Civil Engineering Association
Ransomware Encryption - Printable Version




Ransomware Encryption - LiviuM - 09-05-2015

Hello,

I recently hacked a ransomware encryption:

Most of the files were encrypted by a ransomware virus; the pattern was:
file.txt encrypted into file.txt.whatever10 @GMAIL.COM.crypt.
(whatever10 is fictional)

Files had great entropy, and randomness was also great:

Compared frequency between the original text file and the encrypted one:
[Image: 67258893899846088968.png]


The requested ransom was 2500$ and was raised to 6000$ (because the thief realized the files were really required by that company).

My work time: 3 days and 6 hours (48-52 hours).
Money asked for work: 500$
Money received: 630$
13$/h, a little more than I'm getting from engineering, (9$/h without taxes, 6.6$ after taxes).

If you have the same issue, feel free to contact me; if it's the same encryption I'll help you for free, the work is already paid.

The encrypted files are 1250 bytes larger than the original ones.

Targeted files are pictures, videos, database files, archives, music, chm, txt, pdf, and occasionally exe and dll.

Wish you never encounter such a problem.

Regards,


Moderator Note:
Title Changed!
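An added example, not from the post or its hidden attachment, of the triage the post describes: Shannon entropy and byte frequency of a file before and after encryption, combined with the renaming pattern and the 1250-byte size growth the post reports. The plaintext and the pseudo-random stand-in for ciphertext are constructed, and the `@GMAIL.COM` address is treated as a placeholder pattern.

```python
import math
import random
import re
from collections import Counter

# Renaming pattern reported in the post: file.txt -> file.txt.<id> @<address>.crypt
# (the address part is matched as a placeholder pattern, not a real indicator).
CRYPT_NAME = re.compile(r"^(?P<orig>.+)\.\S+ @[\w.-]+\.crypt$", re.IGNORECASE)
SIZE_DELTA = 1250   # bytes added to each encrypted file, as reported in the post

# Constructed inputs: repetitive English text, and seeded pseudo-random bytes
# standing in for the ciphertext, exactly SIZE_DELTA bytes longer.
PLAINTEXT = b"The quick brown fox jumps over the lazy dog. " * 40
_rng = random.Random(1)
CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(len(PLAINTEXT) + SIZE_DELTA))

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for constant data, near 8.0 for well-encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def byte_frequency(data: bytes, top: int = 3):
    """Most frequent byte values and their share of the file (the post's before/after view)."""
    n = len(data)
    return [(b, round(c / n, 3)) for b, c in Counter(data).most_common(top)]

def original_name(name: str):
    """Recover the pre-encryption filename from the renaming pattern, or None if no match."""
    m = CRYPT_NAME.match(name)
    return m.group("orig") if m else None

def looks_encrypted(name: str, data: bytes, original_size=None, threshold: float = 7.5) -> bool:
    """Triage check: rename pattern + high entropy + (if known) the fixed size growth."""
    size_ok = original_size is None or len(data) == original_size + SIZE_DELTA
    return original_name(name) is not None and shannon_entropy(data) >= threshold and size_ok

if __name__ == "__main__":
    for label, blob in (("original", PLAINTEXT), ("encrypted", CIPHERTEXT)):
        print(f"{label}: {len(blob)} bytes, entropy {shannon_entropy(blob):.2f}, "
              f"top bytes {byte_frequency(blob)}")
    print("encrypted?", looks_encrypted("file.txt.whatever10 @GMAIL.COM.crypt",
                                        CIPHERTEXT, len(PLAINTEXT)))
```

Run it over a suspect directory by reading each file's bytes and passing the original's size where a backup copy exists; the entropy threshold alone also catches compressed archives, which is why the rename pattern and size delta are checked too.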



RE: Ransomware Encryption - LiviuM - 10-06-2018

Dear friends,

I'm reviving this thread (although not allowed) as a reminder for your safety.
It's still happening so you should care.
During the last years I was contacted by ~30 people that were encrypted.

I was able to help 7 of them with full/partial recovery.
Different viruses, different solutions; I'll focus on prevention and solutions after an attack.

Solution

The data is important, not the device or the cleanup.

Most people start the recovery process by installing an antivirus to remove the threat.
Pointless: the virus did its job, most likely self-deleted, the data is encrypted, so focus on decryption!
The virus and its files are useful for decryption; don't touch them.
Shut down the computer, remove the hdd, image/clone it.
If it's a RAID setup, use a recovery bootable USB stick or DVD (Ubuntu or Gandalf Win10 or Hirens Live).
You can also use VMware vCenter Converter Standalone (free). It can transfer your live computer into a virtual machine (VM) stored in file that can run on any other PC in VMware Workstation Player (free as well).

Put the original hdd somewhere safe, never touch it again.
You can now contact some smart IT person to do his/her thing on a copy of the clone image and VM.

Buy a new hdd and clean-install the whole LAN/network
(you don't know where it came from, how many systems are affected, or for how long the attacker spied on your network and activity). Custom-made viruses will last forever: detection is based on signatures, and custom, low-profile means no signature. Heuristics work only for dumb viruses.

With or without the data, you need to restart production, fast.
Don't panic and buy the most expensive server/antivirus/things; it doesn't matter, the setup of things matters.
Change all passwords, if banks are involved discuss with them.
Reset router and DVR to default and change passwords.
Reset email passwords to new ones.

Submit from the clone the relevant info here:

You'll know if there is a solution free or not.
If there isn't, submit here:
And here (I was able to help 3 people with this service):
Evaluation is free; decryption costs ~150$. It's reliable, and they can provide a sample to check for free. And you'll get a license for one antivirus, valid for 2 years.
If they can't help, they'll tell.
Decryption and communication might take about 1-2 weeks. So restart production fast in a clean environment.

If you're here, bad luck. You might try the Kaspersky forum, file recovery tools and other tricks, and finally pay the ransom and hope to receive the key.


Prevention
Make backups.
I repeat: make off-site, off-line backups (helps with all kinds of events like flooding, fire, theft, power surge, ... police).
No system is secure; a well-determined attacker will find a way to breach.
You need to limit the damage based on data value and production delay cost.

Disable port forwarding on your router for remote desktop connection, DVR and whatever other LAN services that are not secure.
20 were attacked by remote desktop connection brute-force.
2 had DVRs compromised, which were flooding the network.
Buy/use a router with OpenVPN and connect to your LAN with VPN.
You could use port forwarding if your router allows configuring access from specific IPs to those ports.

Use a NAS with versioning. Use cloud storage with versioning (for in-house Nextcloud).
Public cloud 50GB for free:

Synology or Qnap have this option and can be stored at home.

1 victim had a portable backup hdd connected right at the moment when she got encrypted. All data was lost; the virus had programming issues and corrupted the data.
Some lost family photos or stuff that can't be recreated.

Requested ransom:
500$ (3 cases)
5000$ (20+ cases)
>200.000$ (3 cases)

You can get a random, automatic virus, created by an automatic platform, and it all works automatically (encryption, decryption), like home banking. It normally costs 500-2000$; it's called ransomware as a service (SAS).
Or you can get a virus that allows an attacker to spy on your activity, data, backups, data value, passwords, bank accounts... for a while; he decides when to strike and makes sure that the ransom will be expensive (~10 cases >5000$) without recovery options.

Stay safe
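Added example, not from the post: the remote desktop brute-force that the post says hit 20 of the ~30 victims leaves a trail of failed logons on the exposed machine, and this detector flags any source that fails a threshold of RDP logons inside a short window. The log lines are constructed; field names follow Windows Security event 4625 (failed logon) with logon type 10 (RemoteInteractive, i.e. RDP), and the IP addresses come from documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Only 4625 + LogonType=10 lines are RDP failures;
# the 4624 line is a successful logon and the LogonType=2 line is a local console failure.
SAMPLE_LOG = """\
2018-06-09T02:14:01 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2018-06-09T02:14:03 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2018-06-09T02:14:04 EventID=4625 LogonType=10 TargetUserName=office IpAddress=203.0.113.7
2018-06-09T02:14:06 EventID=4625 LogonType=10 TargetUserName=user IpAddress=203.0.113.7
2018-06-09T02:14:08 EventID=4625 LogonType=10 TargetUserName=scan IpAddress=203.0.113.7
2018-06-09T02:14:09 EventID=4625 LogonType=10 TargetUserName=test IpAddress=203.0.113.7
2018-06-09T02:20:00 EventID=4625 LogonType=10 TargetUserName=maria IpAddress=192.168.1.20
2018-06-09T02:25:00 EventID=4624 LogonType=10 TargetUserName=maria IpAddress=192.168.1.20
2018-06-09T03:00:00 EventID=4625 LogonType=2 TargetUserName=maria IpAddress=-
"""

LINE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
                  r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$")

def parse_line(line: str):
    """Parse one constructed log line into a dict, or None if it does not match the format."""
    m = LINE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "eid": int(m["eid"]),
            "lt": int(m["lt"]), "user": m["user"], "ip": m["ip"]}

def find_rdp_bruteforce(log_text: str, threshold: int = 5, window=timedelta(minutes=5)):
    """Map source IP -> sorted usernames tried, for sources with >= threshold failed
    RDP logons whose timestamps fall inside any sliding window of the given length."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["eid"] == 4625 and ev["lt"] == 10:
            by_ip[ev["ip"]].append((ev["ts"], ev["user"]))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()   # oldest first, so consecutive entries form the sliding window
        for i in range(len(events) - threshold + 1):
            if events[i + threshold - 1][0] - events[i][0] <= window:
                hits[ip] = sorted({user for _, user in events})
                break
    return hits

if __name__ == "__main__":
    for ip, users in find_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"RDP brute-force from {ip}: {len(users)} usernames tried: {users}")
```

On a real host the same logic runs over exported Security-log events; a source hitting the threshold is the point to block at the router rather than wait for a successful 4624 from it.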