Ransomware Attack

Ask questions and give answers about computers, mobile devices, game boxes, PC security and all manner of geeky stuff.
Post Reply
User avatar
Kellemora
Posts: 1658
Joined: 16 Feb 2015, 11:54

Ransomware Attack

Post by Kellemora » 01 Apr 2017, 11:36

Everyone laughed at me and my redundant backups, and the fact I still kept a manual backup I had to tote between the office and the house.

We were HIT with a Major Ransomware Attack!

It took out all of the image and some data files on the frau's Windows 10 computer, all of the image files on three external hard drives connected to her computer, and on a backup drive connected to an old Windows computer up here in the office.

After finally getting the frau to back-up her files each time she added to pictures, she still ended up losing all of her pictures again, because she backed up to an external drive connected to her computer. Sad she is, and angry.

I have a shared external drive up here, formatted as NTFS and connected to an old Windows XP computer, I use as an intermediate storage area for files before I manually copy them to the normally disconnected manual back-up drive.
So I lost all the files on that drive. Fortunately, I don't delete any file I place on it, until after it has been stored on the backup I carry back and forth from the house.

So on the bright side, I've not lost any data, namely our Master Photo File of over ten thousand images.

I was up until 2 am cleaning out the frau's Windows 10 computer and getting it up and running again.
To make sure the external hard drives are totally clean, instead of doing a quick format, I did the long slow format which writes zeros to the entire hard drive, then reformatted it again, back to NTFS so they can be read on the Windows machines. It took 3 hours to do a little 250 gig drive, which I copied some files to from my manual backup drive.

The other two external drives, I did the little one the frau uses this morning, and the large 1 terrabyte is still running doing the full reformat writing zeros, been running now for about four hours and is only 20% done.

I ALMOST put my manual backups on the LAN to simplify things. If I had, we would have lost everything.
So, once again, a lesson is learned. Only backup what you know is good, and do it manually, and keep it disconnected from anything.

There is no way I would PAY a hacker to get the Key to decrypt the files they encrypted.
Besides, I hear the program they sent to decrypt doesn't always work very well, if they even send it at all.

So, now who is laughing at my redundancy? Or my doing manual backups?

I didn't have much on the NAS yet, but to be safe, I will reformat it as well. I disconnected it, but have not yet had time to see if it was hit. I found some files that would not open, but they did not have the Ransomware files other folders had on the frau's computer and on the external drives.

By the way, one of these backup drives was password protected, and the ransomware still encrypted it.

Grrrrrrrrr..........

User avatar
yogi
Posts: 3904
Joined: 14 Feb 2015, 15:49

Re: Ransomware Attack

Post by yogi » 01 Apr 2017, 13:22

Hello Gary

This news about your ransomware attack is very disturbing. You have my sympathies. I'm pretty confident about the security on my LAN and Windows machines, so confident that I do not bother to install or run antivirus software. Windows 10 does by default and if I could I would disable that. I do check for malware on a regular schedule, and I do backup everything manually. I'm not running a business here so that I am able to create redundant backups to USB memory sticks. The beauty of that, of course, is that it's easy enough to disconnect when backups are not in progress.

I try to keep up on the latest attack vectors and feel pretty confident that I can handle most of them with little or no permanent damage. However, the one thing I am VERY concerned about is ransomware. They have become highly sophisticated with their delivery and is not always preventable. For example the latest generation only requires you to view a web page. The payload is delivered automatically and the binaries are self-extracted in such a way that it does not raise any flags in your AV software. I'm convinced that it's just a matter of time before I too am hit which is why I run my operation here under the assumption that I will lose everything some day. Off line encrypted backups seem to be the only defense at the moment.

Your experience raises a few questions in my mind. Most of what I know about ransomware is theory written about by strangers. You are the first person I know who actually has to recover from such an attack. Thus, I have a few questions if you don't mind answering them.

1) Do you know how the ransomware software was delivered? What did you or your wife (or you) do to initiate the attack? I'm assuming it attacked via Windows 10 Home edition. Let me know if it was something else.
2) Do you know the name by which your specific ransomware goes by?
3) What data file extensions were attacked? If they are too numerous to mention, what software created the datafiles?
4) What format were you using on the external hard drive that was password protected? Was it merely password protected, or was it encrypted too? If encrypted, did you use Microsoft's BitLocker, or a third party variant?
5) Kindly let me know if anything on the NAS was attacked. I am particularly interested to know if any Linux generated files were affected, i.e. anything in an ext2-3-4 file system. Also, if NAS was affected, was it only the Windows share?
6) Were any of your mobile devices (tethered to your WiFi) also attacked?

I'm also presuming the ransom attack took control of the login account used by your wife. The default account has administrative privileges which makes me want to ask if she was logged in with an account that is not administrator.

I'm in no hurry for this information. Do what you need to do to recover your own operation first.

May the Force be with you.

User avatar
Kellemora
Posts: 1658
Joined: 16 Feb 2015, 11:54

Re: Ransomware Attack

Post by Kellemora » 02 Apr 2017, 13:21

Hi Yogi

I'll start by saying Ransomware is not detected by any virus detection program.
Debi is running msDefender and Avast I think it is, and neither of them caught it.
I ran ClamAV on all of my computers and on the already infected hard drives and it found nothing either.

