I haven’t dealt with any malware, viruses, or any of that stuff for decades. Not since the late ’90s, early 2000s… MSBlaster days.
Until last weekend. Friday night was fine, zoomed with my daughter. Went to bed without turning off my desktop, which is unusual. Woke up Saturday, and was unable to log into my computer. Kept getting errors related to my Windows profile. It wasn’t until I started in safe mode with a temporary profile that ransomware messages popped up. I clicked around for a few minutes, got pissed off… turned off the computer, installed new drives and reloaded it.
I didn’t keep regular backups, but I had drives from my previous computer from roughly 2 years ago… so I’ve got the vast majority of my music and files that don’t change all that often… but I’ve lost a few things… which is inconvenient and annoying.
So now I’m trying to understand how this happened. And I’ve come to the conclusion, after a bit of research, that it was my having RDP enabled. Although the fact that I don’t normally leave the computer on when I’m not using it, and also had the port forwarding set from the outside to a crazy non-standard port… is probably how the computer survived without infection for 10-15 years… but obviously its/my luck ran out.
My first observation is… isn’t it odd that the ransomware that hit my computer prevented me from logging on? If the goal is to make money off people by ransoming their files… wouldn’t you want them to be able to log into their computer easily to find your ransom note?
I’m also curious if my RDP password was most likely broken, or if RDP is flawed in some way where access was gained without working out my password? I’m really curious about this as I’m wondering if having 2FA on RDP would have prevented access, or if RDP is flawed to the point where authentication was completely circumvented.
I’m also trying to identify the specific ransomware variant. It’s been identified differently by several websites I’ve found… so I’m curious if you more experienced folks would easily recognize it? I’m pretty well resigned to the fact that most ransomware these days won’t have decryption software available, but I would like to monitor the web/forums on the chance that one is developed for whatever hit me, at some point in the future. I’m thinking it might be a Dharma variant, or something called Judge, or perhaps C1024? Not sure. Like I mentioned earlier, it’s been identified differently by different websites.
Here’s an encrypted filename: Build Notes EliteBook 820g1.txt.id-F411D2B1.[email@example.com].DR
Here are the contents of the Info.txt note file:
all your data has been locked us
You want to return?
write email firstname.lastname@example.org or email@example.com
And I’ve attached a picture of the ransom ‘pop-up’:
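The poster’s question of whether the RDP password was brute-forced or whether RDP itself was bypassed can usually be answered from the Security event log on the old drive, which was swapped out rather than wiped. The script below is an added example, not part of the original post and not something the poster ran. It assumes the old system drive is mounted read-only on a clean machine as D: (a hypothetical letter; change $OldSystemDrive) and that the Windows default audit policy was in effect, so logon successes (4624) and failures (4625) were recorded.

```powershell
# Added example (not from the original post): triage the Security event log of the
# replaced system drive to tell an RDP password brute-force apart from a single
# clean logon. Assumes the old drive is mounted as D: (hypothetical); run elevated.
$OldSystemDrive = 'D:'
$SecurityLog = Join-Path $OldSystemDrive 'Windows\System32\winevt\Logs\Security.evtx'

# Extract the EventData fields of an event into a name -> value hashtable, so the
# code does not depend on positional Properties[] indices that differ per event ID.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data
}

# First, check whether the attacker wiped the trail: 1102 = audit log cleared.
$cleared = Get-WinEvent -Path $SecurityLog -FilterXPath '*[System[EventID=1102]]' -ErrorAction SilentlyContinue
if ($cleared) { "WARNING: Security log was cleared at $($cleared[0].TimeCreated); evidence may be gone." }

# 4625 = failed logon. A brute-force shows up as hundreds or thousands of these from a
# few source IPs, spread over guessed usernames (administrator, admin, user, the real
# account...). With NLA enabled, failed RDP attempts are logged as LogonType 3, not 10,
# because authentication happens at the network layer before a session is created.
$failed = Get-WinEvent -Path $SecurityLog -FilterXPath '*[System[EventID=4625]]' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $d['TargetUserName']
            LogonType = $d['LogonType']
            SourceIP  = $d['IpAddress']
            SubStatus = $d['SubStatus']   # 0xC000006A = bad password, 0xC0000064 = no such user
        }
    }

"Failed logons: $($failed.Count)"
$failed | Group-Object SourceIP | Sort-Object Count -Descending | Select-Object -First 10 Count, Name | Format-Table -AutoSize
$failed | Group-Object User     | Sort-Object Count -Descending | Select-Object -First 10 Count, Name | Format-Table -AutoSize

# 4624 = successful logon. LogonType 10 (RemoteInteractive) is an RDP session; type 3
# from a non-local IP matters too. Local/system logons (IpAddress '-' or loopback) are dropped.
$success = Get-WinEvent -Path $SecurityLog -FilterXPath '*[System[EventID=4624]]' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $d['TargetUserName']
            LogonType = $d['LogonType']
            SourceIP  = $d['IpAddress']
        }
    } | Where-Object { $_.LogonType -in '3','10' -and $_.SourceIP -notin '-','127.0.0.1','::1' }

"Network/RDP logons from non-local addresses: $($success.Count)"
$success | Sort-Object Time | Format-Table -AutoSize

# Cross-reference: an IP that racked up many 4625s and then got a 4624 is the moment
# the password fell to guessing. A 4624 from an unfamiliar IP with no preceding 4625s
# points instead at a reused or leaked password rather than a brute-force.
$bruteIPs = $failed | Group-Object SourceIP | Where-Object Count -ge 20 | ForEach-Object Name
"First successful logons from IPs that were also brute-forcing:"
$success | Where-Object { $_.SourceIP -in $bruteIPs } | Sort-Object Time | Select-Object -First 5 | Format-Table -AutoSize
```

Read the output in that order: a 1102 event means the attacker cleared the log and the rest is unreliable; a large 4625 count from a few IPs followed by a 4624 from one of them is a guessed password, which 2FA or an account-lockout policy would have stopped; a lone 4624 from an external IP with no failure storm suggests the password was already known (reused or leaked) and RDP simply accepted it. The threshold of 20 failures per IP is an arbitrary choice for this example.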