Ransomware Attack

What would be the best way to go about getting my company back after it was hit with a ransomware attack? They are asking for $1000 in bitcoin and our systems are locked out. I currently have a few kids from the cyber security program at the college near me trying to help.

If you don't have backups you can restore from, then you are likely not going to decrypt anything any time soon.
You could certainly keep all the encrypted data around (offline) so you can try to attack it.

You're best off usually just paying it out; it's not likely you can get out of it another way. If you have a recent backup you can restore back to it, but if you don't then you're kind of out of luck.

Regard your last day or two of data as a loss and restore your clean backups.

If you have none, quick lesson for the future: have regular backups that don't just overwrite each other, and test your backups periodically. The number of times people have backups but never tested them, and they turn out not to work, is more than you'd imagine.

For the ransomware, try to identify which one it is; there are some whose keys have been found and can be unlocked. Others have not, and the only way to recover is to restore a backup or pay.


Not sure if you use Flash Player?
But if so, then this might have been caused by the recent zero-day vulnerability that has been found in certain versions of Flash Player,
which has been abused to infect victims' PCs with new ransomware.

Adobe has patched it since Thursday with a new version of Flash Player, 21.0.0.213.

Just a side note.


Out of curiosity, would Linux inhibit your business in any way? That would fix it up pretty quick.

Damn Russians.

@Eden is right on all points here.

Automated bare-metal backups for systems, with some form of image management and retention allowing for a working set of several weeks. Usually a good plan for each machine is 1x full per week and >= 1x incremental per day, or more frequently if desired/able. At week end the system will collapse the intra-daily incrementals into the intra-weekly; same again at end of month.

You must back up the content of important servers/storage too, because any afflicted system will also encrypt anything it can access, which includes FTP/CIFS/Samba shares.

Some people also replicate backups to a form of offsite storage (which can be cloud based, or the swap-the-USB-drive game where you take today's home and tomorrow upon arrival swap them over again: replicate by day, swap at end, repeat).

As for recovering encrypted data with the keys... again, like @Eden said, ID the BS and hopefully you've got a variant that's been cracked or had its keyspace drastically reduced.

Good luck.

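The plan above (weekly full, daily incrementals, a retention window of several weeks, an offsite or swapped drive, and Eden's earlier point that an untested backup is not a backup) can be scripted for a Windows file share. The following is an added example, not code posted by anyone in this thread: a Robocopy-based rotation where every run lands in its own dated folder, a pruning routine that never deletes a full while incrementals that depend on it are still retained, and a restore test that hashes a random sample of live files against the newest backup copy. `$Source`, `$BackupRoot`, the Sunday-full schedule, the four-week window and the sample size are assumptions, and `Get-FileHash` needs PowerShell 4 or later. It covers file data only; the image-based bare-metal part needs an imaging tool on top. Schedule it with Task Scheduler, and do not leave `$BackupRoot` permanently attached: a drive that is always mounted gets encrypted along with everything else.

```powershell
# Added example, not from this thread. Weekly full + daily incremental file
# backups with Robocopy, safe retention pruning, and a restore test.
# $Source, $BackupRoot, schedule and retention are assumptions; needs PS 4+.
param(
    [string]$Source     = 'D:\CompanyData',
    [string]$BackupRoot = 'E:\Backups',   # rotated/offline drive, not a permanent mapping
    [int]$KeepWeeks     = 4,
    [int]$SampleSize    = 25
)

function Invoke-Backup {
    param([string]$Source, [string]$BackupRoot)
    $today  = Get-Date
    $isFull = ($today.DayOfWeek -eq 'Sunday')
    $kind   = if ($isFull) { 'full' } else { 'incr' }
    $dest   = Join-Path $BackupRoot ('{0}_{1}' -f $today.ToString('yyyy-MM-dd'), $kind)
    $log    = "$dest.log"
    # Each run goes to its own dated folder, so one run never overwrites the last.
    # /E copies subdirectories, /COPY:DAT keeps data, attributes and timestamps.
    $rcArgs = @($Source, $dest, '/E', '/COPY:DAT', '/R:1', '/W:1', '/NP', "/LOG:$log")
    # Incremental: /MAXAGE:2 skips files not modified in the last two days; the
    # one-day overlap covers a run that starts late or a day that was skipped.
    if (-not $isFull) { $rcArgs += '/MAXAGE:2' }
    & robocopy.exe @rcArgs | Out-Null
    # Robocopy exit codes 0-7 are success variants; 8 and above mean failures.
    if ($LASTEXITCODE -ge 8) { throw "robocopy exit code $LASTEXITCODE, see $log" }
    return $dest
}

function Get-BackupSets {
    param([string]$BackupRoot)
    Get-ChildItem -Path $BackupRoot -Directory |
        Where-Object { $_.Name -match '^\d{4}-\d{2}-\d{2}_(full|incr)$' } |
        ForEach-Object {
            [pscustomobject]@{
                Path = $_.FullName
                Date = [datetime]::ParseExact($_.Name.Substring(0, 10), 'yyyy-MM-dd', $null)
                Kind = $_.Name.Substring(11)
            }
        } | Sort-Object Date
}

function Remove-OldBackupSets {
    # Delete everything older than the oldest FULL that is still inside the
    # retention window, so no retained incremental loses the full it depends on.
    param([string]$BackupRoot, [int]$KeepWeeks)
    $sets   = @(Get-BackupSets -BackupRoot $BackupRoot)
    $cutoff = (Get-Date).AddDays(-7 * $KeepWeeks)
    $anchor = $sets | Where-Object { $_.Kind -eq 'full' -and $_.Date -ge $cutoff } | Select-Object -First 1
    if (-not $anchor) { return @() }        # no full inside the window yet: keep everything
    $old = @($sets | Where-Object { $_.Date -lt $anchor.Date })
    foreach ($s in $old) {
        Remove-Item -LiteralPath $s.Path -Recurse -Force
        Remove-Item -LiteralPath "$($s.Path).log" -Force -ErrorAction SilentlyContinue
    }
    return $old | ForEach-Object { $_.Path }
}

function Test-BackupSample {
    # "Test your backups": pick random live files and compare SHA-256 against the
    # newest backup copy. Files edited since the last run will mismatch; anything
    # else that fails means the backup is not trustworthy.
    param([string]$Source, [string]$BackupRoot, [int]$SampleSize)
    $sets  = @(Get-BackupSets -BackupRoot $BackupRoot | Sort-Object Date -Descending)
    $files = Get-ChildItem -Path $Source -File -Recurse | Get-Random -Count $SampleSize
    $failures = @()
    foreach ($f in $files) {
        $rel  = $f.FullName.Substring($Source.TrimEnd('\').Length).TrimStart('\')
        $copy = $sets | ForEach-Object { Join-Path $_.Path $rel } |
                Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
        if (-not $copy) { $failures += "missing: $rel"; continue }
        $a = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        $b = (Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash
        if ($a -ne $b) { $failures += "hash mismatch: $rel" }
    }
    return $failures
}

$dest = Invoke-Backup -Source $Source -BackupRoot $BackupRoot
"backup written to $dest"
Remove-OldBackupSets -BackupRoot $BackupRoot -KeepWeeks $KeepWeeks | ForEach-Object { "pruned $_" }
$bad = Test-BackupSample -Source $Source -BackupRoot $BackupRoot -SampleSize $SampleSize
if ($bad) { $bad | Write-Warning } else { "restore test passed on $SampleSize sampled files" }
```

The pruning anchor is the point most home-grown rotation scripts get wrong: a plain "delete anything older than N days" will eventually remove a Sunday full while Monday-to-Saturday incrementals that need it are still kept. The restore test is deliberately run on every job rather than "periodically", because a backup that fails silently for a month is exactly the case Eden describes.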

@Konack Emsisoft publish free ransomware decryptors: https://decrypter.emsisoft.com

Emsisoft attempts to reverse-engineer new strains of crypto ransomware as they're released. I really hope there's something here that can help you; it's worth checking to see if they've got a decryption key that works for the strain.

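Eden's "identify which one it is" and the Emsisoft suggestion above both start from the same facts: the extension the encryptor appended, the note it dropped in every folder, and a sample encrypted file. The PowerShell below is an added example, not code posted by anyone in this thread. It collects those three things from a share, adds a byte-entropy check so you can tell files that were actually encrypted from files that were merely renamed, and copies the evidence with SHA-256 hashes to separate media so it survives whatever cleanup comes next (keeping the encrypted data around offline, as Eden suggests, costs nothing). `$Root`, `$EvidenceDir`, the two-day window and the "same note name in at least three folders" heuristic are assumptions; `Get-FileHash` needs PowerShell 4 or later. Run it from a clean machine against the share, or at minimum write the evidence to removable media rather than the infected disk.

```powershell
# Added example, not from this thread. Triage a share after a ransomware hit:
# find the appended extension and the ransom note, check a sample is really
# encrypted, and preserve sample + note + hashes offline for identification.
# Paths, time window and thresholds are assumptions.
param(
    [string]$Root        = 'D:\CompanyData',          # share the infected account could write to
    [datetime]$Since     = (Get-Date).AddDays(-2),   # rough time of infection
    [string]$EvidenceDir = 'F:\evidence'             # removable/offline media, not the infected disk
)

function Get-ByteEntropy {
    # Shannon entropy in bits per byte over the first 64 KiB. Office documents,
    # text and most images sit well below 7; encrypted output is close to 8.
    param([string]$Path, [int]$Bytes = 65536)
    $buf = New-Object byte[] $Bytes
    $fs  = [System.IO.File]::OpenRead($Path)
    try { $n = $fs.Read($buf, 0, $Bytes) } finally { $fs.Close() }
    if ($n -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    for ($i = 0; $i -lt $n; $i++) { $counts[$buf[$i]]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) { $p = $c / $n; $h -= $p * [math]::Log($p, 2) }
    }
    return [math]::Round($h, 2)
}

function Get-RansomTriage {
    param([string]$Root, [datetime]$Since)
    $recent = Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
              Where-Object { $_.LastWriteTime -ge $Since }

    # Encrypted files normally share one new extension that did not exist before.
    $topExt = @($recent | Where-Object { $_.Extension } |
                Group-Object Extension | Sort-Object Count -Descending | Select-Object -First 5)

    # Ransom notes are small text/HTML files dropped under the same name in many folders.
    $notes = @($recent |
              Where-Object { $_.Length -lt 100KB -and ('.txt','.html','.htm','.hta') -contains $_.Extension } |
              Group-Object Name | Where-Object { $_.Count -ge 3 } | Sort-Object Count -Descending)

    $sample  = $null
    $entropy = $null
    if ($topExt.Count -gt 0) {
        $sample = $recent | Where-Object { $_.Extension -eq $topExt[0].Name } | Select-Object -First 1
        if ($sample) { $entropy = Get-ByteEntropy -Path $sample.FullName }
    }
    [pscustomobject]@{
        TopExtensions  = $topExt | Select-Object Count, Name
        CandidateNotes = $notes  | Select-Object Count, Name
        Sample         = $sample
        SampleEntropy  = $entropy
    }
}

function Save-RansomEvidence {
    # Copy the note and one sample offline and record SHA-256 hashes; together with
    # the extension these are what decryptor authors and ID services ask for.
    param($Triage, [string]$Root, [string]$EvidenceDir)
    New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
    $items = @()
    if ($Triage.Sample) { $items += $Triage.Sample.FullName }
    foreach ($note in $Triage.CandidateNotes) {
        $hit = Get-ChildItem -Path $Root -Recurse -Filter $note.Name -ErrorAction SilentlyContinue |
               Select-Object -First 1
        if ($hit) { $items += $hit.FullName }
    }
    foreach ($src in $items) {
        $dst = Join-Path $EvidenceDir (Split-Path $src -Leaf)
        Copy-Item -LiteralPath $src -Destination $dst
        '{0}  {1}' -f (Get-FileHash -LiteralPath $dst -Algorithm SHA256).Hash, $src |
            Add-Content -Path (Join-Path $EvidenceDir 'SHA256SUMS.txt')
    }
}

$triage = Get-RansomTriage -Root $Root -Since $Since
$triage.TopExtensions  | Format-Table -AutoSize
$triage.CandidateNotes | Format-Table -AutoSize
'Sample: {0} (entropy {1} bits/byte)' -f $triage.Sample.FullName, $triage.SampleEntropy
Save-RansomEvidence -Triage $triage -Root $Root -EvidenceDir $EvidenceDir
```

An entropy near 8 on the sample, paired with a single dominant new extension and one note name repeated across folders, is the pattern to expect from a real crypto-ransomware run; a low entropy reading means the files were only renamed or partially damaged and a decryptor is not what you need. The SHA256SUMS.txt file also lets you prove later that the sample you submitted is the one you kept.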

If you're using Windows 7 or 10, use Shadow Explorer to make it easier to see if you can recover previous versions of the encrypted files. I've seen with recent versions of ransomware that it tries to delete the shadow copy data but has failed in most cases I've seen, and if it's Windows 8 you don't have shadow copies; refer to other posts for options.
http://www.shadowexplorer.com/downloads.html

It's mostly a script, so not something a lot of virus scanners pick up. If you open the zip file containing it and run it, it gets to do most of its nasty business. I've never had to pay a ransom for any customer I've helped and would never advise a customer to. Bitch slap yourself if that is the kind of advice you give out.
You can disable the Windows scripting engine and prevent such scripts running, as long as no software you use requires that running. I've been planning on writing up an article about ransomware and how to best defend against it or recover from it.

Really? Bloody Flash Player.

Do you know what kind of ransomware this is?

Yeah, the ransomware that was spread through a zero-day vulnerability in Adobe Flash Player is called Locky.

Locky is the last one I had to deal with, a couple of weeks ago. It was sent to the client in an email stating a bank transfer failed to go through, with a zip file attached. That's the only method I've ever heard of, but using a Flash exploit isn't that surprising really. Damn Flash. It's one thing we can say Steve Jobs really was right about: Flash Player is the devil.


The latest case I've just had was a business in the next town over. They got Cerber ransomware from an email; it encrypted the data on the system and on the two POS systems in the restaurant next door, and failed to delete the System Restore data, so the previous versions were there. The tech from that town they called went straight to using Recuva, didn't check for previous versions of My Documents etc., sat back playing games on his phone waiting for the Recuva scan to finish, recovered 50%-75% corrupted documents and deleted the encrypted files. I didn't get called until 5 days later, and by then the previous versions were gone and probably enough of the lost data had been overwritten to not be worth an extensive proper data recovery; they had more or less given up on their data and just wanted things straightened out and their email working again. I increased the amount of disk space reserved for System Restore data from 1% to 10%.

----From here on is nothing to do with CryptoLocker, but the rest of the adventure---

He gave them a backup hard drive because they had no backups in place at all. It's a second-hand Toshiba 300GB laptop drive that he stuck to the top outside of the case with double-sided tape... yep... I advised the customer that a permanently connected USB drive will likely get encrypted along with the data on C:, just like the other machines on the network. There is also a USB wifi dongle that the machine is running off, but the wifi is a different IP range to the Ethernet used for the internal business systems, and the Ethernet connection on the main reception machine can't get an IP address. Turns out they've had email problems since he visited on the day of the infection; he told them there was a problem with the server (there is no server). The software support mob had been unable to remote into the POS systems from the main reception system and were unsure why. Turns out an Ethernet cable that runs from port 7 on the switch in the bottom of the comms rack (which contains nothing but a modem, routers and patch panels) had been unplugged from a small white router on top of the black router that the access points for the guest wifi connect to.
Figured that out by helping them work out who installed that gear for them and provides support for it, to find out where the IP range for the internal network was coming from and which port on which router. Had to wait a bit, because when they remoted into the main router they discovered it was getting login attempts from IP addresses in China almost non-stop, several IP addresses to block. With the Ethernet connection working again, now that the switch is connected to the rest of the network in the proper place, the email works normally again. Their main booking software was having issues; he also told them to change the mode that software operates in from sync mode to online mode for whatever reason, and it has run terribly since, apparently fine after switching back to sync mode. Still waiting to remote back into the reception machine to set up backup to a rotation of the two backup drives I sold them (new ones with cases). This is what I mean when I say I'm sure a lot of small to medium businesses are getting f*&k#d by CryptoLocker even more by bad support.
End rant.


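The Shadow Explorer advice above, and the Cerber case where previous versions survived until a "recovery" tool overwrote them and the System Restore reservation was raised from 1% to 10%, can both be handled from an elevated PowerShell without third-party tools. This is an added example, not code posted by anyone in this thread. It lists the volume's shadow copies, links the newest one into a folder (which is what Shadow Explorer does through a GUI), reports files whose live copy differs from the snapshot, raises the shadow storage reservation, and sets the registry value that disables Windows Script Host, which is what "disable the Windows scripting engine" amounts to for the .js/.vbs attachments these campaigns ship. `$Volume`, `$MountPoint`, the 10% figure and the `Users` folder are assumptions. Do this before any undelete tool runs, only ever grow the shadow storage (shrinking it can discard snapshots), and check that no logon script or vendor tool depends on WSH before turning it off.

```powershell
# Added example, not from this thread. Before any undelete tool touches the disk:
# list Volume Shadow Copies, expose one as a folder, compare live files against the
# snapshot, raise the space reserved for snapshots, and disable Windows Script Host.
# Run elevated. $Volume and $MountPoint are assumptions.
param(
    [string]$Volume     = 'C:',
    [string]$MountPoint = 'C:\shadow_mount'
)

function Get-ShadowCopies {
    # One object per snapshot for the given drive letter. Device is the
    # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path mklink needs.
    param([string]$Volume)
    $volId = (Get-WmiObject -Class Win32_Volume -Filter "DriveLetter='$Volume'").DeviceID
    Get-WmiObject -Class Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volId } |
        ForEach-Object {
            [pscustomobject]@{
                Id      = $_.ID
                Created = $_.ConvertToDateTime($_.InstallDate)
                Device  = $_.DeviceObject
            }
        } | Sort-Object Created -Descending
}

function Mount-ShadowCopy {
    # A directory symlink onto the snapshot device gives Explorer, Copy-Item and
    # Get-FileHash an ordinary path. The trailing backslash on the device is required.
    param([string]$Device, [string]$MountPoint)
    if (Test-Path -LiteralPath $MountPoint) { throw "$MountPoint already exists" }
    cmd.exe /c mklink /d "$MountPoint" "$Device\" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "mklink failed ($LASTEXITCODE); are you elevated?" }
    return $MountPoint
}

function Dismount-ShadowCopy {
    # rmdir removes only the link; Remove-Item -Recurse could follow it into the snapshot.
    param([string]$MountPoint)
    cmd.exe /c rmdir "$MountPoint" | Out-Null
}

function Compare-WithShadow {
    # Files under $LivePath whose snapshot copy differs in size or timestamp.
    # Encrypted output is a different length, so these are the recovery candidates.
    param([string]$LivePath, [string]$MountPoint)
    $volRoot = (Get-Item -LiteralPath $LivePath).PSDrive.Root      # e.g. C:\
    Get-ChildItem -LiteralPath $LivePath -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $rel  = $_.FullName.Substring($volRoot.Length)
        $snap = Join-Path $MountPoint $rel
        if (Test-Path -LiteralPath $snap) {
            $s = Get-Item -LiteralPath $snap
            if ($s.Length -ne $_.Length -or $s.LastWriteTime -ne $_.LastWriteTime) {
                [pscustomobject]@{ File = $rel; LiveBytes = $_.Length; SnapshotBytes = $s.Length; SnapshotTime = $s.LastWriteTime }
            }
        }
    }
}

function Set-ShadowStorage {
    # Raise the reservation for snapshots (the 1% -> 10% change described above).
    # A small reservation is why older previous versions vanish within days.
    param([string]$Volume, [string]$MaxSize = '10%')
    vssadmin.exe resize shadowstorage /for=$Volume /on=$Volume /maxsize=$MaxSize
}

function Disable-WindowsScriptHost {
    # wscript.exe/cscript.exe honour this value; with it set to 0 every .js/.vbs/.wsf
    # refuses to run ("Windows Script Host access is disabled on this machine").
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value 0 -Force | Out-Null
    return ((Get-ItemProperty -Path $key -Name Enabled).Enabled -eq 0)
}

$copies = @(Get-ShadowCopies -Volume $Volume)
if ($copies.Count -eq 0) { "no shadow copies for $Volume; fall back to backups or a decryptor"; return }
$copies | Format-Table Created, Device -AutoSize
Mount-ShadowCopy -Device $copies[0].Device -MountPoint $MountPoint | Out-Null
try {
    Compare-WithShadow -LivePath "$Volume\Users" -MountPoint $MountPoint | Format-Table -AutoSize
    # Recover with e.g.: Copy-Item -LiteralPath "$MountPoint\Users\jo\Documents" -Destination E:\recovered -Recurse
} finally {
    Dismount-ShadowCopy -MountPoint $MountPoint
}
Set-ShadowStorage -Volume $Volume
Disable-WindowsScriptHost
```

Copy recovered files out to a different drive rather than back over the live ones, and do it before any file-carving tool such as Recuva writes its results to the same disk; the snapshot blocks are what that tool ends up overwriting.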

@Konack, how did you go with recovery? I'm sure I'm not the only person here who has been concerned about the outcome.


I too have wondered how @Konack went.

The company that got attacked ended up paying the amount and they received a key to unlock their data. I don't have any of the specifics on it, but they are doing fine. The person who attacked them also mentioned they should make their better. It wasn't very good.

make their what?

Security.. I'd imagine.

Luckily (if you can call it that), these people are in it for money, so not keeping their word to decrypt the data would be bad business. At least it's an easy lesson to learn: no data loss, just a little money loss.