Encrypted content - virus

Hello

Today I received a message that my Windows node has gone offline.
I thought I was a victim of a Windows update again, but unfortunately not.
Almost every folder on the machine, including part of the Storj node system and the shared content itself, got the [decrypt2023@outlookpro.net].Elbie extension.
I don’t understand, because there is an antivirus on the machine and the Windows firewall is also active.

Can anything be saved, or is that it for my server and I have to start over?
In this case, my user data is also taken, so my complete history of several months?

I have another node on the network, but it’s running under Docker and is still OK; I have to do something.

Thanks!

I would be more worried about my personal data, even if your node machine was somewhat isolated - who knows which executable/script implanted this crap.

You can first check the files with something like 7-Zip and Notepad++. Maybe it’s a spoofed version that doesn’t actually encrypt the data, but either just renames the files or renames and packages them (I know, I know, but it’s at least worth a try :wink: ).

If not… well… everything is most probably gone. All you can do is send a “f**k y*u” email. Unless you want to pay them whatever amount of bitcoins they ask. Which most likely you don’t.

Searching for the given email address brings this:
Elbie Ransomware - Decryption, removal, and lost files recovery (updated) (pcrisk.com)

Not everything can be detected, unfortunately. If you clicked some executable and confirmed the UAC prompt, something could’ve just slipped through.
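A quick way to do the check suggested above (whether the renamed files are actually encrypted or merely renamed) without opening each one by hand. This is an added example, not code from the thread or from Storj: it strips the appended `[email].Elbie` suffix, looks for the original file type’s magic bytes, and falls back on Shannon entropy of the first 4 KiB. The optional `.id[...]` part of the name pattern and the entropy thresholds are assumptions, not facts from the post.

```python
import math
import os
import re
from collections import Counter

# The thread only shows ".[decrypt2023@outlookpro.net].Elbie" appended to the name.
# The optional ".id[...]" group is an ASSUMPTION (some samples of this family add one).
SUFFIX_RE = re.compile(r"(\.id\[[^\]]*\])?\.\[[^\]]+\]\.Elbie$", re.IGNORECASE)

# Magic bytes for a few common original file types. If the original was one of these
# and the header is gone, the content has been overwritten, not just renamed.
MAGIC = {
    ".pdf": [b"%PDF-"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".zip": [b"PK\x03\x04"],
    ".docx": [b"PK\x03\x04"],
    ".gz": [b"\x1f\x8b"],
    ".db": [b"SQLite format 3\x00"],      # storage-node databases are SQLite
    ".sqlite": [b"SQLite format 3\x00"],
}

HEAD_BYTES = 4096            # how much of each file to inspect
ENCRYPTED_ENTROPY = 7.5      # bits/byte; assumed threshold, ciphertext is close to 8.0
PLAINTEXT_ENTROPY = 6.5      # assumed threshold; text/config/logs sit well below this


def original_name(name):
    """Return the filename with the ransomware suffix removed, or None if absent."""
    m = SUFFIX_RE.search(name)
    return name[:m.start()] if m else None


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(name, head):
    """Classify one file from its name and its first HEAD_BYTES bytes."""
    orig = original_name(name)
    if orig is None:
        return "not-touched"
    ext = os.path.splitext(orig)[1].lower()
    ent = shannon_entropy(head)
    if ext in MAGIC:
        if any(head.startswith(m) for m in MAGIC[ext]):
            return "renamed-only"            # header intact: content not encrypted
        return "encrypted" if ent > ENCRYPTED_ENTROPY else "unknown"
    # No known header for this type: entropy alone. Compressed originals (unknown
    # archive formats, media) are ambiguous here and land in "unknown".
    if ent > ENCRYPTED_ENTROPY:
        return "encrypted"
    if ent < PLAINTEXT_ENTROPY:
        return "likely-plaintext"
    return "unknown"


def scan_directory(root):
    """Walk a tree and yield (path, verdict) for every file carrying the suffix."""
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if original_name(fn) is None:
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as f:
                    head = f.read(HEAD_BYTES)
            except OSError as e:
                yield path, f"error: {e}"
                continue
            yield path, classify(fn, head)


if __name__ == "__main__":
    import sys
    for path, verdict in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{verdict:16} {path}")
```

Run it against a copy of the affected tree (`python triage.py D:\storj`) on a machine you trust, not on the infected host. A run where every hit comes back `encrypted` is what the thread’s later replies describe; `renamed-only` on any file means the content is intact and a rename back is worth trying on that file.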

Hey @lovaszl -
Which “part of the storj node system” are you referring to here?
Anyways, I’d start with @mars_9t’s advice, and double-check that the files are actually encrypted. If they are, depending on which specific storage node files are inaccessible, the best/only option may be to simply start a new node from scratch.

or is that enough for my server and I can start over?

I would be careful of doing this until/unless you are able to determine when/how malware was executed. Otherwise, I’d be concerned that you’d start up a new node only to have the data encrypted again. However, this is something I have personally not experienced before, so read my suggestions with that in mind :sweat_smile:

Bitdefender offers free decryption tools. Check them out.
What antivirus do you use? Is it a free or paid license?

Unfortunately, “good” ransomware uses strong crypto, and no third-party tool can help you out without the encryption key. It seems this one is reported to have implemented the crypto correctly, so I’m betting chances are really low.

Sometimes a restore to an earlier date will fix it, without having to decrypt anything. I fixed a friend’s computer that had ransomware on it as well; running a restore got rid of it for me.

Thank you everyone.
I tried it with Notepad++ and unfortunately it’s not a fake hash; the date trick didn’t fix it either.
I’m afraid it’s one node fewer then.
The antivirus is NOD32 with a standard license; I’ve had it on all my machines for years and never had a problem. I only used this machine for this purpose, not for everyday things.
It’s instructive, but I won’t give up :slight_smile:
Thanks!


I’m curious how you got infected, if you don’t use this PC for your daily activities?


I would save the money and either use a secure OS or the integrated free Windows Defender. That one is always up to date, and you don’t have to bother with licensing. The detection rate is similar to the big brands. The annoyance rate (blocking legit stuff like Thunderbird) is even lower than most big AV companies.

By far the biggest security risk, in my opinion, is not being up to date and using too much insecure/outdated software. Or Windows :joy:

Antivirus software is not perfect; sometimes it can even have a negative effect on security. (Reddit - Dive into anything).


Try Malwarebytes. In my opinion it’s far better than the other old-school antivirus products.

I agree with all of your message except this. By far the biggest security risk is the biological entity at the keyboard. :wink:
Most of these things start with a human making an error. Opening an attachment or downloading shady software. (key-generators or illegal software downloads being a big factor)
In many cases you’d also have to click through some security warnings from your OS.

If it’s Windows, they now also have Controlled Folder Access, which will protect against apps accessing data they shouldn’t. It’s off by default though and it might cause some issues. I haven’t tried it yet myself, but just switched it on to give it a go. Allow an app to access controlled folders - Microsoft Support


That’s right! The weakest link is the PC operator.
I downloaded a PDF with malware and tried to open it, from the Spam folder, from an unknown email, and replied to that email that I couldn’t open the file… while I was on my phone. :man_facepalming:t2::rofl::rofl::rofl:
I stopped working on my computer while I am talking on the phone from that day! :rofl:
Not paying attention to what you are clicking is like Russian roulette.
I was lucky then… my AV popped up on the second or third open attempt, blocking a URL, and instantly got all my focus. And I’m pretty paranoid about security risks and well aware of them, not just a “dumb blonde”, so to speak.

I was very surprised because I have been working as an IT system engineer for 20 years, I know the risks and I act carefully, this is the first time that my machine has been infected… :confused:

In the managed IT space AV is now considered insufficient protection. We now use what are called EDR systems, or Endpoint Detection and Response. We use a package from a company called Huntress, who have an incredibly good reputation. (John Hammond, one of their main staff, has a YouTube channel where he discusses recent cases.) One of the most recent breaches was a side channel attack on a VoIP company called 3CX, and one of our clients who had refused to move off this system was hit with the breach… The application binaries for the client were compromised with malware. So, you can be a perfectly well-behaved user and still get hit these days. In turn, the 3CX source of compromise got tracked back to a developer workstation whose user downloaded a financial trading package that had itself been compromised. This is one reason I am moving away from using my computer for support and am instead using a VM solely for this purpose, as it allows for more segregation. But my point with the reply is you don’t need to do stuff that is obviously bad to get hit these days.


I beat you by a little; I’ve been doing this 30 years now. I have not been compromised yet, but boy does it take some work sometimes.

There was a time when I didn’t use any AV, and Windows didn’t have any firewall. A time of dial-up connections, mp3 and avi downloads, when I believed you couldn’t get infected with malware so easily, just by surfing the net and downloading music and videos. It gives me chills just remembering :smile: .
I even did a manual virus removal without AV, just by searching the entire HDD for any file with *.* and sorting them by creation time and modification time. Those were simpler times, and simpler malware.


Yep. I remember using a HEX editor on game files to hack the characters. lol

My very first internet experience was with a Unix system downloading emails via UUCP over long-distance calls on a 2400 baud modem. That particular system didn’t even have a TCP/IP stack, but boy, I learnt so much from it.

And “Huntress” would have mitigated this?

I don’t know how this fits together with this:

I am not saying that you can’t get hacked without doing something bad, but opening a ZIP file from a spontaneous job offer from HSBC is a bad thing in my opinion.

I don’t know the exact details of this case. Here is what I make of it.

  1. Most of the victims used some kind of AI-Cloud-Blockchain-SuperDuper Security Buzzword product and still got infected. That is why no security company takes liability for damages.

  2. According to Hackergruppe Lazarus steckt hinter der 3CX Supply Chain Attacke | ZDNet.de, users got a fake job offer by mail that contained a zip file. This is wrong on so many levels.
    2.1 Users should not have admin rights. Sure, even without admin rights there could sometimes be an escape, but it stops a lot.
    2.2 Mail servers should never ever accept mails with zip files (or Office files with macros, or exes). It is not 2008 anymore; use something like WeTransfer or Storj. That of course still does not stop someone from putting malware up there, but it is a lot easier to get it flagged. Azure, AWS and WeTransfer are all pretty fast when it comes to abuse in my experience.

  3. According to talque, 3CX is known for bad security. They still don’t hash passwords, which basically makes it illegal to use it in Europe.

  4. The downplaying from 3CX tells you everything. It is not bad to get hacked; what is bad is if your company has no culture of accepting it and trying to learn from the incident. The best case would be a public post mortem. The more negative and self-critical the post mortem is, the more trust I gain in the company.

  5. The two previous points show me that simply using 3CX in a company is a security risk. Using shitty software almost always is.

  6. 3CX uses Electron for its desktop apps.

  7. Even macOS and Linux are affected.

  8. The attackers somehow managed to get valid certs, so no clicking through SmartScreen was needed from the victims. How that happened and how that company reacts to this would be interesting.

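The gateway rule argued for in point 2.2 above (reject zips, macro-enabled Office files and executables at the mail server), written out as an added example. This is not code from the thread, from 3CX or from any mail product; it is a stand-alone filter over a constructed sample message that inspects attachments by extension and by magic bytes rather than trusting the declared content type, and looks inside zip containers for executables and VBA macros. The blocked-extension list is an assumption you would tune for your own environment.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# ASSUMED policy list: attachment types a gateway rejects outright.
BLOCKED_EXTENSIONS = {".zip", ".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm", ".pptm"}
# Executable-ish names worth flagging when found inside an archive.
INNER_SUSPECT = {".exe", ".scr", ".js", ".vbs", ".lnk", ".msi", ".bat", ".ps1"}
ZIP_MAGIC = b"PK\x03\x04"   # also covers docx/docm/xlsx etc. (OOXML is a zip)
PE_MAGIC = b"MZ"            # Windows executable header


def zip_inner_findings(data):
    """Look inside a zip payload for macros or executables; report what was found."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ["unreadable zip container"]
    out = []
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        out.append("Office document with VBA macros inside zip")
    for n in names:
        if os.path.splitext(n)[1].lower() in INNER_SUSPECT:
            out.append(f"executable content inside zip: {n}")
    return out


def attachment_findings(raw_message):
    """Return [(filename, [reasons])] for every attachment that violates the policy."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        reasons = []
        ext = os.path.splitext(name)[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked extension {ext}")
        # Magic-byte checks run regardless of the name the sender chose.
        if data.startswith(PE_MAGIC):
            reasons.append("PE executable by magic bytes")
        if data.startswith(ZIP_MAGIC):
            reasons.append("zip container by magic bytes")
            reasons.extend(zip_inner_findings(data))
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample():
    """Constructed sample: a 'job offer' mail with a zip hiding an .exe, plus a benign PDF."""
    msg = EmailMessage()
    msg["From"] = "recruiting@example.invalid"
    msg["To"] = "operator@example.invalid"
    msg["Subject"] = "Job offer"
    msg.set_content("Please see the attached offer.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("offer.pdf.exe", PE_MAGIC + b"\x00" * 64)   # fake PE, constructed
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="offer.zip")
    msg.add_attachment(b"%PDF-1.4\n%constructed sample\n", maintype="application",
                       subtype="pdf", filename="offer.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in attachment_findings(build_sample()):
        print(name)
        for r in reasons:
            print("  -", r)
```

In a real deployment this logic would sit in a milter or content filter in front of the mailbox; the point of checking magic bytes and zip contents, not just names, is that the sender controls both the filename and the declared MIME type.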

I am sorry, it happens sometimes.

If I may recommend: if the machine is really only used for Storj, consider installing Linux rather than Windows. From my point of view there are many benefits (I don’t know about the crypto-miracle for Linux), there is no need to deal with fragmentation and, last but not least, licensing. Docker is essentially the same on both platforms.

Windows, or rather any M$ product, has disappointed me more than once. Never ever ;).


This is not strictly true. Clients were compromised simply by having 3CX binaries on their systems. The malware was deployed on a strictly limited number of systems defined by the bad actors, but those other systems were still compromised. 3CX advised which binary versions were compromised (very slowly and belatedly). Those apps are automatically updated and downloaded from 3CX by the VoIP servers, either self-hosted or hosted in 3CX’s cloud.

Agreed, but the client that was compromised didn’t have admin rights and still had the compromised binaries installed.

This is true. Their CEO is also known for cancelling licenses on a personal whim if he doesn’t like what you say about him or the company. This is part of the reason we moved everyone else off them some years ago now. The CEO is actually banned from the 3CX subreddit for his derogatory comments and behavior.

I agree with your last points (4-8) as well. Though 3CX is trying to move clients to their web app now, the problem is that the web app doesn’t have the same functionality as the Electron app.

Mail servers running code in an email at all is a big problem. I much prefer plain-text emails myself, and my Exchange server and Outlook are configured to do that. Unfortunately, a lot of people like their pretty pictures in their email. It’s getting worse, of course, with Teams hooks in email now as well. (I dislike Teams quite intensely too.)