1) Do you know how the ransomware software was delivered? What did you or your wife (or you) do to initiate the attack? I'm assuming it attacked via Windows 10 Home edition. Let me know if it was something else.

It was delivered by the image of a couch Debi saved using copy from her Yahoo e-mail account and pasted to her desktop. This was on her Windows 10 computer, running as USER, not as Administrator.

2) Do you know the name by which your specific ransomware goes by?

I forget all of what the recovery files said, and now they are all erased and those drives formatted. But the name the name of the ransomware used was Cerber. From a line that read, your files have been encrypted by Cerber, etc.

3) What data file extensions were attacked? If they are too numerous to mention, what software created the datafiles?

This is going to be lengthy, due to the different types of drives.
On Debi's computers internal drive, every document file .doc .docx .txt were encrypted, along with all image files saved as .jpg, and all video or movie files of any file extension. Plus whole folders were encrypted as well, so we couldn't even open the folder to see what was in it.
All of the external hard drives affected were formatted as NTFS.
I have one external that refuses to format, that was connected directly to Debi's computer. It has been changed to Read Only, and the only file that would show was the one from the hackers to get the unencrypt program. I've since got into this drive to reformat, but am still having problems which I will ask about later.
On the two external drives down at the house, connected through a USB hub, not directly to Debi's computer, all data and image files were encrypted, except for .tif image files. For some reason these were not encrypted.
On the three external drives in my office, one was connected to a Windows XP Pro MCE machine, the other two to Linux computers, both running Debian.
The external connected to the Windows machine suffered the same damage as the ones connected to the USB Hub down at the house, and rendered read only. I was able to reformat and write all zero's to this external.
Of the two externals connected to the Linux boxes, only one was using Windows Share, the other is not Shared.
The shared one only had all .jpg and .doc files encrypted. No other files were affected.
The one that was not shared was not affected at all, that I know of.
All externals are formatted NTFS.
The internal drives on my Linux boxes are all formated ext3 or ext4, and were not affected.
What program created the files does not seem to matter, as it was an attack on the storage devices.

4) What format were you using on the external hard drive that was password protected? Was it merely password protected, or was it encrypted too? If encrypted, did you use Microsoft's BitLocker, or a third party variant?

The external I used a password with, was one I manually copy the days files to, over the LAN. Not the manual copy I carry back and forth to run backup to.
I do not encrypt my hard drives because the time I tried it, when I changed computers, I could no longer access the data, even with the keys. The old computer died, the mobo fried. I tried everything to read this drive. Thankfully, it was just a backup so I lost no data.

5) Kindly let me know if anything on the NAS was attacked. I am particularly interested to know if any Linux generated files were affected, i.e. anything in an ext2-3-4 file system. Also, if NAS was affected, was it only the Windows share?

I checked out the NAS this morning and found no files encrypted yet. However, I have over 1,000 folders to go through before I know for sure. I just started using the NAS as a backup for some of my major files that Debi needs access to.
When I set up the NAS, I went through all the security settings following the instructions. I have no idea what file system is in use on the NAS. I tried to figure it out by checking properties on it, and all I get is permission denied, hi hi...

6) Were any of your mobile devices (tethered to your WiFi) also attacked?

Not that we know of.


I'm also presuming the ransom attack took control of the login account used by your wife. The default account has administrative privileges which makes me want to ask if she was logged in with an account that is not administrator.

No Debi did not lose access to her computer, although most of the files on her internal hard drive were encrypted. But nothing inside of the system file folders, only data she stored in folders. None of the files stored on her Desktop were encrypted, but almost everything under Documents and Settings, and all other user folders were encrypted.
Although she logs in as USER, when I looked under the Administrator account, any .doc or .jpg files there, not associated with system files were encrypted, and she had not logged in as administrator since late in 2015 when we set up the computer.

Because so many files on Debi's computer were messed up, and we made a copy of Restore after it was all set up the way she wanted it, on a small backup drive designed for that purpose. I reformatted the HD in her computer and then ran the Restore. She still has to reload programs she installed after the time we made that backup, so she is POed about that, and losing all of her camera photos which were saved only on the external drive. She lost hundreds of games she bought that were stored on the external also.


OK, now for my question:
All of the external hard drives except one, I was able to reformat the slow way, writing zero's to the disk to make sure it was wiped totally clean. I did this using a special disk formatting tool in Linux. Then I used GParted to create a new single partition on each drive as msDOS and NTFS or aka Master Boot Record, not GPG or whatever the new system is for large drives. So these drives are all now perfectly clean and restored to use.
Except for the one that was locked as Read Only.

