Ranssomware .mammon

TiZed
TiZed W/ Alumni Posts: 3 Security Scout

we have been using F-secure for many years.

 

on 12.09.2018 we found some of our mashines encripted by unknown Ranssomware giving .mammon extensions.

 

our internal ivestigation found several mashines infected trouh the local network

using administrative rights.

Infected mashines have Ranssomware executable called "system.exe" at c:\users\XXXX\Appdata\roaming /where "XXXX" is username having adminitrative rights on network and local machines/.

Ranssomware is encoding local files but any shared folders accesible trough the network.

 

yesterday we found basic description on

 

http://id-ransomware.blogspot.com/2018/06/scarab-diskdoctor-ransomware.html

 

our report got registered as ref:_00Db0JXpV._5000X1Z5Ar5:ref

 

we are wondering why F-secure was not able to stop or reduce damages.

 

we are looking for 2 solutions:

 

1. how to get protected against any possible further attacs of that kind

2. how to recover / decrypt data that have not been backuped recently.

Comments

  • etomcat
    etomcat W/ Alumni Posts: 1,172 Firewall Master

    Hello,

     

    Please consider if you were maybe penetrated via legitimate, but weak password protected, publicly accessible remote desktop links? That's one common attack venue, where hackers find the port, guess the password, get in, install legitimate encryption software, encipher your data and demand a ransom. No malware is involved in that  process whatsoever, so anti-virus software cannot do anything in such cases.

     

    BR: Tamas Feher, Hungary.

     

     

  • TiZed
    TiZed W/ Alumni Posts: 3 Security Scout

    it seems to be combined attack.

     

    For sure I found ransomware executable detected from F-Secure log but somhow 2 minutes later system was rebooted and then ransomware executable took control before F-Secure and sicceded to block it.

    Than later real encoding started after my login.

     

    I saw something wrong and swithed the power off.

    Then I reboted is safe mode and sicceede to find ransomware executable agent.

    It succeded to ecode some 2/3 of the system disk but fortunately 

     

    On some other mashines encoding proces was finished without a human login.  They are 100% encoded excluding the Windows folders which are not affected. On these mashines we did not find a copy of any ransomware executable agent.

     

    May be attackers were enterer trouh RDP then injected a ransomware executable and did restarted  machines. 

     

    We revised our policy for remote access but we cannot avoid it completely.

    Firewall system is good enough but may be improved I hope.  

    For sure we should look for any internal network monitoring/blocking  solution.

  • TiZed
    TiZed W/ Alumni Posts: 3 Security Scout

    Hello again,

     

    Now I can summarize:

     1. Attack came from rough open non standard RDP port forwarded to  a local mashine. Ransomware was stated thee for sure. It succeded to encrypt first all the local drives and mapped network drives. Unfortunatelly attacked user had administrative access to other machines defined by the group policy in local network. 

    2. Further attacker or Ransomware itself succesed to take control on several mashines from the same user group. On the each machine it succeded to take control on Ransomware was installed and run.

    3. On some other mashines it succeeded only to inject the Ransomware executable in "c:\users\anyvaliduser\appdata\roaming\system.exe" and to modify registers of the user :"Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce"  to point to the executable above so as Ransomware to start on login.

    4. I succeded to take a copy of the executable and sent it to the F-Secure support together with some encrypted files and the corresponding Ransom note. I did send a copy to "https://www.nomoreransom.org/bg/index.html" as well.

    5. We took care with some improvements tgo avoid  further problems of this kind.

    We implemented some steps to get better protected /like change of all passwords; improvement of the group policy; disable direct RDP; implementation of network firewall; windows and AVP updates./   
    6. Recent versions of AVR and Windows Definer are able to detect and remove it. Windows defender is recognizing it as "Ransom:Win32/Pulobe.A" blocking and removing it as well.

    7. "https://id-ransomware.malwarehunterteam.com/index.php" is recognizing it as aversion of Scarab and says that a decryptor may be found ...

    8.We yet need /we are looking for/ a possible file decryption. We have some unique files encrypted.

     

This discussion has been closed.