Posts: 152
Threads: 29
Joined: Feb 2016
Reputation:
0
05-03-2018, 06:29 PM
(This post was last modified: 05-05-2018, 03:17 PM by baker7. Edit Reason: Updated to correct Virus Name)
Good Afternoon Everyone:
Well, I was the unfortunate receiver of what I think was a Cryptowall Ransomware variant. I watched about 35 videos on YouTube, each telling me that there are a few ways to get rid of the ransomware. All it said was that I needed to pay $1,000 USD for the unlock code. I figured that "heck, I just need to find out what I am dealing with and get the right tool" WRONG - There was no indication of what it was, and worse than that, it must have activated while I was away, because when I got home, ALL FILES had been compromised..........I was advised to WIPE the drive all the way, and reinstall using my system image that I made on 3/29/18.
PROBLEM IS: While it SAYS that you can use a network connection to connect to a server share (running samba on Debian 8), each attempt says that the image cannot be found. I can't simply back up the image on the same drive, so I have set up samba to back it up to my 8TB drive over the network, but I wonder why I can't restore this way - keeps erroring out, even with the right password - Is there a way to force it to find the image?
Even when I copied the image to a folder on the desktop, Windows could NOT find the image - Should I move the image copy to the ROOT of the C: drive and command a system recovery? Is there a way to go right into the recovery, or do we have to always go to "troubleshoot" - seems a LONG way 'round if you want Windows to recover an image?
Any assistance you could provide me with would be beneficial, as without the image restored, I have bare bones capabilities right now.....
Thanks,
Brian B.
Brian S. Baker
Linux Enthusiast /Computer Consultant At Large/ "The Wizkid"
System Admin: buddy-baker.us
buddy-baker.us
Posts: 4,727
Threads: 311
Joined: Sep 2014
Reputation:
102
Posts: 152
Threads: 29
Joined: Feb 2016
Reputation:
0
(05-03-2018, 06:39 PM)Britec Wrote: Here is some info:
https://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information
https://noransom.kaspersky.com/
https://www.nomoreransom.org/en/index.html
Britec:
Thank you for the information provided regarding Cryptowall - I was told that whatever this is was a variant, but I am not sure it was Cryptowall.
Now, I HAD installed Windows 10 Pro to my system again, and it was working fine, but NOW all I get is a constant reboot loop, and it will boot up, show me the Dell Logo, and then just go black and reboot - I can't seem to get to a recovery environment, and when I try to reinstall Windows 10 to get it moving again, it says that I am missing a critical driver, and that I need to install it before I can continue.
Add to that, that the system can't even FIND my backup System Image, and you can see why I am stymied - I HAD at least a working Windows Install, but now, I can't even access the Windows Install that worked 2 days ago - any ideas on how to fix BOTH issues??
Thanks,
Brian B.
Brian S. Baker
Linux Enthusiast /Computer Consultant At Large/ "The Wizkid"
System Admin: buddy-baker.us
buddy-baker.us
Posts: 4,727
Threads: 311
Joined: Sep 2014
Reputation:
102
I have made videos on installing Windows 10. Check out my YouTube channel.
Posts: 152
Threads: 29
Joined: Feb 2016
Reputation:
0
05-06-2018, 02:00 PM
(This post was last modified: 05-06-2018, 02:19 PM by baker7.)
(05-06-2018, 11:24 AM)Britec Wrote: I have made videos on installing Windows 10. Check out my YouTube channel.
Understood Sir - BUT my machine is REBOOTING and is in a LOOP - I also cannot seem to get to the system repair options - so, unless I can ZAP this thing clean, I can't proceed - Thoughts??
Brian B.
Brian S. Baker
Linux Enthusiast /Computer Consultant At Large/ "The Wizkid"
System Admin: buddy-baker.us
buddy-baker.us
Posts: 1,630
Threads: 20
Joined: Sep 2014
Reputation:
31
(05-06-2018, 02:00 PM)baker7 Wrote: (05-06-2018, 11:24 AM)Britec Wrote: I have made videos on installing Windows 10. Check out my YouTube channel.
Understood Sir - BUT my machine is REBOOTING and is in a LOOP - I also cannot seem to get to the system repair options - so, unless I can ZAP this thing clean, I can't proceed - Thoughts??
Brian B.
* Power off the machine
* Insert Windows 10 USB drive created with media creation tool
* When powering on hit F12 or Esc to bring up boot device options
* Boot to the USB drive
From there you can access system repair options and/or Install Windows.
If all of your data is encrypted why are you trying to create an image?
Posts: 152
Threads: 29
Joined: Feb 2016
Reputation:
0
(05-06-2018, 03:03 PM)Timster Wrote: (05-06-2018, 02:00 PM)baker7 Wrote: (05-06-2018, 11:24 AM)Britec Wrote: I have made videos on installing Windows 10. Check out my YouTube channel.
Understood Sir - BUT my machine is REBOOTING and is in a LOOP - I also cannot seem to get to the system repair options - so, unless I can ZAP this thing clean, I can't proceed - Thoughts??
Brian B.
* Power off the machine
* Insert Windows 10 USB drive created with media creation tool
* When powering on hit F12 or Esc to bring up boot device options
* Boot to the USB drive
From there you can access system repair options and/or Install Windows.
If all of your data is encrypted why are you trying to create an image?
UPDATE: was able to make a DVD with the Media Creation tool Windows 10 PRO - 1809 - Which has the update for the Spring Creators Update. For some reason, I was continually rebooting, so Britec's instructions to search for videos he did was silly considering my situation, and I was unable to boot using USBs but booting with a DVD seems to work: Had to mess with boot order, and I think something was a little strange - All is OK as far as the Install goes right now - let's hope we can keep Thrush solid for now.
System Image: The System image I want to restore is from March 26, which was the day I decided to back up Thrush - This is 2-3 months PRIOR now to May 1, when I got the ransomware. I think I will be OK if I restore this, but I also have another PLAN that I can use: I do have a folder by folder save of the files I want, so if this does not work, I can go back to a 2015 backup done around this time that year.
I have the System Image on my Linux drive that I use for backups, so what I want to do, and am doing now is to connect to Cardinal via Samba, and copy (drag and drop) the "WindowsImageBackup" folder and any subfolders to the ROOT of C:\ - Hopefully, Windows will see that image and can restore it - My Linux Backup drive is EXT4, so Windows may not see it in the System Image Recovery, so I am hoping that copying it to C:\ will take care of that.
Thanks for the assist Brian and Tim - You are Amazing
Will Keep you UPDATED - I'm gonna make a WinPE USB to help me if I run into this again, but I don't know if there are protections against the ransomware I got, but it would be nice to have.
Brian B.
Brian S. Baker
Linux Enthusiast /Computer Consultant At Large/ "The Wizkid"
System Admin: buddy-baker.us
buddy-baker.us
Posts: 152
Threads: 29
Joined: Feb 2016
Reputation:
0
(05-06-2018, 06:40 PM)baker7 Wrote: (05-06-2018, 03:03 PM)Timster Wrote: (05-06-2018, 02:00 PM)baker7 Wrote: (05-06-2018, 11:24 AM)Britec Wrote: I have made videos on installing Windows 10. Check out my YouTube channel.
Understood Sir - BUT my machine is REBOOTING and is in a LOOP - I also cannot seem to get to the system repair options - so, unless I can ZAP this thing clean, I can't proceed - Thoughts??
Brian B.
* Power off the machine
* Insert Windows 10 USB drive created with media creation tool
* When powering on hit F12 or Esc to bring up boot device options
* Boot to the USB drive
From there you can access system repair options and/or Install Windows.
If all of your data is encrypted why are you trying to create an image?
UPDATE: was able to make a DVD with the Media Creation tool Windows 10 PRO - 1809 - Which has the update for the Spring Creators Update. For some reason, I was continually rebooting, so Britec's instructions to search for videos he did was silly considering my situation, and I was unable to boot using USBs but booting with a DVD seems to work: Had to mess with boot order, and I think something was a little strange - All is OK as far as the Install goes right now - let's hope we can keep Thrush solid for now.
System Image: The System image I want to restore is from March 26, which was the day I decided to back up Thrush - This is 2-3 months PRIOR now to May 1, when I got the ransomware. I think I will be OK if I restore this, but I also have another PLAN that I can use: I do have a folder by folder save of the files I want, so if this does not work, I can go back to a 2015 backup done around this time that year.
I have the System Image on my Linux drive that I use for backups, so what I want to do, and am doing now is to connect to Cardinal via Samba, and copy (drag and drop) the "WindowsImageBackup" folder and any subfolders to the ROOT of C:\ - Hopefully, Windows will see that image and can restore it - My Linux Backup drive is EXT4, so Windows may not see it in the System Image Recovery, so I am hoping that copying it to C:\ will take care of that.
Thanks for the assist Brian and Tim - You are Amazing
Will Keep you UPDATED - I'm gonna make a WinPE USB to help me if I run into this again, but I don't know if there are protections against the ransomware I got, but it would be nice to have.
Brian B.
UPDATE: Posted to Family Members and Friends on Facebook as a WARNING
Quote:Good Evening Everyone:
I just Wanted to let EVERYBODY know that they should always be CAREFUL of what they download or click ON: Have spent 6 of the last 8 days restoring my Windows Desktop after a Ransomware Hit me, and encrypted EVERYTHING - Most of this time, was in Montpelier (VERMONT'S CAPITAL CITY) taking stock of what I needed to have to make the rebuild possible, although my System Recovery FAILED and could not be read - If anyone sent me an EMAIL message, I have not responded to many - and for that matter, I have not been on Facebook for about a week - Lucky for me that I like to keep backups - problem is, I lost some files, and not sure which ones, but I can get them back in time. If you EVER get one of these Damn things, DO NOT PAY the ransom, and do a COMPLETE wipe and reinstall - Paying the ransom only makes these FOOLS make more of these things - Lucky for me I do a Windows Backup regularly (and that I NOW have a FULLY FUNCTIONING Acer Aspire One with Win10 Pro Loaded - Saved me some HELL this week while I was down at home) - BlueBird (Laptop) was Unaffected, and was reinstalled 3 months ago, so she was OK to use at work while Thrush was down - All Windows Machines on my network have Windows 10 PRO, and if they don't have the Spring Creator's Update (Version 1803) already they soon will have it.
Anybody Got a Seltzer Water for a Die Hard Keyboard Jockey hehehe *GRIN*
Brian B.
I wish that there was a way to nuke these things and whip them BEFORE they can do the damage - Is there a Ransomware protection software that I should be running to help me steer clear of this? Didn't even KNOW I had the thing until 17:00 on 1 May - Damn that thing was AWFUL - Thank GOD I was able to restore that 1TB external - Have a 2TB external that I'm moving the files to, and TIM is a LIFESAVER *5ERS* Thrush NOW has Version 1803, so I am mostly all set - Just have to reinstall Adobe, Office and Dreamweaver and we should be all set.
The System Image Recovery was USELESS because apparently you need to be careful when copying to a network drive, 'cause there can be dropped packets. OH well - Next we will get a 4TB or Larger Drive for my office backups.
Brian B.
Brian S. Baker
Linux Enthusiast /Computer Consultant At Large/ "The Wizkid"
System Admin: buddy-baker.us
buddy-baker.us
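Added example, not part of the original posts: the post above attributes the failed System Image Recovery to a copy damaged on its way across the network. One way to check a copied "WindowsImageBackup" folder against its source before relying on it is to hash both trees and compare them; the function names and the tiny sample tree below are constructed for illustration.

```python
import hashlib
import os
import tempfile

def build_manifest(root):
    """Map each file's path (relative to root) to (size, SHA-256 hex digest)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                # Hash in 1 MiB chunks: real image files are far larger than RAM.
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (os.path.getsize(full), digest.hexdigest())
    return manifest

def compare_copies(source_root, copy_root):
    """Return the files that are missing, extra, or different in the copy."""
    src, dst = build_manifest(source_root), build_manifest(copy_root)
    return {
        "missing": sorted(set(src) - set(dst)),
        "extra": sorted(set(dst) - set(src)),
        "corrupt": sorted(p for p in set(src) & set(dst) if src[p] != dst[p]),
    }

def demo():
    """Constructed sample: a small stand-in backup tree and a damaged copy."""
    files = {"Thrush/Backup/disk.vhdx": b"A" * 4096,
             "Thrush/Catalog/GlobalCatalog": b"catalog",
             "Thrush/MediaId": b"id"}
    with tempfile.TemporaryDirectory() as tmp:
        for side in ("source", "copy"):
            for rel, data in files.items():
                path = os.path.join(tmp, side, "WindowsImageBackup", rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as fh:
                    fh.write(data)
        copy = os.path.join(tmp, "copy", "WindowsImageBackup")
        # Simulate a bad transfer: one changed byte and one file never copied.
        with open(os.path.join(copy, "Thrush/Backup/disk.vhdx"), "r+b") as fh:
            fh.seek(100)
            fh.write(b"B")
        os.remove(os.path.join(copy, "Thrush/MediaId"))
        return compare_copies(os.path.join(tmp, "source", "WindowsImageBackup"), copy)

if __name__ == "__main__":
    print(demo())
```

Run `compare_copies` with the share path as the source and the local folder as the copy; any entry under "missing" or "corrupt" means the copy should be redone before the original is wiped.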
Posts: 4,727
Threads: 311
Joined: Sep 2014
Reputation:
102
Loads of different ransomware protection out there for free. But nothing beats common sense.