The computer was an infected windows 7 Machine and I witnessed the damage this can do to a company.
The customer was infected with the Nemesis Ransomware and all files were encrypted with the words super_man@aol.com after each file.
DON'T EVER PAY THESE SCUMBAGS
The first thing was to remove the infected computer from the network before it infected other computers if it hadn't already.
I then logged into the modem and change the password and removed the remote desktop forward that was in place for the accountant to access, his problem was that the password he used for his login was too simple.
All his files had been infected
Yes the customer did do a back up regularly but after his back drive broke down he failed to backup his files manually or replace the backup system, even then this probably would have infected that as well.
What I did to retrieve the customers files.
Don't connect to your personal network, don't connect to the internet as yet, if you do want to enable safe mode with internet access then remove all computers from modem and only connect this but I would do this as yet.
Rebooted the PC while tapping F8 to enter Safe Mode, may be different for your PC.
From a clean PC download Malwarebytes and HitmanPro for 32bit or HitmanPro_x64 for 64bit, ShadowExplorer and Mafee getsup
I would purchase a copy of Malwarebytes its worth for premium protection, it will also protect against Ransomware.
Make sure that the USB is empty because you will want to format this when done
Once all files are downloaded and on the USB stock transfer to the infected PC now in Safe mode
Install and run malwarebytes update software/definition first by hitting the update button and if you have purchase a serial then enter now or use the premium in trial mode
Once complete click remove virus, you may need to reboot but make sure after the reboot you tap F8 to enter Safe mode again, If it does reboot back to normal boot just reboot again until you reach Safemode again as we have much more to do.
Be aware that all we are doing for now is trying to remove the infection so that we can boot into normal mode to see if we can retrieve the files.
After this is complete from Safe mode also run Hitman pr or 64 bit if you have a 64bit system
it will ask you to either install just click on one time run only, there is no need to install as it will conflict.
I also used a free copy of comodo rescue CD which boots and runs from the CD, that was me being anal.
Ok this may seem stupid but I now rebooted to normal boot in other words not in Safe Mode and entered system restore.
I did not do this earlier as I didn't want to infect system restore, so I removed the infection first.
Now by restore this to an earlier date say week or so I thought that just maybe this would work and it did repair some files but most files were still not working.
Hopefully you can still restore and that was not deleted.
After the restore finished I then returned to Safe mode and installed Malwarebytes again then did another scan then rebooted, back to safemode then scaneed with hitman pro and comodo.
I know this is monotonous but trust me its all worth it.
After all scans are done and you have rebooted to normal boot mode, you now have a PC restored to a much earlier time before the ransomware and hopefully virus free, so from here on the USB stick run ShadowExplorer-0.9-portable as Administrator
Don't forget to scan the USB stick when doing the virus scans as well and never place that infected stick back into a clean PC, your better off getting another USB stick if needs be.
Hopefully your system has has shadow copy turned on and if so you can go back in time, as you go back in time you will find a day when the ransomware was placed on the PC and executed as the earlier days will show all your files in perfect condition.
Select your C drive then sect the date from the dropdown menu.
Please do not try to use shadow explorer to you have fully cleaned the PC
Right click on the folder you need to retrieve, then click export, then sect a USB drive the drive
Note that you WILL have to format the drive, these people usually create a fictitious user which is hidden so don't attempt to keep the computer as is, this exercise was merely a process to remove ransmoware/malware and retrieve your lost files.
No comments:
Post a Comment