I was able to go through this stubborn drive and delete all the file folders, but could not write to it since it was changed to Read Only.
When I went to Format the drive using the special disk formatting tool, it would not let me, said read only. Or actually gave me IO errors with a coded reason. The coded reason defines the drive as Read Only. GParted could not even read from this drive.
On one of the forums, I ran across someone with the same problem, and they said they finally got theirs formatted by using Linux Mint and the same special disk formatting tool I was trying to use on Debian. It just so happens I have Linux Mint on one of my partitions, so loaded it up and was able to Format the drive, I tried formatting it as ext4, then ext3 and finally NTFS. However, it is still unusable, and was still Read Only.
I figured the reason being is that I had to be in Root to force it to format. I could not write zeros to it like the others.
After a couple of hours of messing with it, I finally got it formatted and partitioned to a single NTFS partition. However, I can only read and write as Owner. Even as Root it will not let me change the Permissions of the drive. Not even using Command line instructions to do so. Get the error Read Only for User and Guest. If I try changing it, it changes right back to Owner only can read and write.
I even tried connecting it to a Windows XP computer to see if I could format it again from there, no luck, Windows can't see it at all.
Back to Linux, and tried it on all of my machines. Each machine will mount it, and let me make a folder and put something in the folder. But it will not allow me to change permissions, once again, not even as Root.
If I do put a file on it, like to use it only for long term backup and keep it unplugged, if I move it to another computer with the exact same log-in, it will read but not write. If I put it on a computer with a different log-in, like my accounting computer, it sees it, but says you do not have permission to view this file.

I may have lost a few current files that were not yet backed up on my manual backup drive. But at least all of my master photo files, which includes genealogy pictures and old pictures each sorted by person, is intact, and now backup up to all the externals again. I'm not hooking up the backup of my main backup until I'm sure I'm rid of this ransomware.

From what I understand, it does not linger and reactivate itself. It does it's dirty deed of encrypting, and then goes about trying to get you to send them money. Which I won't of course, not even if I lost everything. There are ways of getting files back, not easy and time consuming. But at least I had backup that were not connected to anything. I think I'll also make some new DVD backups since I haven't done so in several years now.

Have a great day Yogi, and laugh at me pulling out the rest of my hair, hi hi...

User avatar
yogi
Posts: 3904
Joined: 14 Feb 2015, 15:49

Re: Ransomware Attack

Post by yogi » 03 Apr 2017, 09:25

Gary

First of all I want to thank you for sharing all that information about the Cerber ransomware attack. I realize it isn't much of a consolation, but Windows is not the only target for such misdeeds. Cerber seems to focus on everything Windows, but I have read about corporate attacks on their Linux and Unix servers; not likely from Cerber, but ransomware nonetheless. The sophistication of this software is amazing. I'm giving you a link to see exactly how Cerber works, but I don't expect you to understand the technical details. I certainly don't. But I do know enough to be amazed at what these criminals are capable of doing:
MALWAREBYTES CERBER ANALYSES: https://blog.malwarebytes.com/threat-an ... ut-mature/

As you would expect, a lot of people want to know how to fix the problem and eliminate the virus. I read about a tool from Kaspersky a long time ago, but apparently the crooks updated their attack vector so that this method has not been successful lately. You may find various downloads to help with the decryption, but my guess is that if a solution is generally available, the bad guys have a work around. About the safest way to go about it is to restore Windows from a recovery disk and then restore those redundant and clean backup files you save in multiple off line media:
RANSOMWARE REMOVAL: https://www.pcrisk.com/removal-guides/9 ... ransomware

About the only comment I can make regarding detection is that Cerber goes to great lengths to remain undetectable. Windows Defender is useless here, and apparently Avast isn't any challenge for these guys either. The reason is that once the payload is delivered, the first thing it does is so check that the machine is not sandboxed or a virtual machine. Those two things can capture the binary so that forensic experts can analyze what it's up to. Cerber ends right there and never downloads it's payload if it detects a sandbox of any kind. So this is a hint about protection against future attacks. Run something like Sandboxie or, better yet, install VirtualBox on one of your Linux machines and run Windows in a virtual environment from there. I don't know how well Windows 10 works as a virtual machine, but I know Windows 7 has no problems. After Cerber does its dirty work, it erases all traces of itself aside from the ransom notes. Thus there is nothing for AV programs to detect. A lot of them claim they use heuristics to detect unusual activity, such as encrypting a lot of files, which is a good thing. I'm not sure how well Avast works in that regard but there is software you can install for that purpose.

You said that you had a question for me, but I did not see one. LOL I think I know what you intended to ask so that I'll answer your unasked question here. About the surest thing you can do to restore that R/O hard drive is to run a low level format on it. The best way is to go to Seagage, Western Digital, or whoever made the drive and get software for that purpose from them. They use it to format the platters for the first time and toss in a little coding for boot purposes. Writing all zeros to the platter will certainly clean the drive, but obviously it doesn't change permissions. I'm guessing your drive was password protected and that Cerber assumed root privileges to do it's thing. So, you now need to replace the firmware (which Cerber modified), and that's where the low level formatting comes in handy. It may be possible to do it from BIOS or UEFI, but these two articles think they have easy solutions you might be interested in:
FROM CDNET: http://download.cnet.com/HDD-Low-Level- ... 44788.html
FROM SEAGATE: http://knowledge.seagate.com/articles/e ... Q/203931en

I would be doing exactly what you are doing, i.e., trying to recover free access to the HDD. However, if your need for functionality of a hard drive is urgent, buy a new one. Work on recovering the contaminated one at your leisure.

