Virus attack (please help) - Ransomware

[Ofel]

Hi, guys.

I'm in a real though moment in my life. My Windows was attacked by a ransomware, and all my files inside D: has turned into .codnat files. I've been searching desperately on the Internet since 2 days ago, but I can't find any real decryptor for this type of file (.codnat). I cannot access thousand of my important files, including my college assignments!

If you've ever experienced or know something like this, please share here.
I will very much appreciate all the help I can get.

PS:
The txt file below is the message left by the attacker that ask me to pay ransom to get back my files.

 

[Zombie]

hmmm I wonder if I should download a file uploaded from a computer infected with ransomware

Also, there are plenty of methods which you can find online with minimal googling, like this one:
How to remove STOP (DJVU) Ransomware and decrypt .berost, .fordan, .codnat or .codnat1 files | BugsFighter

also, use a fucking antivirus, man

 

[Ofel]

I have already been trying some ransomware removal tool, but I'm quite sure now that the infection inside the system has been cleaned. I used system restore point and installed an antivirus for a full scan.

I've tried the STOP decrypter but it cannot decrypt .codnat files.

Thanks for trying to help anyway.

 

[Dr Super Good]

The files are likely gone for good since without the appropriate key, often immediately discarded, it is physically impossible to decrypt the files. The most powerful super computers could be working on it until the end of time and never succeed.

Outside of common security practices such as updating to Windows 10 latest milestone the best protection is to keep a backup of the files on a detachable drive which you only plugin during backups.

 

[Amigoltu]

Updating to Windows 10 is not necessary. Primarily, have at least Microsoft Security Essentials installed. It's a free antivirus, that is reasonably good at protecting from most threats. Other than that, be careful about what you download. Ransomware primarily spreads through downloaded executable files (like most malware), thus, be more careful about those. Be especially careful about emails from unknown sources, and do not download any attachments they might have.

EDIT:

Or uses arbitrary code execution exploits. Such as what wanacry did.

Hmm I've once heard about a case, where MS Word macro functions were used to install ransomware. I guess that's something like that.

 

[Dr Super Good]

Ransomware primarily spreads through downloaded executable files (like most malware)

Or uses arbitrary code execution exploits. Such as what wanacry did.

 

[pyf]

According to Bleepingcomputer, Michael Gillespie has announced several days ago that his STOP Djvu Ransomware decryptor will no longer be updated as the ransomware developers changed the decryption method. Quoting him, "The criminals have made changes and I will not be able to decrypt future versions as I did before."

Michael Gillespie on Twitter

More info about the STOP ransomware:
STOP Ransomware (.STOP, .Puma, .Djvu, .Promo, .Drume) Help & Support Topic - Ransomware Help & Tech Support

Outside of common security practices such as updating to Windows 10 latest milestone the best protection is [...]

No, not really imho.

[...] Updating to Windows 10 is not necessary. Primarily, have at least Microsoft Security Essentials installed. [...] Other than that, be careful about what you download. Ransomware primarily spreads through downloaded executable files (like most malware), thus, be more careful about those. Be especially careful about emails from unknown sources, and do not download any attachments they might have.

Yes, definitively imho.

 

[Dr Super Good]

No, not really imho.

Why not?

 

[Ofel]

According to Bleepingcomputer, Michael Gillespie has announced several days ago that his STOP Djvu Ransomware decryptor will no longer be updated as the ransomware developers changed the decryption method. Quoting him, "The criminals have made changes and I will not be able to decrypt future versions as I did before."

Michael Gillespie on Twitter

More info about the STOP ransomware:
STOP Ransomware (.STOP, .Puma, .Djvu, .Promo, .Drume) Help & Support Topic - Ransomware Help & Tech Support

It's okay. I've wholeheartedly discarded all the data turned into .codnat files.
Damn...

 

[pyf]

By discarded, you mean deleted?

Fyi, a new tool which might eventually help with some of the files encrypted with online keys, is currently in the works.

