Ransomware Ruthlessness Revealed

FrgMstr
You read about these Ransomware situations happening all the time now, and you think you know just how bad it is to deal with, at least on a technical level for most [H] readers. The lengths these criminals are going to in order to screw it in even deeper are disheartening at best.

Others played the anger card, the profanity card, the sympathy card. “Am I the one you should hack? No. I am just a salary man who tries to make ends meet and bring foods to his kids,” said “E,” who also identified himself as “Mustapha from Morocco.”


What is even scarier is the fact that actually being able to obtain Bitcoins is holding these guys back (PDF of overview and full transcript).

“We should be thankful that there are at least some practical barriers to purchase Bitcoins,” wrote Sean Sullivan of F-Secure in a Wednesday post to the firm’s blog. “If it were any easier to do so, very little else would check the growth of crypto-ransomware’s business model.”
 
I said it in another post recently and I'll say it again: anybody involved in this kind of crap, writing this kind of malware on purpose for profit, should be executed on the spot if and when they get discovered. I'll even pay for some bullets if anybody wants to get a funding page set up. ;)
 
Criminals never stop. There are several programs that supposedly can catch or kill the encryption process before you lose everything, but, as always, the best anti-virus is your index finger.
 
I don't know if it is even theoretically possible, but I wish there was some way to totally disable file encryption of any kind on a system. All of my customers are not tech savvy, a decent amount of them are elderly, and none of them have any need or use for encryption at all. Unfortunately most of them are also the type that no amount of anti-virus or anti-malware can save from themselves...
 
Backup, backup & more backups.

Not just to a USB drive you keep connected, but to a secure location that needs a password to access or a tape backup for larger amounts of data.
Always keep a copy off site just in case (burglary, fire, etc.)
As for how often to take a copy off site, how many days work could you afford to lose?

If you get hit by one of these viruses, you just need to clean the virus (or format the infected machine :D), and restore from your backup.
 
Is there a way to remove the ransomware without restoring from a backup? Might be a dumb question either way but it's something I've been wondering for a while.
 
I've never seen this problem myself, but I don't have anything of great value on any of my computers. Anything I want to keep gets burnt to a DVD/Blu-ray or a USB thumb drive. My system could get a ransomware virus today and I would just wipe the drive and reload. At worst I would have to download a few games from Steam. Email and documents from Word are on OneDrive and outlook.com.
 
I've encountered two types of Ransomware:

1) The type that made people panic, but it took me about an hour at most on sites like bleeping computer to find a tool to get rid of it.

2) The type that hadn't been resolved yet, but since I've always had rolling backups set up, it took me about an hour, give or take, to blow away a machine, roll back to a backup, and at worst an hour's worth of work was lost.

But then, I've always done my job and made sure any server I'm in charge of has numerous backups onsite and offsite. If your IT staff is doing their job there should never be a situation where you have to pay these scumbags. If you aren't a business and have critical information that isn't backed up, you are a dumbass. Back your shit up or accept your losses. NEVER EVER pay these shit bags.
 
More companies need to properly train their employees about how to avoid this shit. The IT manager for my company recently sent out a company-wide email from some random email address stating "urgent security issues, please click the link to confirm and resolve" with a link to click and fill out info. Anyone who clicked got hauled into an afternoon course about computer safety and how to understand NOT TO OPEN SHIT they don't know and to ask him about it first lol. Was pretty effective, about half my company that has email access (roughly 20 people) had to attend :D
 
that is awesome!
 
I had a client's system compromised recently. He said his system lost 4 years' worth of project images, revisions, and notes. It was due to one of the sales force employees who clicked on an email. According to the client, 3/4 of the computers in the company just locked up. His computer and another person's in another department were completely compromised. By the time IT even had a clue of what had just happened, his external HDD and the other computer had offloaded and locked nearly 6 TB worth of data. The IT dept got the usual email with a pay-us-for-your-data request. They never did.

At the company I work for, I am required to make a phone call if a file is sent to us without any warning. Anything over the weekend, we will scan before we open if it has any attachments. Many times they are from compromised email lists of the client. We usually get a "yeah, I think there is something wrong with our email, just delete." If they are big enough to have an IT dept or worker, we will contact them as well. Sometimes we catch stuff before they know if it's minty fresh.
 
Dude, to encrypt 6 TB of data... that should take a hell of a lot of time, man. They must have waited days, or it was days before someone realized shit was wrong.
 
Those "practical barriers" prevented me from buying 4,000 bitcoin back when you needed to send money to Japan.

Not a fan of barriers, to say the least.
 
I have a client that had 45k worth of such trojans in his Avira Exchange Filter after an attack; those emails were tailored like handmade! The name, the topic, the layout, everything matched, even the reason: my client was hiring people indeed and the topic was correct, the person in full name, everything... That single one came through for whatever reason; the employee didn't dare to open it and asked the CEO to have a look. The CEO came in, looked at the screen, said "yeah, don't you know we are hiring, that must be REAL"... and the employee clicked it. By A LOT OF LUCK and what not else, the desktop version of Avira Professional then jumped in and got it before it could start encrypting; on an i7 with SSD and some RAM this goes in seconds, as we all know. Luckily it ONLY cost like 10h of work to check all servers after an emergency shutdown of ALL systems, EVERYBODY and EACH SERVER I shut down remotely the fastest possible way after they called me. They were lucky :)

I have another client; he was not so lucky with Zepto ransomware:
The office clerk called me up from the remote office and said her PDFs won't work for days now... HMMM. Well, they say this and in the end it's some other reason, but it's got something, so I dialed in remotely, checked the desktop and saw the file endings... --> ALARM ALARM... she uses VPN from time to time and maybe the HQ could get infected. I told her to pull the 220V plug NOW, DON'T ASK NOW!!!!! Short for that is: she got a brand new PC, as it was 5y old by then anyway.