It's scary out there, but I was not surprised at all that Yahoo was somehow implicated in your being infected. These are the guys who are trying to sell their company but nobody wants them. Well, maybe Verizon. They lost millions upon millions of data records to hackers and didn't bother to tell anybody for two years. Lovely people. I'm sure I don't have to remind you at this point, but the strategy of backing up important files to off line memory is the best. You can use USB memory sticks, pen drives, or attached external drives, but only have them active during the backup process. Disconnect them when not in use. I'm particularly interested in how well a Windows share on the NAS is protected because that is where I have a lot of backups on my LAN. My guess is that it is vulnerable as long as the drive is mounted. But, I'm not sure about that yet. I'm also not sure how well protected a cloud server would be. I'm thinking that whatever is mapped into the Windows OS is vulnerable. But, maybe certain devices under certain conditions are safe.

User avatar
Kellemora
Posts: 1658
Joined: 16 Feb 2015, 11:54

Re: Ransomware Attack

Post by Kellemora » 03 Apr 2017, 11:50

Hi Yogi

I honestly don't know or understand what lies beneath how they do it. But from what I understand, you no longer have to physically download the program. Most e-mail programs open images that are in downloads and display them with the message. Or in the case of viewing your e-mail on-line like on Yahoo, the image is still transferred to your computer in order to display it on the screen. It is possible for them to get in this way.

However, Debi did not download the image she saw on her Yahoo e-mail. She did do a copy and paste of the picture of the couch to her Desktop. I'm not entirely certain that the ransomware came from this image, but for almost a minute after she pasted the image to her desktop, her computer bogged down to the point even her mouse would not move. Which makes me think this image was the culprit.

I found more damage yesterday and last night. I went to use my genealogy program and although it loaded and looked OK, some data was missing. So I went looking at the individual data files associated with the program. I have over 144,000 linked individuals in the database, and each of those individuals has folders if I added images or created notes.
Images uploaded into the genealogy database are saved as .tif which the ransomware did not encrypt. However, they encrypted other data in the folders which rendered the folder unreadable by the genealogy program.
I got out an older copy and started comparing my most recent relatives, only to find it was so long ago, not even my mom's death date or notes are in it, and hers is one of the files that the Notes folder was encrypted.
I made a new GEDCOM file of the older database and uploaded it to Ancestry.com. And will slowly go through the files and add what doesn't get included when using GEDCOM. GEDCOM is only a text file, and most proprietary genealogy programs do not follow the GEDCOM standard perfectly, so going from FTM or FTW to GEDCOM loses one heck of a lot of data, especially if you used some of their proprietary tags in the process.

Back to CERBER... If you have a single shared folder on a drive that the whole drive is not shared, Cerber uses that single folder as the access point to the entire drive. It seems also it doesn't matter if the drive was password protected or not, due to the way Windows works.

This is one of those things I should have known, but forgot.
I format all of my external drives as NTFS so they can be accessed from a Windows computer, since after I'm gone, I doubt anyone will have or understand Linux to access my stored data.
However, a drive formatted as NTFS does not have the security features of one formatted as ext3 or ext4.
If a hard drive is formatted as ext3 or ext4 you have restrictions on who can view that hard drive. They are Owner, Group Member, and Guest. You can set these to Read & Write, Read Only, or NONE... The default is Owner can Read & Write, a Group Member can only Read, unless you give a specific group member by name Write privilege. Guest is usually set to NONE, so they cannot even view the drive.
If you plug an external drive formatted as NTFS into a Windows computer, it ignores the OWNER and gives the Windows Computer User Ownership status of the drive. Windows ignores Group and Guest entirely. If the Windows User is logged in as Administrator, they have Root access to the drive. Or in the case of Cerber, they are ROOT, so can do almost anything to anything.

Because all of my drives were formatted NTFS, it wasn't that they went through a Linux box per se. Because all of my machines are on the LAN, they could get to the external drives formatted NTSF even if they were not shared, simply because everything connected to a computer on the LAN can be discovered.
On the bright side, my internal drives on the Linux boxes are formatted ext3 or ext4 so the ransomware did not mess with those.

On the drive I thought I could not get working right, I finally managed to do so, after I remembered what I forgot.
The same program used to force format a drive that did not work on Debian, did work on Linux Mint. But it could be because I first forced it to create ext3 on the existing partition.
All of the IO errors I was getting, and when I said I could not set the permissions, was because it was originally NTFS. And yes, Cerber did something to the drive, like a Denial of Service attack on it.
But I asked myself, why it and not the rest of the external drives?
I thought about a low level format, but then after finally getting it to format ext3, I went back and formatted it again writing zeros to the entire disk. Then my last step was to use GParted to reformat as NTFS. Now it works on any machine, even on a Windows machine that could not see it at all before. My fear was not being able to change permissions, even trying to do so as root. That was before I remembered, you cannot do that if formatted NTFS.

Now that all is said, but not quite done, I still have tons of files to restore. Whether anyone else can read the hard drive or not, I'm taking a 2 terrabyte drive and making it ext3 and password protecting the entire drive. I will use this as my emergency on-line backup, and start by putting everything I do on it to get it loaded.