Quoting Michael Gillepsie, "I will now be focusing on sunsetting this decrypter, and continuing work on the new decrypter that will work only for the old version (up to .carote) with some caveats. The new decrypter will completely replace STOPDecrypter when it is released, and will work in a different way. More details to follow upon its release."

Why not?

Someone did not read @Amigoltu's post, I see.

Generally, ransomware gets installed thanks to the computer user himself/herself, doing something he/she should never have done in the first place. And no OS can save the user from his/her own ill-informed decisions.


While Windows 10 has something called Controlled Folder Access, it is not enabled by default. And enabling it requires extra involvement from the computer user to set it up to his/her needs.


Now, if I were to protect any computer from Ransomware, I would do any/all of the following things:
- install a blocking (combination of several) Hosts file (W9x => W10)
- install a resident antivirus software, with up to date signatures (W2K => W10)
- install a *heuristics behavior* based anti ransomware (XP => W10)
- run the OS from a limited account (W2K => W10)

As for me on Windows 10 version 1809, I am using a Hosts file, Windows Defender/Security Intelligence, and the beta version of MalwareBytes Anti-Ransomware (currently at v0.9.18.807 - Build 238)


I am not convinced that exploits are the main distribution channel for Ransomware. But for those who think it is, they may also give a shot at:
- Malwarebytes Anti-Exploit (XP => W10)
- HitmanPro Alert (XP => W10)

The anti exploit solution built into Windows 10 with version 1709 was a hit and miss, but it is also my belief that they are improving it over time. I personally do not feel the need to install MBAE on Windows 10 version 1809.


Regarding the STOP family of computer ransomware, we learn that their harmful part is built using either VS2013 or VS2017 afaik. It means that OSes which can not run such code are imho safe from such infections.


Other security features built into Windows 10 (not related to Ransomware) may not be available, if the computer itself does not meet sufficient hardware requirements. And such requirements get updated from year to year (please see the reports from dgreadiness for more info and tips). But this is *way* beyond the scope of this thread...

 

[Dr Super Good]

Generally, ransomware gets installed thanks to the computer user himself/herself, doing something he/she should never have done in the first place. And no OS can save the user from his/her own ill-informed decisions.

Except Wanacry, which was spread between systems automatically by exploiting legacy versions of SMB.
https://en.wikipedia.org/wiki/EternalBlue
This is why legacy versions of SMB are by default disabled in Windows 10. This is also why Windows 10 has quite a strict default update policy, including builds of it becoming unsupported after a year or so.

I guess you could blame the user for not installing the security patches in time to prevent use of the exploit. However the fact still remains that most of the systems Wanacry affected were because they were not up-to-date, connected to the internet or big network and were running at the time. The user did not have to run anything to be infected, such systems would be infected by other infected systems.

Regarding the STOP family of computer ransomware, we learn that their harmful part is built using either VS2013 or VS2017 afaik. It means that OSes which can not run such code are imho safe from such infections.

Visual Studios is an IDE and compiler set. It can build applications for Windows, Mac and Android. If GCC is integrated I am sure Linux applications can be built as well.

Other security features built into Windows 10 (not related to Ransomware) may not be available, if the computer itself does not meet sufficient hardware requirements. And such requirements get updated from year to year (please see the reports from dgreadiness for more info and tips). But this is *way* beyond the scope of this thread...

That likely is a motherboard feature. It is just like secure boot is only available on modern motherboards running UEFI as opposed to legacy ones running traditional/legacy BIOSes.

 

[pyf]

Except Wanacry, which was spread between systems automatically by exploiting legacy versions of SMB.
EternalBlue - Wikipedia
This is why legacy versions of SMB are by default disabled in Windows 10. [...]

I guess you could blame the user for not installing the security patches in time to prevent use of the exploit. However the fact still remains that most of the systems Wanacry affected were because they were not up-to-date, connected to the internet or big network and were running at the time. The user did not have to run anything to be infected, such systems would be infected by other infected systems.

