Office network...one girl gets FBI Ransomware, rest of the network has rootkits

YeOldeStonecat

So within hours of a girl opening a phish e-mail (some LinkedIn invite or something)....her computer gets whacked with the FBI ransomware...I get the e-mail of 911 from someone else in the office, an insurance company...while I'm on a several hour phone call job of switching PC credit card processors for a multi-site package store business over an hour away. I e-mail back to have her shut down her computer.

Within about an hour...the boss of the insurance company sends an e-mail..most of the computers on the network have popped up with the Windows file protection error, please insert Windows CD.

By the time I finish my prior job, I remote into their office and start with her computer...RDP in from the server as Administrator and easily clean up the FBI bug. While finishing hers, I start working on one of the computers that had that Windows file protection error. Malwarebytes scan, clean. Go to check antivirus...can't launch. Hmmm...not even showing in systray. Snag TDSS...run it, finds rootkit.boot.xpaj.a but it cannot repair the MBR, asks to rewrite a fresh one. I know better than to do this, seen it make a rig unbootable too many times if I see that error...ends up giving an invalid partition error when I reboot. I try the new Malwarebytes anti-rootkit beta tool..it finds stuff, cleans, reboots...basically back to square 1 again...TDSS still sees it, still has the same error.

But yeah, main point of this thread....just a heads up, if someone on a network gets an FBI bug...may be a variant that is network aware and able to spread and inject a rootkit in other rigs very quickly.

My schedule sucks next week..already booked...but I'll have to wipe Monday and try to find someone to help me go clean up this network of 18 rigs.
 
Just out of curiosity, are they keeping their Windows and third party apps updated? If not, perhaps this is a good time to offer an MSP service. None of my managed clients have been affected by this infection and I'm thinking it's because I keep all their programs fully updated.
 
They are on WSUS, they have a network antivirus package. I've been working on them for over 2 years to let me replace their Cisco router with an Untangle UTM at the edge....maybe now I can finally get one in there. As for their web players being updated...they're not bad (generally just a little bit behind)...but not managed monthly with that either.
 
Who is plugging in their iPod or iPhone? I had a similar case about 6 months ago, though it only managed to hit 2 machines. They were the only 2 that hadn't been migrated to Kaspersky from mcafee. Turned out someone had an infected file from their home machine hiding on their iPhone.
 
Hmmm....could be something like that. I was assuming that the girl that got jacked by the FBI ransomware after opening up that phish e-mail (which I saw..and it was clearly phish)...spread the bug.
 
Thanks for the heads-up YOS.

What's the backup status? Would it be quicker to restore? Watch out for mystery partitions...
 
Man what a nasty onsite!
All workstations hit from that XPaj rootkit. Some of them can't even boot up in safe mode, bluescreen with a 21a no matter what.

Took one of the drives from the bluescreening rigs and slaved it into my laptop..external SATA dock, and my laptop's MSE jumps right up and goes to finding and cleaning the XPaj.

Had been using Eset and Kaspersky on the other rigs and they were unsuccessful. Heh..sometimes MSE really surprises me.

Whelp... back to making rounds of this office and blowing away MBRs and getting rigs back up.
 
Nuke 'n pave on all of them!!!

Couldn't get Windows to settle down solid....feel this new XPaj variant molested enough OS files to stay in there. This is a case where "Better safe 'n sorry".
 
Arrrgh!!!

What else were these folks running besides MSE?

Did you find the perp (infected email attachment, infected phone, etc)?
 
My laptop had MSE. They were running "End Point Security"..which is part of N-able's management, and based on the Panda engine. I've seen it perform fairly well overall....seen it pick up infections that Eset missed. It's a tiny bit "heavy" on older systems is pretty much my only gripe with it.

And their e-mail is filtered through Kaspersky, Authentium, and Clam scan engines. So they missed the phish e-mail too...appearing to come from LinkedIn.

One girl's rig got hit, spread to a share on the server..from there leapt to the workstations...both XP and Win7 64 bit.
Server came out pretty well, OS not touched..just some files on the wintam share.
 
Lucky about the server but I'd watch it like a hawk. Maybe even grab, if still available, an image of the server from before the infection as a fall back point.
 
Yeah, got an image of the server from a while ago. :)
Since domain users don't have local admin rights on the server...pretty sure it wasn't able to scratch the surface on that.
Just an example of the drawback of domain users having local admin rights...in common small business networks. It's almost a necessary evil. Smaller businesses typically need that. But this is a drawback...a user on one workstation has rights to other workstations from \\workstationname\c$.
 
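The drawback described in the post above (a domain user with local admin rights everywhere can reach every other rig through \\workstationname\c$) is something an admin can audit. The script below is an added example, not code from anyone in this thread; the workstation names and the CORP domain are constructed placeholders, and it assumes the account running it can query the listed machines.

```powershell
# Added example: audit local Administrators membership across workstations and
# flag domain principals that are not on the expected list. A domain account that
# shows up as Unexpected on several rigs is one whose compromise on one rig
# gives it C$ access on the others.
# Assumptions (constructed placeholders): workstation names, NetBIOS domain name.
$Workstations = @('WS01', 'WS02', 'WS03')
$DomainName   = 'CORP'

# Accounts that are expected to be local admins everywhere
$Allowed = @("$DomainName\Domain Admins", 'Administrator')

function Get-LocalAdmins {
    param([string]$Computer)
    # ADSI WinNT provider works against XP/Win7 era hosts without PowerShell remoting
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        # ADsPath looks like WinNT://CORP/jsmith or WinNT://WS01/Administrator
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

$report = foreach ($ws in $Workstations) {
    try {
        foreach ($member in Get-LocalAdmins -Computer $ws) {
            [pscustomobject]@{
                Workstation = $ws
                Member      = $member
                # Only domain principals matter for cross-workstation reach;
                # anything not on the allowed list is flagged
                Unexpected  = ($member -like "$DomainName\*") -and ($Allowed -notcontains $member)
            }
        }
    } catch {
        Write-Warning "Could not query $ws : $($_.Exception.Message)"
    }
}

$report | Sort-Object Workstation, Member | Format-Table -AutoSize

# Summary: domain accounts that are unexpected admins on more than one rig
$report | Where-Object Unexpected | Group-Object Member |
    Where-Object Count -gt 1 |
    Select-Object @{n='Account';e={$_.Name}}, @{n='Workstations';e={$_.Count}}
```

The second table is the one to act on: each account listed there is a single credential whose theft on one workstation reaches every other workstation in its count.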
I haven't worked in a server environment (well, not for a long time). Would UTM have limited the infection to the one workstation?
 