By my way of thinking, since I'm on Linux, I could use Rsync to copy my NTFS formatted external drives to the big drive formatted as ext3 as backup, but keep each of those folders separate as far as what drive the data comes from.

That was probably confusing. I now have an external HD connected to each computer, not shared. This is where I store my data I work with each day on that computer. I move a folder from the external to the Desktop while working on that folder, then when finished, copy it back to the external.
I can use Rsync to copy the external to the main backup. Or should I just copy the exact folder I was working on to the main backup? I used to work this way, just in case other files became corrupted, and I was copying corrupted files over good files on the backup.

I refuse to use an incremental backup system like I once used, so that old saved files were not overwritten. I wound up filling up hard drives real fast doing it that way, and found I did not have everything in the latest incremental backup, which meant I had to go through and compare every document in every incremental backup to see which ones were missing. It took me almost a month to do this. So never again, hi hi...

QUESTION:
I have DropBox with a little free space on it.
A DropBox folder resides on my hard drive, I guess this is considered a Mounted folder.
I checked every file in the DropBox folder and found no ransomware or encrypted files.
Since it is a Mounted Folder, and also External hard drives would be considered Mounted.
Either I'm lucky and Cerber didn't attack the DropBox folder, or they have some type of system in place to prevent an attack. I don't know which.
I know hackers are always attacking cloud storage places, but it seems they have some type of backup system so they never lose users data.
My question is, what do you think about trusting your data to the cloud, like my paying for more storage space and uploading my most volatile files to DropBox. My concern is by doing so, they are visible to any hacker. But would my files be safe, considering a DropBox folder resides on my own computers?

Have a great day Yogi. I'm getting back to putting files away!

User avatar
yogi
Posts: 3904
Joined: 14 Feb 2015, 15:49

Re: Ransomware Attack

Post by yogi » 03 Apr 2017, 14:49

There is a simple fix for locking down most Windows systems. It's not perfect, but the idea is to create a user account that is not the administrator. By default the first account made by Windows has administrative privileges so that all a hacker need do is hijack that account and they have full access. Once the regular user is created, then make a second administrator account and delete the first one. Thus if that account is already compromised it will no longer be useful. From that point on never log in as administrator. If you need to do some task that requires admin credentials, the OS will ask for them automatically. This kills most virus attacks at its roots.

The above stops "most" attacks, but Cerber isn't like most attacks. The initial binary is not downloaded as an executable, and thus most AV software won't bother to check it's signature. As you discovered, picture files can be lethal. The binary needed to start the hijacking can be embedded into a .jpg file, for example, and will unpack and run when the image is viewed. I use the Mozilla mail client, Thunderbird, to shortcircuit this attack vector. By default it does not show any images in the preview pane. I'm sure there are others that do likewise. It seems as if Deb did indeed download Cerber unwittingly with that image from Yahoo. If she scanned it first, it might have been caught. But who scans photos anyway? Cerber does the system check I told you about previously and if all is clear it captures a stray system file (dll) and attaches itself to that. Being a system file it has root privileges. So, when the system calls the dll, the real payload from the hacking server is downloaded and runs. Everything gets encrypted, and Cerber deletes itself. Passwords are irrelevant in this approach to hacking.

It appears that Cerber looks for directories and drives that Windows can access. That is why the ext-x file system might be safe from attack. Windows can't read them normally. Since the attack is essentially carried out through system calls there is very little it cannot access. That is why I'm concerned about shares on a Linux box. Windows shares are in a gray area that may or may not be accessible. Plus, if you don't mount the share, Cerber won't know it's there. But then why have a share if you don't mount it?

By the way, permissions on directories and files can be manipulated exactly the same way as they can be changed in Linux. It requires use of the command line or Power Shell in WIndows 10. Windows, being Windows, doesn't use the same commands as Linux, but you should have no trouble changing permissions on anything if you are admin and using Power Shell. I never noticed a difference in that regard between NTFS, FAT, or DOS, but then I don't mess with permissions very often.

The short answer to your question is that I do not trust DropBox. It has been shown that it can be hacked. Yes, DropBox keeps your files even after you delete them, but all that means is that they will keep the encrypted files should you delete those. I'm as suspicious as you are about how Windows treats the DropBox drive. It is fully integrated and, as your recent experience shows, vulnerable.

Having said that about DropBox, I'd not discount it altogether. DropBox can be accessed via a browser which is how you should use it if you need it in Windows. If you install the desktop client, then it can be accessed like any other Windows OS directory. That means you will have to manually backup things to DropBox via the browser, plus not everything you may want to do can be done in the browser. The solution to that is to install DropBox on Linux and access the account directly from that environment.

Your overall backup strategy should include cloud storage. I'd want to use a lesser known third party service so that hackers would be less likely to attack. OR, you can go full power ahead and buy some storage from Azure or AWS if you got the spare dollars. At one time Amazon was offering a few gigs of free storage so that you may want to look into that. To my way of thinking cloud storage is the fallback and not the primary method. Removable media is a requirement in your situation and should only be attached to your LAN while backup is in progress. The ultimate paranoid would have backups in virtual machines that are not necessarily located physically on the LAN. If you go AWS for example, you will be able to save your backups into a virtual machine on Amazon's cloud servers. I'd pay the ransom if Cerber were that good to find it there. LOL

You can always backup Windows files from within your Linux environment. FTP to your NAS would be one way I can think of off the top of my head. In that case you would be making the NAS your own personal cloud storage.

