Cryptowall never encrypted files with the .aaa extension, nor can you recover files using any of the methods listed in the article after an infection. TeslaCrypt version 2 used the .aaa extension. Version 2 did have a vulnerability which allowed the recovery of files. Here is a more detailed write-up of the recovery process: http://www.bleepingcomputer.com/news/security/teslacrypt-decrypted-flaw-in-teslacrypt-allows-victims-to-recover-their-files/
> Remote Desktop is always enabled on my PC, so I'm not sure what you mean by leaving it on.
That's exactly what he means. You left RDP on. The computer with RDP enabled was probably accessible from the internet through your router/gateway (did you open a port to it?), and your password was probably compromised (likely), or, if it was an old version of RDP, it was hacked via a known exploit (less likely).
If you want a sobering reminder of how exposed you really are, get your router/gateway's WAN IP address and enter it in https://www.shodan.io/ to see how easy it is to find targets.
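The checks the reply above describes (is RDP on, is it reachable, has the password been guessed at) can be done from the machine itself. The following is an added example, not code from the thread; it uses only standard Windows registry paths, cmdlets and the Security log's 4625 (failed logon) event, and is meant to be run in an elevated PowerShell on the affected PC.

```powershell
# Added example (not from the original thread): is this Windows box an RDP target
# in the way the comment above describes? Run in an elevated PowerShell on the
# machine itself. Registry paths and event IDs are the standard Windows ones.

$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)
"RDP enabled: $rdpEnabled"

# Network Level Authentication: 1 = required (a client must authenticate before it
# reaches the full logon screen), 0 = off, which leaves more pre-auth surface exposed.
$nla = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp').UserAuthentication
"NLA required: $($nla -eq 1)"

# Is anything actually listening on the RDP port, and on which address?
Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# Which enabled inbound firewall rules let RDP in, on which profiles, from which addresses?
# "Any" under Public is the setting that, combined with a port forward, exposes you.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        '{0}: profile={1} remote={2}' -f $_.DisplayName, $_.Profile, ($addr -join ',')
    }

# Failed logons over the last 7 days, grouped by source IP. Many unfamiliar addresses
# with hundreds of failures each, often against "administrator", is the
# password-guessing pattern the comment refers to. In event 4625, Properties[19]
# is the source IpAddress and Properties[5] the attempted account name.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Ip      = $_.Properties[19].Value
            Account = $_.Properties[5].Value
        }
    } |
    Group-Object Ip |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name,
        @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ',' } }
```

The last query is the one to read first: failures from the internet against a home PC mean the port forward was reachable, whatever the local firewall rules say. Confirm the outside view separately with the Shodan lookup above or a port scan of the WAN address from another network, since a NAT router will not show you its own forwarding from inside.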
Hey! I'm always interested to see the results of these things. If you've got the time, can you upload the sample to both https://www.virustotal.com/ and https://malwr.com/ and provide me the links for each?
Uploading to VirusTotal is a great way to support all AV vendors, as they have private API keys to pull down samples from the service. I work for a security vendor myself; however, I don't want to give too much bias, hence pointing you towards a neutral place to upload to.
Thanks!
Just popped something that installed a Tor APK, as posted below after researching:
https://www.hybrid-analysis.com/sample/3554913ab11c234934fb6cb245fc221a1a9240f15c548fb186596999bcb822f0
I saw a bunch of permissions start popping up to allow access to various things, then screen lock + message happened.
It's all fixed now and I even followed up with Norton support who said everything CortanaInstaller said yesterday.
Fortunately I got it off within 5-10 minutes and with the 20+ gigs I had stuffed in this thing it would've taken some time to get anything via RDC. Plus no incoming texts nor outgoing, same with calls.
I'm certain I'm safe at this point.
Reset your passwords.
Use a password manager.
I would also invest in a data protection tool. Typically, if you have a data breach like this, it means that you're fairly vulnerable. I prefer Rollback Rx Home Edition personally, as it's free and it both encrypts and backs up your data, but VeraCrypt and Microsoft's own BitLocker are also great free choices.
Windows 10 does have limited protection built in. It's kinda hidden; you just have to search for "Ransomware protection". It takes a few days to train it.
Similarly with other apps. There are many enterprise AV/NGAV that handle ransomware well, based upon behavior of unknown applications. But you're going to pay substantially.
There are plenty of services for online backups. I used CrashPlan a lot in the past as a home user. Once they moved to a business model, I changed, but they are a great service (https://www.crashplan.com/en-us/).
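The "Ransomware protection" setting mentioned above is Microsoft Defender's Controlled Folder Access, and it can be configured and audited from PowerShell rather than hunted for in the Settings app. The block below is an added example, not code from the thread; it uses the real `Get-MpPreference`/`Set-MpPreference`/`Add-MpPreference` cmdlets and Defender's Operational event log, and the two file paths in it are placeholders to be replaced with your own.

```powershell
# Added example (not from the original thread): the PowerShell side of Windows 10's
# "Ransomware protection" page, i.e. Microsoft Defender Controlled Folder Access (CFA).
# Run elevated with Defender active; a third-party AV that disables Defender makes
# these no-ops. The two paths below are assumed placeholders.

# Current state: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode (log only).
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders, ControlledFolderAccessAllowedApplications

# Start in audit mode: nothing is blocked, but every write an untrusted app makes
# into a protected folder is logged, so you learn which of your own tools would be
# caught before you switch to blocking.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# The user profile folders (Documents, Pictures, ...) are protected by default;
# add any other location that matters to you (assumed example path).
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Projects'

# After a few days, review what would have been blocked. Defender writes these to
# its Operational channel: 1124 = audited write, 1123 = blocked write (once enforcing).
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1123, 1124
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap

# Allow the legitimate tools that showed up in the audit log (assumed example path)...
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\MyBackupTool\backup.exe'

# ...then switch to enforcing. Unknown, unsigned programs can no longer modify
# files in the protected folders, which is what stops a typical encryptor.
Set-MpPreference -EnableControlledFolderAccess Enabled
```

Audit mode first is the practical order: turning blocking on directly tends to break backup clients, editors and games that write into Documents, and a user who then flips the feature off for good gets less protection than one who allowed two programs and left it on.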
It means there was an attempt to steal your login credentials, but it was blocked. So you're safe.
A couple things you may want to consider:
- Incorporating a content blocker (e.g. uBlock)
- Running an active scan with Malwarebytes to determine if there are any trojans on your machine
- Encrypting and backing up your hard drives and data (e.g. Rollback Rx)
- Encrypting your web traffic with a VPN (e.g. NordVPN)