Today I received a message that my Windows node has gone offline.
I thought I was a victim of a Windows update again, but unfortunately not.
Almost every folder on the machine, including part of the storj node system and the shared content itself, got the [decrypt2023@outlookpro.net].Elbie extension.
I don’t understand, because there is an antivirus on the machine and the Windows firewall is also active.
Can something be saved, or is that enough for my server and I can start over?
In this case, my user data is also taken, so my complete history of several months?
I have another node on the network, but it’s running under Docker and is still OK. I have to do something.
I would be more worried about my personal data, even if your node machine was somewhat isolated - who knows which executable/script implanted this crap.
You can first check the files with something like 7zip and Notepad++. Maybe it’s a spoofed version that doesn’t actually encrypt the data, but either just renames or renames+packages (I know, I know, but it’s at least worth a try).
If not… well… everything is most probably gone. All you can do is send a “f**k y*u” email. Unless you want to pay them whatever amount of bitcoins they ask. Which most likely you don’t.
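The check suggested above, as an added example that is not part of the thread: it walks a folder for files carrying the ransom extension from the first post, looks for a known archive or document header (a renamed or packaged file keeps it) and measures byte entropy (real ciphertext sits near 8 bits per byte). The 'D:\storj' path is a placeholder for the affected share.

```powershell
# Added example, not from the thread. Triage for files with the ransom extension.
function Test-EncryptedFile {
    param([string]$Path, [int]$SampleBytes = 4096)
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] $SampleBytes
        $n   = $stream.Read($buf, 0, $SampleBytes)
    } finally { $stream.Dispose() }
    if ($n -eq 0) { return [pscustomobject]@{ File = $Path; Header = 'empty'; Entropy = 0; Verdict = 'empty file' } }

    # Headers a renamed/packaged file would still carry (zip, 7z, pdf, png)
    $hex = if ($n -ge 4) { ($buf[0..3] | ForEach-Object { $_.ToString('X2') }) -join '' } else { '' }
    $known = @{ '504B0304' = 'zip'; '377ABCAF' = '7z'; '25504446' = 'pdf'; '89504E47' = 'png' }
    $header = if ($known.ContainsKey($hex)) { $known[$hex] } else { 'none' }

    # Shannon entropy in bits per byte over the sampled prefix
    $counts = New-Object int[] 256
    for ($i = 0; $i -lt $n; $i++) { $counts[$buf[$i]]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) { $p = $c / $n; $h -= $p * [Math]::Log($p, 2) }
    }

    # Header check first: archives are also high-entropy, but are openable
    $verdict = 'low entropy: open in Notepad++ and inspect'
    if ($header -ne 'none') { $verdict = "$header header: renamed/packaged, try 7-Zip" }
    elseif ($h -gt 7.5) { $verdict = 'likely encrypted (samples of a few KB reach ~7.9)' }

    [pscustomobject]@{ File = $Path; Header = $header; Entropy = [Math]::Round($h, 2); Verdict = $verdict }
}

# Placeholder path; the extension is the one reported in the first post
Get-ChildItem -LiteralPath 'D:\storj' -Recurse -File -Filter '*.Elbie' |
    ForEach-Object { Test-EncryptedFile -Path $_.FullName } |
    Format-Table -AutoSize
```

Run it read-only from a clean machine against the share, or against a disk image, rather than on the infected host.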
Hey @lovaszl -
Which “part of the storj node system” are you referring to here?
Anyways, I’d start with @mars_9t's advice, and double check that the files are actually encrypted. If they are, depending on which specific storage node files are inaccessible, the best/only option may be to simply start a new node from scratch.
or is that enough for my server and I can start over?
I would be careful of doing this until/unless you are able to determine when/how malware was executed. Otherwise, I’d be concerned that you’d start up a new node only to have the data encrypted again. However, this is something I have personally not experienced before, so read my suggestions with that in mind.
“Good” ransomware uses strong crypto and no third party tool can help you out unfortunately without having the encryption key. It seems this one is reported to have implemented the crypto correctly, so I’m betting chances are really low.
Sometimes a restore to an earlier date will fix it, without having to decrypt anything. I fixed a friend’s computer because they had ransomware on their PC as well, which running restore got rid of for me.
Thank you everyone.
I tried it with notepad++ and unfortunately it’s not a fake hash, the date trick didn’t fix it either.
I’m afraid one node minus then.
The antivirus NOD32 is standard licensed, I’ve had it on all my machines for years, I’ve never had a problem. I only used this machine for this purpose, not for everyday things.
It’s instructive, but I won’t give up.
Thanks!
I agree with all of your message except this. By far the biggest security risk is the biological entity at the keyboard.
Most of these things start with a human making an error. Opening an attachment or downloading shady software. (key-generators or illegal software downloads being a big factor)
In many cases you’d also have to click through some security warnings from your OS.
If it’s Windows, they now also have controlled folder access which will protect against apps accessing data they shouldn’t. It’s off by default though and it might cause some issues. I haven’t tried it yet myself, but just switched it on to give it a go. Allow an app to access controlled folders - Microsoft Support
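One way to switch controlled folder access on for a node machine, as an added example that is not the poster's own: it protects the node's data folder, allows only the node binary to write there, starts in audit mode so nothing breaks while you watch the log, and pulls the Defender events that show what would have been blocked. Assumptions: Microsoft Defender is the active antivirus (with a third-party AV such as NOD32 installed, Defender runs passive and this feature is unavailable), the script runs elevated, and the storagenode.exe and D:\storj paths are placeholders for your install.

```powershell
# Added example, not from the thread. Assumed paths; adjust to your install.
$NodeExe    = 'C:\Program Files\Storj\Storage Node\storagenode.exe'
$DataFolder = 'D:\storj'

function Get-CfaState {
    # EnableControlledFolderAccess: 0 = Disabled, 1 = Enabled, 2 = AuditMode
    $p = Get-MpPreference
    [pscustomobject]@{
        Mode      = $p.EnableControlledFolderAccess
        Protected = $p.ControlledFolderAccessProtectedFolders
        Allowed   = $p.ControlledFolderAccessAllowedApplications
    }
}

function Enable-CfaForNode {
    param([switch]$AuditOnly)
    # Audit mode only logs; move to Enabled once the node runs clean for a while
    $mode = if ($AuditOnly) { 'AuditMode' } else { 'Enabled' }
    Set-MpPreference -EnableControlledFolderAccess $mode
    # Protect the node data and whitelist the one process that should write it
    Add-MpPreference -ControlledFolderAccessProtectedFolders $DataFolder
    Add-MpPreference -ControlledFolderAccessAllowedApplications $NodeExe
}

function Get-CfaEvents {
    param([int]$Hours = 24)
    # Defender logs 1123 (write blocked) and 1124 (write audited) for this feature
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Enable-CfaForNode -AuditOnly
Get-CfaState
Get-CfaEvents
```

Any 1124 event naming a process other than the node binary (or a tool you deliberately run) is what you want to see before turning the mode to Enabled.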
That’s right! The weakest link is the pc operator.
I downloaded a PDF with malware and tried to open it, from the Spam folder, from an unknown email, and replied to that email that I couldn’t open the file… while I was on my phone.
Since that day I stopped working on my computer while I am talking on the phone!
Not paying attention to what you are clicking is like Russian roulette.
I was lucky then… my AV popped up on the second or third open try, blocking a URL and instantly got all my focus. And I’m pretty paranoid about security risks and well aware of them, not just a “dumb blonde”, so to speak.
I was very surprised because I have been working as an IT system engineer for 20 years, I know the risks and I act carefully, this is the first time that my machine has been infected…
In the managed IT space AV is now considered insufficient protection. We now use what are called EDR systems, or Endpoint Detection and Response. We use a package from a company called Huntress who have an incredibly good reputation. (John Hammond, one of their main staff, has a YouTube channel where he discusses recent cases.) One of the most recent breaches was a side channel attack on a VoIP company called 3cx, and one of our clients who had refused to move off this system was hit with the breach… The application binaries for the client were compromised with malware. So, you can be a perfectly well behaved user and still get hit these days. In turn the 3cx source of compromise got tracked back to a developer workstation whose user had downloaded a financial trading package that had itself been compromised. This is one reason I am moving away from using my computer for support and am instead using a VM solely for this purpose as it allows for more segregation. But my point with the reply is you don’t need to do stuff that is obviously bad to get hit these days.
There was a time when I didn’t use any AV, and Windows didn’t have any firewall. A time of dial-up connections, mp3 and avi downloads, when I believed you couldn’t get infected with malware so easily, just by surfing the net, and downloading music and videos. It gives me chills just remembering.
I even did a manual virus removal without AV, just by searching the entire HDD for any file with *.* and sorting them by creation time and modification time. Those were simpler times, and simpler malware.
Yep. I remember using a HEX editor on game files to hack the characters. lol
My very first internet experience was with a Unix system downloading emails via uucp over long distance calls on a 2400 baud modem. That particular system didn’t even have a tcp/ip stack but boy I learnt so much from it.
If I may recommend - if the machine is really only used for Storj, consider installing Linux, rather than Windows. From my point of view, there are many benefits (I don’t know about the crypto-miracle for Linux), there is no need to deal with fragmentation and, last but not least, licensing. Docker is essentially the same on both platforms.
Windows, or rather any M$ product, has disappointed me more than once. Never ever ;).
This is not strictly true. Clients were compromised simply by having 3cx binaries on their systems. The malware was deployed on a strictly limited number of systems defined by the bad actors. But those other systems were still compromised. 3cx advised which binary versions were compromised (very slowly and belatedly). Those apps are automatically updated and downloaded from 3cx by the VoIP servers, either self hosted or hosted in 3cx’s cloud.
Agreed - but the client that was compromised didn’t have admin rights but still had the compromised binaries installed.
This is true - Their CEO is also known for cancelling licenses on his personal whim if he doesn’t like what you say about him or the company. This is part of the reason we moved everyone else off them some years ago now. The CEO is actually banned from the reddit forum for 3cx for his derogatory comments and behavior.
I agree with your last points (4-8) as well. Though 3cx is trying to move clients to their web app now. But the problem is the web app doesn’t have the same functionality as the Electron app.
Mail servers running code in an email at all is a big problem. I much prefer plain text emails myself and my Exchange server and Outlook is configured to do that. Unfortunately, a lot of people like their pretty pictures in their email. It’s getting worse of course with Teams hooks as well in email now. (I dislike Teams as well quite intensely)
An interesting bit of trivia here. If you join a machine to Azure AD, Microsoft automatically makes that user a local admin. You have to go back and remove those rights after the join.