What to expect when you get hit with Ransomware (first-hand experience)
Martin Musket
Recently NC Network Solutions, Inc was called in to handle a ransomware incident that affected 3 different companies (all interconnected through their network provider). The screenshot above is an example of the message that all 3 companies saw on all 23 of their servers.
So what did NC Network Solutions, Inc do to get the data back? From the standpoint of running any kind of recovery program, there is nothing that can be done. The first step is to file a report with local police and the FBI (for insurance purposes). The next step was to open a dialogue with the hacker. Once the dialogue was established, NC Network Solutions, Inc requested proof that the keys could be provided and the data decrypted. If that cannot be proven, chances are they were not going to get their data back. In this instance the hacker did provide a key for a single system to prove that he could supply keys to decrypt the rest of the data.
How much did the attacker request, and what currency did he want to be paid in? In this instance the attacker was requesting $50,000 worth of bitcoin, which translates to about 5 Bitcoin. The attacker chose bitcoin because it is untraceable and unregulated. Bitcoin uses digital wallets to transmit currency from one user to another, so the first step was to set up the company with a wallet from which to transfer the bitcoin to the hacker. Keep in mind that any purchase over $10,000 on a new account takes ~3 days to a week to process, during which time the company was reduced to manual paperwork to track transactions. Once the payment was made, the hacker released the decryption code to unlock the other servers.
So now that they have paid their money and have the decryption key, they can go right back to work? No. Once the keys have been produced, you still have to go through the process of decrypting all of the data, and how long that takes depends on how much data there is. In this case there was approximately 40TB of data, and it took approximately 2 weeks to decrypt all of it. While the data was decrypting, NC Network Solutions, Inc ran penetration tests against the network's firewalls and closed down any unnecessary ports. Antivirus and anti-malware programs were installed and run against all endpoint systems (PCs, laptops, PDAs).
Could this have been prevented, and how? Yes. By keeping offsite encrypted backups and having a disaster recovery plan in place, but first and foremost by having an outside vendor do penetration testing and by locking down all systems to prevent the hacker from getting in in the first place.
The company that was supporting these 3 companies is now out of business, and the companies that were affected now rely on NC Network Solutions, Inc for all their IT needs. In this case we consider the companies involved very lucky to get the data back, although it turned out to be a VERY costly lesson.