Clément

RansomWare blues


I got a [pgpopen@foxmail.com].pgp that forced me to reformat my machine.

I have successfully installed 10.4, installed all components and libraries... loaded my project and... I'm missing some VCL styles 😄

What happened to:

[BRCC32 Error] dhsPinger.vrc(71): file not found: C:\Users\Public\Documents\Embarcadero\Studio\21.0\Styles\AquaLightSlate2.vsf
[BRCC32 Error] dhsPinger.vrc(73): file not found: C:\Users\Public\Documents\Embarcadero\Studio\21.0\Styles\Glossy2.vsf
[BRCC32 Error] dhsPinger.vrc(76): file not found: C:\Users\Public\Documents\Embarcadero\Studio\21.0\Styles\ZirconSE.vsf

 

I installed all VCL Styles (GetIt Manager), went to DelphiStyles.com, searched the Embarcadero blogs, CodeRage... where are those styles?

 

Clément
2 minutes ago, Attila Kovacs said:

I'm afraid you have to pay with bitcoins for this info 😛

I got very lucky! Even my backup server got infected


Windows share that's created by the backup application only when the backup is ready to be copied. This was a full backup copy day, so it took longer to copy.
What saved me was 2 things actually.
1) A folder that only one Windows user (usrBackup) has write access to. Every other domain user has read-only access.

2) A rather large glyph collection.

My drive C was completely lost.

Slightly OT: dhsPinger has an ominous ring to it. Pinging the DHS sounds like something you should not do lightheartedly. :classic_ninja:

Guest
55 minutes ago, Sherlock said:

Slightly OT: dhsPinger has an ominous ring to it. Pinging the DHS sounds like something you should not do lightheartedly. :classic_ninja:

On this subject, I always keep the firewall logs; no attack happens without a ping first!

A common mistake all attackers make is to check whether the target is online before starting a session of flooding, login attempts or whatever. If that is a concern, keep your logs and parse them (i.e. filter them if they are big) for specific entries and patterns.
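The check described above, as an added PowerShell example (not Kas Ob.'s code): it reads a constructed excerpt in the Windows Firewall pfirewall.log format and reports sources that sent an echo request and then, within one hour, reached the RDP port. The log path, port 3389 and the one-hour window are assumptions.

```powershell
# Added example, not the post's own code. Input is a constructed excerpt in the
# Windows Firewall pfirewall.log format (documentation address ranges). ICMP type 8
# is an echo request; DROP lines only appear if dropped-packet logging is enabled.
$sample = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2020-08-12 07:55:02 DROP ICMP 203.0.113.7 192.0.2.10 - - 60 - - - - 8 0 - RECEIVE
2020-08-12 07:55:03 DROP ICMP 203.0.113.7 192.0.2.10 - - 60 - - - - 8 0 - RECEIVE
2020-08-12 08:01:40 ALLOW TCP 203.0.113.7 192.0.2.10 51022 3389 0 - 0 0 0 - - - RECEIVE
2020-08-12 08:01:41 ALLOW TCP 203.0.113.7 192.0.2.10 51023 3389 0 - 0 0 0 - - - RECEIVE
2020-08-12 09:10:00 DROP ICMP 198.51.100.5 192.0.2.10 - - 60 - - - - 8 0 - RECEIVE
2020-08-12 13:22:09 ALLOW TCP 198.51.100.9 192.0.2.10 40001 443 0 - 0 0 0 - - - RECEIVE
'@

function Read-FirewallLog {
    # Turns pfirewall.log lines into objects, using the '#Fields:' header for names.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'; continue
        }
        if (-not $fields -or $line.StartsWith('#') -or -not $line.Trim()) { continue }
        $parts = $line.Trim() -split '\s+'
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $parts.Count; $i++) {
            $rec[$fields[$i]] = $parts[$i]
        }
        [pscustomobject]@{
            When     = [datetime]::ParseExact("$($rec['date']) $($rec['time'])", 'yyyy-MM-dd HH:mm:ss', $null)
            Proto    = $rec['protocol']
            Src      = $rec['src-ip']
            DstPort  = $rec['dst-port']
            IcmpType = $rec['icmptype']
        }
    }
}

function Find-PingThenRdp {
    # Sources that sent an echo request and then reached the RDP port within the window.
    param([string[]]$Lines, [int]$RdpPort = 3389, [int]$WindowMinutes = 60)
    foreach ($g in (Read-FirewallLog -Lines $Lines | Group-Object Src)) {
        $pings = @($g.Group | Where-Object { $_.Proto -eq 'ICMP' -and $_.IcmpType -eq '8' } | Sort-Object When)
        $rdp   = @($g.Group | Where-Object { $_.Proto -eq 'TCP' -and $_.DstPort -eq "$RdpPort" } | Sort-Object When)
        if ($pings.Count -eq 0 -or $rdp.Count -eq 0) { continue }
        $firstRdp = $rdp | Where-Object { $_.When -gt $pings[0].When } | Select-Object -First 1
        if ($firstRdp -and ($firstRdp.When - $pings[0].When).TotalMinutes -le $WindowMinutes) {
            [pscustomobject]@{ Source = $g.Name; FirstPing = $pings[0].When; FirstRdp = $firstRdp.When; RdpHits = $rdp.Count }
        }
    }
}

# On a real machine: Get-Content "$env:windir\System32\LogFiles\Firewall\pfirewall.log"
Find-PingThenRdp -Lines ($sample -split "`r?`n") | Format-Table -AutoSize
```

On the constructed sample only 203.0.113.7 is reported (ping at 07:55, RDP at 08:01); the other two sources either never pinged or never touched the RDP port.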

7 hours ago, Sherlock said:

Slightly OT: dhsPinger has an ominous ring to it. Pinging the DHS sounds like something you should not do lightheartedly. :classic_ninja:

LOL!!
Don't worry, I have precedence :classic_rolleyes: ... I founded DHS when I was still in high school; Turbo Pascal and Turbo C++ ruled the world (a long time ago, in a galaxy far away...) ...

Just now, Clément said:

LOL!!
Don't worry, I have precedence :classic_rolleyes: ... I founded DHS when I was still in high school; Turbo Pascal and Turbo C++ ruled the world (a long time ago, in a galaxy far away...) ...

And I bet they hate you for it :classic_biggrin:

6 hours ago, Kas Ob. said:

On this subject, I always keep the firewall logs; no attack happens without a ping first!

A common mistake all attackers make is to check whether the target is online before starting a session of flooding, login attempts or whatever. If that is a concern, keep your logs and parse them (i.e. filter them if they are big) for specific entries and patterns.

There are a few things I learned from this experience. There was a lot of strange traffic in my firewall. I already wrote a batch that blocks that traffic automatically.
But that wasn't the main issue. When I was remotely accessing my machine, I noticed it was slower than it should be. I started searching for processes that were eating all my resources, CPU and memory.
My antivirus was "normal", all my usual processes were "normal", but yet something was eating over 70% of CPU and 80% of memory... I was in Task Manager and clicked on Users. To my surprise, there was another user logged in.
Very unusual name, something like "yyz==Twe". I never would have created a user like that one. The moment I killed the connection the machine started working normally. The antivirus warned me there was ransomware running, asked to run an offline scan, and I restarted the machine.

Windows 10 was up to date. How this fellow managed to create a local user in my machine through RDP is beyond me.


Always best to restrict the remote addresses allowed to access RDP through firewall rules. For remote hosted servers, always make sure there are at least two address blocks in case your ISP does some renumbering without telling you.

Angus

Guest
26 minutes ago, Angus Robertson said:

Always best to restrict the remote addresses allowed to access RDP through firewall rules. For remote hosted servers, always make sure there are at least two address blocks in case your ISP does some renumbering without telling you.

That is the right thing to do, but there is a better solution that can be called once and for all, to sleep right at night.

Most of you know how to write a simple Windows service that will listen on a port. That service will have one thing to do (it can be only one thing): enable the RDP rule in the firewall and disable it.

I do it like this:

1) The service is listening on port X (some random port, but it will be open all the time for anyone, or it can be restricted to an IP address/range).

2) The service port can be restricted to TLS with HTTPS or simple TCP without any security layer. Why? Because the authorization will be using 2FA, meaning all that is at its core is a few bytes.

3) When the authorization is checked and passed, the service will enable the rule for your custom RDP port Y (suggestion here: change the default port). By authorization I mean your service can simply provide a small HTML page with one text box and a button; you can go fancy here with an app or leave it to be accessed by browser.

4) The service will use the OS API to detect the RDP session login; if it didn't happen within 3 minutes then it will disable the rule.

5) When a new session is on, it will poll the state of logged-in users every 30 seconds; when the user logs off or disconnects, it will wait for a new session within 3 minutes and then disable the FW rule.

That is it, and you got the idea and can do it your style. Simply put, it is a simulation of port knocking, but with more enhanced security due to the 2FA. As for the needed session APIs, if you want to go fancy like the above then SvCom has it, or Google is your friend.

As for letting your OS access the Internet, I have an opinion about that: nothing good comes from letting any part of the OS reach the internet and establish a connection to anywhere, or from leaving any port belonging to the system accessible from the wild net.

Someone would say: and what about updates? I will answer: tell me when an update enhanced your system? Or when is the update worth the risk?

Those updates should be done manually by you, on your terms and time.

Now joking aside, logging helps to understand and protect but will not help when the real hardcore hackers come; you will not see anything and will not find a trace. They will gain access and upload what they want, or even leave many doors open for themselves without letting you feel a thing. All of that is coming from the system (RDP or port 445, 139...). Known software is the weak point, because hackers can study the code and exploit unnoticed weak code. The only thing that can protect you is: don't leave open ports and don't allow the OS to update; for that matter, don't allow the RAD IDE to connect to Embarcadero servers either.
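Steps 4 and 5 of the scheme above, as an added PowerShell example against the built-in Windows Firewall (not Kas Ob.'s service): the rule for the custom RDP port is enabled only after authorization, which is assumed to happen elsewhere, and a watchdog disables it again when no session appears within 3 minutes or once the session ends. The rule name, port 33890, and using an established TCP connection as the session signal are assumptions.

```powershell
# Added example, not the post's own service. Assumed: rule name 'RDP custom port'
# and custom RDP port 33890 (the post's port Y). The 2FA front-end (steps 1-3) is
# out of scope and is assumed to call Open-RdpWindow once authorization passed.
$RuleName     = 'RDP custom port'
$RdpPort      = 33890
$GraceSeconds = 180    # 3 minutes, as in the post
$PollSeconds  = 30     # 30 seconds, as in the post

function Install-RdpRule {
    # One-time setup: the rule starts disabled, so the port is closed by default.
    # -RemoteAddress optionally limits the window to a trusted address block.
    param([string[]]$RemoteAddress = 'Any')
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $RdpPort -RemoteAddress $RemoteAddress -Action Allow -Enabled False
}

function Test-RdpSession {
    # Simplification of "use the OS API": an established TCP connection on the RDP
    # port stands in for a live session; logoff or disconnect closes it.
    $c = Get-NetTCPConnection -LocalPort $RdpPort -State Established -ErrorAction SilentlyContinue
    return [bool]$c
}

function Open-RdpWindow {
    Enable-NetFirewallRule -DisplayName $RuleName
    Write-Host "$(Get-Date -Format s) rule enabled, waiting $GraceSeconds s for a session"
    try {
        while ($true) {
            # Step 4: give the user the grace period to connect.
            $deadline = (Get-Date).AddSeconds($GraceSeconds)
            $seen = $false
            while ((Get-Date) -lt $deadline) {
                if (Test-RdpSession) { $seen = $true; break }
                Start-Sleep -Seconds 5
            }
            if (-not $seen) { break }   # nobody connected in time: close the window
            # Step 5: poll while the session lives, then allow a reconnect.
            while (Test-RdpSession) { Start-Sleep -Seconds $PollSeconds }
            Write-Host "$(Get-Date -Format s) session ended, new grace period"
        }
    }
    finally {
        # Runs on normal exit and on Ctrl+C, so the port never stays open.
        Disable-NetFirewallRule -DisplayName $RuleName
        Write-Host "$(Get-Date -Format s) rule disabled"
    }
}

# Usage (elevated PowerShell): Install-RdpRule once, then Open-RdpWindow from the
# authorized path. Moving the RDP listener itself to port Y is a separate step.
```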

2 hours ago, Clément said:

How this fellow managed to create a local user in my machine through RDP is beyond me.

Maybe you shouldn't have let that guy with the strange English accent from "Microsoft Support" help you with your "PC problem" :classic_smile:

34 minutes ago, Kas Ob. said:

but there is a better solution that can be called once and for all, to sleep right at night.

Speaking of sleeping right at night; This thread was actually the topic on my dreams (yes, it was a nightmare) last night: I watched in horror as all my systems were being encrypted before my eyes. Somehow the hacker had so much control over my system that it kept on running even after I pulled the plug.

Completely unrelated :classic_wink:, but the first thing I did this morning was to run a complete scan on my system.

The firewall that blocks RDP from Windows should be external to Windows, not a Windows application; they can be stopped or modified by those that try very hard. I have my own firewall in my rack.

Angus

Guest
11 minutes ago, Angus Robertson said:

The firewall that blocks RDP from Windows should be external to Windows, not a Windows application; they can be stopped or modified by those that try very hard. I have my own firewall in my rack.

Truth be told, I don't know anything faster or lighter in resource weight on the system than the default FW; for me, I completely trust the Microsoft FW. But you are right on that point: the Windows FW is trustworthy while the system is not compromised; once the system is pwned then the FW is the first to go, and it is useless.


15 minutes ago, Anders Melander said:

Completely unrelated :classic_wink:, but the first thing I did this morning was to run a compete scan on my system.

Not enough; harden your system by blocking all that Cortana, system updates, MS metrics shenanigans, Embarcadero shenanigans... etc. All must go.

For my own sleeping well, and for better dreams and fewer nightmares, as a protection I sleep with a heavy cast iron pan (skillet) near my pillow, to be used as weapon and as shield, attack and defense 😎

The bonus side of it: when I snore I hear an echo or reverb, depending on the couplet!


Layers of protection are good, even multiple firewalls, provided there is not too much performance hit. External firewalls also mean external logs; mine syslogs to my office systems as well as the rack, so it cannot be compromised.

Angus


Do you mean you had your Windows computer directly connected to the internet and RDP activated? In my eyes that's disaster waiting to happen.

 

There apparently is a big market for RDP addresses and accounts, and they are even cheap (Heise online had an article on that today (in German).)

1 hour ago, Angus Robertson said:

can not be compromised

Famous last words.

I hear the NSA is very fond of hardware firewalls. The firmware is often very old.

1 hour ago, dummzeuch said:

Do you mean you had your Windows computer directly connected to the internet and RDP activated? In my eyes that's disaster waiting to happen.

 

There apparently is a big market for RDP addresses and accounts, and they are even cheap (Heise online had an article on that today (in German).)

Well... yes... I mean, my computer has RDP activated on another port. So basically the ISP router forwards the requests from a non-default RDP port to a non-default RDP local port.
My computer is not working 24/7. But it can start itself every day at 8:00 am, and I turn it off when I'm done. So it can stay on from 8:00 to 17:00, or sometimes 23:00.

I still have to understand how he managed to create a local account. As far as I can tell, he managed to overcome 3 firewalls: my ISP router, my server, and my machine. So he managed to discover the exact ports and his timing was perfect.

Or this attack didn't happen all at once. I might have been infected by some virus a few weeks back that remained inactive, or was unable to take action, up until "something" happened and made the hacking possible.

Since it's my working machine, I only open my customer email. There's no navigating to suspicious sites or downloading illegal content.

The fact is that "somehow" he managed to create a local user account using RDP. And Windows Defender kicked in only after I dropped his connection. If one more minute had passed it would have been terrible!

I would require a lot more than those 3 VCL Skins...

And by the way... this kind of ransomware uses RSA with AES to encrypt contents; the encryption takes place by scanning folders and files alphabetically.
I have my images (Glyphs and Icons) stored in an "Images" folder (several GBytes of recoverable data) that delayed that virus long enough.
Just a few folders from my Projects... It ignores executables and any file smaller than 5 KB. The only thing left unencrypted is a text file with "directions" to contact them.

Well, finally I managed to recover all my projects. My most recent backup was from 11/08; the attack took place on the 12th. In my backup server, my read-only folder tree was unaffected. The problem I had was that some files are not included in my backup (like some VCL Skins, Icons, RC files, configuration files, Delphi settings, third-party components, etc.). A lot of work to rebuild my machine, since I have a really hard time believing the antivirus got rid of that virus.
I just feel safer destroying partitions and reformatting everything. Brand new Windows 10 installation with Delphi and all its ecosystem.

Usually the credentials are stolen from the client PCs where they are stored.

Antivirs are crap.

Multiple cold backups stored in different geographical locations are backups; everything else is just delusion.

Guest
6 minutes ago, Clément said:

I still have to understand how he managed to create a local account.

That requires special skills in forensics; such experience is not easy to find in one article or even in one site, but you can start by tracking your logs and registry keys for dates and permissions. I bet not many of you know that registry keys and entries have creation and modification timestamps! (regedit.exe doesn't show that)


8 minutes ago, Clément said:

The fact is that "somehow" he managed to create a local user account using RDP.

He didn't! Those attacks are complicated and happen in stages or phases, step after step.


You didn't get it yet; there are many, many ways to take control over a PC, with RDP or without, like using port 445, but you can trust that there is a decent chance that your system had invited him home!

I will not go into details that might flag the forum, and you know I have novice experience, having read a few things here and there, but all I need is your router MAC address along with your IP and we are good to go to try; those can be obtained by one connection made from your PC to some place where I can extract them, then chain some actions, and in the result your RAD IDE or system will be calling me, AKA bypassing all the security walls with the 1000 routers you built.

And keep in mind most firewalls don't even log the DNS traffic by default; that is the core of most evil.

12 hours ago, Clément said:

I just feel safer destroying partitions and reformatting everything. Brand new Windows 10 installation with Delphi and all its ecosystem.

Definitely the way to go. Trying to clean up an infected system is way more dangerous than rebuilding from scratch. And you could never be certain you removed everything.

Guest
1 hour ago, dummzeuch said:

Definitely the way to go. Trying to clean up an infected system is way more dangerous than rebuilding from scratch. And you could never be certain you removed everything.

It is up to each and everyone; the most important thing is to feel safe.

May I suggest this:

1) Create or dedicate a drive for a second system. Let's call your daily OS A; then dedicate a drive for Windows B and enable dual boot for it.

2) Don't go and use B, as it is an emergency approach only.

3) From A, remove the drive letter for B, meaning A will not see B or its drive. This is essential, as any virus will not mount a drive; that is a no-no and any AV will be able to stop it.

4) Better than dual boot: dedicate an old or small disk (physical hard drive or SSD) to another system and put your tools, backup, recovery etc. there, and disable it in the BIOS. This will make sure that even if the boot sector is compromised, the second drive is safe and will let you boot and fix or recover... or at least search the internet for a solution.

I have 6 Windows installations in multiple boot along with 1 Linux, and maybe 5 OSes and boot CDs running directly from ISO files without disk write access,
3 SSD disks of different sizes with 3 HDDs running in RAID 5. The RAID array is only for backup and archive, and it is disconnected from the power; I click their cables in once per week for maintenance, while one old 80 GB SSD is dedicated for emergencies.

Most old ransomware does the encryption right after boot and before Windows fully loads; by having those seconds counting down at the dual boot menu you may have a better chance to stop and prevent it from completing its task after an unexplained restart. For that use EasyBCD; it is also the one that will allow you to boot to an ISO file.