Ransomware Steals Independence Day
In the fight to protect customers from cybercrime, ransomware attacks are considered especially heinous. This post is based upon true events. Any names, dates, and locations have been changed to protect the innocent.
Independence Day Cyber Attack
The hack began at approximately 3:45 AM on Tuesday, July 5th, 2016. Before 6AM it was over and the network was fully encrypted by cybercriminals, except for one functioning domain controller. Every other server, plus all workstations that were powered on were rendered useless. If you could log on at all, the operating system was now unlicensed with a broken profile. Most of the necessary system files and any data files had .LOL extensions (such as somefile.docx.lol). So, no programs work and the LOL files cannot be opened (even on an uninfected computer) without the decryption key. Most folders contained a “JOKE” ransom note named “how to get data.txt” with the contents below:
Hello boys and girls! Welcome to our high school “GPCODE”!
If you are reading this text (read this very carefully, if you can read), this means that you have missed a lesson about safety and YOUR PC HACKED !!! Dont worry guys – our school specially for you! The best teachers have the best recommendations in the world! Feedback from our students, you can read here:
As you see- we trust their training, only we have special equipment(cryptor.exe and decryptor.exe) and only here you will get an unforgettable knowledge!
The lesson costs not expensive. Calculate the time and money you spend on recovery. Time is very expensive, almost priceless. We think that it is cheaper to pay for the lesson and never repeat the mistakes. We guarantee delivery of educational benefits(decryptor.exe). First part(cryptor.exe) you have received 🙂
Your important files (photos, videos, documents, archives, databases, backups, etc.) which were crypted with the strongest military cipher RSA1024 and AES. No one can`t help you to restore files without our decoder. Photorec, RannohDecryptor etc repair tools are useless and can destroy your files irreversibly.
If you want to restore files – send e-mail to firstname.lastname@example.org with the file “how to get data.txt” and 1-2 encrypted files less than 5 MB. PLEASE USE PUBLIC MAIL LIKE YAHOO or GMAIL.
You will receive decrypted samples and our conditions how you`ll get the decoder. Follow the instructions to send payment.
P.S. Remember, we are not scammers. We don`t need your files. After one month all your files and keys will be deleted. Oops! Just send a request immediately after infection. All data will be restored absolutelly. Your warranty – decrypted samples and positive feedbacks from previous users.
The typos and poor grammar are either intentional or an obvious product of English not being their primary language. Even today, if you Google for this virus or ransomware, there is very little published. Most results are bogus or blatant pitches from anti-malware or backup tools. To date, no anti-malware has been effective in preventing ransomware. Purchasing backup software after the fact is useless.
Just like a pond or swimming pool filled with algae, the only course of action for a compromised network is to drain it. You fully reinstall all workstations and servers. Then you restore data from backup. Alternatively, you can pay the ransom. For customers who discover they don’t have adequate backup, paying the ransom may be the only alternative. However, the process to pay the ransom is neither quick nor easy.
Paying Ransom With Bitcoin
There was one old physical accounting server that was soon to be decommissioned. Typical for a disaster, another vendor was in the middle of performing a migration to a new version of the accounting software on a virtual server. The new virtual server was toast. While we were confident in our backup, if the files could be decrypted it would save considerable restoration time. As we began to rebuild the world, we also took a gamble on paying the ransom.
The recommendation from authorities is never to pay the ransom. The FBI recommends that you contact them and they will handle the investigation. Most business owners don’t report ransomware infections out of the concern for a public record and the fact that a formal investigation does nothing to get your systems running or data restored. This customer was not in a regulatory industry and had no requirement to report the breach.
If you’re not familiar with Bitcoin, it’s the favorite digital currency of cybercriminals because it does not use traditional banks to come under government scrutiny. Although bitcoins may be generated or mined by specialized computational machines, the majority of bitcoins today are purchased by cash or wire transfer from banks. Many people think of bitcoins as a commodity like gold. However, the value of bitcoin is much more volatile.
We created a new Yahoo account and sent a message to the specified address with a couple of encrypted data files. Gp2mail.com is hosted by Cloud Flare in San Francisco according to the American Registry of Internet Numbers. However, the domain registrar is in Shanghai and contact information for the domain is a fake U.S. address with an invalid state of DK.
