A Hefty Ransom
Two Fridays ago was a good day. Or at least it started that way. I had wrapped up a half day planning session for a new district office building. Where I do this kind of work, I am usually out of cell range. This was no exception. When I drove into cell range, a LOT of messages started to come through via text and email. Sifting through them was a bit of a challenge. Now for the meat of the blog: this post is going to turn into a public service announcement. We all know the rules when it comes to the internet, but we have become creatures of habit and forget some of the basics. Our office got hit by ransomware. This is probably the same thing you have heard on the news about cities, institutions, banks, etc. getting all of their files encrypted and then having to pay or reconstruct from backup.
Our office was hit with the RSA1024 encryption. I don’t know the delivery method (brute force, phishing, click bait, etc.) of the actual ransomware. The product was probably delivered through a trojan using Dharma or crySIS. In this case, the final executable was MINMAY.EXE; it placed itself on our server and activated itself around 2:00 am. I started to do some research on the RSA1024 encryption, crySIS and anything related to ransomware. Basically, I was trying to understand all of the mechanics of what had just happened.
It appears Dharma sniffs for the open port 3389 on Windows Remote Desktop (RDP). I was aware of potential threats on the port and had masked it by moving it to something completely different. Because of our travel, we use RDP quite regularly. After deeper searching, this turned out to be a known weakness of RDP. So, we have a general idea of the how. Did I mention that our Cloud Backup IT service had not been running for 60 days? Because of this, we were stuck with dealing with the ‘bad guys’ to get our data back. When it rains… it pours.
While our IT service was working on the encrypted files, I began the process to wipe all of our workstations. That next Monday, I brought in 4 personal computers to set up an old style ‘sneakernet’. For those who don’t know what that is, it is when you share files via floppy disk (or in our case thumb drives). Our router and switch were still offline, and I did not have a way for the workstations to talk to each other. I was able to get our firewall back online, followed by the wireless access points. Once this happened, I started working on getting my 4 workstations and laptops to talk to the internet and each other. This was a lot of manual settings on each workstation, since we no longer had a server and the other services we take for granted.
Once the network was stable, I began wiping the workstations. 12 of the 14 workstations were hit with the Dharma Trojan. The process was to pull the hard drive (all of them were SSDs) and then plug them into a Linux station not on any kind of network and format the drives. I would then return it to the workstation and begin the process of a clean Windows 10 install followed by our production software. Each machine took about 6 hours and we were doing 2 at a time. By late Wednesday, we had completed all 12 workstations. We slowly returned them to the users to continue working.
The biggest challenge we had was how to share files without a server. We set up an older workstation with Linux and created a file share. This was a nice ad hoc file server. I scanned all of the laptops and the other 2 systems not hit. I was able to find some local copies of files to keep production moving forward. Within 2 days, we started to get caught up on some of the lost production. By the following Friday, I had all of the workstations done, we had about 10% of the files decrypted, and we started to pull the critical projects with deadlines. Yesterday seemed a little normal, except for meeting with the FBI, and we are still limping along with the systems. But we are breathing a little easier; we have internet, email and our core applications running. One good sign is that this is a clean network with very little overhead.
Here are the best suggestions I can give, from my personal experience with this ransomware, before you are hit. Know what is going on with your backups. Stay away from any kind of ‘click bait’ in your emails. Attachments and links are never good. Improve your firewall; there are no shortcuts. If you are using RDP, change the standard port. Make sure your antivirus is current and active. Install Malwarebytes (shameless plug); it works against ransomware. Pay the $40 a year; it is less than the thousands of dollars you will pay in ransom. There are no guarantees that these steps will protect you 100%, but it certainly won’t hurt. Finally, I’m heading north of the Arctic Circle for work, no cell and no internet. This adventure started with no cell and no internet. After the past week and a half of too much computers, I’m ready for a technology break.
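Since the post's weak point was RDP reachable from the internet, and moving the port only hides it rather than closes it, a worthwhile check is to watch the Windows Security log for the footprint an RDP break-in leaves: a burst of failed logons (event 4625, logon type 10) from one source, followed by a success (event 4624, type 10) from that same source. The script below is an added example, not code from the original post; the event records in it are constructed sample data with documentation-range IP addresses, and the threshold and window are assumptions to tune for your own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security-log records (not real data):
# (timestamp, event_id, logon_type, source_ip, account). 4625 = failed logon,
# 4624 = successful logon; logon type 10 = RemoteInteractive, i.e. RDP.
SAMPLE_EVENTS = [
    ("2019-08-09T01:40:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2019-08-09T01:41:12", 4625, 10, "203.0.113.7", "admin"),
    ("2019-08-09T01:42:30", 4625, 10, "203.0.113.7", "administrator"),
    ("2019-08-09T01:44:05", 4625, 10, "203.0.113.7", "backup"),
    ("2019-08-09T01:46:50", 4625, 10, "203.0.113.7", "administrator"),
    ("2019-08-09T01:48:19", 4625, 10, "203.0.113.7", "administrator"),
    ("2019-08-09T01:50:02", 4624, 10, "203.0.113.7", "administrator"),
    ("2019-08-09T07:15:00", 4625, 10, "198.51.100.22", "jsmith"),  # one typo
    ("2019-08-09T07:15:40", 4624, 10, "198.51.100.22", "jsmith"),
]

def rdp_failure_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Map source_ip -> time it first reached `threshold` failed RDP logons
    inside any sliding `window`. Sources that never reach it are omitted."""
    failures = defaultdict(list)
    for ts, event_id, logon_type, src, _acct in events:
        if event_id == 4625 and logon_type == 10:
            failures[src].append(datetime.fromisoformat(ts))
    burst_at = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop failures older than the window
                start += 1
            if end - start + 1 >= threshold:
                burst_at[src] = t
                break
    return burst_at

def successful_logon_after_burst(events, burst_at):
    """Sources that got a successful RDP logon (4624, type 10) at or after
    their failure burst: the signal that the guessing worked."""
    hits = set()
    for ts, event_id, logon_type, src, _acct in events:
        if event_id == 4624 and logon_type == 10 and src in burst_at:
            if datetime.fromisoformat(ts) >= burst_at[src]:
                hits.add(src)
    return sorted(hits)

if __name__ == "__main__":
    bursts = rdp_failure_bursts(SAMPLE_EVENTS)
    print("brute-force sources:", {s: t.isoformat() for s, t in bursts.items()})
    print("logged in after burst:", successful_logon_after_burst(SAMPLE_EVENTS, bursts))
```

On a real host the same two-tuple fields come from `Get-WinEvent -LogName Security` (TimeCreated, Id, LogonType, IpAddress, TargetUserName); a source that appears in the second list is the one to isolate and investigate first.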
…and now for something completely different.
In New York, it is illegal to sell a haunted house without telling the buyer.