Thursday, May 28, 2020

Ransomware

I am the victim of a ransomware attack. The ech0raix malware has encrypted all of the files on my computer. They are demanding $650 worth of bitcoin. My wife is in tears. The QNAP raid was our backup and I thought we were protected. All of our photos, including of our wedding, my entire life, and my dead father are on there. 1TB of files in all. It is irreplaceable.

The malware didn't touch music or movie files. It only encrypted pictures, Office files, and PDFs.

I am looking for help in fixing this. I found a file on bleepingcomputers.com that claims to fix it, but none of the computers in the house will run it because they claim it is a virus itself.

I don't know what to do. I considered paying the ransom, but people online are saying that paying doesn't get you the decryption key.

7 comments:

Aaron C. de Bruyn said...

Paying will sometimes get you the decryption key. But you're trusting the person who infected your computer to be honest.

The FBI has a lot of experience in dealing with this stuff on a corporate level. You may want to try giving them a call and reporting it. Frequently they publish decryption keys when they become available, or if they are able to seize the computers of the virus writer.

Joshua said...

Don't know if my previous comment got lost or if there is a delay. If this creates a double post please delete.

When infected with ransomware previously, I was able to get around it by hard resetting/shutting down (holding the power button for 5 seconds to force a shutdown) and, when restarting the computer during the "this device was improperly shut down, what do you want to do" message, selecting the option to start in safe mode.

From there, if you are able to, try to restore your computer to a previously saved version from System Restore. Sometimes the virus will try to delete saved versions and sometimes it will not, but if it works then go for that and run all the malware scans and whatnot.

Aaron C. de Bruyn said...

I recommend against shutting down. The keys may be stored in memory and rebooting will hose them. If the FBI is unable to help, I recommend powering off the NAS that has all your data. Leave it off. For good. Eventually someone will come up with a decryption key or program or even find a flaw in the code that encrypted your files. It may be a few years, but in most cases someone will find a way to get the data decrypted. Heck--we've even seen some of the virus writers say "Well--we earned enough money and we're shutting this one down. Here are all the decryption keys."

If the FBI can't help, your next step would be to contact a company that deals with cyber security. Explain what happened and see if they can help. Some of the security companies will respond with an insanely high price. Thank them for their time and move on. Find a company who is willing to look for free/minimal cost and charge you only if they are successful.

If you need help/advice on this, call me. My job is to protect data against this stuff. So far I've had about 75 clients get hit with cryptolocker (some multiple times) and we have *never* lost data. I can help you do that in the future if you're interested. If you want to chat, I think blogger shows you my email address.

Divemedic said...

It is the ech0raix malware

Aaron C. de Bruyn said...

If it were me, here's what I would do.

1. Do a complete backup of the computer and the NAS to another storage device. Do it "offline". (Pull the drives from your computer and storage device and make a bit-for-bit backup)

2. Boot your NAS and computer back up. Install antivirus and make sure it's up-to-date. Let it clean up your computer.

3. Install that file from BleepingComputer and let it run. If it trashes your computer and makes things worse, you have that bit-for-bit backup from step 1. If it fixes everything, count your blessings.

4. If things are fixed, *immediately* make an offline backup. It may require several external USB hard drives. Alternatively, use an online backup service. Tarsnap works really well and makes sure your data is fully encrypted before sending it to the provider...but it doesn't really run on Windows and it's designed for computer geeks.

5. The saying "Two is one and one is none" applies to backups. If you can do both an online backup and an offline backup, do it.

The ideal backup solution (i.e. money is no object) is to go buy a FreeNAS Mini from ixSystems. It provides "online storage" for your data, but it also does snapshots and keeps your data encrypted. Combine that with a handful of external USB drives. Back up to them nightly. Once a month, once a week, or whatever...disconnect them from your computer and take them to a safe place. Safety deposit box, fireproof safe, etc...grab the old ones from your safe place and bring them back and plug them in to your computer.

If you get something like a virus, you can usually roll back the FreeNAS box to an earlier snapshot. If the virus somehow destroys the data on your FreeNAS box, you have your locally attached USB backup drives. If the virus manages to attack both of them--or something stupid happens like bad electrical burns your house down... ;)....you can go to the safe place and grab your 'off-site, off-line' backups and plug them into a *known clean* computer to restore your data.
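Step 1 of the list above (an offline, bit-for-bit image taken before any cleanup or decryption tool is run) and step 4 (an offline backup you can trust) both depend on being able to prove later that the copy is intact. The script below is an added example written for this page, not code from the commenter or from QNAP/FreeNAS; it images a drive with dd, records a SHA-256 hash next to the image, and re-checks that hash before the image is trusted for a restore. It assumes GNU coreutils (dd with status=none, sha256sum), and the device and output paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Offline bit-for-bit imaging with checksum verification (added example).
# Run from a known-clean machine with the suspect drive attached read-only,
# never from the infected computer itself.
set -eu

# image_device SRC DEST
# Copy SRC to DEST byte for byte. bs=512 matches the sector size, so an
# image of a real drive ends exactly on a sector boundary; conv=noerror,sync
# keeps going past an unreadable sector (padding it with zeros) instead of
# aborting the whole image of a drive that may already be failing.
image_device() {
    src=$1
    dest=$2
    dd if="$src" of="$dest" bs=512 conv=noerror,sync status=none
    sync
}

# verify_image SRC DEST
# Hash both ends independently and compare; returns 0 only on a match.
# Do this immediately, while the source is still attached.
verify_image() {
    src_sum=$(sha256sum "$1" | cut -d' ' -f1)
    dest_sum=$(sha256sum "$2" | cut -d' ' -f1)
    if [ "$src_sum" = "$dest_sum" ]; then
        echo "ok $dest_sum"
        return 0
    fi
    echo "mismatch: source $src_sum image $dest_sum"
    return 1
}

# record_hash IMAGE
# Store the hash beside the image so a restore months later can confirm
# the image has not been altered or silently corrupted in storage.
record_hash() {
    sha256sum "$1" > "$1.sha256"
}

# check_recorded_hash IMAGE
# Returns 0 if IMAGE still matches its recorded hash, 1 otherwise.
check_recorded_hash() {
    sha256sum -c "$1.sha256" >/dev/null 2>&1
}

# Example usage (placeholder paths, run as root on the clean machine):
#   image_device /dev/sdb /mnt/external/qnap-disk1.img
#   verify_image /dev/sdb /mnt/external/qnap-disk1.img
#   record_hash /mnt/external/qnap-disk1.img
# Later, before restoring from the image:
#   check_recorded_hash /mnt/external/qnap-disk1.img || echo "do not trust this image"
```

Keep the .sha256 file on a separate medium (or at least a second copy of it) so that a single corrupted external drive cannot take both the image and its proof of integrity with it. For a drive that is throwing read errors, GNU ddrescue (a separate package, not part of coreutils) is the better imaging tool because it retries bad regions and keeps a map of what was recovered; the verification functions above apply to its output unchanged.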

Divemedic said...

The bleeping computer file trips the antivirus on two different computers.

Aaron C. de Bruyn said...

Yeah. Most AV programs are terrible nowadays. You can scan the file against https://virustotal.com/ and see what they say. VirusTotal runs scans using ~60 different antivirus tools.

Most of them say they think it's malicious or it "behaves like a virus". More than likely because the tool also scans through files and attempts to re-write them. Basically just like what the virus did, but in reverse.

But that's the reason I say you should get a 'bit for bit backup' of your drives. If this tool ends up actually being a virus...no big deal. You already have a backup of your system as-is (encrypted by one virus, not potentially two).