User avatar
Kellemora
Posts: 1658
Joined: 16 Feb 2015, 11:54

Re: Ransomware Attack

Post by Kellemora » 04 Apr 2017, 10:37

I did what you said about Administrator back when we bought Debi's computer.
I made two accounts for her, I jokingly used Boss Debi (as Administrator), and Peon Debi (as User), then deleted the original Administrator account.
Now when she installs a program, unless it must go into the Administrator folder, then she only installs in her User folder.
Some programs, like msOffice, should be installed in the Administrator folder so all Users have access to it.

If Cerber used a dll file to do their dirty work, I'm glad I did a total erase and reinstall on her machine.

Just in case you were curious, the Synology DS109 uses the Linux ext4 file system for the internal drive.
This is why nothing on it was lost or even touched.
That being said, the only reason I found a corrupted file was because Debi uploaded a folder that contained pictures from her camera for last month. It resided on her computer and apparently was encrypted before she uploaded it. I deleted the folder as soon as I found it. She still had these pictures on her camera, and they were OK.

Don't laugh: Now that I've reformatted all of my external drives NTFS so Windows can read each, and started loading them back up again, along comes Helpful Hanna with some advice.
I should format all of my external drives as either ext3 or ext4 and install the Ext2Fsd program on Debi's computer.
Plus perhaps add a permanent sticker to the outside of each of the external hard drives saying they are formatted as Linux ext3 which can be read on a Windows computer by installing Ext2Fsd on the Windows machine.

Although Linux is not totally immune to virus or malware, and especially not the current wave of ransomware attacks. The odds of an ext3 or ext4 drive being infected is extremely low.
One caveat about Ext2Fsd is to not keep an external permanently mounted on the Windows machine, set the program to only mount using the Manager Program, and unmount when the Manager is closed.
I have not looked into this program yet. But it does make sense to change my externals to ext3 or ext4 since they are all connected to Linux boxes anyhow. Plus I have the added benefit of assigning users and excluding everyone and everything else from using the drive.

About DropBox. I got DropBox when I was with a writers group, this is where we exchanged chapters of our work for beta reading and editing. I don't remember how, but I managed to earn another gig of storage space back then. I don't use it for permanent storage of anything right now, but it is handy when I need to send files to someone and I don't want to do it by e-mail. I now have about five different folders which are used between certain individuals, and DropBox adds a notification if there is something new in one of the folders. Trouble is, you never know which folder, hi hi...
When I use it as a transfer, like when my LAN is acting up for some reason, as soon as I move the data to its intended destination, I delete the data from the folder I use for such purposes.
I do know deleting a file from a folder does not really delete it from DropBox's system. But if I recall, there is a place you can go to empty your stored data permanently, but I could be wrong about that.

You have a great day Yogi!

User avatar
yogi
Posts: 3904
Joined: 14 Feb 2015, 15:49

Re: Ransomware Attack

Post by yogi » 04 Apr 2017, 13:31

I've used Ext2Fsd in the past and abandoned it. It did not suit my purposes in that it was read only, plus it was made for Ext2 and I was using Ext4. If I recall I could also download files into Windows from a Linux box, but it would not work the other way around.

Dealing with something like Cerber would give me an incentive to backup Windows files from within a Linux environment. That would guarantee that Windows could not access the directories. You would have to unmount from the Windows directory when done just to be sure, but all that trouble seems reasonable to avoid a catastrophe.

I was a thinking a bit about Deb's picture files up on Yahoo's server - the one that is infected with Cerber. It is likely that the pictures are still there but contaminated with the Cerber boot loader. Thus, it would be possible to download all those pictures and look for a decontamination tool. You would need a clean machine that you can spare and connect directly to the Internet via a modem. Isolate the machine from your LAN so that nothing local is exposed to whatever is on Yahoo. Once you have all the pictures on the clean machine, you would disconnect it from the Internet and never, I repeat NEVER, connect it to your home network again. Anything else that you load onto that clean machine would be done via removable storage, such as a memory stick. It's my understanding that the Cerber encryption tool is not resident on the target machine. It's downloaded temporarily from their server over the Internet. Since your clean machine is not connected, it can't download the encryption key. The photographs may or may not be viewable with the virus embedded, but the task of cleaning up things becomes simplified if there is no Internet to connect to the calling program embedded in the photo files.

I've not researched it yet, but it seems reasonable to expect that there are ways to remove whatever Cerber initially attached to the photograph files and leave a clean image behind. If you really want to try and recover those pictures, it might be worth the effort. I think you will be safe as long as you are not connected to the network. I'm also guessing that normal AV software would pick up on the fact that the picture files are contaminated if they are scanned before the encryption takes place. Something like VirusTotal Uploader could be used to be certain the picture files are clean - they use a few dozen AV programs and take a vote on how safe the file is. The hardest part would be finding a program that can effectively clean the original picture files. Given the popularity of Cerber, that much should be readily available.