The story doesn't end. I immediately called up their HQ (I am only the remote office freelancer and general adviser, not their HQ admin; they have none, all external afaik). I told my POC to IMMEDIATELY pull all 220V, ASK LATER, go to each office room and make sure ALL are off and then call an IT service.

It turned out that 1 mail from the global Exchange server all use was infected and 1 remote and 1 local guy opened it up; both got encrypted. Moreover, the local PC was connected to SMB... NICE!!!... that got encrypted as well in large amounts, but my immediate order to pull the plug saved a few GB; many many GB were LOST.

Their local IT service, who also runs their DC servers, called me up; he stated the same Zepto infection and same email origin, and that he had like 3 of those last month, where some got nailed down by Avira and Kaspersky in two cases and in some cases they got not so lucky.

Their total loss on IT service bills alone was several k €, not including any data recovery or damage loss.

The case I told you first is a Welfare Health Organisation, the 2nd one an Insurance Company. Both run 5-digit priced high end firewalls and UTM machines, have Avira or Kaspersky subscriptions for a hell of money... NOTHING HELPS!

If you click the wrong stuff you are FUCKED... or the company you work for.

The Welfare CEO told me she has 2 colleagues who run similar but even larger orgs that BOTH got infected around the same time she was targeted. Both lost their servers, total drop out!!!

This is damn serious. Those suckers look for backup targets; have them UNAVAILABLE on SMB, guys!!

Either pull the USB plug in SOHO or at home; in enterprises, don't make that backup pool available via SMB by mistake and laziness. Use the embedded protocols of the agents (Acronis for example) or use SSH and open the tunnel when needed and CLOSE it when done. Anything else is dangerous.

I keep my Time Machine off since. Only connecting it when I back up my workhorse, MacBook Pro. I personally don't back up my Windows machines at home; more stress over time than taking the damage. In business you cannot have that approach; you gotta prepare against those nasty encrypters... and it is not easy to implement right away into a given structure and backup plan.
 
I have a customer that gets these about every other week. They don't learn. I just restore their machines from backups and go about my business. It is annoying but nothing that isn't a big issue if you just make sure to have good backups. They lose a day of work at most. I did find out that if you use the built in Windows backup tool those files won't be encrypted. Mainly because Windows won't let you get access to them easily. It is normally one guy who gets the infection so I have 2 different folders that he backs up to. I do see this on off the street customers too. We get to sell lots of cloud backup solutions that way.
 
awesomesauce
Some people should not be allowed to have a computer. But lucky you, not everyone finds a golden-egg-laying goose.
 
I have dealt with this a dozen times or so now. I almost enjoy telling the customers they are screwed.

Most companies end up accepting the week of downtime and waiting for authorization on an exchange / money order transfer to buy BTC. The last one was about $3000, not including our consulting time. Normally they are servers set up by a competitor that haven't been monitored in years, or by an old IT guy the company employed 10 years ago. Every now and then it is one of our customers who declined a backup system on their proposal and ignored our free quarterly backup audit recommendations. Those are the most satisfying to deliver the news to (not just because of the "I told you so," but the cheap ones somehow are always the mean ones you hate working for anyway).

I think a lot of people would be surprised by the number of small businesses on the verge of losing all their data and having to close up shop just to save a few $$.
 

We're going through similar training. I get to be the asshole to the folks that keep clicking. A few clicked the first one. Second one, a bit less. We've done 6. We have the same people clicking on it every single time. At what point do you say these people just will not learn. They like to click.

Some people are morons.

Those that get this as their one or very rare instance? I feel bad for them. Backups are essential. For those that I see time and time again needing help removing a virus? I don't feel bad at all. They just won't learn.
 
120kV Mouse Feedback would help ;)

Anyone planning on making such a mouse? One for every company! The one who fails 3 mails must use the 120kV mouse for a month... any more wrongly clicked test mails and they get zzziiiiiiished... from the MOUSER!
 
Wow I didn't even know this was a huge issue. Fucking criminals suck.

But kinda similar to this. I had a friend of mine, his mom works at their small family business. And apparently she clicked on some email, and they took remote control of her machine! Then proceeded to tell her, that her PC needed a "security check", and they told her it would cost $200. So she paid it! WTF.

Then after talking to her, I immediately told her it was a scam. She had no clue. I ended up going over there and blew away the machine and reinstalled. Luckily she didn't lose any important data, but I told her and all their off staff, to backup their data on a daily basis.
 
Shoot'em right away !

No mercy for those guys, absolutely ZERO MERCY !

Robbing people like this, randomly shutting down places including those that help people ( medical care institutes etc.. ) is like attempted murder to me. Hang them high and let the ravens pick their bodies off the pole as a warning.


We all wait for the 1st infant emergency care complex that shuts down and the tragedy that follows.


It's a disgrace in the face of humanity.
 
It is like polluting a water well. No one, absolutely NO ONE will speak for someone who poisoned a well; the same applies for those guys, I guess.
 