It took 5 hours for the criminals to respond. The reply was as follows and the two files attached were indeed decrypted:
Sorry for delay.
Here is decrypted sample. Decryptors price in first two weeks is 0.3 bitcoin.
In next weeks – 1 BTC. Time is determined by key from “how to get
data.txt”, this key contains exact time of infection. Pay and save your
money and time. Warrantee is your decrypted samples and GPCODE`s 10 year
After payment you`ll get the decryptor.exe in 2-12 hours and all your
files will be decrypted automatically.
If i don`t send decryptor for you, who will pay to me in the future?
Get additional information and join to discussion about GPCODE here
See this links to find bitcoins http://howtobuybitcoins.info/.
Here https://coincafe.com/legal.php# “Ransomware Policy” you can get full
support for ransomware victims. This way is preferable.
Also usable for paypal https://paxful.com/buy-bitcoin/paypal
If you are ready to pay, send payment to this bitcoin address-
Please send me notice,when you`ll send payment.
You can Google the exchange rate for bitcoin. At the time, 0.3 bitcoins was valued at $246. Building a new virtual server, restoring the SQL databases, and having the accounting vendor perform an emergency migration would take at least 12 hours. In comparison to the restoration effort, the ransom would be a small price to pay.
Throughout the ransom process, you have little expectation or control of when the cybercriminals will respond or the length time to process a bitcoin order. It can easily take 4-5 days to simply purchase bitcoin, transfer to cybercriminals, and get a decryption program in return. While you may be able to decrypt systems and data, some workstations and servers will have boot problems requiring reinstall regardless.
The process for purchasing bitcoin is shockingly invasive. While the cybercriminals get to remain anonymous, you must give up your entire identity. To purchase bitcoin you must submit:
- A photo of the front and back of your driver’s license.
- A selfie of you holding your driver’s license beside your face.
- Your Social security number.
- A copy of a utility or cable bill with the same address as your driver’s license.
All of this information is required to just setup an account with a bitcoin exchange like Coincafe. Supposedly, bitcoin exchanges in the U.S. are required to record these personal details in accordance with the Patriot Act. Bear in mind that these organizations are not regulated or backed by the Federal Reserve.
The next day our account was verified. Instead of providing unknown bitcoin exchange operators full access to draft a bank account, it’s common to FedEx cash. Since the exchange rate is volatile, $20 – $50 more than the needed amount should be sent. Again you must take a picture of the cash with the order number and upload it. Sometime the next day, you order is processed and you have a bitcoin amount in your digital wallet. You can then transfer a specified amount to the bitcoin wallet address on the ransom and then e-mail the thieves about the pending transaction. The next day, we received this message with a link to download the decryption program:
Sorry for delay.
Extract file from ZIP,rename(add to file) *.exe extension (must
be decryptor.exe), run decryptor and wait for
the message -Done! .it`s need a lot of
time. all your files will be decrypted automatically. Better
way, if you have some doubts- dismount your
hard drive and connect it to another
PC as volume. After this step run decryptor and check files.
if some files are not decrypted
1) check “how to get data.txt” -may
be in this files keys are different?
2) Probably you have issues with read-write permissions in
some folders or discs.Try to delete LOL!
extension manually and open file(if
file are good,then use AntRenamer for another files).Try run
decryptor with admin rights. Also check file
names in folder-may be you have files
with the same name?
3) send me a letter with undecrypted sample
4) dont use simple passwords, create rules and policies for each
user,restrict programs for run, set password on
antivirus, disable admin rights, create cloud
backups. Please reply to me, when you get
decryptor. I hope that learn was useful for
you. Bonus- now you know about bitcoins.
We didn’t have the luxury to wait for all the time delays and bureaucracy. By the time the hackers responded with the decryption program, operations had been restored to a new accounting server. The old accounting server had been disconnected from the network and the decryption program did unencrypt the files. However, a required reboot made the server restart continuously. Even attempted repair of the operating system would not fix the problem. Our gamble ultimately failed as the ransomware decryption corrupted critical boot files beyond repair.
Containing Ransomware Early
Most IT departments are unprepared for the eventuality of ransomware. Here is a short list of a disaster drill that everyone should do. If you catch the ransomware infection before it is fully spread:
- Quarantine affected workstations and servers from the network.
