OSAN Ransomware - Should I Pay as I Need Data

Hi All,

I don't know what to do, but our server got hacked last night. All files are encrypted with the OSAN extension, and the hacker just confirmed file decryption and is asking for 0.4 BTC; on request, they dropped it by 0.3 BTC.

Any advice will be good. We need the business data, and I don't know what guarantee there is that they will decrypt it.

Comments (closed)

  • +9

    No guarantees. Restore from backup?

  • +39

    NoMoreRansom

    Upload some samples, maybe he's just a skid and the encryption has already been broken.

    • That's cool 🙂

  • +6

    There should be decryption master keys floating around. Try Kaspersky as well and see if they have it.

    https://noransom.kaspersky.com/ and https://www.mcafee.com/enterprise/en-au/downloads/free-tools…

  • +2

    I feel your pain.

    I was attacked with Muhstik 2 months ago, via my webserver php admin.
    It has been in the news, but some guy paid the ransomware, got his encryption key and hacked the hackers.
    Which helped me with decrypting my files…
    https://www.bleepingcomputer.com/forums/t/705604/muhstik-qna…

    so yes, he paid and got the decryption key

    My QNAP is now less fun, since I increased security massively.
    I also bought a Microsoft family subscription where I use the 5TB to backup my NAS

    It is definitely an expensive lesson in the need to backup (which I did via USB drive, which also became infected).

  • -2

    I keep going back to the hacker and they came down to 0.15 BTC. My boss is asking if we can make it 0.1 BTC and then get everything decrypted and complain to the cyber security something of government.

    • Complain? What is that going to do? Your security must be weak to be a victim of this, there is only yourselves to complain to.

      • +1

        Not necessarily. The wrong person clicking on the wrong thing is enough.

        Previous employer had a high up manager do it - said manager had write access to pretty much the whole server (due to role). IT (external) had fun fixing that mess - huge restore from backup.

        Backup your stuff peeps - and remember one is none! 3 versions - one live, one offline, one offsite.

        • While a fair point, there are mitigations that OP could implement to prevent users executing malware in the event it does enter the environment. E.g. whitelisting, restricting privileges, mail filtering of attachments, plenty of other things.

          No disrespect to OP but it doesn't seem that they are that experienced or something since they seemingly paid the ransom out of fear of being fired… I'd bet the environment was in shambles to begin with.

    • Chuck it on Scomo's pile.

  • Also, which company should I use to buy and transfer bitcoin? Please, this is urgent. Thanks

  • I am really stressed and might lose my job. I have to repay everything to my boss, as it is my mistake due to a security issue.

    • +30

      don't do that

      • +1

        I have family and job market is really tough.

        • +29

          It's illegal for your manager to ask you to reimburse them if you are an employee!

          In some states, it's also illegal to provide negative references to your future job checks!

          • @holisticboy: Thanks for your reply. My main concern is getting the server back up and running.

          • +1

            @holisticboy: Didn't know it was illegal to provide negative references.
            Had a manager do that at my last job when he was competing for a job with a subordinate after they were retrenched.

          • +1

            @holisticboy:

            It's illegal for your manager to ask you to reimburse them if you are an employee!

            Depends if standard-level incompetence or higher level negligence/fault. But in 99% of cases, yes you're right.

            On the other hand, if OP is given the choice of paying the losses or being let go for cause (which may well apply in this case), that would arguably be legal, and in any case not having a job is not having a job.

    • +19

      Everybody makes mistakes mate…repaying is not part of any job description

      • Thanks for your reply. My main concern is getting the server back up and running.

    • +1

      would that fall under unfair dismissal laws?

      • -1

        I think I won't be sacked.

      • Sacked for cause? No.

  • No backups?

    • Local external hard drive, Windows backup. The hacker encrypted the backup as well; otherwise I would have created a new virtual machine. Learned my lesson now.

      • Windows backup?

        No "Previous Versions" at all under Right Click > Properties?

        • No

        • I know, and please don't judge me. My bad.

          • @sonu1111: Can you find a link about the malware you have? I can't find it on Google…

            • @191919: ! ATTENTION !

              STRICTLY FORBIDDEN TO USE THIRD-PARTY DECRYPTION TOOLS - DATA WILL BE LOST!


              Due vulnerability in yor system all files have been protected with OSAN private key to safe them from unathorized access.

              To RESTORE your files, follow this few steps:

              1. OSAN service charges a payment for file decryption;

              2. Contact us with attached OLSAN-README.txt containing your unique ID-Key;

              3. Receive OSAN decryption tool;

              4. Run the tool and successfully restore all files.

              We guarantee:

              100% Successful restoring all of your files

              100% Satisfaction guarantee

              100% Fast and secure service

              As a proof of our trusted decryption service, you can send us 1 file and get it decrypted for free.


              STRICTLY FORBIDDEN TO USE THIRD-PARTY DECRYPTION TOOLS - DATA WILL BE LOST!


              Our e-mail: [email protected]

              Payment type: Bitcoin, DASH

              ID-KEY:
              90VfxVj5Lm0oucRaIFyNqX2y5OWExYpXlkpobP1txf7kmfIUdy/IRDiB7mQIarZK
              5akQvfAaFIBRdaG8B4yOVETxF+Hn0699wRcIBsWcjZpibKx42zG7HwiJYjVD/EF2
              rBJPa8JQli9VCsnNyq+OmWOMQm1FnjkalwaJ2WN76bM=

              ~ OSAN VRF ~
              ZFYBZR3fbxUXZhUIwB+6RQ==

  • +1

    This might sound obvious, but why is it so hard to track down these thieves if they have payment details made available?

    • +3

      Crypto is harder to track than a bank account.

  • -6

    Is there anyone here who can transfer the money? I will transfer the money to them. I can do it beforehand as well. It is for 0.1 BTC.

    • +1

      What are you talking about?

      • -6

        I have never done Bitcoin before and I just want to pay this guy and get the server up and running. I am flying overseas tonight for my wedding and this thing is stressing me out.

        Every website I am going to is asking for verification and taking time.

        • +24

          Asking people in a forum to transfer bitcoin surely raises many red flags.

        • plot twist

        • I am flying tonight overseas for my wedding and this thing is stressing me out.

          You said you had a family to support… Interesting.

    • at your own risk but might be worth a shot?

  • +3

    FWIW: I work for a multinational with over 10k employees globally. A few years ago we were hit with a ransomware attack (because someone with DA access was careless). This screwed pretty much every PC connected to the network at the time - including servers and backup servers. While we didn't pay the ransom, we later found out that the attacker didn't have the decryption key anyway.

    • +1

      so what happened to the company?

      • I know a similar company too, probably the same one; let's just say you can find their products in the confectionery aisle.

        They hired a multinational company even bigger than them to deal with it and paid a lot of money to fix it pronto. It was BAU after a stressful week.

  • What's the BTC address they want it transferred to?

    • 1NAr7NnuYPzrYbc4FFC9aJmo4bihbbWFGk

      • +4
        • +1

          Excuse my ignorance with this whole bitcoin stuff, but what is that a picture of? A receipt?

          • +3

            @Argenti Fox: That random string of letters and number is a bitcoin address. That image is a snapshot of the scammer's Bitcoin address, along with a record of the transaction that just went through. In total they have received 1 transaction to that particular address.

            However for privacy reasons, you usually create a new address for every payment you intend to receive, and never reuse the same address. This is to prevent people from knowing just how much you have received in total. So in this case, we do not actually know the running total amount of Bitcoin the scammer has managed to extort.

        • Looks like it has been moved now.

        • wait did you pay him??

  • +3

    I have just transferred 0.1 BTC to this person through Coinspot and now I am going to wait for the hacker to send me the file to decrypt my files.

    • +31

      Thoughts and prayers

      • Have you also tried "thinking about" or "praying for" his files to become decrypted and his ransom money returned?

        If so then send some my way, too!

    • -1

      Keep us updated.

    • good luck!

    • You better hope they give you the key…

      And I hope for your sake you didn't use your own money to pay them.. jesus

  • +1

    The hacker asked for the file from the C drive of both virtual machines.

    He/she also asked the following:

    Payment received.
    Before we start, tell us such thing - what type of relationship you have with altea?

    • +16

      You probably shouldn't post where you work? Your boss wouldn't want people to know you were hacked.

    • +14

      WHY ALTEA IT ?
      We work with you to create and implement the vision
      Complete End-to-End Solutions
      Outstanding Technical Support
      Focus on System Security
      Tested and Verified Disaster Recovery systems

      • +1

        Ouch!

      • +1

        Are you saying OP's business uses Altea? This is surely a disaster recovery scenario for the business. Why then is OP asking OzB for help instead of Altea?

    • +6

      Don't know what's really going on here, but from what I gather you already paid and now they want more? Feels like they have you by the balls and are attempting to manipulate you even more by taking advantage of your emotional situation and stress.

  • +2

    Let this be an expensive lesson, always have an offsite/cold backup that is completely separated from your network.

    Hopefully you get everything back mate

    • Couldn't agree more.

      An on site duplicate copy is not a backup, it's a copy.

      A backup is for cases of disaster. For a business, that means off site, preferably offline where practical.

  • Is OP being tested?

  • +4

    I know pretty much nothing about IT/security but reading this is making me nervous for the OP. Hope everything goes well. Some people are just so cold hearted.

    • To me it's simple. Anything you care about put on Dropbox / OneDrive (etc) so if something like this happens they just roll it back to yesterday & it's as good as new.

      The rest you lose, format the hard drive and start again.

      Not so easy for the OP, feel for ya.

  • +2

    This won't help his current situation but after this mess is straightened out, he/she really should get some professional education. Hopefully he can get work to cover it, this situation shows that they may be a bit out of their depth in their current role. And getting some certs would certainly help their career down the line.

    • Yep, where's the ShadowProtect offsite backup/Veeam etc. etc. at?
      A whole server (host?) backed up to one external HDD using Windows backup? What could go wrong.

  • +6

    update pls

  • Firstly, really sorry to hear this. It must be heartbreaking to have this happen to you. Hopefully you will get through this.

    As someone who went through this ordeal early last year, with a backup that then killed itself (long story)… we had to go to a ransomware recovery specialist. The cost was in the thousands (2×10k) but we got 99% of all files back.

    We didn't go to the malicious actors as who knows what they would've done.

    If you need the contacts of who we used PM me and I'll seems it there. (They're based in Sydney but not cheap).

    • +6

      Likely the recovery specialists just paid the ransomware fee and pocketed the rest

      • My thoughts exactly. But at that time it was very stressful, as you can imagine, and there was no way we would go to the ransomware creators.

        Regardless, it's behind me now, and a scary lesson to always have an offline/unplugged backup (and more than one).

        Crashplan.com is also an option for those contemplating cloud backup with minimal costs. (Apparently Ransomware/versioning proof).

    • I would've taken your money, paid the guys in Bitcoin, and got your data back… all happy 😅

  • Anyone have a simple backup procedure for uneducated and/or small businesses?
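The post above asks for a simple backup procedure, and earlier posts give the shape of one: several copies ("one is none"), at least one offline or offsite, and a way to notice when the source has already been encrypted so a good backup is not overwritten (OP's USB backup was encrypted along with the server). The script below is an added illustration written for this thread, not code from any poster or vendor mentioned here. It assumes the source is a local directory, the destination is a separately mounted (ideally offline or rotated offsite) volume, and that encrypted files carry a telltale extension; the `.osan` extension and the sample files are constructed from OP's description.

```python
"""Versioned backup with a pre-flight ransomware check and a SHA-256 manifest.

Added example for this thread; the paths, extension list and sample data are
constructed assumptions, not anything from the original posts.
"""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Extensions that indicate the source has been encrypted (assumption: ".osan"
# from OP's post). Add others as they appear in your environment.
SUSPECT_EXTENSIONS = {".osan"}
SUSPECT_RATIO = 0.05   # refuse to back up if more than 5% of files look encrypted


def scan_for_encryption(src: Path) -> tuple[int, int]:
    """Return (total_files, suspect_files) under src."""
    total = suspect = 0
    for p in src.rglob("*"):
        if p.is_file():
            total += 1
            if p.suffix.lower() in SUSPECT_EXTENSIONS:
                suspect += 1
    return total, suspect


def looks_encrypted(src: Path) -> bool:
    """True when the share is flooded with files carrying a suspect extension."""
    total, suspect = scan_for_encryption(src)
    return total > 0 and suspect / total > SUSPECT_RATIO


def sha256_file(p: Path) -> str:
    h = hashlib.sha256()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, dest_root: Path, keep: int = 3) -> Path | None:
    """Copy src into a new timestamped set under dest_root.

    Refuses (returns None) when src looks encrypted, so the last good set is
    never rotated away. Writes manifest.json with per-file SHA-256 so a
    restore can be verified, and prunes to the newest `keep` sets.
    """
    if looks_encrypted(src):
        return None
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    dest = dest_root / stamp
    shutil.copytree(src, dest / "data")
    manifest = {str(p.relative_to(dest / "data")): sha256_file(p)
                for p in (dest / "data").rglob("*") if p.is_file()}
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=1))
    sets = sorted(d for d in dest_root.iterdir() if d.is_dir())
    for old in sets[:-keep]:          # timestamps sort lexicographically
        shutil.rmtree(old)
    return dest


def verify_backup(backup: Path) -> list[str]:
    """Return relative paths missing or changed since the manifest was written."""
    manifest = json.loads((backup / "manifest.json").read_text())
    return [rel for rel, digest in manifest.items()
            if not (backup / "data" / rel).is_file()
            or sha256_file(backup / "data" / rel) != digest]


def demo() -> dict:
    """Constructed end-to-end run: good backup, then simulated encryption."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dest = Path(tmp) / "share", Path(tmp) / "usb_backup"
        (src / "finance").mkdir(parents=True)
        dest.mkdir()
        (src / "finance" / "ledger.xlsx").write_bytes(b"constructed ledger")
        (src / "notes.txt").write_text("constructed notes")
        first = make_backup(src, dest)
        # Simulate the ransomware: every file gains a .OSAN extension.
        for p in list(src.rglob("*")):
            if p.is_file():
                p.rename(p.with_name(p.name + ".OSAN"))
        second = make_backup(src, dest)
        return {
            "first_ok": first is not None,
            "second_refused": second is None,
            "first_intact": first is not None and verify_backup(first) == [],
            "sets_kept": sum(1 for d in dest.iterdir() if d.is_dir()),
        }


if __name__ == "__main__":
    print(demo())
```

Run it on a schedule against a destination that is unplugged or rotated offsite between runs, and keep a second copy elsewhere; the extension check only stops the script from clobbering the previous set, it does not replace offline storage.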

  • +1

    None of this was possible before bitcoin came along. Two steps forward, but a huge step back in enabling ransomware, drug dealers, and child molesters to ply their trade.

    • +2

      Rubbish, how did the Catholic Church do it for so long.

      • Excellent
