[SOLVED] Need advice; client server infected with .wallet extension ransomware

My client is a law firm with about 100 employees and hundreds of thousands of folders of data. Due to an iffy backup solution that so far we have not been able to recover completely from, we contacted the hackers and were told that the ransom would be $1950 worth of BTC. Money is not the issue, they just want all of their data back. This is my first time encountering this virus and I knew people here would have experience on this. Is it worth it to try other measures besides paying the ransom? Are there any?

Thanks for any help, the longer we wait the more money they lose.

You were able to restore to the last uninfected backup? And identified the entry point for the ransomware? And still have the original infecting computer?

Have you identified the specific type of ransomware? There are a number of variants, if I remember correctly, that were broken and recoverable. Some as simple as having weak keys that can be brute forced.

Of course it all potentially becomes pointless if it costs more than just paying. But there's risk in that as well, I suppose.

It's a pretty big chance that you'll get absolutely nothing if you pay them. It has been the norm in these cases, you don't get anything if you pay up. So don't. Spend the money on data recovery.

Ehhhhhh, it's not really that way.

The FBI really recommends paying blackmailers? That just sounds really stupid.

Edit: That article is from 2015, outdated. FBI does not recommend paying ransoms. Cold, hard reality might make it look like a compelling choice though. Far from a sure thing to get your data back though, as 2016 data shows.

Well, think about it this way. If hackers didn't give you your system back after you paid them, they would only make money once and then the advice would be to not pay them. If they do give you your stuff back, then the advice becomes to pay them every time. Lot more money to be made if they always give you your stuff back. One and done vs repeatable scheme.

Yup, it doesn't cost them anything to give you the key to release the files, but it risks them losing out on money in the future if they don't.

From the attacker's standpoint, it makes sense to release the files if the owner pays up.

That's also why the fee to get it released is never out-of-reach ridiculous. They're not forcing you to pay tens of thousands; they ask for a couple hundred to low thousands. It's a price people will actually pay to get their stuff back.

@Pholostan many organizations including the FBI routinely recommend paying. The whole "we don't negotiate with terrorists" is a myth; we do it every day, and in many situations it's recommended just to pay. Ransomware is just the latest iteration of this type of crime.

But the reality is that if @jlbrown.tech is talking about must-have info, and time and money being lost, it does need some thought. You need to ensure you won't get reinfected, and identify the source and type of malware if possible.

If you don't, and you pay up, decrypt the files (they will most likely give you the key), and then clean everything, cleaning everything may still leave you reinfected if you didn't clean the source of the infection in the first place.

1 Like

You may be able to find the key to the encryption online. A lot of ransomware authors are lazy and reuse the exact same code over and over. Once it gets cracked/released, it's usually put online so others can use it and not pay. If you can't find the key, pay.

Any tips on identifying how we were infected? I haven't been doing this work for very long so I just posted on here looking for assistance. Haven't had time today to do any serious research.

Thanks for the help guys. Good practice has always kept me out of this sort of trouble. However, these people weren't paying us to manage their stuff and we didn't set them up either. Crazy how many businesses out there rely on junk.

Still sounds really stupid to me. Sure, there can be a reality that you have no choice, still I would not do it.

Edit: Does the FBI really recommend paying ransoms though? Really? Nope, they don't. That's why I was so surprised hearing the opposite, when they changed their advisory in April last year.

The advisory quotes FBI Cyber Division Assistant Director James Trainor, who confirms that the bureau does not recommend paying extortionists:

“Paying a ransom doesn’t guarantee an organization that it will get its data back—we’ve seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”
It’s good to hear such a clear statement from the FBI, as in late 2015 the law enforcement agency was widely quoted seemingly saying that it often advised victims to “just pay the ransom.”

Now the FBI has published a list of tips to reduce the chance of ransomware being the ruin of your company (and some of them are applicable to home users too):

  • Make sure employees are aware of ransomware and of their critical roles in protecting the organization’s data.
  • Patch operating system, software, and firmware on digital devices (which may be made easier through a centralized patch management system).
  • Ensure anti-virus and anti-malware solutions are set to automatically update and conduct regular scans.
  • Manage the use of privileged accounts — no users should be assigned administrative access unless absolutely needed, and only use administrator accounts when necessary.
  • Configure access controls, including file, directory, and network share permissions appropriately. If users only need to read specific information, they don’t need write access to those files or directories.
  • Disable macro scripts from Microsoft Office files transmitted over email.
  • Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations (e.g., temporary folders supporting popular Internet browsers, compression/decompression programs).
  • Back up data regularly and verify the integrity of those backups regularly.
  • Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.
  • Prevention is always better than cure. Protect your computers – whether it be at home or in the office – from the threat of ransomware, and take the necessary measures so that if you are unlucky to be hit by a ransomware attack, you can recover.

Also this alert from FBI in September:

https://www.ic3.gov/media/2016/160915.aspx

RANSOMWARE VICTIMS URGED TO REPORT INFECTIONS TO FEDERAL LAW ENFORCEMENT

Repeating the stance on not paying ransoms:

The Ransom

The FBI does not support paying a ransom to the adversary. Paying a ransom does not guarantee the victim will regain access to their data; in fact, some individuals or organizations are never provided with decryption keys after paying a ransom. Paying a ransom emboldens the adversary to target other victims for profit, and could provide incentive for other criminals to engage in similar illicit activities for financial gain. While the FBI does not support paying a ransom, it recognizes executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees, and customers.

There are some tools for ransomware; Kaspersky has one:
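Two of the FBI tips quoted above ("back up data regularly and verify the integrity of those backups regularly" and "secure your backups") are the ones that would have kept the OP out of this thread, so here is an added example of what "verify the integrity" can mean in practice. This is illustrative code written for this page, not code from the thread, the FBI or any vendor. It takes a SHA-256 manifest of a backup tree, seals it with an HMAC key that is assumed to live only on the backup operator's workstation (never on the file server being backed up), and later reports files that changed, vanished, appeared, or now carry the .wallet suffix the OP mentions. The directory layout, file contents and key in `demo()` are constructed for the example.

```python
"""Seal and verify a SHA-256 manifest for a backup set (added example)."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Only .wallet is named in this thread; add the suffixes your AV vendor lists.
RANSOM_EXTENSIONS = {".wallet"}


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its size and SHA-256."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            out[p.relative_to(root).as_posix()] = {
                "size": p.stat().st_size, "sha256": sha256_file(p)}
    return out


def seal_manifest(manifest: dict, key: bytes) -> bytes:
    """Canonical JSON body plus an HMAC-SHA256 tag on its own line.

    The key is held off the file server, so an intruder who can rewrite the
    backup share cannot produce a manifest that matches the rewritten files.
    """
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def open_manifest(blob: bytes, key: bytes) -> dict:
    """Check the tag before trusting the manifest; raise on tampering."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("manifest tag mismatch: manifest altered or wrong key")
    return json.loads(body)


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the tree on disk now against the manifest taken at backup time."""
    current = build_manifest(root)
    report = {"modified": [], "missing": [], "unexpected": [], "ransom_ext": []}
    for rel, meta in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel]["sha256"] != meta["sha256"]:
            report["modified"].append(rel)
    for rel in current:
        if rel not in manifest:
            report["unexpected"].append(rel)
        if Path(rel).suffix.lower() in RANSOM_EXTENSIONS:
            report["ransom_ext"].append(rel)
    report["ok"] = not any(report[k] for k in
                           ("modified", "missing", "unexpected", "ransom_ext"))
    return report


def demo() -> tuple:
    """Constructed scenario: seal a clean backup, then simulate a later hit."""
    key = b"operator-held-key-not-on-the-server"  # assumption: kept off-box
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "backup"
        (root / "clients").mkdir(parents=True)
        (root / "clients" / "smith.docx").write_bytes(b"retainer agreement")
        (root / "clients" / "jones.docx").write_bytes(b"deposition notes")
        (root / "ledger.xlsx").write_bytes(b"trust account ledger")
        sealed = seal_manifest(build_manifest(root), key)
        clean = verify_backup(root, open_manifest(sealed, key))

        # Ransomware reaches the backup share: one file is replaced by an
        # encrypted copy with the .wallet suffix, another is overwritten.
        (root / "clients" / "smith.docx").unlink()
        (root / "clients" / "smith.docx.wallet").write_bytes(b"\x00ciphertext")
        (root / "ledger.xlsx").write_bytes(b"\x00ciphertext")
        infected = verify_backup(root, open_manifest(sealed, key))

        # The intruder re-generates the manifest to hide the change, but
        # does not hold the operator's key.
        forged = seal_manifest(build_manifest(root), b"guessed-key")
        try:
            open_manifest(forged, key)
            forged_accepted = True
        except ValueError:
            forged_accepted = False
    return clean, infected, forged_accepted


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The point of the sealed manifest is the "not connected to the computers and networks they are backing up" tip applied to the check itself: a hash list stored next to the backup can be rewritten by whatever rewrote the backup, so the thing that proves the copy is intact has to be anchored to a secret the file server never holds. Run the verification from the operator's machine against a mounted read-only copy, and treat a non-empty `ransom_ext` or `modified` list as "this backup generation is burned, go back one more".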

Oh yes it does. It exposes them, easier for them to get caught. They would be idiots to give you anything after you've paid them. Is there really a good statistic that shows paying is a good idea?

Only 5 percent ever consider paying the ransom an option

Source: Barkly

Despite several high-profile examples of organizations willing to pay the ransom to recover their data, plus advice from the FBI recommending as much (at least until they revised their stance in late April), the overwhelming majority of the IT pros we surveyed said they have never and would never consider paying the ransom.

Not only did many consider it a matter of principle, there was also a healthy dose of skepticism that paying would actually result in them getting their data back. As Kansas Heart Hospital learned the hard way in May, criminals don’t always follow through with their promises to decrypt the data.

Doesn't really look like it.

Edit: Found some reports for 2016, been reading some. Most seem to agree that less than half pay the ransom (~40%). Of those who pay there seem to be a majority that get something from the criminals, about a quarter to half get nothing/can't recover any data (reports differ a bit).

1 Like

Ransomware infections usually, but not always, come in through suspicious email attachments or such, and users clicking on them and opening them. It's usually something along the lines of:

"Dear John Smith

Please see attached invoice that is overdue

Kind regards"

Short and straight to the point whilst making the user want to open the attachment. Most of the time the ones who open them aren't even the people who would be in charge of paying, but people love gossip and knowing what's going on in the company that they aren't normally privy to.

Ask around if any end users remember getting any suspicious attachments and opening them only to find them blank or such and you'll probably find the point of infection assuming users own up to it. The worst part is before you mentioned it they won't even have thought to report it.

There are other ways of tracking how it came in. What did the virus hit? Some files and folders that were in a file share on a server that was then pushed out as a mapped drive? Or did the server(s) themselves get encrypted? If it's the former, then the owner of the encrypted files that get created will usually tell you who's responsible, assuming it isn't one of the variants that hides itself as a security group.

1 Like
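The post above gives the standard triage heuristic for a share hit from a workstation: the account that owns the freshly created encrypted files is normally the account the ransomware ran as, and the earliest such file tells you when (and roughly where) it started. The following is an added example of that triage, written for this page and not taken from the thread. It walks a share for files with the .wallet suffix the OP mentions, reads ownership via POSIX `os.stat` and `pwd`, which is what a Samba or NFS-backed share reports; on a Windows file server you would substitute the owner from `Get-Acl` (assumption, not shown here). It then groups the files by owner and picks out the owner with the most encrypted files and the earliest encrypted file seen. The sample records in `SAMPLE` and the tree built by `demo_walk()` are constructed.

```python
"""Triage encrypted files on a share by owner and first-seen time (added example)."""
import os
import pwd
import tempfile
from collections import defaultdict
from datetime import datetime, timezone
from pathlib import Path

RANSOM_EXTENSIONS = {".wallet"}  # only .wallet is named in the thread


def owner_name(st: os.stat_result) -> str:
    """Resolve the POSIX uid to a name; fall back to the number if unknown."""
    try:
        return pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        return str(st.st_uid)


def collect(root: Path) -> list:
    """Return (relative path, owner, mtime epoch) for each encrypted file.

    mtime is used because a freshly written ciphertext file gets the time
    the ransomware wrote it; on NTFS the creation time would do as well.
    """
    records = []
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in RANSOM_EXTENSIONS:
            st = p.stat()
            records.append((p.relative_to(root).as_posix(), owner_name(st), st.st_mtime))
    return records


def _iso(ts: float) -> str:
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()


def triage(records: list) -> dict:
    """Summarise per owner and point at the most likely origin.

    Returns {"by_owner": {owner: {count, first_seen, last_seen, first_path}},
             "suspect": owner with the most encrypted files,
             "first": (path, owner, iso time) of the earliest encrypted file}.
    """
    if not records:
        return {"by_owner": {}, "suspect": None, "first": None}
    grouped = defaultdict(list)
    for rel, owner, ts in records:
        grouped[owner].append((ts, rel))
    by_owner = {}
    for owner, items in grouped.items():
        items.sort()
        by_owner[owner] = {"count": len(items),
                           "first_seen": _iso(items[0][0]),
                           "last_seen": _iso(items[-1][0]),
                           "first_path": items[0][1]}
    suspect = max(by_owner, key=lambda o: by_owner[o]["count"])
    ts, owner, rel = min((ts, owner, rel) for rel, owner, ts in records)
    return {"by_owner": by_owner, "suspect": suspect, "first": (rel, owner, _iso(ts))}


# Constructed records standing in for a walk of a law-firm data partition.
SAMPLE = [
    ("Clients/Smith/retainer.docx.wallet", "jdoe", 1484300000.0),
    ("Clients/Smith/deposition.pdf.wallet", "jdoe", 1484300005.0),
    ("Finance/ledger.xlsx.wallet", "jdoe", 1484300420.0),
    ("Shared/templates.dotx.wallet", "svc_backup", 1484301000.0),
]


def demo_walk() -> dict:
    """Build a constructed tree and run the real walk + triage over it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "Clients").mkdir()
        (root / "Clients" / "a.docx.wallet").write_bytes(b"\x00")
        (root / "Clients" / "b.docx.wallet").write_bytes(b"\x00")
        (root / "Clients" / "untouched.docx").write_bytes(b"plain")
        return triage(collect(root))


if __name__ == "__main__":
    print(triage(SAMPLE))
    print(demo_walk())
```

Read the output the way the post suggests: `suspect` is the account to go and find a workstation for (and to disable until that machine is rebuilt), and `first` gives the folder and time to line up against mail logs and the "did anyone open an odd invoice?" question. One owner with almost everything is the usual single-workstation picture; several owners with overlapping `first_seen` windows means more than one machine was running it, or the variant that hides behind a group as the post warns.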

.wallet sounds familiar actually. I think it is a new variation of CrySiS called something Indian... ah yes, Dharma:

The thread continues into this year; you might find something there. Several people are sharing information about attacks.

Oh god I hope you don't get sued.
Those bastards are vindictive.

Who?

The data partition on their server was hit. No workstations.

Bump.
OP you want to see this

5 Likes