- Until you determine the device that is the origin of the attack, you should also disconnect critical production servers as a precaution.
- Unshare infected file shares.
- Temporarily remove DNS from DHCP, server network cards, and wireless routers to prevent further infection.
- Check Active Directory for rogue accounts.
It’s highly recommended that infected devices be reformatted with fresh installs and data restored from backup. Taking the steps above you have a broken network, but you can save some valuable assets until you manually find the originally compromised machine. Remember that modern ransomware is a hack and no longer characterized by malicious e-mail attachments or drive-by downloads from risky web browsing. The most common mistake is to clean a few machines assuming everything is fine, just to find out the whole network is encrypted a week or two later.
Ransomware Rebuild Example
There were a total of 6 servers and 25 workstations that were encrypted and useless, including a high-end firewall. We took the steps above, but it was too late. Fortunately a dozen or so workstations had been turned off and were unaffected. Here’s what we did using a four person team:
- Made an announcement to all users and went to their offices to explain the situation. After the next couple of tasks, users with uninfected workstations would be able to get to the Internet. E-mail was with Office 365 and unaffected. A SharePoint document migration project was approved shortly after this disaster to mitigate further disasters of any kind by eliminating the on-premise file server.
- Slid a backup firewall appliance in place while the production firewall was reinstalled.
- Removed rogue admin accounts from the one functioning DC and enabled DNS so unaffected users could get on the web. There was still no data, but at least most of the staff could get to the Internet and e-mail.
- Forced a reset of all user and administrator passwords and advised a password reset of any hosted or vendor services.
- While infected desktops were reformatted, one Hyperv host was reinstalled.
- A new virtual domain controller was promoted and the previous one destroyed in case there were other backdoors enabled.
- Next a new virtual file server was created with user and department documents restored.
- A new virtual accounting server was created and the third-party accounting vendor performed an emergency accounting migration from backup SQL files.
- Users had full access to the environment on the fourth business day and the second Hyperv host was reinstalled with virtual machines moved at night for load balancing.
The staff had partial system access on day 1, but were not fully functional for 4 business days. Recovery could have lasted much longer without a System Plan, system monitoring, standard operating procedures, disaster recovery planning, and rock-solid backup. Guardian Managed Services are flat cost, so there were no additional charges for recovery. However, the customer lost 4 business days in productivity and some lost reputation with their customers and staff. Fortunately, this was not a regulated industry where the breach had to be publicized and fines levied by authorities.
Ransomware Cause and Prevention
Just because you have regularly patched systems with stringent firewall security, it’s only a matter of time before you face the same fate described above – unless you take some extra precautions. Virtually every business has some type of remote desktop or virtual private network access to their systems. Modern ransomware attacks are performed by foreign state sponsored hackers that probe for weak user account security. Targeted company users are fully researched through corporate websites and social media.
All it takes is some employees using weak or easily guessed passwords from the wealth of information online and it’s all over. Investigating afterwards, a couple of staff members had very generic passwords. A brute force password attack took literally no time to access the VPN server. Once logged on, the hackers downloaded their favorite security tools to begin to enumerate the local server administrator. The hackers then created backdoors, cracked the domain admin password, crippled the firewall, and finally encrypted the entire network. Web filtering and up-to-date anti-virus and patching didn’t matter.
Legacy IT support firms that bill by the hour are ecstatic about ransomware because the more pain and problems you have, the more they get to bill. Backup providers are also smartly cashing in on lackadaisical companies with limited restore or disaster recovery capabilities. However, if you’re a true managed service provider offering flat cost support like Matrixforce, then you’re losing money when the customer has problems. Even in a flat cost arrangement, customers are still badly hurt by productivity loss, lost revenues, reputation damage, and potential regulatory fines.
The only way to prevent current ransomware attacks is threefold:
- Annual staff training on data breach with acknowledgement of the top 18 security policies and procedures, as well as an annual risk assessment.
- Roaming network management to prevent traditional malware from phoning home and to immediately identify traffic from a compromised device.
- Device management with multi-factor authentication to prevent account hacks and provide selective remote wipe/lock on mobile or stationary devices.
We call it Overwatch and for less than $189 per user annually you get to add value to your staff while protecting your organization from the menace of ransomware. If you think about it, you spend more on coffee and office supplies per employee each year.