Locky/Decryptor assistance

I am the IT Admin for a small network, running a Windows WSE 2012 R2 server. Users came in this morning and found that all data files had been encrypted, showing makdonalds@india.com.xtb at the end, and had lost all their file extensions/associations.

I have read the ransomware thread and am posting the txt file attachments here, and certainly appreciate any assistance!

We have good data backups that look to be intact from Friday, and have a system backup from 4/16 that we can restore if need be, just trying to see what other options we have. I am working remote, so anything I can do from here without a site visit would be great.

I will post a reply that contains additional files that were shown listed below.

Please let me know the next steps.

Keith Hill

Additional Files Attached

scrnsave.scr has been renamed to scrnsave - copy.scr.txt to make it innocuous.

Looks like user zc was the culprit; he probably just opened an e-mail without looking. This is a totally new variant, but it appears to have left the dropper behind with an easy name.

I would like a copy of that if possible; if so, the FRST fix will place a zipped copy on the desktop. Could you upload that to a sharing site for me to collect?

Otherwise I am afraid you will need to do a backup restore.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
zip: C:\Windows\System32\Payload_c.exe
CMD: del /F /Q /S "C:\How to decrypt your files.HTML"
CMD: del /F /Q /S "C:\How to decrypt your files.PNG"
CMD: del /F /Q /S "C:\.How to decrypt your files.URL"
CMD: del /F /Q /S "C:\How to decrypt your files.txt"
HKLM\...\Run: [svihvbja] => C:\Windows\System32\Payload_c.exe
IFEO\sethc.exe: [Debugger] cmd
R5 silsvc; <===== ATTENTION: Locked Service
Task: {FE8902EF-CDAD-45A5-9915-F860FAF48B81} - System32\Tasks\Microsoft\Windows\Windows Server Essentials\BPA Scheduled Scan => powershell.exe -EncodedCommand SQBuAHYAbwBrAGUALQBXAHMAcwBCAHAAYQBTAGMAYQBuAA== -NoLogo -NoProfile -NonInteractive
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.
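The fixlist above mixes three kinds of persistence entry that an admin has to judge before pressing Fix: a Run key autostart, an Image File Execution Options "Debugger" value on sethc.exe (the Sticky Keys binary, which a Debugger value replaces with whatever command is named there), and a scheduled task whose PowerShell command is base64 over UTF-16LE. The following script is an added example, not part of the thread and not FRST's or Avast's own code; it parses constructed lines modelled on the fixlist, decodes any -EncodedCommand so the admin can read what the task actually runs, and rates each finding. The severity labels, the regexes and the sample lines are my assumptions, not FRST output formats.

```python
import base64
import re
from typing import Optional

# Constructed sample lines, modelled on the FRST fixlist posted in this thread.
# They are embedded so the script runs offline; nothing is read from a live system.
SAMPLE_LINES = [
    r"HKLM\...\Run: [svihvbja] => C:\Windows\System32\Payload_c.exe",
    r"IFEO\sethc.exe: [Debugger] cmd",
    r"Task: {FE8902EF-CDAD-45A5-9915-F860FAF48B81} - System32\Tasks\Microsoft\Windows"
    r"\Windows Server Essentials\BPA Scheduled Scan => powershell.exe -EncodedCommand "
    r"SQBuAHYAbwBrAGUALQBXAHMAcwBCAHAAYQBTAGMAYQBuAA== -NoLogo -NoProfile -NonInteractive",
    # constructed benign entry, for contrast
    r"HKLM\...\Run: [SecurityHealth] => C:\Windows\System32\SecurityHealthSystray.exe",
]

# Windows accessibility helpers that are launched from the logon screen; an IFEO
# Debugger value on any of them runs the named command in place of the helper.
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}

RUN_RE = re.compile(r"^HK\w+\\.*Run\w*:\s*\[(?P<name>[^\]]+)\]\s*=>\s*(?P<target>.+)$")
IFEO_RE = re.compile(r"^IFEO\\(?P<exe>[^:]+):\s*\[Debugger\]\s*(?P<debugger>.+)$")
TASK_RE = re.compile(r"^Task:\s*(?P<id>\{[^}]+\})\s*-\s*(?P<path>.+?)\s*=>\s*(?P<command>.+)$")
ENCODED_RE = re.compile(r"-EncodedCommand\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(b64: str) -> str:
    """PowerShell's -EncodedCommand is base64 over the UTF-16LE bytes of the script."""
    return base64.b64decode(b64).decode("utf-16-le")


def triage_line(line: str) -> Optional[dict]:
    """Classify one persistence line; returns None for lines this helper does not model."""
    m = RUN_RE.match(line)
    if m:
        return {
            "kind": "run_key", "name": m["name"], "target": m["target"].strip(),
            "severity": "review",
            "note": "autostart entry: confirm the path and publisher are expected on this host",
        }
    m = IFEO_RE.match(line)
    if m:
        exe = m["exe"].strip().lower()
        hijack = exe in ACCESSIBILITY_BINARIES
        return {
            "kind": "ifeo_debugger", "exe": exe, "debugger": m["debugger"].strip(),
            "severity": "high" if hijack else "review",
            "note": ("Debugger value on a logon-screen accessibility binary; remove it"
                     if hijack else "Debugger value present; confirm it is a real debugger"),
        }
    m = TASK_RE.match(line)
    if m:
        finding = {
            "kind": "scheduled_task", "path": m["path"].strip(),
            "command": m["command"].strip(), "severity": "review",
        }
        enc = ENCODED_RE.search(finding["command"])
        if enc:
            try:
                finding["decoded_command"] = decode_encoded_command(enc.group(1))
            except (ValueError, UnicodeDecodeError):
                # undecodable payload: treat as hostile until proven otherwise
                finding["decoded_command"] = None
                finding["severity"] = "high"
        return finding
    return None


def triage_lines(lines) -> list:
    return [f for f in (triage_line(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for finding in triage_lines(SAMPLE_LINES):
        print(f"[{finding['severity']:6}] {finding}")
```

Run against the sample lines, the BPA task decodes to a plain `Invoke-WssBpaScan`, the Windows Server Essentials Best Practices Analyzer cmdlet, which is why that task is listed for information rather than removal; the sethc.exe Debugger entry is the one that should never be left in place.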

First off, thank you for your prompt reply and time. It is greatly appreciated and noted.

I have attached the fixlog.txt file. I am searching for the payload_c.exe file, but it seems they have run a cleanup and forced a restart of the server. I’m looking to see if there are any other remnants I can offer.

It had been quarantined by MalwareBytes. I was able to restore it, zipped and password-protected the file, and have shared it below:

https://drive.google.com/file/d/0B9u9R4w1fqZ9MXNDeVh5Z0VYNWc/view?usp=sharing

I will send you the file password as an internal message here.

Let me know if you are unable to access the file. Once downloaded, let me know and I’ll delete the share for protection as well.

Thanks much!

Keith

You need to zip and password-protect it, or it will only be downloadable by you, since it is infected.

Aye, it is being detected as infected, which probably means Avast has it as well.

But if you could zip and password-protect it, that would be nice, though not essential.

It appears that only the download folder may have been encrypted.

I removed the original share, zipped and password-protected the file, and reshared it. I have sent EssexBoy the password. If I need to send it to others, let me know; I don't want to post it publicly, to minimize the risk of redistribution.

Thanks for the heads up!

Thank you, I have it now :)

Avast already detects it:
https://virustotal.com/nb/file/4109e9cd225e41273deddbfc7bd2cbaab28b22a4ed3668913a10eba19176e12d/analysis/1462820629/

First submission 2016-05-05 05:35:53 UTC ( 4 days, 13 hours ago )

Jotti >> https://virusscan.jotti.org/en-US/filescanjob/h4p4pkoahh

Intriguing, I scanned it on my system and no threat was detected.

Maybe it was just added? … Run an update.

Nope, I have the latest; let's see what Maxx says.

Guys, I have a similar problem, but my customer's files just changed to something like this: AF12A25FB6485E1CBB0ABBF5FC6EF87A.locky
Can I use this same decrypting method?
Thanks,
Fernando
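Two name patterns appear in this thread: the original poster's files kept their name with makdonalds@india.com.xtb appended, while Fernando's were replaced by a 32-hex-digit name with a .locky extension, and both families drop ransom notes like those the FRST fix deletes. Before deciding on a backup restore it helps to know exactly which shares were touched (the poster above found only the download folder hit). The following script is an added example, not from the thread or any vendor tool; it walks a directory tree, classifies file names by those patterns, and tallies hits per directory. The classification rules, the temporary sample tree and the file names in it are constructed for the demonstration.

```python
import re
import shutil
import tempfile
from collections import Counter
from pathlib import Path
from typing import Optional

# Constructed classification rules, derived from the names quoted in this thread:
#  - original name plus ".<email>.xtb", e.g. report.docx.makdonalds@india.com.xtb
#  - 32 hex digits plus ".locky",       e.g. AF12A25FB6485E1CBB0ABBF5FC6EF87A.locky
ENCRYPTED_PATTERNS = {
    "xtb": re.compile(r"\.[^.\\/@]+@[^\\/@]+\.xtb$", re.IGNORECASE),
    "locky": re.compile(r"^[0-9A-F]{32}\.locky$", re.IGNORECASE),
}

# Ransom note names as listed in the FRST fixlist earlier in the thread (compared lower-case).
RANSOM_NOTES = {
    "how to decrypt your files.html",
    "how to decrypt your files.png",
    ".how to decrypt your files.url",
    "how to decrypt your files.txt",
}


def classify(name: str) -> Optional[str]:
    """Return 'ransom_note', a family label ('xtb', 'locky'), or None for an untouched name."""
    if name.lower() in RANSOM_NOTES:
        return "ransom_note"
    for family, pattern in ENCRYPTED_PATTERNS.items():
        if pattern.search(name):
            return family
    return None


def original_name(name: str) -> Optional[str]:
    """The .xtb variant keeps the original name in front of the appended suffix; recover it."""
    m = ENCRYPTED_PATTERNS["xtb"].search(name)
    return name[:m.start()] if m else None


def scope_tree(root) -> dict:
    """Map each directory (relative, forward-slash form) to a Counter of hit classes."""
    root = Path(root)
    per_dir = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        cls = classify(path.name)
        if cls is None:
            continue
        key = path.parent.relative_to(root).as_posix()
        per_dir.setdefault(key, Counter())[cls] += 1
    return per_dir


def build_sample_tree() -> str:
    """Create a constructed tree mixing encrypted, ransom-note and clean files."""
    root = tempfile.mkdtemp(prefix="scope-demo-")
    sample_files = {
        "Downloads/report.docx.makdonalds@india.com.xtb": b"",
        "Downloads/budget.xlsx.makdonalds@india.com.xtb": b"",
        "Downloads/How to decrypt your files.txt": b"",
        "Shares/Finance/AF12A25FB6485E1CBB0ABBF5FC6EF87A.locky": b"",
        "Shares/Finance/notes.txt": b"clean",
        "Shares/HR/policy.pdf": b"clean",
    }
    for rel, data in sample_files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


def run_demo() -> dict:
    """Build the sample tree, scope it, print the per-directory tally and clean up."""
    root = build_sample_tree()
    try:
        scope = scope_tree(root)
        for directory, counts in sorted(scope.items()):
            print(f"{directory}: {dict(counts)}")
        return scope
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    run_demo()
```

Point `scope_tree()` at a share root on the restored server (or a read-only mount of the affected volume) to confirm that directories outside the one you expect really are untouched; `original_name()` lets you map each .xtb file back to the file you need from backup. For the .locky family the original name is not recoverable from the file name, so the per-directory count is the useful figure.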

No, you can't.

Please open a new topic in the Viruses and Worms section and follow the guide at the top: https://forum.avast.com/index.php?topic=53253.0

Silly Locky programmer can't even spell McDonald's correctly.
No free happy meal for him ;D

Fer, there is no decryption tool for it (yet?)

Attached is a screen capture of the email we received from the hijacker. We have chosen to restore the server system and data from backup, which was taken Friday night at 8pm, seemingly before the initial exploit of the payload early Saturday morning. I have deleted the odd zc admin account; it looks like it was created from an IE frame Java exploit on a user login back around 3/18, and it was decided that now was the time to act for some trigger reason.

I think I have the system clean; is there anything else I should run/rerun to verify?

Thanks for all your help, much appreciated!

Keith

I would consider using MBAM Anti-Ransomware, which should be leaving beta soon: https://blog.malwarebytes.org/malwarebytes-news/2016/01/introducing-the-malwarebytes-anti-ransomware-beta/

Or

CryptoPrevent: install this programme to lock down and prevent crypto ransomware.

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

You also need to ensure that net-facing programmes are all up to date.