If you manage to clean up the picture files, they should be moved to a safe (clean) offline storage area. Then the machine you use to clean up things can be erased. I have a feeling you don't even need an activated copy of Windows to do this. You can download a copy of Windows 10 Beta software to set up the clean machine and create a local account, not a network account, to use it. That way when you disconnect from the Internet Microsoft won't be checking up on you and you will have something like thirty days before the OS either validates itself or you uninstall it when it asks for license fees.

This might be too much work for a busy man like yourself. I'm reasonably confident you can recover the picture files, but there are also professionals who are good at it. Then again, if the pictures are not that important, they can stay with Yahoo and go down the tubes with the rest of the company. :mrgreen:

I hear Verizon is going to merge Yahoo and AOL. The new name of the mesh will be Oath.

User avatar
Kellemora
Posts: 1658
Joined: 16 Feb 2015, 11:54

Re: Ransomware Attack

Post by Kellemora » 05 Apr 2017, 10:01

Hi Yogi

I've already erased and wrote zeros to the hard drives that got infected. So there is nothing left to try to recover.
Also, Debi went into her Yahoo Mail and deleted all of her mail, including those she archived. Basically, she is starting with a clean slate there too, but Yahoo may keep that stuff stored in the background.

Rather than trying to make all my drives readable by Windows, I decided to format all the externals as ext3 that are connected to Linux machines. And now have TWO Master Storage Drives, one as NTFS and one as ext4, both containing the same files. Plus the pair of externals I keep off-line, one up here, and one down at the house.
None of the drives are shared anymore. What I do on one computer only gets saved to the single external connected to it. Ditto for the other computers. Then I will manually move the USB connector from the Master ext4 to each of the computers and run Rsync from each box, one at a time. Then I will simply mirror the data on the ext4 Master to the NTFS Master using a computer that is not used on-line, aka my accounting computer.

I should be safe doing it this way, or at least I hope so.

Debi watches shows she records on TV, and one of those episodes she watched last night was a Ransomware attack to either NCIS or one of the bigger cop shows. She told me which one, but you know how that goes, in one ear and out the other, hi hi...

I have all of my files all checked now and saved to an off-line drive, unfortunately with many duplicates.
I was told I didn't have to worry about files infecting files, if they don't have those warning pages. Even so, I've been password protecting each folder I'm moving stuff into. Whether that helps or not I don't. I'm not copying anything from a previously infected folder. Looking elsewhere for those same files that are clean.
That's the nightmare of redundant backups. Too many copies of the same documents!

Have a great day!

User avatar
Kellemora
Posts: 1658
Joined: 16 Feb 2015, 11:54

Re: Ransomware Attack

Post by Kellemora » 11 Apr 2017, 10:45

This ransomware attack may have actually been a good thing in my case.
It made me go through data and get it in order and stored in a safe place again.
I have not touched my genealogy files in years, as far as updating the master file.
I did keep a working copy updated, but had not backed it up in a way for the attack to miss it.

I moved my genealogy files to an on-line database, and while checking for missing data, and adding what I had in other files not yet stored in the backup master record, I ran across some names that I hit a brick wall with every time I tried working on them.

A lot of new data has become available, old records now on microfiche and I can finally access them.
Well, I finally figured out my great-great-grandfather on my mom's side's real, full and complete name, and also all the records necessary to verify the data. Six different official record sources, each with identical information.
So it was an exciting find for me!

User avatar
yogi
Posts: 3904
Joined: 14 Feb 2015, 15:49

Re: Ransomware Attack

Post by yogi » 11 Apr 2017, 11:30

There is always some fear and trepidation involved with cleaning up computer files. A few times I've lost entire operating systems that took years to build up. There was a lot of vintage software and data, but most of it was totally useless. Then, too, I would often find things I thought were lost forever. I'm guessing you ran into the same thing when you were restoring your backups. It's a pain in the drain to put all the king's horses and all the king's men back together again, but there is something to be said about lean mean efficiency.

I know a few people who are into genealogy. It's interesting but I don't see how anything older than a hundred years could be traced with confidence. I know churches and family bibles kept records, but they were not always accurate. Unless you were of royal lineage it seems to me that most family histories were sent to oblivion prior to the twentieth century.

User avatar
Kellemora
Posts: 1658
Joined: 16 Feb 2015, 11:54

Re: Ransomware Attack

Post by Kellemora » 12 Apr 2017, 11:41

I have tons of programs on 5-1/4 floppies that won't run on today's computers, hi hi...
I managed to get some of my favorites working by running them in a compatability mode on XP, but they won't run at all on Windows 10.
Although it's been a few years now, I did find some LInux programs to emulate Windows 3.11 and the rest, not WINE, but actual emulators for a specific version of Windows. Pain to use though. I wonder if they are still out there?

Most folks are not interested in their families past. I know because I collected old family artifacts, and paid dearly to have some documents preserved and stored for well over 30 years. The cost was getting to much for me to handle, so I took the items out a few at a time and tried to get the families they most belonged to to take them. They didn't want them. Many of the artifacts I had the interesting stories that went with them, so they were fairly easy to sell on e-Bay.

