My friends business was just hacked now info being ransomed for bitcoin

posted on Jun, 14 2019 @ 12:40 PM
My friend owns a construction company and he texted me today saying that his company was hacked and infected with a “military grade virus” and now the hacker(s) are asking for bitcoin to get his info back.

He has a company working on it right now but I was just curious if anyone here has experience with these situations?

Is there anything he should be doing right now to mitigate the damage?



posted on Jun, 14 2019 @ 12:55 PM
a reply to: Quantumgamer1776

Happens all the time. Depends on if your friend's computer was cryptolocked! If it was it could get pretty costly if the proper security measures weren't already set in place.



posted on Jun, 14 2019 @ 12:57 PM
a reply to: Quantumgamer1776

Did he have all his data saved before the intruders got in?

And if he did just tell him to do a refresh on the OS.
Go to boot screen and work from there.



posted on Jun, 14 2019 @ 12:57 PM
a reply to: Quantumgamer1776

Lesson number one: Always save and back everything up on another drive, especially if it is his business data.

If a company is working on it then I hope your friend gets it all back.



posted on Jun, 14 2019 @ 12:59 PM
a reply to: Stevenjames15

Currently all I know is that the virus encrypted everything and the hackers are offering the encryption key in exchange for bitcoin.



posted on Jun, 14 2019 @ 01:30 PM
a reply to: Quantumgamer1776

There are three options:

1) Pay whatever absurd amount the scammers want and hope that they actually provide the encryption key after the Bitcoin is sent.

2) Plug in a Windows restore USB or disc, wipe the machine ( including full format ) and start fresh. The computer is fine, it's the data that's locked. Reinstalling will fix it.

3) Contact a data recovery specialist who will almost certainly state that their services will be far more costly than whatever the scammers are asking for.

Sometimes these crooks will negotiate or even unlock the system for free if the victim asks but that seems fairly rare.

All in all, even if there's important data to be lost, I'd advise option #2 and then getting into the habit of frequent back-ups and creating restore points regularly.



posted on Jun, 14 2019 @ 01:46 PM

originally posted by: Hefficide
a reply to: Quantumgamer1776

3) Contact a data recovery specialist who will almost certainly state that their services will be far more costly than whatever the scammers are asking for.


As per a recent story on Slashdot, these "data recovery" firms most often just pay off the hackers to get the data back then claim they did it themselves. If OP's friend wasn't properly backed up, it's his own damn fault. That's IT 101.
edit on 6/14/2019 by schuyler because: (no reason given)



posted on Jun, 14 2019 @ 02:14 PM
Hmm, any business worth its salt has precautions in place in case of a server failure, such as daily backups with offsite storage.

If not, then the clients were already at risk of losing details and a clean wipe would have to suffice. But if so, then minimal loss of data, and a minor inconvenience.



posted on Jun, 14 2019 @ 02:50 PM
a reply to: Quantumgamer1776

I sure do. Here's my thread on the same subject on June 2, 2019. They actually attacked a sector within the USA food processing industry. The guys who were attacked are a billion $$ company and they had to pay the ransom. Also take a look at several of the weird comments from other OPS responding to me. Quite strange so keep your cards to yourself relating to privacy and the other guys company.

Oh and by the way


provide the encryption key


THE ENCRYPTION KEY DIDN'T WORK AS IT DIDN'T RESTORE EVERYTHING!!!!!!! 2+ weeks later they are still crippled.

Also should the NSA be able to figure it out? Meaning the FBI contacts them???


www.abovetopsecret.com...
edit on 14-6-2019 by Waterglass because: added




posted on Jun, 14 2019 @ 02:55 PM
I work for a company that sees this all the time- usually it's targeting banks, hospitals, municipalities and the like- our core clients.

A few things to know before getting started:
1) the virus isn't "military grade" - that's absurd.
2) if the data was cryptolocked and they want a ransom, you aren't getting that key without paying the ransom..
3) Even if you pay the ransom, there's no promises you'll get the key... but generally they're good about it.
4) the FBI may or may not have already compromised the payment portal.

#4 is the real kicker. You'll have to pay close attention to the problem to figure out exactly which variant of cryptolock he ran into, but being a construction business my guess is the computer wasn't properly secured in the first place- so it's probably one of the older ones that hits whoever is dumb enough to click on it.
That being the case, chances are good the payment portal is already taken down by your friends at the FBI, and you're not getting that key - period.


If he has no backups, it's probably tough titties for him.

The number one way banks and hospitals get through these sorts of things is to pay the ransom- but their networks were usually targeted for infection with the latest and greatest.
The second way they get through it is to wipe EVERY computer on the network and restore their servers from backups.

If it's a REALLY old variant, there were a few out there that had been cracked in the beginning, and there are applications that can decrypt... but I've not seen one hit anyone in at least four years.



posted on Jun, 14 2019 @ 03:13 PM
a reply to: lordcomac

Yeah the “military grade” label sounded cheesy to me as well, but that’s the term my friend used. I figured it might just be the local IT guys trying to make their rates seem more reasonable.

I’m not sure if he had backups but I’d agree that would be a grave oversight if he didn’t.

You mentioned the FBI, would they be automatically contacted in a case like this? I haven't heard from my friend of any police involvement on that level yet, but it did just happen this morning.

Thank you for your reply, lots of great insights and info.



posted on Jun, 14 2019 @ 03:13 PM
I ran my business using a couple of computer programs and did not have that computer hooked to the internet. I had a second computer for using to go on the net. I don't think it is wise to have your main business computer online, and I think that all of a business's business should be backed up on paper or on a second hard drive which is not hooked up to the internet either. My business computer had two hard drives, with the second being a backup in case the one went haywire. I never had both go out at the same time. I also had a battery backup in case of a surge.

People put too much trust in technology these days.

If I get hacked and someone wants bitcoins, they are out of luck, I don't have and never will even try to buy bitcoins. I do not trust bitcoins, maybe some people do but that's their loss.
edit on 14-6-2019 by rickymouse because: (no reason given)



posted on Jun, 14 2019 @ 03:21 PM
a reply to: Quantumgamer1776

I've heard of this happening to a town's municipal office. The hackers wanted 100 grand in bitcoin in exchange for the information back.
The office talked them down to I think around 50k, sent them the bitcoin and the thugs actually gave them their stuff back.



posted on Jun, 14 2019 @ 03:23 PM

originally posted by: Quantumgamer1776
a reply to: lordcomac

Yeah the “military grade” label sounded cheesy to me as well, but that’s the term my friend used. I figured it might just be the local IT guys trying to make their rates seem more reasonable.

I’m not sure if he had backups but I’d agree that would be a grave oversight if he didn’t.

You mentioned the FBI, would they be automatically contacted in a case like this? I haven't heard from my friend of any police involvement on that level yet, but it did just happen this morning.

Thank you for your reply, lots of great insights and info.


Automatically? no.
The FBI likes to shut down the payment portals to discourage the extortion. It probably doesn't happen until a high profile target gets hit- like a city government network, police station, etc.
I guess anyone can contact them, though?

I mean, as far as I'm concerned the FBI or CIA is running these scams in the first place to extort money for blackbook projects...

This is a good reminder to check on your backups, by the way.
There are hundreds of these cryptoscams out there, they tend to piggyback email attachments. They spread through various windows services so if anyone on your network gets infected most every computer on that network is hosed.

I know my backups aren't as good as they should be...



posted on Jun, 14 2019 @ 03:28 PM

originally posted by: Macenroe82
a reply to: Quantumgamer1776

I've heard of this happening to a town's municipal office. The hackers wanted 100 grand in bitcoin in exchange for the information back.
The office talked them down to I think around 50k, sent them the bitcoin and the thugs actually gave them their stuff back.


Like I said- they almost always give the code back.

Think about it- the virus cost very little for them to infect the town with. Usually they just spam out emails and some dumdum opens an attachment they shouldn't.

If they didn't give the code after receiving payment, companies that specialize in dealing with these thugs would hear about it right away...

Right now, as stated previously, the #1 method of recovery for banks and hospitals when hit with these things is to pay the ransom.

If the ransom only had a 75% chance of getting the data back, the chances of them paying up would fall significantly.
Your example was 100k, talked down to 50- a few years back I was close to a case where the ransom was roughly 12 million, after negotiations.

The ransom is set after they find out what data they've encrypted- and more often than not the companies don't make their problem public. They'll quietly pay up the huge bucks to get their huge business back in order, and it never makes the news.



posted on Jun, 14 2019 @ 04:27 PM
a reply to: Allaroundyou

No.



posted on Jun, 14 2019 @ 04:45 PM
At first suspicion of a crypto you disconnect the machine from the network to isolate the problem. Chances are a port is open for RDS and some dumbass app is using something like a postgres database which often creates a user called postgres with a password postgres as well (I have seen this one before). If they can get so far as to encrypt the files on this rig then they could probably install a rootkit as well. The safest option is to buy a new server, install all your apps, restore from backups and unload the old rig on someone else (or recycle it if you are so kind). The risk is yours to reimage a compromised machine.

On eBay I just picked up 2 brand new HP DL20 Gen10 micro servers with 16GB RAM and E-2136 proc for $812 each, shipped. Just need disks and HDD trays. Passmark score on those CPUs is almost 16k, and overall an excellent deal. Also there is a website called labgopher that you can spec a machine to pull up relevant results.

In the future, for backups you want a separate dedicated machine that pulls the backup instead of pushing it to a drive. Any Linux install on a microserver with either Vembu BDR or UrBackup is probably sufficient. You can mount dozens of giant USB drives to create tons of data warehouses.

Also concerning RDS, if that was the point of entry, I usually run a proxy server in front of my terminal server to restrict connections by public IP for connections outside of the network. You can do this with a reverse proxy using squid or even apache. In apache 2.4 it's called "require ip" instead of "allow ip".

If your IT isn't a bunch of morons they will sort it out. I'd have to see it first hand to tell you more as this is largely conjecture.


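The source-IP restriction the post above describes, written out as an added Apache 2.4 example (this is not the poster's own configuration): a reverse proxy in front of a remote-access web endpoint where only listed source networks are allowed and everything else is denied by default. The hostname, certificate paths, backend address and the IP ranges are placeholders (assumptions), and mod_ssl, mod_proxy, mod_proxy_http and mod_authz_core must be loaded.

```apache
# Added example, not from the thread. All names, paths and addresses are placeholders.
<VirtualHost *:443>
    ServerName remote.example.com

    SSLEngine on
    # Placeholder certificate paths
    SSLCertificateFile    /etc/ssl/certs/remote.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/remote.example.com.key

    # Reverse proxy only; never act as an open forward proxy
    ProxyRequests Off
    ProxyPreserveHost On

    <Location "/">
        # Apache 2.2 used "Order deny,allow" / "Allow from ...".
        # In 2.4 (mod_authz_core) the equivalent is "Require ip".
        # Several Require lines default to "any of these", and any
        # source not listed is denied.
        # Office network (TEST-NET-1 placeholder range)
        Require ip 192.0.2.0/24
        # Remote site with a static address (placeholder)
        Require ip 198.51.100.7

        # Internal terminal-server web front end (placeholder address)
        ProxyPass        "http://10.0.0.5:8080/"
        ProxyPassReverse "http://10.0.0.5:8080/"
    </Location>
</VirtualHost>
```

Check the result with `apachectl configtest` before reloading, and confirm from an address outside the listed ranges that the endpoint returns 403 rather than the backend.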

posted on Jun, 14 2019 @ 04:49 PM
a reply to: drewlander

Oh, also you might consider rebuilding with ubuntu 18.04, install kimchi and wok for kvm. Then you can install any OS into this type 1 hypervisor and schedule snapshots that are easy to restore as well, in addition to running your backups against the host.



posted on Jun, 14 2019 @ 06:54 PM
a reply to: Quantumgamer1776

Don't pay the crims.

Chances are that the encrypted files have been re-encrypted, meaning that you pay for the files and they only decrypt to a previously encrypted version.

If it was only one computer and you got it early and turned off the computer, you can use an unerase utility like the free 'Recuva' utility (but you'll need to put the hard drives in another computer).

It works because the original files are only 'marked as erased' when they are 'deleted' by the ransomware and the encrypted files are written as new files, leaving the old file still sitting on the drive and recoverable.

You'll have to take the hard drive/s out and plug them in to another machine, though, to read the deleted drives without overwriting anything. It's also good to have new big empty hard drive/s onto which you can write the recovered 'deleted' files.

But, if the original drive was nearly full, or if you have rebooted, or if you leave the computer running, then the erased file space might have been recycled and overwritten.

edit on 14/6/2019 by chr0naut because: (no reason given)



posted on Jun, 14 2019 @ 07:03 PM
a reply to: Quantumgamer1776

If a company is working to fix the problem they won't want advice from people on the web. Your friend has lost money from ignorance and perhaps apathy. He needs to hire a proper computer professional that knows how to protect websites from hackers. A professional that doesn't keep data nor databases in the DMZ. A professional that does daily backups of everything including incremental backups of databases.

All these things are rudimentary. I'd expect even junior IT professionals to be trained in this practice.

No sympathy.


