
I am trying to explain what happened and to ask what can be done after being infected.
Yesterday a client called and told me that something strange had happened to his server: most of the file types had changed to "CRYPTED!" and the file extensions had been changed to something like ".xcvo0n".

Part I (ATENTION,ATENTION)

 ATENTION!!!

I am truly sorry to inform you that all your important files are crypted.
Atention! I do not offer for free the decrypt key's, for that you have to pay x.xx BITCOIN.

You can get bitcoin very easy on this site: www.xyz.com
You have to create an account and to buy x.xx BITCOIN from a seller located in your city.
Then you have to send the amount at this BTC adress: abcadsdfsdfsfsdfsdf
After that, contact me at this email adress: zxc@xcv.com
With this subject: acv23-123123

After the payment you will receive the key's to decrypt your files and a tutorial

Here is another list where you can buy bitcoin:
https://xcv.com/en/ex

Part II (SAD BUT TRUE)
It was easy to guess: he was the victim of "ransomware".

Part III (WHAT HE DID, BUT IT WAS NOT GOOD ENOUGH)
After a deep look at his server I found out that:

  1. There was an AV, but that AV had no anti-ransomware module.
  2. The server OS was Windows Server 2016; it was up to date and patched, and Windows Defender was enabled.
  3. There were some old backups of the DB and the source code.

Part IV (WHAT HE HAS TO DO)
The data is unique and valuable and he had to do something to save his ***.

  1. Pay the ransom!
    But as Norton mentioned in the first tip in "Ransomware – what can you do about it":

Do not pay the ransom. It only encourages and funds these attackers. Even if the ransom is paid, there is no guarantee that you will be able to regain access to your files.

  2. Remove it!
    But how?
    The files are encrypted and the backups are not worth restoring.
    I could not find a practical solution to "how to recover ransomware-encrypted files".
  3. Forget everything and start from scratch!

Part V (YOUR OPINION)

  • What are the incident response and disaster recovery plans for facing ransomware in the case where we were not ready, had no plan and had no backup of the DATA?
R1W
    Step zero: Already have reliable backups. Step one: Never pay; you'll only encourage more attacks. – Ghedipunk Nov 26 '19 at 05:46
  • There are [many questions here about this topic](https://www.google.com/search?q=site%3Asecurity.stackexchange.com+how+to+deal+with+ransomware) like for example [How to avoid ransomware](https://security.stackexchange.com/questions/92748/how-to-avoid-ransomware). It is not clear for me what is new in your question. It is not even clear what you mean with *"practical workaround solutions to get rid of ransomware"*: get not infected in the first place, recover after infection, decrypt encrypted files .... ? – Steffen Ullrich Nov 26 '19 at 06:05
  • @R1W: like I said, there are numerous questions about this topic (just follow the link I've posted to find more). Others are for example [Getting files back by paying Ransomware](https://security.stackexchange.com/questions/107285/), [How to deal with encryption virus?](https://security.stackexchange.com/questions/112229/), [Can I decrypt files encrypted by Odin ransomware?](https://security.stackexchange.com/questions/138819) ... In these questions you'll also find links for more help, like [The No More Ransom Project](https://www.nomoreransom.org/). – Steffen Ullrich Nov 26 '19 at 06:15
  • Unfortunately, we are not a malware/ransomware removal site. We don't do tech support. – schroeder Nov 26 '19 at 08:11
  • @schroeder Imagine this is about very important data and you have to do something and deal with it. I am aware that the first step is to prevent it from happening, but when it has happened, what should be done? The other thing is that I am not asking about a particular tool or something like that; I want to know what users should do in a similar situation. I am sure that this happens to many users and companies and will happen again. – R1W Nov 26 '19 at 12:21
  • @SteffenUllrich Thanks for the links, but the first three links do not contain valuable data that can help; "The No More Ransom Project" is something, though. I did the procedure, but there was not much help because the ransomware was known to them. – R1W Nov 26 '19 at 12:28
  • @R1W: In this case there is likely no "workaround" we can provide. If the ransomware is properly written then there is simply no way to recover the data unless you had a working recovery strategy implemented before (i.e. an offline backup). That's the main point of ransomware: to give you no choice but to pay or to accept the loss. – Steffen Ullrich Nov 26 '19 at 13:17
  • @R1W Your question is akin to "What steps can I take after a car accident to make my car not broken anymore?" Nothing. –  Nov 26 '19 at 15:27
  • @MechMK1 From where I stand, it's about incident response and disaster recovery, but in this case the victim was not ready for action and had no plan to recover from it. – R1W Nov 26 '19 at 15:40
  • Regarding your edit: See the answer. There is nothing that you can do if you don't already have backups. Take this as an expensive lesson and start backing up your data today. The more you look for ways to recover your data, the more time you're wasting by not setting up an offline backup. – Ghedipunk Nov 26 '19 at 17:30
  • @R1W Then the only response is: Do better next time. –  Nov 26 '19 at 17:55
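Before deciding between "pay", "remove" or "start from scratch", the one thing a responder can still do on an already-encrypted server is scope the damage: which files were actually encrypted, which were merely renamed, when the encryption ran, and which file is the ransom note to submit to a service such as The No More Ransom Project. The script below is an added example, not code from the question or the answer. It assumes the ".xcvo0n" extension quoted in the question, an entropy cut-off of 7.5 bits/byte to separate ciphertext from renamed plaintext, and that a ransom note is a small file containing words like "bitcoin" or "decrypt"; those thresholds and markers are heuristics chosen here, and the sample tree it builds is constructed, not real incident data. Run it against a copy or a read-only mount of the disk, never on the live server.

```python
"""Scope a ransomware infection on a copied or read-only mounted file tree."""
import math
import os
import sys
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

SAMPLE_BYTES = 64 * 1024        # examine at most this much of each file
ENTROPY_THRESHOLD = 7.5         # bits/byte; ciphertext sits near the 8.0 maximum (assumed cut-off)
NOTE_MARKERS = (b"bitcoin", b"decrypt")   # words a ransom note tends to contain (assumed heuristic)
NOTE_MAX_SIZE = 16 * 1024       # ransom notes are small text files (assumption)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


@dataclass
class ScopeReport:
    encrypted: List[str] = field(default_factory=list)      # renamed AND high-entropy content
    renamed_only: List[str] = field(default_factory=list)   # renamed but content still low-entropy
    note_candidates: List[str] = field(default_factory=list)
    first_mtime: Optional[float] = None   # earliest/latest mtime among encrypted files:
    last_mtime: Optional[float] = None    # brackets when the encryption ran

    def summary(self) -> dict:
        def fmt(t):
            return None if t is None else datetime.fromtimestamp(t, timezone.utc).isoformat()
        return {
            "encrypted": len(self.encrypted),
            "renamed_only": len(self.renamed_only),
            "note_candidates": len(self.note_candidates),
            "first_mtime": fmt(self.first_mtime),
            "last_mtime": fmt(self.last_mtime),
        }


def scope_tree(root: str, ext: str = ".xcvo0n") -> ScopeReport:
    """Walk `root` and classify every file; `ext` is the extension the ransomware appended."""
    report = ScopeReport()
    ext = ext.lower()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                with open(path, "rb") as fh:
                    head = fh.read(SAMPLE_BYTES)
            except OSError:
                continue  # unreadable entry; the overall scope matters more than one file
            if name.lower().endswith(ext):
                if shannon_entropy(head) >= ENTROPY_THRESHOLD:
                    report.encrypted.append(path)
                    t = st.st_mtime
                    report.first_mtime = t if report.first_mtime is None else min(report.first_mtime, t)
                    report.last_mtime = t if report.last_mtime is None else max(report.last_mtime, t)
                else:
                    report.renamed_only.append(path)   # content still readable: may be usable as-is
            elif st.st_size <= NOTE_MAX_SIZE and any(m in head.lower() for m in NOTE_MARKERS):
                report.note_candidates.append(path)    # submit these to No More Ransom for identification
    return report


def build_sample_tree() -> str:
    """Create a constructed sample tree (not real incident data) and return its path."""
    root = tempfile.mkdtemp(prefix="ransom-scope-")
    # Deterministic stream that hits every byte value equally often: entropy exactly 8.0 bits/byte.
    ciphertext_like = bytes((i * 97 + 13) % 256 for i in range(SAMPLE_BYTES))
    samples = {
        "ledger.xlsx.xcvo0n": ciphertext_like,                       # truly encrypted
        "notes.txt.xcvo0n": b"Quarterly report text. " * 3000,       # renamed, but still plaintext
        "README_TO_RESTORE.txt": b"ATENTION! Your files are crypted. Pay x.xx BITCOIN.",
        "untouched.txt": b"hello world " * 100,
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    print(scope_tree(target).summary())
```

Pass the mount point of the copied disk as the first argument; with no argument the script scopes its own constructed sample tree. The "renamed only" bucket is the one to look at first: a file that carries the attacker's extension but still has low entropy was never actually encrypted (the process was interrupted, or the file was skipped), so it can be renamed back. The mtime range gives the window to search in event logs and RDP/VPN records for the initial access, which is the part of the incident a backup cannot answer.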

1 Answer

Probably nothing you can do

You may be able to find decryption software for this specific ransomware, but chances are slim.

All you can do is restore from a backup.

What if I don't have a backup?

That's your fault. Your files are lost. Ransomware is nothing new, and the warning "the only effective defense against ransomware is a backup" has been out there for years.

See it as a very expensive lesson about the value of backup systems.

Anders