Regarding Wannacry specifically and according to what I remember reading in mid-2017, it was targeting unpatched Windows 7 computers. Its specificity was that it could propagate itself by using stolen code which allows to exploit a vulnerability in SMBv1 the NSA had been aware of (and presumably had been itself exploiting) for several years, while during that time Microsoft supposedly wasn't aware of the NSA's antics (*cough!*). But anyway and back to the developers of Wannacry, it is safe to assume they had corporate environments in mind, as it could also spread on a network.

While I am still not convinced that Ransomware mainly spreads thanks to exploits, I also know it can happen:
Exploit Kits Target Windows Users with Ransomware and Trojans - Bleepingcomputer
... but again, any experienced and sensible computer, user who also previously installed any or all of the software I mentioned above, and who also cares about updating the software he/she uses, should be safe from such threats imho.

The first and best line of defense for a computer still remains imho an experienced user, even moderately. Anybody can uninstall or disable manually anything he/she does not need in the first place, including SMB, the USB autolaunch feature, SSL, several stealthed communication ports, the Remote Registry service, VBScript... Reading about how software works and how to configure it, is fairly easy. and interesting. and possibly fun also. The general rule should always be: the user is the admin, and it is *him/her* who is using the computer and is making the important decisions; *not* the software, which is only a tool. And the tool must be bent to the user's will.

The problem is, Windows is designed and ships with compatibility and ease of use in mind for a non tech-savvy end user. Those OSes are supposed to be able to do a bit of everything the average computer user cares for, right out of the box. This means extra software added, and with more and more code added to the OS, the more potential exploitation of said code might happen.

The most secure OS imho is lean and clean, and comes with only the minimal amount of extra software and API sets built in.

Visual Studios is an IDE and compiler set. It can build applications for Windows, Mac and Android. If GCC is integrated I am sure Linux applications can be built as well.

I doubt that any variant of the STOP ransomware family could infect a vanilla W2000 OS. Afaik, nothing programmed with VS2012 or beyond could run on that OS (however iirc, some VS2010 MFC code using very clever programming tricks can). For the record, the Visual C++ 2010 runtime and above can not install on W2000.

If you happen to have such a sample, then please PM me. I would like to try to run it in a W2000 VM, with and without a kernel extender.

That likely is a motherboard feature. It is just like secure boot is only available on modern motherboards running UEFI as opposed to legacy ones running traditional/legacy BIOSes.

That is why updating to the latest Windows 10 milestone is not a panacea. To make the most out of all its possibilities, one must also buy up to date hardware. If the computer is several years old, then one must check his/her BIOS settings and manually enable any hardware feature Windows 10 can benefit from. That is what I did on my DELL Latitude computer. Oh, and better use at least a Professional version of Windows 10, too.

[...] This is also why Windows 10 has quite a strict default update policy, including builds of it becoming unsupported after a year or so. [...]

Security is not the only reason by far imho. I myself would have said it is mainly because of development and maintenance costs.

For the record, I have delayed my updating to version 1903 by another two months. No reason to hurry, even though extra security features are now ready for use, as this script is suggesting.

 

[pyf]

@Ofel: out of curiosity and interest, what did you do regarding your computer security after being infected and until this day? Also, what OS are you using, please?

 

[pyf]

[...] I am still not convinced that Ransomware mainly spreads thanks to exploits [...]

Meet Stop Ransomware: The Most Active Ransomware Nobody Talks About - Bleepingcomputer

" [...] the STOP Ransomware [...] for the most part [...] targets consumers through cracked software, adware bundles, and shady sites. [...]

[...] In order to distribute STOP, the ransomware developers have teamed up with shady sites and adware bundles. These sites promote fake software cracks or free programs, which are really adware bundles that install a variety of unwanted software and malware onto a user's computer. One of the programs installed via these bundles is the STOP Ransomware. Some of the reported cracks that are have been seen installing STOP include KMSPico, Cubase, Photoshop, and antivirus software.

It is not only cracks, though, as many of these shady sites offer downloads of free software, but are simply just adware bundles that install the ransomware. [...]"

