File server got affected by .micro



  • What can I do now, as my file server got affected by .micro? All my files are listed with a .micro extension, or with .html/.xml extensions. As far as I have found, it looks like a ransom attack. Is there any way to recover my files?

    http://sensorstechforum.com/remove-teslacrypt-3-0-and-restore-micro-encrypted-files/

    I found the above link for a solution, but before checking it I need a clear idea of what this is and how I can recover my files.



  • .micro is the extension name. This is TeslaCrypt.

    Do you have backups, is anything lost?



  • The general recovery method here is the same as any storage failure: you restore from backups.

    There is some limited possibility that you could do a recovery via decryption, but realistically that cannot be done on any scale and has only limited success. Worth attempting, perhaps, but most everyone will just restore from backup.

    Be sure to completely reinstall your environment; you need to be 100% sure that you are free from TeslaCrypt before proceeding.



  • As per @scottalanmiller above, DO NOT attempt to clean the infection... wipe and reimage all affected machines before restoring from backups. You cannot remove ransomware completely, always wipe and reimage.



  • @RojoLoco said:

    As per @scottalanmiller above, DO NOT attempt to clean the infection... wipe and reimage all affected machines before restoring from backups. You cannot remove ransomware completely, always wipe and reimage.

    Or any serious malware. Just rarely gets more serious than this.



  • I agree. Once you have been infected, just take a backup in case there is something that needs to be recovered later, and then wipe the slate clean and start fresh.



  • I have cleaned malware, but never on a file server, or any other server for that matter. A PC, for repair: a compromised system HDD recovered and reimaged, but the old image restored on another machine for inspection. There are so many hiding places that even PCs are never trusted again after infection. Opening svchost instances and other running processes never takes you to the process that is timed to show itself and then shut down. Searching every entry in even one process is a daunting task. Relying on software to ferret out all the areas of attack implies the software can and will be ready for the zero-day attack; the attackers have most if not all the tools we have to write code that gets around the products. You may stare a Microsoft entry in the face with no clue of its true task, with the many registry entries, DLLs, etc. Man, I miss DOS.



  • Also make sure the backup is clean, and that this is not something that has been hidden but is now a 'discovered' process that has been running for weeks. Backups can be compromised. Most malware is considered a failure if it is detected; on the other hand, it needs to be detected for ransom, or just outright malice.



  • The bad thing is that they didn't have any backup of that server.
    So I am asking you for any solution; one of my colleagues is suffering with this.



  • @RoopanKumar said:

    The bad thing is that they didn't have any backup of that server.
    So I am asking you for any solution; one of my colleagues is suffering with this.

    You can attempt the decryption methods; there is no harm in trying, but there are three accepted solutions to ransomware:

    • Pay the ransom as requested
    • Do nothing, the data is lost
    • Restore from backup <- not an option here

    Given that the data was not important enough to back up, one can only assume it is not important enough to pay the ransom either. So my guess is that the desired thing is to do nothing and the data is just gone.



  • @scottalanmiller I have suggested the same, but we don't know whom he needs to pay the ransom to.

    The data that is lost is lost, but they need it, so I came here to find anything or any way to get it back.



  • @RoopanKumar said:

    @scottalanmiller I have suggested the same, but we don't know whom he needs to pay the ransom to.

    The TeslaCrypt malware should have told you whom to pay when it informed you that it had your files. If it did not, I doubt that there is any means of finding out.
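    Locating that note and sizing the damage on the share can be scripted before anyone decides between paying, restoring or writing the data off. The script below is an added example, not code from this thread and not the TeslaDecrypt tool mentioned later; it assumes (these are assumptions, not facts from the thread) that the note is dropped with identical content into many folders, that an encrypted file's modification time is the moment the malware rewrote it, and that the encrypted files keep their original name with `.micro` appended. The `build_sample_share` function creates a constructed fake tree so the script runs offline when given no path.

```python
#!/usr/bin/env python3
"""Triage helper for a share hit by the .micro (TeslaCrypt) variant.

Added example, not the decrypter from the thread. It inventories the
encrypted files, recovers their original names for matching against any
backup, estimates the encryption window from file timestamps, and finds the
dropped ransom note files (the .html/.xml files the original post noticed).
Assumptions, not facts from the thread: the note is written with identical
content into many directories, and an encrypted file's mtime is the moment
it was rewritten by the malware.
"""
import hashlib
import os
import sys
import tempfile
from collections import Counter, defaultdict
from datetime import datetime, timezone

ENCRYPTED_EXT = ".micro"
NOTE_EXTS = {".html", ".xml", ".txt"}
MIN_NOTE_DIRS = 3  # identical file in at least this many directories => note


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def original_name(path):
    """Strip the appended extension: report.docx.micro -> report.docx."""
    stem, ext = os.path.splitext(path)
    return stem if ext.lower() == ENCRYPTED_EXT else path


def scan_share(root):
    """Walk root and return an inventory dict; nothing on disk is modified."""
    encrypted, per_dir = [], Counter()
    dirs_by_digest, paths_by_digest = defaultdict(set), defaultdict(list)
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext == ENCRYPTED_EXT:
                encrypted.append(path)
                per_dir[dirpath] += 1
            elif ext in NOTE_EXTS:
                digest = file_digest(path)
                dirs_by_digest[digest].add(dirpath)
                paths_by_digest[digest].append(path)
    # A ransom note is the same small file repeated across many folders;
    # a one-off intranet page or config file does not match this pattern.
    notes = [p for d, dirs in dirs_by_digest.items()
             if len(dirs) >= MIN_NOTE_DIRS for p in paths_by_digest[d]]
    mtimes = [os.path.getmtime(p) for p in encrypted]
    window = None
    if mtimes:
        window = (datetime.fromtimestamp(min(mtimes), timezone.utc),
                  datetime.fromtimestamp(max(mtimes), timezone.utc))
    return {
        "encrypted_count": len(encrypted),
        "per_dir": dict(per_dir),
        "originals": sorted(original_name(p) for p in encrypted),
        "ransom_notes": sorted(notes),
        "window": window,  # backups taken after window[0] are suspect
    }


def build_sample_share():
    """Constructed sample tree (fake data, not a real infection) for a dry run."""
    root = tempfile.mkdtemp(prefix="micro_triage_")
    note = b"<html>Your files were encrypted. Read this page to recover them.</html>"
    layout = {"finance": ["q1.xlsx.micro", "budget.docx.micro"],
              "hr": ["contracts.pdf.micro"],
              "it": ["readme.txt"]}  # nothing encrypted here, note still dropped
    for d, names in layout.items():
        os.makedirs(os.path.join(root, d))
        for n in names:
            with open(os.path.join(root, d, n), "wb") as f:
                f.write(os.urandom(64))
        with open(os.path.join(root, d, "recover_files.html"), "wb") as f:
            f.write(note)
    with open(os.path.join(root, "it", "intranet.html"), "wb") as f:
        f.write(b"<html>ordinary page, unique to this folder</html>")
    return root


if __name__ == "__main__":
    inventory = scan_share(sys.argv[1] if len(sys.argv) > 1 else build_sample_share())
    print(f"{inventory['encrypted_count']} encrypted files in "
          f"{len(inventory['per_dir'])} directories")
    print("encryption window:", inventory["window"])
    for p in inventory["ransom_notes"][:5]:
        print("ransom note:", p)
```

    Run it as `python3 micro_triage.py /path/to/share` (the file name is an assumption) from a clean machine with the share mounted read-only. The earliest timestamp in the reported window is the point after which any backup, shadow copy or replica has to be treated as possibly already containing encrypted files, which is the concern raised earlier in the thread about backups being compromised.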



  • @RoopanKumar said:

    The data that is lost is lost, but they need it, so I came here to find anything or any way to get it back.

    Sadly, I don't mean lost like "they are not sure where it is", it is lost like .... it is gone. Unless they can use those decryption methods and get the files back that way, which is unreliable and slow, then there is nothing to be done.

    If there was a way to get the files back, ransomware would not be worthwhile. The reality is, it is extremely effective.



  • Cisco talks about this tool having success. Download this open source decrypter from GitHub and see if it is able to access the files:

    https://github.com/vrtadmin/TeslaDecrypt/blob/master/Windows/TeslaDecrypter.exe



  • That looks like a decent tool. If Cisco recommends it, definitely worth trying.

    My guess is that the decryption process will be slow. Has anyone tested this tool yet?



  • @Reid-Cooper do you have any documents on the steps to be taken or on how this works? Then I will recommend downloading it and checking with it.