We like playing music from our phones in the car or wherever we are, using YouTube. Instead, let's download our music beforehand and not burn our costly phone bandwidth! On top of that, we only want the audio, since it is a much smaller file and takes up little room.
Tool Needed:
Back to my favorite online video downloader: youtube-dl. This is the simple command line tool we run in the command prompt to grab our videos. I have written a previous post on how to use it; please check that out to get an idea of how it works.
This is a quick blogged guide for administrators who need to delete an email from their organization for one reason or another. In my case this was due to a CryptoLocker-like ransomware outbreak called Cerber.
The Task: Find the emails and delete them from the system to prevent further incidents, which make more work for us because we always have to re-image (and in some cases physically replace) the machines, not to mention the user downtime.
First Step:
First we want to locate and identify the emails targeted for deletion. In my case we received the payload from this address: [email protected] (first, just want to say .ru is Russian!). We should never open emails like this, but users will still go for it. There are several ways to find where the emails went, who read them, and so on; this is what we will do, working from this address.
Options for Searching: Exchange PowerShell or the Exchange eDiscovery GUI
I normally use both. In many cases, if the search involves gathering emails, it is easiest for me to run an eDiscovery search and export the results to a PST file. For deletions, though, we want PowerShell, since it is the only way I know of as of now to delete emails from the system and from user mailboxes as a mass action.
This command first grabs all mailboxes within the organization, then pipes them to our search function using the "|" symbol. In our search operation we call "Search-Mailbox -SearchQuery", and there we use the "From:" text to find our matching address. The command then follows up with a target mailbox and folder to send a report of the results to. In my case I'm sending it to my adminuser's mailbox, under the "SearchAndDeleteLog" folder I created for it.
Here is a guide to other parameters I might use when running the search. We can use things like the Subject line or Dates and get fairly specific. Keep in mind it uses KQL, which is the same syntax used in eDiscovery. Use this guide to get an idea of what search parameters you can use in -SearchQuery: https://technet.microsoft.com/en-us/library/ms.o365.cc.searchquerylearnmore.aspx#emailproperties
Once you receive the results you like, you can move on to delete them with the following command:
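As an added example (not the command from the post), here is the search-then-delete flow in the Exchange Management Shell: a -LogOnly dry run first, then the same query with -DeleteContent once the report checks out. It assumes the post's target mailbox "adminuser" and folder "SearchAndDeleteLog"; <sender-address> is a placeholder for the sender address the post redacts, and the Subject clause is only there to show how the KQL query can be narrowed.

```powershell
# Added example, not the post's own command. Requires the Mailbox Search role
# for searching and the Mailbox Import Export role for -DeleteContent.

# KQL query: match the sender; <sender-address> is a placeholder for the
# redacted address. The Subject clause is an assumed example of narrowing.
$query = 'From:"<sender-address>" AND Subject:"invoice"'

# Target mailbox/folder from the post. With -DeleteContent, a copy of every
# removed message lands here, so the deletion is reviewable afterwards.
$target = @{
    TargetMailbox = 'adminuser'
    TargetFolder  = 'SearchAndDeleteLog'
}

# Step 1: dry run. -LogOnly writes a report (with a CSV of hits) to the target
# folder and deletes nothing, so you can confirm the query only matches the
# malicious mail before touching user mailboxes.
Get-Mailbox -ResultSize Unlimited |
    Search-Mailbox -SearchQuery $query @target -LogOnly -LogLevel Full

# Step 2: only after reviewing the log, re-run with -DeleteContent.
# -Force suppresses the per-mailbox confirmation prompt.
Get-Mailbox -ResultSize Unlimited |
    Search-Mailbox -SearchQuery $query @target -DeleteContent -Force
```

Review the report from step 1 before running step 2; -DeleteContent moves matched items out of users' mailboxes across the whole organization in one pass, so a query that is too broad does real damage.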
I was concerned that it also infected file shares, but from what I can see it doesn't touch them. After a user infected a computer here on our network, it looks like nothing else was touched, but every file on her computer displays a message like this:
Every file is basically encrypted until you pay the sons of guns.
Basic Steps on handling this type of problem:
Verify that none of your other networked file shares have been infected, and run a full virus scan of the shares just to be safe. So far I haven't heard of Cerber jumping to any networked shares; it keeps things local to the machine, which means it is mainly targeting end users. Here is a snippet of code from the above link that leads me to believe it only stays local, since it is the only reference to any directories it makes: "folders": [ ":\\$recycle.bin\\", ":\\$windows.~bt\\", ":\\boot\\", ":\\drivers\\", ":\\program files\\", ":\\program files (x86)\\", ":\\programdata\\", ":\\users\\all users\\", ":\\windows\\", "\\appdata\\local\\", "\\appdata\\locallow\\", "\\appdata\\roaming\\", "\\public\\music\\sample music\\", "\\public\\pictures\\sample pictures\\", "\\public\\videos\\sample videos\\", "\\tor browser\\
The next step is to burn the infected machine (just re-image it). Users might ask for the files, in which case they can pay the ransom if it's that important: something like 2 Bitcoin or $500, if you pay up before it doubles on you every week. One other thing users have asked me is whether they can at least see the files they lost. In that case you're going to be taking a picture of the computer screen, because there is no safe bet I would take on making any kind of digital bridge to that computer (i.e. plugging in a USB stick, or taking a snapshot to transfer to a USB stick).
The final step is to replace the user's PC and restore their files. That is, if you back them up!
UPDATE:
Confirmed with the Talos Security group that this is not decryptable as of yet.