Cerber Ransomware on Slave Drive Question...

Discussion in 'malware problems & news' started by harrismail, Sep 20, 2016.

  1. harrismail

    harrismail Registered Member

    Joined:
    Sep 20, 2016
    Posts:
    4
    Location:
    England
    OK here goes,

    I'm new to the forums so be gentle....

    I got a version of cerber 3 ransomware on my Windows 10 office PC, for some reason I saw what was happening and after 20 minutes I reimaged the PC back to the previous day's state.

    But here's my question..... a ton of files on my slave drive were encrypted - I had backups so that was fortunate BUT can my slave drive do anything harmful to my clean OS drive?

    In other words even if I delete all the files on the slave drive (not format) and copy over the good files from a clean backup can the slave drive cause me grief?

    Steve
     
  2. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,181
  3. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    977
    Location:
    Paris
    Steve- No one here can answer your question definitively as the specific malware you were hit with may or may not have had the capability of spreading over a Network. Although in the majority of cases that answer is no, adding this functionality to any malware file can be done quite easily and is Script-Kiddie level. So essentially you never know.

    For you to answer your own question you can proceed as follows:

    1). Shut off the Autorun/autoplay function for USB drives. A good primer on how to accomplish this in Win 10 can be found here: http://www.thewindowsclub.com/enable-disable-autoplay-windows

    2). You can now safely insert the USB in order to scan it with something like Zemana AntiMalware portable.

    3). Just to confirm things, go into the View tab of File Explorer Options and enable Show Hidden files, and then look for any autostart entries on the USB which were previously hidden from you. If they exist they will be quite apparent to detect (autorun.inf).

    M

    ps- can you please let us know what main security application you used that allowed you to be infected?
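    The three steps above, turned into a single PowerShell audit script. This is an added example, not code from cruelsister or anyone else in this thread: it reports whether AutoRun/AutoPlay is switched off (step 1), lists every autorun.inf and every launchable file on the suspect drive with hidden and system files included (step 3), and can optionally run a Windows Defender custom scan of just that drive as a stand-in for the Zemana scan in step 2, since Defender ships with Windows 10. The drive letter, the assumed script name, and the `.cerber3` extension used to count encrypted files are assumptions; change the extension to whatever you actually saw on your files.

```powershell
<#
  Added example, not from the original thread. Audits AutoRun/AutoPlay policy,
  inventories a suspect drive (hidden items included), counts encrypted files
  and optionally runs a Defender custom scan of that drive only.
  Usage (assumed file name, run from an elevated PowerShell prompt):
      .\Audit-SlaveDrive.ps1 -DriveLetter D [-EncryptedExtension .cerber3] [-RunDefenderScan]
#>
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[A-Za-z]$')]
    [string]$DriveLetter,

    # Assumption: the extension the ransomware appended to encrypted files.
    # It is only used to count them; set it to what you see on your own drive.
    [string]$EncryptedExtension = '.cerber3',

    [switch]$RunDefenderScan
)

$root = "${DriveLetter}:\"
if (-not (Test-Path -LiteralPath $root)) { throw "Drive $root is not present" }

# ---- Step 1: AutoRun / AutoPlay policy ---------------------------------------
# NoDriveTypeAutoRun is a bitmask of drive types; 0xFF disables AutoRun on all of them.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $v = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -eq $v) {
        Write-Output "$hive NoDriveTypeAutoRun : not set (Windows default applies)"
    } else {
        $state = if ($v -eq 0xFF) { 'AutoRun disabled for all drive types' } else { 'AutoRun still allowed for some drive types' }
        Write-Output ("{0} NoDriveTypeAutoRun : 0x{1:X2} ({2})" -f $hive, $v, $state)
    }
}
# DisableAutoplay = 1 is what the Settings app writes when AutoPlay is switched off.
$ap = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers' `
                       -Name DisableAutoplay -ErrorAction SilentlyContinue
if ($ap -and $ap.DisableAutoplay -eq 1) { Write-Output 'AutoPlay : off' }
else { Write-Output 'AutoPlay : ON (switch it off before inserting untrusted media)' }

# ---- Step 3: inventory with hidden and system files included (-Force) --------
Write-Output "`nautorun.inf files on $root (Windows only honours the one at the root):"
Get-ChildItem -LiteralPath $root -Recurse -Force -File -Filter 'autorun.inf' -ErrorAction SilentlyContinue |
    ForEach-Object {
        Write-Output "  $($_.FullName)  [$($_.Attributes)]"
        # Show what it would have launched so you can judge it
        Get-Content -LiteralPath $_.FullName -ErrorAction SilentlyContinue | ForEach-Object { Write-Output "      $_" }
    }

$launchable = '.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js', '.hta', '.lnk'
$files = Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue

Write-Output "`nLaunchable files on $root (hidden/system ones first):"
$files |
    Where-Object { $launchable -contains $_.Extension.ToLower() } |
    Select-Object FullName, Length, LastWriteTime,
        @{ n = 'Hidden'; e = { [bool]($_.Attributes -band [IO.FileAttributes]::Hidden) } },
        @{ n = 'System'; e = { [bool]($_.Attributes -band [IO.FileAttributes]::System) } } |
    Sort-Object Hidden, System -Descending |
    Format-Table -AutoSize

# How much of the drive the ransomware got to, by the extension it appended
$encrypted = @($files | Where-Object { $_.Extension -ieq $EncryptedExtension })
Write-Output ("Files with extension {0}: {1}" -f $EncryptedExtension, $encrypted.Count)

# ---- Step 2 (optional): on-demand scan of just this drive --------------------
if ($RunDefenderScan) {
    Start-MpScan -ScanType CustomScan -ScanPath $root
    Get-MpThreatDetection |
        Where-Object { $_.Resources -match [regex]::Escape($root) } |
        Select-Object InitialDetectionTime, ThreatID, Resources |
        Format-Table -AutoSize
}
```

The script only reads the drive; it does not delete or rename anything, so it is safe to run before you decide whether to wipe the drive and restore from backup. Anything it lists as hidden or system with a launchable extension, or any autorun.inf that points at an executable, is exactly the kind of entry step 3 is asking you to look for.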
     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,085
    I've read in the past about some versions of ransomware that were using file infection to spread themselves. It doesn't seem to be a popular way of distribution, but you never know.
    If you have a backup of the encrypted files, delete those and replace them with files from the backup. Before connecting backup media be sure that you don't have an active infection.
    If you have executable files on that drive (programs, portable programs or installers) don't use them, but instead download new ones from a reputable source.

    I hope that you know how you got infected and that you know how you can prevent such cases in future.
     
  5. harrismail

    harrismail Registered Member

    Joined:
    Sep 20, 2016
    Posts:
    4
    Location:
    England
    Thanks for your responses - yes I do know how I managed to get the virus.... it's my own fault for penny pinching...
    I have been using Ammyy admin for a couple of years to connect to friends' and relatives' PCs and it's worked well..... until last week.....

    I went to the main Ammyy.com website to download the latest version.... unbeknownst to me their website has been compromised loads of times this year and their executable has been replaced with various viruses and ransomware... this time I was unlucky to get the cerber ransomware..

    Anyway the long and the short of it is that my laptop got infected as well as my main desktop PC - the separate data drive was unfortunately networked and shared...

    Fortunately I have always got recent Acronis True Image backups of both my laptop and desktop OS drive (all my desktop data is in a Dropbox folder on a shared separate drive)

    So I reimaged both the laptop and desktop to my most recent backup, got in touch with Dropbox support to roll back to the day before, installed a clean slave drive to redownload all the clean Dropbox data and was back up and running within 12 hours.

    From now on I'm going to be using Teamviewer for my remote sessions!!

    Lesson well learnt.
     
  6. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,522
    Location:
    USA - Back in a real State in time for a real Pres
    I don't know exactly what you're trying to do.

    But you can boot to a Linux LiveCD bypassing your current OS. In fact to be totally safe you can disconnect the clean HDD.
     
  7. harrismail

    harrismail Registered Member

    Joined:
    Sep 20, 2016
    Posts:
    4
    Location:
    England
    I guess I'm now understandably a little nervous connecting anything to my laptop or desktop, either a pen drive or a slave drive, in case there is a chance that either the pen drive or such can possibly "infect" the laptop or desktop even if I don't click on an executable that's on that drive.

    None of my pen drives or slave drives etc have autorun enabled (and I can see all hidden files) so the drives just sit there if I connect them.

    I guess it is possible even for an empty pen drive to infect a healthy Windows OS?
     
  8. harrismail

    harrismail Registered Member

    Joined:
    Sep 20, 2016
    Posts:
    4
    Location:
    England
    I only had Windows 10 Defender on that laptop (I know.... not good enough) - which did try to stop the infection - I knew something bad was going on so I started the OS reimage after about 20 minutes but obviously by then a lot of files had been encrypted.

    Thanks also for the Zemana antimalware recommendation - it's very good.
     
  9. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,522
    Location:
    USA - Back in a real State in time for a real Pres
    My suggestion simplified.
    Physically remove the clean OS hard drive.

    Needed 3 things:
    1) borked slave drive
    2) empty drive big enough to store desired files from borked slave drive.
    3) Download 2 or more of these rescue ISOs. I suggest
    http://www.digitalcitizen.life/top-free-bootable-antivirus-rescue-discs-windows-pcs
    1. Bitdefender Rescue CD
    7. Avira Rescue System

    Burn the .iso so it's bootable. GIYF. Connect borked drive & scan. Repeat with another rescue CD. Take note if cleaned or not. Back up to empty drive. Depending on borked drive's new status proceed as needed.
     