Geekzone: technology news, blogs, forums


turb
#197900 17-Jun-2016 09:07

A mate's win7 PC has become infected with ransomware.

All his word docs, photos etc have been given new extensions and encrypted, but his .pst file hasn't been renamed, so I'm hoping it may be okay.

He works at sea, so needs offline access to old emails.

The infected PC is a cruddy old laptop with a damaged screen that was headed for the bin anyway, so I don't need to try fixing it.

My question is this:

How can I get the .pst file from the infected PC and safely check it without risking contaminating another machine?




Interests: HTPC, Web App authoring. 


billgates
#1575498 17-Jun-2016 09:09

Create a new PST from within Outlook on the infected machine and then import that PST into another copy of Outlook on a replacement machine.





Do whatever you want to do man.

  

turb
#1575502 17-Jun-2016 09:15

But how to do it safely? I don't want to stick an infected USB stick into the new PC.




wellygary
#1575512 17-Jun-2016 09:43

turb: But how to do it safely? I don't want to stick an infected USB stick into the new PC?

Boot the new machine with a live version of Ubuntu (or other Linux flavour).

Open the PST file in something like Evolution, and then re-export the data to a new PST file on a newly formatted stick, then insert the stick into the new Windows machine...


frankv
#1575516 17-Jun-2016 09:45

An infection can only spread if it can cause you to run some kind of program on the new machine. If auto-run isn't enabled for the USB, then it is safe to plug it in. Most anti-virus software will scan a USB on insertion, before allowing anything on it to run.

 

Worst case, take the USB to some other kind of machine (e.g. Linux, Mac, Android, Arduino) which won't run a Win executable. Delete anything that isn't a .PST. Then it'll be clean.

 

 

 

 


turb
#1575541 17-Jun-2016 10:27

Great ideas, thank you for the help!




1101
#1576966 20-Jun-2016 10:58

frankv: An infection can only spread if it can cause you to run some kind of program on the new machine. If auto-run isn't enabled for the USB, then it is safe to plug it in. Most anti-virus software will scan a USB on insertion, before allowing anything on it to run.


That :-)
If you know what you're doing, there is no issue. But don't rely on AV to keep you safe from a possibly infected USB (for several reasons). As long as it doesn't autorun, you'll be OK.
The other option is to burn the PST to a DVD. Again, make sure it doesn't autorun.

Just to be safe, scan the USB/DVD in a PC that doesn't have any critical data on it.
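The checks frankv and 1101 describe (only a .pst on the stick, nothing that can autorun or execute) as an added example, not code from the thread: a small Python script to run on the Linux live system wellygary suggests, with the stick mounted read-only and noexec (e.g. `mount -o ro,noexec,nosuid,nodev /dev/sdX1 /mnt/stick`; device and mount point are placeholders). It validates the .pst by its file-format header (the `!BDN` magic and `SM` client tag from the MS-PST header layout) rather than by its name, and flags autorun.inf, PE executables and script-type files. File and path names are assumptions for illustration.

```python
"""Sanity-check a USB stick that carried a .pst off an infected Windows PC.

Added example, not from the thread. Reads bytes only, never executes anything.
Run from a Linux live boot with the stick mounted ro,noexec (placeholder path).
"""
import json
import sys
from pathlib import Path

PST_MAGIC = b"!BDN"       # dwMagic at offset 0 of a PST/OST header (MS-PST)
PST_CLIENT = b"SM"        # wMagicClient at offset 8 for a PST
PST_VERSIONS = {14: "ANSI", 15: "ANSI", 23: "Unicode"}  # wVer at offset 10

# Extensions that have no business on a stick that should carry only a mailbox.
RISKY_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".jse",
             ".wsf", ".ps1", ".lnk", ".hta", ".pif", ".docm", ".xlsm"}
PE_MAGIC = b"MZ"          # DOS/PE executable stub, whatever the file is called


def check_pst(path: Path) -> dict:
    """Describe whether `path` is structurally a PST, judged by its header."""
    with path.open("rb") as f:
        header = f.read(12)
    ok = (len(header) >= 12 and header[:4] == PST_MAGIC
          and header[8:10] == PST_CLIENT)
    ver = int.from_bytes(header[10:12], "little") if ok else None
    return {
        "path": str(path),
        "is_pst": ok,
        "format": PST_VERSIONS.get(ver, "unknown") if ok else None,
        "size": path.stat().st_size,
    }


def triage_stick(root: Path) -> dict:
    """Walk the stick: report PST candidates and anything that should not be there."""
    report = {"pst": [], "suspicious": [], "other": []}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        name, ext = p.name.lower(), p.suffix.lower()
        with p.open("rb") as f:
            head = f.read(4)
        if ext == ".pst":
            info = check_pst(p)
            report["pst"].append(info)
            if not info["is_pst"]:          # named .pst but not one: treat as hostile
                report["suspicious"].append(str(p))
        elif name == "autorun.inf" or ext in RISKY_EXT or head[:2] == PE_MAGIC:
            report["suspicious"].append(str(p))
        else:
            report["other"].append(str(p))
    return report


if __name__ == "__main__":
    # Assumed mount point; pass another path as the first argument.
    mount = Path(sys.argv[1] if len(sys.argv) > 1 else "/mnt/stick")
    print(json.dumps(triage_stick(mount), indent=2))
```

A valid header only says the file is a PST; it says nothing about what the mail inside carries, so copy only the entries under `pst` with `is_pst` true to the freshly formatted stick and delete everything listed under `suspicious` before the stick goes near a Windows machine.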


bigtone58
#1578783 23-Jun-2016 07:46

<quote>
How can I get the .pst file from the infected PC and safely check it without risking contaminating another machine?
</quote>


You need to be careful here, but if the affected machine is still operational (i.e. you can browse the internet, send/receive emails, create documents/spreadsheets, etc), then the ransomware has done its thing and bolted through the stable door. There is therefore no active component of the infection on the machine at the moment, but there is possibly a dormant form that could be retriggered if you happened to stumble on it in your recovery of the PST file.

 

I am assuming that MS Word and MS Outlook are installed on the affected machine as you mention docs and PST files respectively. I would also assume that there is a high likelihood of MS Excel being installed as it is the usual companion of MS Word. Your description leads me to believe that these applications may be the ones that are predominantly used and are therefore highly likely to have been used as the path to introduce the ransomware. Without knowing which particular ransomware variant you have been stung with, I can only quote the fact that says "roughly 60-70% of ransomware is introduced via socially engineered emails that subsequently run scripts/macros that do the nasty work". The implication of this in your case is that the ransomware probably came in as a document or spreadsheet attachment to an email that looked legitimate to your mate (probably seeming to have come from someone who had been recently emailed - that's the social engineering part). When it was opened it then ran a macro from within that attachment that downloaded the ransomware engine which then proceeded to encrypt the files it wanted to target, maybe turn off some file backup options, maybe delete any system restore points, maybe overwrite free space multiple times, leave a message in the directories within which it encrypted files, and delete itself from the machine (leaving no retrievable copy of either a public or private key). It may have had to ask to have the macro execution enabled but being a "cruddy old laptop with a damaged screen" it may have had the ability to run macros still turned on as that was an old default. (The "maybe" parts in the preceding statement are dependent upon the ransomware variant you got stung with).

 

I would guide you to proceed as follows:-

 

. Copy the PST file to a USB stick and take it to another "clean" machine.
. Run as many Anti-Virus and Anti-Malware tools over it as you can find. I would recommend Malwarebytes and Hitman Pro as first attempts (as well as your "updated" Anti-Virus suite). There are many others available as well.
. Review the logs from these tools to see if they found the ransomware in a particular email in the PST file.
. If it explicitly states that the email has been erased, then you are probably safe, but just to go "belts and braces" I would proceed as follows:-
. If an email is not identified you will have to then do some detective work to find out when the files got encrypted. It should be apparent by looking up the dates on the files left behind by the ransomware.
. Now you need to attach and open the PST file and find emails in the PST from just before the dates on the ransom demand files. You can do this with Outlook or an Outlook email viewer tool (available from Microsoft).
  WARNING Don't try to open the email yet or you may retrigger the ransomware.
  RECOMMENDATION Turning off "allowed macro execution" in Excel and Word may help to prevent a retrigger. (I haven't researched how to do that but it should be relatively straightforward).
. You need to look for an email with an attachment that is likely to be a Word document or an Excel spreadsheet and might have some unusual phraseology in the Subject header (the ransomware carrier).
. This is the email that MUST be deleted without opening it, and you will probably have to do this with Outlook (so be careful).

 

If you have managed to get to this point then the PST should be clean and you have probably removed all traces of the ransomware (apart from the already encrypted files). Please also take into account other advice offered in this thread as they all have valid points to make.

 

If you wish, you can PM me, but as I am fairly new to being active on this site, it may take me a little while to figure out how that works.

 

Regards Tony
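The two detective steps in bigtone58's procedure (date the encryption from the ransomware's own files, then look for a macro-carrying Word or Excel attachment in mail delivered just before it) as an added example, not code from the thread. `encryption_window` reports the earliest and latest modification time of files carrying the appended extension, which brackets when the encryption ran; `triage_attachments` inspects attachments that have been saved, not opened, into a folder and reports whether each one embeds a VBA project, judging by the file's actual container format rather than its extension. The `.locked` extension and the paths are placeholders, and the legacy OLE check is a byte-string heuristic for the directory-entry names a VBA project leaves behind, not a compound-file parser.

```python
"""Date the encryption and find VBA-carrying attachments without opening them.

Added example, not from the thread. Assumptions: the encrypted tree (or a copy)
is reachable at a path; the odd extension the ransomware appended is known from
looking at the files (".locked" below is a placeholder); suspect attachments
have been saved, not opened, into a folder on a machine without Office.
"""
import sys
import zipfile
from datetime import datetime, timezone
from pathlib import Path

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # legacy .doc/.xls compound file
# Directory-entry names Office writes when a VBA project is stored; OLE keeps
# them as UTF-16LE, so search for that encoding. Heuristic, not a parser.
OLE_VBA_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros")]
# OOXML (.docm/.xlsm/.pptm) keeps the VBA project in a dedicated zip part.
OOXML_VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def encryption_window(root: Path, ransom_ext: str) -> tuple:
    """Earliest and latest mtime (UTC ISO 8601) of files carrying `ransom_ext`.

    Mail delivered shortly before the earliest timestamp is where to look.
    """
    times = [p.stat().st_mtime for p in root.rglob("*" + ransom_ext) if p.is_file()]
    if not times:
        return (None, None)

    def fmt(t):
        return datetime.fromtimestamp(t, timezone.utc).isoformat()

    return (fmt(min(times)), fmt(max(times)))


def classify_attachment(path: Path) -> dict:
    """Say whether an attachment is OLE or OOXML and whether it embeds VBA."""
    data = path.read_bytes()
    kind, evidence = "other", []
    if data[:8] == OLE_MAGIC:
        kind = "ole"
        evidence = [m.decode("utf-16-le") for m in OLE_VBA_MARKERS if m in data]
    elif data[:2] == b"PK" and zipfile.is_zipfile(path):
        kind = "ooxml"
        with zipfile.ZipFile(path) as z:
            names = set(z.namelist())
        evidence = [part for part in OOXML_VBA_PARTS if part in names]
    return {"file": path.name, "kind": kind,
            "has_vba": bool(evidence), "evidence": evidence}


def triage_attachments(folder: Path) -> list:
    """Classify every file in `folder`; entries with has_vba=True come first."""
    results = [classify_attachment(p) for p in sorted(folder.iterdir()) if p.is_file()]
    return sorted(results, key=lambda r: not r["has_vba"])   # stable: keeps name order


if __name__ == "__main__":
    # Usage: script.py <encrypted-tree> <appended-ext> <saved-attachments-folder>
    tree, ext, saved = Path(sys.argv[1]), sys.argv[2], Path(sys.argv[3])
    print("encryption ran between", *encryption_window(tree, ext))
    for r in triage_attachments(saved):
        flag = "MACROS" if r["has_vba"] else "clean "
        print(flag, r["file"], r["kind"], r["evidence"])
```

A file named .docx or .xlsx that carries a vbaProject.bin part is as suspect as a .docm, which is why the check ignores the extension; reading the bytes with Python executes nothing, but it is still best done on the live Linux system rather than a machine with Office installed.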


 
 
 
 


turb
#1578870 23-Jun-2016 10:24

bigtone58:


Thanks ever so much for the detailed answer mate - you're a star.

I'll have a look and let you know how I go.




turb
#1594260 18-Jul-2016 07:49

Thanks for the input everyone!

I followed the instructions above to check the .pst file was clean, and that nothing else had snuck onto the USB drive.

I scanned the laptop with MBAM free, and Hitman Pro.

Win Defender, Win Restore and Win Update had been disabled by the malware. Win System File Repair tool wasn't able to fix them. Any win 7 recovery, backup or installation discs are lost.

Now that I knew the .pst file was safe, I could start fiddling.

I created a new gmail address with IMAP enabled, added it to Outlook on the old machine and copied the inbox and sent folders across from the xtra account. This took some hours (>4000 emails). When the content was loaded into gmail and I could view it all from gmail on another PC it was time for a big sigh of relief.

Then on the off-chance I tried the RannohDecryptor tool from the Kaspersky website. It took a little tinkering, but OMG it worked! >24000 document and photo files (33 GB) safely decrypted.

Time for another scan of the decrypted files with the two tools above. Nothing found. Copy everything onto an external HDD.

Now I'm on a dopamine high, so I set about rebuilding the laptop:

Win 10 clean install, Win Defender, Malwarebytes Anti-Malware Premium, Malwarebytes Anti-Exploit free, uBlock Origin, Dropbox Pro, no Flash, no Java. Windows Media Player disabled. My Documents save etc now all redirected to the Dropbox folder.

 


For offline email access I used Thunderbird. Nothing wrong with Win Mail except it's not really clear how it works, and there aren't enough settings to mess with. Gmail Offline (which I didn't even know existed) to enable fast offline searching of the old emails.

Interestingly, the first pass of win10 defender detected another infected file, that MBAM and Hitman both missed. It was an mp3* file infected with TrojanDownloader:ASX/Wimad.at which was described by Defender as a SEVERE RISK. That made me wonder if MBAM was a waste of money, but then I remembered how the malware had disabled Defender as part of its attack. So MBAM stays.

*I'm sure this file wasn't the source of the infection as I think it needs to be played in WMP to be activated, and (like everyone) he's getting his music online nowadays.




