Frosted Flakes: Ransomware - Infection And Recovery

Because it’s the football offseason and we’re more than just about sports.

Last Friday was an enjoyable day… (no, it wasn’t.)

I had yet another customer site get infected with a ransomware virus. When you have a virus infection that affects even a few computers, it can disrupt business, particularly a small business.

In this case, it was a single workstation that was infected with a variant of the CryptoWall virus. It appears that the user had clicked on a link in an email or on a website disguised as a sales order, which pointed to an executable containing the virus. The virus package included a Tor client so that it could communicate with its perpetrators. It hid itself so that it could only be found with the workstation rebooted in Safe Mode, and only then after hidden files were displayed.*

CryptoWall encrypted the local workstation’s data files along with a great many files on the server: whatever that user had access to through the server shares. The customer was in a position to lose a large number of Excel spreadsheets, hundreds of photos for which they had paid a professional photographer quite a bit of money, and an Access database that assists them in sales forecasting.

This kind of infection is called “ransomware” because the perpetrators expect to be paid by the victim, in this case my customer, to get their files back. The customer found this message in a README file in every directory that contained encrypted files:

What has happened to my files? Why i am seeing this?

All of your files have been encrypted with RSA 2048 Encryption. Which means, you wont be able to open them or view them properly. It does NOT mean they are damaged.

Solution

Well its quite simple only we can decrypt your files because we hold your RSA 2048 private key. So you need to buy the special decryption software and your RSA private key from us if you ever want your files back. Once payment is made, you will be given a decrypter along with your private key , once you run that , All of your files will be unlocked and back to normal.

So there are 2 ways to do this either you wait for a miracle and get your price doubled or follow instructions below carefully and get back your all important files.

That’s not the entire message, but enough that you get the idea. Perhaps you’ve seen it yourself.
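A triage pass over the file share, as an added example that is not part of the original post. It assumes the share path and the ransom-note file name given in the parameters (the post only says “a README file”, and the name differs between variants), and it uses the NTFS owner of the note files to identify the account that wrote them: CryptoWall runs on the workstation as the logged-in user and writes to the share as that user, so the owner of the notes is the account, and therefore the machine, to pull off the network first.

```powershell
# Added example (not from the original post): triage a file share after a
# CryptoWall-style infection. Assumptions: the share is reachable at $Share,
# the ransom note name matches $NotePattern (the post only says "a README
# file"; the real name varies by variant), and the notes were written over
# SMB by the infected user's account, so their NTFS owner identifies it.
param(
    [string]$Share       = '\\FILESERVER\Data',   # assumed path
    [string]$NotePattern = 'README*'              # assumed note name
)

# 1. Find every ransom note on the share.
$notes = Get-ChildItem -Path $Share -Recurse -File -Filter $NotePattern -ErrorAction SilentlyContinue
if (-not $notes) { Write-Host "No files matching $NotePattern under $Share"; return }

# 2. The earliest note marks when encryption started; the latest marks when it
#    stopped (or when the workstation was taken off the network).
$start = ($notes | Sort-Object CreationTime  | Select-Object -First 1).CreationTime
$end   = ($notes | Sort-Object LastWriteTime | Select-Object -Last 1).LastWriteTime
Write-Host "Encryption window: $start to $end"

# 3. The NTFS owner of the notes is the account that created them, i.e. the
#    account whose workstation is infected ("patient zero").
$notes |
    ForEach-Object { (Get-Acl -Path $_.FullName).Owner } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# 4. Everything written inside the window (other than the notes) is presumed
#    encrypted; this list is both the damage estimate and the restore list.
$damaged = Get-ChildItem -Path $Share -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $start -and $_.LastWriteTime -le $end -and $_.Name -notlike $NotePattern }
$mb = ($damaged | Measure-Object -Property Length -Sum).Sum / 1MB
Write-Host ("{0} files presumed encrypted, {1:N1} MB" -f $damaged.Count, $mb)
$damaged | Select-Object FullName, LastWriteTime |
    Export-Csv -Path "$env:TEMP\encrypted-files.csv" -NoTypeInformation

# 5. Top-level folders touched: the blast radius, i.e. every folder the
#    infected account could write to through the share.
$damaged |
    ForEach-Object { $_.FullName.Substring($Share.Length).TrimStart('\').Split('\')[0] } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
```

Run it from a clean machine with read access to the share, before anyone starts deleting notes or restoring files, because the note timestamps are the only record of the encryption window. The folder list in step 5 is worth keeping: it shows exactly how much of the server one user account could reach, which is the least-privilege problem to fix once the recovery is done.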

Without the private key there is no practical way to decrypt the files; the one exception is when researchers find a flaw in a particular variant and publish a free decrypter, which is worth checking before anything else. Otherwise, to get the private key, you have to pay the ransom. I don’t recommend that you pay the ransom, as there is no way of knowing for certain that you’re going to get anything back from the file kidnappers. Someone at the company asked me about paying, and I said that if a bank robber called you and said that you could have the money back that they had just stolen if you gave them more money, would you do it?

(It’s not that great an analogy, but I was a little stressed at the time. I hate it when people are asking me questions while I am still trying to assess the situation, verify backups, and determine what damage has been done.)

The most disconcerting thing about the infection was that I discovered we do not have good file backups. We have not had a good file backup since October 24, 2017. I was certain that I had checked this, but apparently I have been lacking. I also thought that we were doing a cloud-based backup of files, but we are not. We have all of the application data, such as the SQL Server data, being backed up with a cloud-based backup, but we had completely missed file backups. (We were able to recover files with Windows Shadow Copy, in case you’re wondering. It’s not a great solution, but we ended up with little loss.)
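What the Shadow Copy recovery mentioned above looks like on the file server, as an added example that is not part of the original post. It assumes the volume, share folder, mount point and infection start time given in the parameters (the start time comes from the ransom-note timestamps; the date used here is a placeholder). One caveat a practitioner should know: ransomware commonly deletes the local shadow copies on the workstation it runs on (CryptoWall runs vssadmin to do exactly that), so the snapshots on the server survive only because the infected user had no admin rights there, which is the same reason the server-side copies are worth anything at all.

```powershell
# Added example (not from the original post): restore files from a Volume
# Shadow Copy on the file server. Run as an administrator on the server.
# Assumptions: the share lives on volume $Volume under $DataRoot, encryption
# started at $InfectionStart (taken from the ransom-note timestamps; the date
# here is a placeholder), and $MountPoint / $RestoreRoot are free paths.
param(
    [string]  $Volume         = 'D:',                 # assumed
    [string]  $DataRoot       = 'D:\Shares\Data',     # assumed
    [datetime]$InfectionStart = '2018-03-09 08:00',   # assumed placeholder
    [string]  $MountPoint     = 'C:\vss_restore',     # assumed
    [string]  $RestoreRoot    = 'D:\Restored'         # assumed
)

# 1. List the snapshots of the data volume, newest first.
$volumeId  = (Get-CimInstance -ClassName Win32_Volume | Where-Object DriveLetter -eq $Volume).DeviceID
$snapshots = Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object VolumeName -eq $volumeId |
    Sort-Object InstallDate -Descending

# 2. Pick the newest snapshot taken BEFORE encryption began; anything later
#    already contains encrypted files.
$snap = $snapshots | Where-Object { $_.InstallDate -lt $InfectionStart } | Select-Object -First 1
if (-not $snap) { throw "No shadow copy of $Volume predates $InfectionStart; fall back to backups." }
Write-Host "Using snapshot $($snap.ID) from $($snap.InstallDate)"

# 3. Expose the snapshot as a directory. The trailing backslash on the device
#    path is required or the link will not resolve.
cmd /c mklink /d $MountPoint "$($snap.DeviceObject)\" | Out-Null
try {
    # 4. Copy back only what was touched after encryption started; files the
    #    malware never reached keep their newer, legitimate edits.
    $snapRoot = Join-Path $MountPoint ($DataRoot.Substring($Volume.Length).TrimStart('\'))
    $restored = 0
    Get-ChildItem -Path $DataRoot -Recurse -File |
        Where-Object { $_.LastWriteTime -ge $InfectionStart } |
        ForEach-Object {
            $rel    = $_.FullName.Substring($DataRoot.Length).TrimStart('\')
            $source = Join-Path $snapRoot $rel
            if (Test-Path -LiteralPath $source) {
                $dest = Join-Path $RestoreRoot $rel
                New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
                Copy-Item -LiteralPath $source -Destination $dest -Force
                $restored++
            } else {
                # Ransom notes and files created after the snapshot land here.
                Write-Warning "Not in snapshot: $rel"
            }
        }
    Write-Host "$restored files restored to $RestoreRoot; verify them before replacing the originals."
}
finally {
    # 5. Remove the link (not the snapshot) when finished.
    cmd /c rmdir $MountPoint | Out-Null
}
```

Restoring into a separate folder rather than over the share is deliberate: the infected workstation must be off the network first, or the restored files get encrypted again, and the ransom notes still have to be cleaned up separately since they have no counterpart in the snapshot. Anything legitimately created between the snapshot and the infection is lost, which is why this is, as the post says, not a great solution.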

I have encountered many instances of ransomware infection. I know several individuals who have lost all of their family photos and personal data. I know of one organization that was down for a week while we recovered, because an application server was corrupted and the vendor had difficulty restoring the application. I estimated the cost in lost business at just under $100k for the week. Another site could not recover their accounting files for a month, meaning that they could neither bill nor pay during that time period. I have no idea of the business cost on that one.

Another site (not my customer) blamed their consulting firm. The firm agreed to pay $7k to make things right, after which they were fired, and that site was re-infected shortly afterward.

Your only solution to this problem is to have good backups.

This is as true for end users as it is for organizations. There are a lot of options here. The easiest option for end users is to have a cloud backup solution. You typically pay a monthly fee, but if you are infected, you have a good chance of getting back your photos of Tommy and Susie throughout the years. Make sure it keeps old versions of your files: a sync folder that faithfully mirrors every encrypted file up to the cloud is not a backup.

At the very least, you could buy an external hard drive and copy your files to it, then unplug it and keep it in a safe place. A drive that stays plugged in is just another drive letter to the ransomware, and it gets encrypted along with everything else.
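The part that went wrong in this story was not the lack of a backup product but the lack of anyone checking it for five months. The following is an added example that is not part of the original post: a daily check that the backup target is reachable, fresh, and actually matches the source, which assumes the backup root, source folders and thresholds given in the parameters (a cloud agent, NAS, or external drive would all look the same from here).

```powershell
# Added example (not from the original post): a backup health check that
# would have caught the missed file backups. Assumptions: $BackupRoot is the
# backup target, $Sources are the live folders it is supposed to contain, a
# copy older than $MaxAgeDays counts as failed, and $SampleSize files per
# source are hash-compared. Schedule it daily; route the result to a person.
param(
    [string]  $BackupRoot = 'E:\Backups\FileServer',                 # assumed
    [string[]]$Sources    = @('D:\Shares\Data', 'D:\Shares\Photos'), # assumed
    [int]     $MaxAgeDays = 1,
    [int]     $SampleSize = 20
)

$problems = New-Object System.Collections.Generic.List[string]

# 1. Is the target even there? An unplugged drive or a missing share should
#    be a loud failure, not a silent skip.
if (-not (Test-Path -LiteralPath $BackupRoot)) {
    throw "Backup target $BackupRoot is not reachable"
}

foreach ($src in $Sources) {
    $dst = Join-Path $BackupRoot (Split-Path $src -Leaf)
    if (-not (Test-Path -LiteralPath $dst)) { $problems.Add("No backup folder for $src"); continue }

    # 2. Freshness: the newest file in the backup may lag the newest file in
    #    the source by at most $MaxAgeDays. This is the check that was missing.
    $newestSrc = Get-ChildItem -Path $src -Recurse -File | Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $newestDst = Get-ChildItem -Path $dst -Recurse -File | Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if ($newestSrc -and (-not $newestDst -or ($newestSrc.LastWriteTime - $newestDst.LastWriteTime).TotalDays -gt $MaxAgeDays)) {
        $problems.Add("${src}: backup is stale (newest copy $($newestDst.LastWriteTime), newest source $($newestSrc.LastWriteTime))")
    }

    # 3. Integrity: hash a random sample of source files against their copies.
    #    A backup that exists but does not match is not a backup; a mismatch
    #    on files nobody has edited lately also means the backup target itself
    #    was reachable by the ransomware and got encrypted.
    $sample = Get-ChildItem -Path $src -Recurse -File | Get-Random -Count $SampleSize
    foreach ($f in $sample) {
        $rel  = $f.FullName.Substring($src.Length).TrimStart('\')
        $copy = Join-Path $dst $rel
        if (-not (Test-Path -LiteralPath $copy)) { $problems.Add("Missing in backup: $rel"); continue }
        $same = (Get-FileHash -LiteralPath $f.FullName).Hash -eq (Get-FileHash -LiteralPath $copy).Hash
        # A file edited since the last run is allowed to differ; an old one is not.
        if (-not $same -and $f.LastWriteTime -lt (Get-Date).AddDays(-$MaxAgeDays)) {
            $problems.Add("Hash mismatch: $rel")
        }
    }
}

if ($problems.Count -eq 0) {
    Write-Host "Backup check passed for $($Sources -join ', ')"
} else {
    # Replace with Send-MailMessage or the ticketing system of your choice.
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Two design points. The freshness check compares the backup against the source rather than against the clock, so a quiet week does not raise a false alarm and a busy day does not hide a dead job. The hash sample is cheap enough to run daily, and it is the only part that tells you the copies are restorable rather than merely present, which is the question nobody at this site had asked since October.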

Someone at the customer site asked me if there was a real solution to the security problem.

“Isn’t there something that can be done? Isn’t there a way to stop all these attacks and infections?”

“No,” was my reply. “There is not.”

Is that true?

Yes. And no.

But it’s where I’m leaving it for today, because I’d love to hear all the comments about that answer.

*Note to fellow geeks. I am not explaining the entire situation. I have left portions out - most people don’t care about the details.

News

Why Nebraska fans say a spring game is a hard habit to break, even at $643 a ticket
The score didn’t count, but the memories did. At one Nebraska spring game, Roger Benes’ nephew turned a corner and found himself being stared down by 6-foo

NIT Bracket Breakdown: Nebraska Cornhuskers - BT Powerhouse
Nebrasketball’s Bracket, y’all!

Huskers Head to Cleveland for NCAA Championships - Nebraska Huskers
Seven Nebraska wrestlers will compete at the NCAA Championships this Thursday through Saturday at Quicken Loans Arena in Cleveland, Ohio.

NCAA Bid Completes Remarkable Turnaround - Nebraska Huskers
After a 7-22 season, even coach Amy Williams didn't expect an NCAA Tournament in her second year, until she saw a certain work ethic and team chemistry take hold.

Former Nebraska quarterback AJ Bush is on the move again.

Which NIT Regional is the Toughest? - For Whom the Cowbell Tolls
Mississippi State’s Bracket features Baylor and Louisville. Using the KPI, we determine which regional is the toughest in the NIT.

LifeVest study: News releases put major spin on findings

Both the American College of Cardiology and Zoll, a medical devicemaker, issued misleading news releases this weekend trumpeting the results of a study examining the LifeVest, a wearable cardiac defibrillator.

I wore one of these for about 30 days after I left the hospital post-heart attack. It sucked. My sternum and ribs were broken, and it was so painful that I refused to wear it after a few days unless Mrs CN was around or I was at cardio rehab.

Then There’s This

Husker Army's page - Matthew Malone's Page - DEVELOPING RELATIONSHIPS THROUGH EDUCATION AND MENTORING INC

Husker Army again this year is proud to be participating in BIG DREAMS WEEKEND. The DREAM foundation is a positive organization that strives to touch the lives of local at-risk youth.

The DREAM bowl-a-thon will be April 20th in Elkhorn, NE, and Husker Army would like to show how great Husker fans are at supporting local causes.

I would appreciate you supporting these guys as they support Steve Warren’s DREAM foundation.