LabVIEW


Ransomware on Labview files


Hello,

 

Recently we have run into a ransomware attack, and it seems as though our LabVIEW files were directly targeted.

Every file in the "\Program files\National Instruments\" directory has been encrypted to the file type:

"[amagnus@india.com].wallet".

 

For example, the main executable for LabVIEW is:

"LabView.exe.[amagnus@india.com].wallet"

 

Is this an issue that the community in general is experiencing? We are trying to determine exactly where this threat originated.

 

Attached is a picture of the file directory (taken using my phone).

0 Kudos
Message 1 of 5
(3,091 Views)
Solution
Accepted by topic author SteveJobs

This appears to be part of a known Virus, as the signature appears on a number of messages, including some for sites suggesting ways to remove the virus.

 

How you proceed is up to you and your IT Team.  Some advice that makes sense to me:

  • Preserve your machine.  Take it off the network and do a "stand-alone" backup to an external hard drive.  Only use the hard drive to restore to this machine -- remember, it has "bad stuff" on it.
  • Take the machine off the network, and keep it off the network!  If you want to try "fixes", download onto a freshly-formatted USB Key and plug the Key into your infected PC.  Reformat the Key after you use it (cannot be too careful).
  • If you do manage to "unlock" your machine, copy as little as possible of your documents.  Whatever you copy, run it through several Virus scanners to make it as "pure" as possible.
  • Assuming you are able to safely recover some stuff, reformat your machine's Hard Drive and re-install everything.  Do a full "write all the sectors" low-level reformat -- you want to make sure nothing is "hiding" in a hidden partition or such.

Bob Schor

 

P.S. -- I don't think this has anything, per se, to do with LabVIEW, just bad luck that this was the Folder that was included in the hit.

 

Message 2 of 5
(3,067 Views)

Thanks for the timely and well thought out response! Glad to hear that it's a local phenomenon and not a universal issue.

0 Kudos
Message 3 of 5
(3,049 Views)

@SteveJobs wrote:

Thanks for the timely and well thought out response! Glad to hear that it's a local phenomenon and not a universal issue.


I know you actually mean that you are relieved that this is just limited to your site and not universal to NI.  That being said, it obviously means there is a huge security hole somewhere in your IT department and if you don't fix it, it could (and probably will) happen again!

 

Oh, and this kind of thing is so frustrating that companies have been known to just cave and pay up.  I think of it as a "fee" for "lessons learned".  😉

 

I'd probably just call it a day and restore from backup.

Bill
CLD
(Mid-Level minion.)
My support system ensures that I don't look totally incompetent.
Proud to say that I've progressed beyond knowing just enough to be dangerous. I now know enough to know that I have no clue about anything at all.
Humble author of the CLAD Nugget.
0 Kudos
Message 4 of 5
(3,043 Views)

The LabVIEW folder can be restored by just reinstalling LabVIEW (except maybe for custom settings in the .ini file), so this is not a great way to ask for ransom. I would be much more worried about personal files.

Is there anything encrypted that is actually of value to the company (or to you) and that cannot be restored from backup?

In any case, follow Bob's advice and take the PC off the network. Maybe somebody from IT has forensic tools to investigate how the infection happened (malicious website, malware attachment, via a USB drive, etc.) so they can better protect in the future.

0 Kudos
Message 5 of 5
(2,979 Views)
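As an added example that is not part of this thread, the following Python script applies the rename pattern from the first post ("original name" + ".[contact address].wallet") and the reinstall-versus-restore distinction from the last post to a constructed file listing, so an IT team working from a read-only listing of the isolated disk can see which encrypted files only a backup can bring back. The sample paths, the "reinstallable" prefix list and the function names are assumptions, not anything from the original poster's environment.

```python
import ntpath
import re
from collections import Counter

# Rename pattern reported in the thread: "<original name>.[<contact address>].wallet".
# The bracketed address is captured rather than hard-coded so the same check works
# if a different address appears in the listing.
WALLET_RE = re.compile(
    r"^(?P<original>.+?)\.\[(?P<contact>[^\]\s]+@[^\]\s]+)\]\.wallet$", re.IGNORECASE
)

# Assumption: anything under these trees can be rebuilt by reinstalling software,
# so it does not need a backup to recover (Christian's point about the LabVIEW folder).
REINSTALLABLE_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample listing modelled on the directory the original poster described.
SAMPLE_LISTING = [
    r"C:\Program Files\National Instruments\LabVIEW\LabVIEW.exe.[amagnus@india.com].wallet",
    r"C:\Program Files\National Instruments\LabVIEW\LabVIEW.ini.[amagnus@india.com].wallet",
    r"C:\Users\steve\Documents\acquisition.vi.[amagnus@india.com].wallet",
    r"C:\Users\steve\Documents\results.csv",
    r"C:\Windows\System32\notepad.exe",
]


def parse_wallet_name(filename):
    """Return (original_name, contact) for a .wallet-renamed file, else None."""
    m = WALLET_RE.match(filename)
    return (m.group("original"), m.group("contact")) if m else None


def triage(paths):
    """Split a path inventory into renamed (encrypted) and untouched files, and flag
    which encrypted files fall outside reinstallable program trees and therefore
    need a backup to recover. Windows paths are handled with ntpath on any OS."""
    encrypted, untouched = [], []
    for p in paths:
        parsed = parse_wallet_name(ntpath.basename(p))
        if parsed is None:
            untouched.append(p)
            continue
        original, contact = parsed
        ext = ntpath.splitext(original)[1].lower() or "(none)"
        reinstallable = p.lower().startswith(REINSTALLABLE_PREFIXES)
        encrypted.append({"path": p, "original": original, "ext": ext,
                          "contact": contact, "reinstallable": reinstallable})
    return {
        "encrypted": encrypted,
        "untouched": untouched,
        "needs_backup": [e["path"] for e in encrypted if not e["reinstallable"]],
        "by_ext": Counter(e["ext"] for e in encrypted),
        "by_contact": Counter(e["contact"] for e in encrypted),
    }
```

Run `triage()` over a listing exported from the isolated machine (not over the live disk) and hand `needs_backup` to whoever owns the backups; `by_contact` showing more than one address would suggest more than one infection.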