 

[Amigoltu]

Well, cracks (and all other pirated material) were always a security risk. KMS activators especially were always a high risk, most of them being executable files with Trojans, adware, you name it. Not to mention, that most of them are not-working-fakes, altogether. Simply said, this isn't really anything new, and it primarily concerns people, that are illegally downloading stuff.

I believe it's safe to say, however, that those who use these things frequently, know which sources are trustworthy. The article also did not mention torrent sites, as those would never "team up" with the malware devs. They are community driven, and the community moderates it's content, to an extent.

 

[Wrda]

Wouldn't this be easier if you hired an IT guy to fix your pc?

 

[pyf]

@Wrda: His computer is not broken afaik.

 

[Wrda]

Well, at least in my country IT guys have their stuff to clean viruses and other things.
I don't think it needs to be broken for that.

 

[pyf]

[...] IT guys have their stuff to clean viruses and other things.

Ofel already knows how to clean a virus infection.
Now, if by 'other things' you mean they can decrypt files encrypted by the .codnat variant of the STOP Ransomware which used an online key to do so, then the whole world definitively wants to know more about this 'stuff' thing you are referring to.

[...] in my country [...]

Based on your Profile page, I see we all live in the same 'country'.

---

Still no idea what OS Ofel is running, but in the meantime and for those who believe that updating to Windows 10 latest milestone alone is the best protection against computer threats, then I suggest they also have a look at ConfigureDefender. I am myself using it with the 'high' settings enabled (with one or two modifications to suit my personal needs). Additional settings are available thanks to PowerShell cmdlets. No need to be an IT guy to learn to use them imho.

Anybody can install/run software, and learn how to properly configure it. Even if said software is the OS itself.

I am also pointing out that Windows 10 is not (that) broken. Or maybe that it is no more and no less broken than any other Windows version, depending on one's definition of the word 'broken'.

 

[Ofel]

@Ofel: out of curiosity and interest, what did you do regarding your computer security after being infected and until this day? Also, what OS are you using, please?

There's nothing wrong in the system I think, everything works normally after the infection. It changed only my files in disk [D:] to .codnat (about 70%). My first thought was that maybe system restore would fix any error caused by the infection in [C:] if any. Then I installed Avast for a full scan and everything are operating just fine.
I'm using Windows 7 Professional.

 

[pyf]

How do you protect yourself against ransomwares now?

 

[pyf]

STOP Ransomware Decryptor Released for 148 Variants - Bleepingcomputer


Emsisoft | STOP Djvu Decryption
(requires an internet connection)

 

[EggPooPoo]

There's nothing wrong in the system I think, everything works normally after the infection. It changed only my files in disk [D:] to .codnat (about 70%). My first thought was that maybe system restore would fix any error caused by the infection in [C:] if any. Then I installed Avast for a full scan and everything are operating just fine.
I'm using Windows 7 Professional.

Oh wow, very strange. I've never heard of a CODNAT File!

I'm guessing it's somehow able to keep all the base Binary Code of each File readable by the OS; yet strangely in terms of using Explorer.exe to Interact with it, it is rendered impossible.

If you could scan for all of the Binary Code of each File; and try to restore it somehow into new ones that may work!

 

[pyf]

@EggPooPoo: all one needs to know about the STOP Ransomware is here:

STOP Ransomware (.STOP, .Puma, .Djvu, .Promo, .Drume) Help & Support Topic - Ransomware Help & Tech Support

 

[EggPooPoo]

@EggPooPoo: all one needs to know about the STOP Ransomware is here:

STOP Ransomware (.STOP, .Puma, .Djvu, .Promo, .Drume) Help & Support Topic - Ransomware Help & Tech Support

Huh?

 

[Amigoltu]

Generally though, I would highly suggest to NOT HOLD critical information in your computer. At least not one, that is often connected to internet. Have that information on separate memory device (External hard drives, USB drives, or (g)old CDs). If you follow this rule, no virus will worry you, for worst case scenario - you can always format the drive and reinstall windows.

Personally, if I were creating some important virtual stuff for work (software, video, audio, etc.), I'd have a second PC, that would be (almost) always offline, and would be there to do work or store my work.

 

[Cherrymage]

Huh?