A lot of old family records get destroyed when one government takes control of an area. Where my ancestors lived, they were part-time German rule, and part-time French rule. Each time the ownership changed hands, the governmental records of the other were destroyed. Thankfully, the churches all kept excellent records, so we were able to get past those eras in many cases.

I used to keep two genealogy records, one was for everyone I knew where they fit, and the other was only for those family members who I obtained at least three positive verification's for, which actually made for a mess, so I finally combined them all into one program.
After hitting a dead end going back on direct bloodlines, I began working on each of the spouses lines until I hit a dead end on each of those.
About the only time I would do any genealogy work at all was when I remarried and had new lines to add.

The sad thing is, most folks who do genealogy are not meticulous enough, and seem to add anyone they think may fit.
They say the entry is validated with documentation, but the documentation may go with the name, but not where they have them placed in their trees. Then others come along and duplicate their mistakes.
When I find my family in other peoples work, you wouldn't believe the number of mistakes I find, simply because we have about twenty named George in only three generations. Plus we have a few who changed their names when the emigrated to the US, and sometimes again when they modified it to English. Yet some folks may show this same person as three different people in their programs.

We have something interesting about our family. Two different groups of individuals who claim they are not related to each other. Yet when you talk to them, their old family stories are identical to ours. I had a whole stack of documents to prove we both came from the same great-great-great grandparents, yet they still claim it is just a coincidence that they had the same names, same occupations, wives of the same names, and from the same town.
A few years ago, when DNA testing became more affordable, my brother had his run.
I then learned that one of the family members across the river also had a DNA test done.
It took over six months for me to convince the person who did to have a comparison run concerning my brother.
Although reluctant to do so, he finally agreed. It proved beyond the shadow of a doubt that we have the same ancestors, but he would not share that information with his relatives for fear they would disown him, hi hi...

Sometimes I'm accused of plugging names just to build up the numbers I have in my file. This hurts, because I've never done such a thing. My file is quite large simply because it contains the spousal genealogies for most of the generations I could track. Heck, if you just look at my immediate uncle, dad's brother, he had 14 kids, and all but one was married. The wives of those cousins all had parents, and grandparents, etc. So when you start adding spousal genealogies the numbers add up real quick. I've also run across some most interesting stories while doing them too.

If it were not for hitting those juicy stories, genealogy would be super boring to do, hi hi...

Have a great day Yogi!

User avatar
yogi
Posts: 3904
Joined: 14 Feb 2015, 15:49

Re: Ransomware Attack

Post by yogi » 13 Apr 2017, 07:13

Without a doubt you have put more time into investigating your roots than anybody I know. I've seen some family trees put onto paper but only one that is close to being as extensive as what you describe. It seems that country folks are more interested in their family than are city folks. Given all the time and effort you put into it, I can see why you are paranoid about backing it up and protecting it. Preserving it inside a modern database would not be difficult if you had the time and the money to do it. A lot of what you have would need to be manually re-entered into a new system and you might have to come to terms with SQL in order to use all the data seamlessly. It's got to be disconcerting to confront family members who have little concern and do not want to preserve heirlooms and artifacts from your past. The competition among those who compiled alternate trees is absolutely disturbing. You must have questioned yourself at some point, "Is it all worth it?" Of course it is. The knowledge you gained has enriched your life in ways many people don't understand.

User avatar
Kellemora
Posts: 1658
Joined: 16 Feb 2015, 11:54

Re: Ransomware Attack

Post by Kellemora » 13 Apr 2017, 10:11

The irony of it all Yogi, is I'm not actually related to 95% of those in my family tree, but they are all linked to me through a chain of relatives spouses.
Doing your own ancestors has some meaning. But when you do the ancestors of spouses back as far as you can go, and then start doing the descendants of those distant ancestors, your tree grows exponentially. Working in this fashion is how I managed to amass over 146,000 individuals, all linked, in my family tree. There are probably ten times that many I don't know about too. Definitely OVERKILL to the max.
But at the time I was hot and heavy into doing this, I was volunteering my time to man a research center who had only a dozen or so people come in each day. In other words, I had a lot of idle time to kill, and was at a place with the resources to track down individuals, without having to pay to access their microfiche and microfilm rolls. So, I made good use of this time I was there working.
On the wall in my hallway back home, I had an ancestor chart, and a descendant tree coming down from my eldest known ancestor. It filled the entire length of the wall from the kitchen to the office door, and was about four feet high, all printed out in 10 point type to get it to fit. Then I would print out little slips and paste to the existing one, draw a few lines to connect them, etc.
GEDCOM is text based genealogy program with unlimited storage capability, because it stores each individual as an individual, but with code numbers to connect those who belong connected. I just hate trying to use programs like this. GRAMPS is a great program that uses GEDCOM, but it really is a pain to use.
The old Family Tree Maker (FTM), and the later Family Tree Maker for Windows (FTW) I consider one of the greatest of them all. But they sold out twice now, and data from the old versions cannot be directly imported into the newer versions. A website like Ancestry.com is not really a genealogy program, it is simply a Display program to show all of your family and links, but it does hold images of your family and source information. Trouble is, none of the add-ons you put in there can be saved since the export is GEDCOM which is text only.

The sad thing about genealogy is hitting those brick walls concerning your own family.

Post Reply