In the coming weeks, we will be releasing periodic segments of a new series called “Ransomware In Action.” We have initiated an infection on a Windows 10 workstation in an attempt to educate users on ransomware infections. During the process, you’ll get to see what happens during a ransomware attack, how your files come out virtually unscathed, and how you can recover from an attack almost instantaneously.
The first step of the process was to infect our lab environment with different types of ransomware and malware to document the results.
Our test lab included a Windows Server 2012 R2 domain controller, a Windows 10 Professional workstation and a reevert appliance for file storage, all running on top of a VMware ESXi 6.0 hypervisor.
The lab’s reevert appliance hosted two shares with sample documents, spreadsheets, PDF files, executables, ISO images and other files. The Windows 10 VM had these shares mapped as network drives, just like a regular office environment with file servers and workstations.
This setup includes a test domain and all machines, including the reevert appliance, are members of that domain.
We initiated the infection from the Windows 10 VM. The workstation does not have any kind of anti-virus installed, and Windows Defender was disabled. To be honest, anti-virus products are never 100% able to catch malware anyway, especially when it comes to 0-day type attacks, and Windows Defender has truthfully never been a very effective tool as it is.
The first step was getting a sample malware package downloaded. Malwr is a great source for finding and downloading all kinds of malware samples.
For the first part of this series, we decided to give Cryptfile2 ransomware a try. We downloaded the package and executed the ransomware.
Once executed, nothing out of the ordinary pops up, and you do not see any visible signs until everything is encrypted.
Checking Task Manager shows two strange xkgtkulv processes consuming a lot of CPU power, which we assume are related to the ransomware.
Figure 1: xkgtkulv processes are suspicious
In less than five minutes, all network shares were encrypted. Cryptfile2 ransomware leaves a text file in every folder that provides instructions on how to contact the attackers to decrypt the files. It also appends a contact email address to every encrypted file name. Apparently all file types get encrypted, and this includes executables, installers, ISO files, etc.
Once Cryptfile2 ransomware is done with the encryption process, it displays a fake error message asking the user to type in their credentials to initiate a system restore due to a Windows failure. It is looking for credentials with Administrator-level access.
Figure 2: View of an encrypted folder
On network shares, it creates a fake Adobe Acrobat Reader installer file to possibly lure network users to click and spread the infection to more machines.
Figure 3: A fake Adobe Acrobat Reader Installer is created
The text file explains what happened to the files, what kind of encryption (RSA-2048) was used and how they were encrypted. The text file even has a link to Wikipedia for more information about the RSA-2048 encryption method. Cryptfile2 ransomware encourages victims to contact the attackers immediately, or the ransom price will be doubled within 72 hours. You can see the file below.
Figure 4: HELP_DECRYPT_YOUR_FILES text explains everything!
In our case, the fix was easy. All that needed to be done was to log into reevert’s admin panel and roll our data back to a snapshot taken before the time the infection started.
Figure 5: The Rollback function is here to save you a lot of time and effort during the file recovery process.
Reevert takes hourly snapshots of your data. If anything happens, you can recover and restore individual files very quickly; alternatively, you can roll the whole share back in time in the event that everything is infected. You can also perform a full restore if that is the only viable solution. This is as easy as just a few clicks and can save you a lot of time and effort in recovery-related operations.
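To choose the right snapshot you need to know when encryption started on the share. The script below is an added example, not reevert's code or part of this post's analysis: it classifies a share listing by the two Cryptfile2 indicators described above (HELP_DECRYPT_YOUR_FILES notes and file names with a contact email appended), reports the earliest indicator timestamp, and picks the latest hourly snapshot taken before it. The email-suffix pattern, the sample listing and the snapshot times are assumptions constructed for the example.

```python
import os
import re
from datetime import datetime, timedelta

# Indicators described above: a ransom note dropped in every folder and a
# contact email appended to each encrypted file name.
NOTE_NAME = "HELP_DECRYPT_YOUR_FILES"
# Assumed pattern: any file name ending in an email-address-like token.
# Adjust to the exact suffix layout you observe on your own shares.
EMAIL_SUFFIX = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+$")


def classify_entries(entries):
    """entries: iterable of (relative_path, mtime as datetime).
    Returns ({folder: {"notes", "renamed", "clean"}}, earliest indicator time)."""
    folders = {}
    earliest = None
    for path, mtime in entries:
        folder, name = os.path.split(path)
        stats = folders.setdefault(folder, {"notes": 0, "renamed": 0, "clean": 0})
        if name.startswith(NOTE_NAME):
            stats["notes"] += 1
        elif EMAIL_SUFFIX.search(name):
            stats["renamed"] += 1
        else:
            stats["clean"] += 1
            continue  # untouched files do not move the infection start time
        if earliest is None or mtime < earliest:
            earliest = mtime
    return folders, earliest


def pick_snapshot(earliest, snapshots):
    """Latest snapshot taken strictly before the first indicator appeared."""
    candidates = [s for s in snapshots if s < earliest]
    return max(candidates) if candidates else None


def scan_share(root):
    """Walk a mapped share on disk and feed its listing to the classifier."""
    entries = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            full = os.path.join(dirpath, n)
            mtime = datetime.fromtimestamp(os.path.getmtime(full))
            entries.append((os.path.relpath(full, root), mtime))
    return classify_entries(entries)


# Constructed sample listing standing in for a "Documents" share (not real data).
T0 = datetime(2016, 6, 1, 10, 17)  # assumed moment the first file was encrypted
SAMPLE_ENTRIES = [
    ("Documents/report.docx.restore@example.com", T0),
    ("Documents/budget.xlsx.restore@example.com", T0 + timedelta(minutes=1)),
    ("Documents/HELP_DECRYPT_YOUR_FILES.txt", T0 + timedelta(minutes=2)),
    ("Documents/notes.txt", datetime(2016, 5, 30, 9, 0)),  # untouched file
]
# Constructed hourly snapshot times around the infection window.
SAMPLE_SNAPSHOTS = [datetime(2016, 6, 1, h, 0) for h in (8, 9, 10, 11)]

if __name__ == "__main__":
    folders, first_seen = classify_entries(SAMPLE_ENTRIES)
    print(folders, first_seen, pick_snapshot(first_seen, SAMPLE_SNAPSHOTS))
```

Run scan_share() against a mapped drive letter or UNC path to apply the same logic to a live share; a folder with notes or renamed files and no clean ones is fully encrypted.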
Even if you are using reevert in “Sync Remote Shares” mode, the recovery will be fast and easy. All that needs to be done is rolling back the filesystem to the original state and then copying files and folders back to your non-reevert file server.
In a real-world scenario, you will also need to disconnect the infected computer from the network and make sure it is malware-free before reconnecting it to your network.
For a hassle-free 30-day trial, click the "Free Trial" button, then download and deploy a copy of the appliance. No credit card required.