemed to work. They shipped the laptop and its external drive to me and I broke out my analysis toolbox to see what - if anything - I could do to recover their data.



What is ransomware?

Ransomware is software that encrypts various files on your system and then extorts you for money. There are many different strains of it out in the wild, and the simple fact is it makes a whole lot of money for the authors and distributors. As in "millions of dollars" for very little effort. The concept behind the program is simple: by using the encryption built into the system, and via the dark web and untraceable blockchain-based currency (like Bitcoin), they hold your data hostage unless you pay them money. I don't want to re-hash what you can read all over the web, but that is a very brief summary in case you didn't already know about ransomware. You can read more at the article here.

Analysis

My goal was to see how the ransomware worked after the fact, tracing its actions back in time to see what it did and when it did it, and by doing so possibly find something it didn't do right which would let me get Q's files back from Crypto Hell. So this will be technical, but hopefully not so deep that non-tech folks can't follow along.


cerber red background screen

This was the user's desktop background. This file also existed in every directory, along with an HTML-type instruction list with more details. All the events take place on 1/30/2017.

3:31 PM:

Q said he was on a web site doing normal work stuff and couldn't provide too many details. The evidence supports this: something was downloaded onto the system and detected as malware by the AV software, which moved it to C:\QUARANTINE; Internet Explorer crashed and restarted; a couple more files were downloaded and also moved into C:\QUARANTINE; and then something called system.dll, which was likely a working "grappling hook", proceeded to fetch the real ransomware executable.

Cerber - infection point

It is tough to say exactly what was downloaded or how it got there. There are many tricks evil people use; here are a few I found and saved over the years:

fake flash update

This is a fake Adobe Flash update - look at the URL up top; clearly this is NOT from Adobe!

This one is even better - using the real graphics and stuff from Adobe, it looks even more real. Yet the URL still screams out to the observant how this is not the flash update you are looking for!

fake adobe flash update

I can show hundreds more examples of how the evil people try to socially engineer you into clicking, but that would be an article all to itself. If you want, ask me and if I see enough interest I'll write it!

However it got in, it continued. We are only seconds into the infection, still at 3:31 PM, and the system immediately started encrypting files on the externally attached backup hard drive:

cerber - external drive encryption

This continued for almost 30 minutes, finishing up at 3:57 PM when the last bits of data Cerber wanted to encrypt were done:

cerber - external drive encryption

3:57 PM: Immediately upon finishing encryption on the external drive, it began encrypting the internal C: hard drive. The client uses GP Accounting and there were years of documents in the GP Documents directory, all now encrypted:

cerber - first encrypting files on C:

The system finished encrypting data files on the C: drive at 4:20 PM:

cerber - last encrypted files on C:

Meanwhile, the ransomware was filling up the hard drive. This causes the operating system to start deleting the shadow copies that hold the "previous versions" of both operating system files and user data files, which prevents recovering them that way:

cerber - removing shadow copies

Shadow copies were deleted to make room at 3:58 PM, 4:03, 4:06, 4:08, 4:12, 4:14 ... then at 4:16 PM, the system threw its hands up and gave up making shadow copies because the disk was too full:

cerber erasing shadow copies

This is really quite smart of the evil Cerber people - previous versions of Cerber didn't do this, so you could recover your files from the 'Previous Versions' tab! Unfortunately, they "fixed" this "problem" with this newer release of Cerber. So beware of sites claiming to be able to recover your files this way - they are likely talking about a previous version of Cerber, not the current version!

If you have ever filled up your C: drive, you know how much it impacts your system's performance. Q likely did a hard power down to reboot the system as it wasn't very responsive, causing the event logs about being powered on without a proper shutdown at 4:31 PM.
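The timeline above was reconstructed from file timestamps: the first and last modified times of encrypted files on each volume, lined up against the shadow-copy deletions. The script below is an added example of that reconstruction, not code from the original article or from any tool named in it. It assumes a list of (path, last-modified) records such as a forensic tool would export from an image of the drives, uses the article's observation that an HTML-type instruction file was dropped in every affected directory as the marker for "this directory was encrypted", and reports per-volume start/end times plus which shadow-copy events fall inside the encryption span. All file records, event records and the note file name `_README_.html` are constructed to mirror the times in the article; they are not real evidence.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from pathlib import PureWindowsPath

# The article says an HTML-type instruction file was dropped into every directory the
# ransomware touched; a directory containing one is treated as an encrypted directory.
NOTE_SUFFIXES = (".hta", ".html", ".htm")


@dataclass(frozen=True)
class FileRecord:
    path: str          # full Windows path as exported from the drive image
    mtime: datetime    # last-modified timestamp


@dataclass(frozen=True)
class ShadowEvent:
    time: datetime     # timestamp of the shadow-copy (volsnap) event
    volume: str        # volume the event refers to
    message: str       # event text as logged


def volume_of(path: str) -> str:
    return PureWindowsPath(path).drive.upper()          # 'E:\\x\\y.doc' -> 'E:'


def directory_of(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def is_note(path: str) -> bool:
    return path.lower().endswith(NOTE_SUFFIXES)


def encryption_windows(records):
    """Per volume: (first mtime, last mtime, file count) of data files that sit in a
    directory containing a ransom note. Files in directories without a note are ignored,
    so untouched system directories do not skew the window."""
    note_dirs = {directory_of(r.path) for r in records if is_note(r.path)}
    per_volume = defaultdict(list)
    for r in records:
        if not is_note(r.path) and directory_of(r.path) in note_dirs:
            per_volume[volume_of(r.path)].append(r.mtime)
    return {v: (min(t), max(t), len(t)) for v, t in per_volume.items()}


def volume_order(windows):
    """Volumes in the order encryption started on them (external drive first, here)."""
    return sorted(windows, key=lambda v: windows[v][0])


def shadow_events_in_span(events, windows):
    """Shadow-copy events that fall between the first and last encryption timestamp."""
    if not windows:
        return []
    start = min(w[0] for w in windows.values())
    end = max(w[1] for w in windows.values())
    return [e for e in events if start <= e.time <= end]


def analyze(records, events):
    windows = encryption_windows(records)
    return {"windows": windows,
            "order": volume_order(windows),
            "shadow_events": shadow_events_in_span(events, windows)}


# Constructed sample data (not real evidence): times follow the article's narrative.
D = lambda h, m: datetime(2017, 1, 30, h, m)
SAMPLE_FILES = [
    FileRecord(r"E:\Backup\2015\ledger.xlsx", D(15, 31)),        # external drive, 3:31 PM
    FileRecord(r"E:\Backup\2015\_README_.html", D(15, 31)),
    FileRecord(r"E:\Backup\2016\notes.docx", D(15, 45)),
    FileRecord(r"E:\Backup\2016\_README_.html", D(15, 45)),
    FileRecord(r"E:\Backup\2016\photos.zip", D(15, 57)),         # last on E:, 3:57 PM
    FileRecord(r"C:\GP Documents\invoice1.pdf", D(15, 57)),      # C: starts, 3:57 PM
    FileRecord(r"C:\GP Documents\_README_.html", D(15, 57)),
    FileRecord(r"C:\GP Documents\invoice2.pdf", D(16, 10)),
    FileRecord(r"C:\Users\q\Documents\report.docx", D(16, 20)),  # last on C:, 4:20 PM
    FileRecord(r"C:\Users\q\Documents\_README_.html", D(16, 20)),
    FileRecord(r"C:\Windows\System32\kernel32.dll", datetime(2016, 7, 1, 9, 0)),  # no note: ignored
]
SAMPLE_EVENTS = [
    ShadowEvent(datetime(2017, 1, 29, 9, 0), "C:", "routine shadow copy created"),  # before infection
    ShadowEvent(D(15, 58), "C:", "shadow copies deleted: storage could not grow"),
    ShadowEvent(D(16, 3), "C:", "shadow copies deleted: storage could not grow"),
    ShadowEvent(D(16, 16), "C:", "shadow copy aborted: storage limit reached"),
]

if __name__ == "__main__":
    result = analyze(SAMPLE_FILES, SAMPLE_EVENTS)
    for vol in result["order"]:
        first, last, count = result["windows"][vol]
        print(f"{vol} encryption {first:%H:%M} -> {last:%H:%M} ({count} files)")
    for e in result["shadow_events"]:
        print(f"{e.time:%H:%M} {e.volume} {e.message}")
```

Run against a real export, the same functions work unchanged; only the records change. The ordering of volumes by first encrypted timestamp is what shows that the attached backup was hit before the internal drive, which is the whole argument for keeping backups disconnected.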

4:30-5:07 PM:

Here we can see that Q tried to fix this with SuperAntiSpyware ... unfortunately, this isn't spyware and the data was already encrypted:

Cerber

I received both Q's computer and the external hard drive via FedEx and started looking at / documenting / researching Cerber's ransomware to see what if anything I could do for Q's files.

The internet history was completely wiped out:

cerber - wiped out internet history

There were no previous versions of files as all the shadow copy data was wiped out to make room when the disk was filling up.

cerber - shadow copies gone

Since they wrote over the entire unused area of the drive, all deleted files were also overwritten, which eliminated the chance of undeleting older versions and recovering that way.

Short of finding the encryption key magically written to some place on the drive, chances are this data isn't coming back. With a copy of the original ransomware, tools could be used to watch what the system is doing during the infection and possibly detect this event. Without knowing exactly where the ransomware came from or if it is even still on the drive, I would be shooting completely in the dark trying to find it.

Trying to pay

There are tons of examples of people that were infected being screwed over: paying and then not getting their files back, or paying after the system that holds the encryption keys was taken down by law enforcement so the keys don't even exist anymore, or hospitals being extorted and paying only to be held ransom for still more money. On the flip side, there are also ransomware victims that are getting their files back by paying the ransom. I'm not here in this article advocating one way or another, just giving you some data and pointers at the end to help you make up your mind.

So in the best interest of my client, I asked what it would take for them to have a chance at getting their files back by paying the ransom - as in 'How much?' So I followed the instructions and tried to get to the web sites, but ALL of them were down:

Another path to the ransom payment site was via the Tor browser and the "dark web", details you can read about at the links. Evil people do this so they can't be found.

I finally allowed the system to connect back to the internet via an isolated network in case it was still actively trying to infect other systems and connected to the evil extortionists to see how much they wanted. The sequence of events is here:

How nice! They support multiple languages!

Clicking English, for strange reasons they wanted me to prove that I wasn't a bot... so they had this captcha:

Over and over again, I kept picking and apparently kept getting it wrong...

On and on this went... so many I stopped capturing all the screens. This was beginning to look like a cruel joke or social experiment in "How badly do they want their files? The more they click, the more they want their files, the more we can charge them!"

(ransomware authors: If you use that idea, please send me a commission check!)

Eventually I got here:

This went on in a lather-rinse-repeat cycle a few more times before I gave up for the night.

Next day, tried again - more times than I care to admit - and eventually got here:

And at long last:

cerber - ransom!

I don't get it - are bots attacking the ransomware sites? Why else would they need some complex captcha?

So for this week and this week only, you can have your files back for the sale price of a bit over $604. Wait 4 days and the price goes up to a bit over $1209.

Other paths traversed

This was just the analysis of what happened. I poked at it with many other tools and many other searches, but nothing proved fruitful.

If you search, you will find a whole lot of sites that claim if you buy their product they can help you decrypt - but I'll bet they can't. If encrypted data was that easy to crack, then the ransomware business wouldn't be making millions of dollars weekly.

The best site I found with various decryption tools is here: https://www.nomoreransom.org and they link to other anti-malware companies that have developed tools for certain strains of ransomware. If you are here because you got bit, then maybe they have a tool for you!

Another set of tools is here at Trend Micro (full disclosure: I am a Trend Micro reseller / partner, but I get nothing out of you going there to see if their tool can decrypt your files!). They have a cerber decrypter but it doesn't work on this latest version.

WARNING: There is a lot of click-bait out there! There are also a lot of products that claim they will get your files back if you send them money, but there is no reason to believe they can unless they are connected to the original malware authors and have the decryption keys!

For the technically inclined, there is a deep dive into the internals at the malwarebytes blog (WARNING: Assembly language content! Do not read unless you own a propeller beanie and are not shy about wearing it in public!) but this is for the version 1 of the Cerber tool - cerber 'red' is at least version 5. They stopped numbering their malware in a publicly visible way.

Recovery

The best option for recovery is restoring from a not-connected-to-the-computer backup.

This ransomware encrypted the externally connected drive before attacking the internal drive. So if your backup is always plugged in, it is going to be encrypted.

I've advocated and preached backups forever due to the fragility of the data on hard drives since they were invented. Every hard drive will fail someday, and it will try to take all your data with it. The question is how will you recover that data?

Thus the backup.

In this case, due to some legal orders and a company sale, they had a copy of the hard drive as it existed in September of 2016. So while a little over 4 months of files were lost, they had everything from that point backwards. Plus everything in the mail server (thus documents that had been sent or received via email) was recoverable. Much of the accounting work could be pulled out of GP.

So while a lot was encrypted, a good portion of it came back - due to a disconnected backup.

Without that backup, this would have been a situation where the only data recoverable was stuff sent to other users' computers at various points in time.
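A disconnected backup only helps if you can tell, before you rely on it, that it has not itself been rewritten while it was plugged in. The script below is an added example, not code from the original article: it records a SHA-256 manifest when a backup set is written (the manifest is meant to be kept somewhere other than the backup drive) and later verifies the set against it, reporting files that were modified, went missing, or appeared unexpectedly. Any file that ransomware overwrote fails the check, and a dropped ransom note shows up as an unexpected file. The directory layout, file contents and the note name `_README_.html` in `demo()` are constructed; the tampering step just overwrites one temp file to stand in for what the article describes happening to the external drive.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large backup files don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Map each file (path relative to backup_root, POSIX style) to its SHA-256 digest."""
    return {p.relative_to(backup_root).as_posix(): sha256_of(p)
            for p in sorted(backup_root.rglob("*")) if p.is_file()}


def save_manifest(manifest: dict, dest: Path) -> None:
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> dict:
    return json.loads(src.read_text())


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Compare what is on the backup volume now with the manifest recorded at backup time."""
    current = build_manifest(backup_root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo():
    """Build a constructed backup set, record its manifest, verify it clean, then
    simulate a rewritten backup and verify again. Returns (clean_report, tampered_report)."""
    with tempfile.TemporaryDirectory() as d:
        tmp = Path(d)
        backup = tmp / "backup"
        (backup / "GP Documents").mkdir(parents=True)
        (backup / "GP Documents" / "invoice.pdf").write_bytes(b"%PDF-1.4 constructed invoice\n")
        (backup / "notes.txt").write_text("quarterly notes (constructed)\n")

        # At backup time: write the manifest and keep it OFF the backup drive in real use.
        save_manifest(build_manifest(backup), tmp / "manifest.json")
        clean = verify_backup(backup, load_manifest(tmp / "manifest.json"))

        # Simulated tampering (constructed): one file overwritten with junk bytes and a
        # note dropped in the directory, the pattern the article describes on the E: drive.
        (backup / "GP Documents" / "invoice.pdf").write_bytes(os.urandom(64))
        (backup / "GP Documents" / "_README_.html").write_text("<html>constructed note</html>")
        tampered = verify_backup(backup, load_manifest(tmp / "manifest.json"))
        return clean, tampered


if __name__ == "__main__":
    clean_report, tampered_report = demo()
    print("before tampering:", clean_report)
    print("after tampering: ", tampered_report)
```

The check is only as trustworthy as the manifest's storage: if the manifest lives on the same always-connected drive, it gets encrypted along with everything else, so keep it with the disconnected copy or somewhere the backup drive cannot reach.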

Moral

Back up your data! If not everything, at least what you hope to recover if your computer is stolen or catches fire.

Think about that for a minute - if your main computer vanishes, what will you need in order to become whole again?

If your backup strategy doesn't have something that will help you in that situation, then you are going to find yourself helpless in the face of a ransomware infection as well.

 

If you found this helpful (or not), please send me a brief email -- one line will more than do. If I see people need, want, and / or use this kind of information that will encourage me to keep creating this kind of content. Whereas if I never hear from anyone, then why bother?

I can be reached at:
das (at-sign) dascomputerconsultants (dot) com

Enjoy!

 

CryptoLocker Ransomware

Analysis of CryptoWall from years back

Even older analysis of CryptoWall 2.0

Popcash malvertising leading to Cryptowall infection

 

David Soussan

(C) 2017 DAS Computer Consultants, LTD.  All Rights Reserved.
