My Office Server Was Attacked by Ransomware

Hi all,

Could anyone recommend a company that can help decrypt the ransomware-encrypted files? I understand that the chance is quite low but just want to give it a shot…

P.S. I'm not an IT person and am not involved in the IT or network backup process. I'm asking this question just for the benefit of the company I'm working for.

Comments

  • +3

    Is there an IT department or support person?

    • Yes, but he couldn't find any solutions at all. We don't have a full IT department as we're just a small business.

      • +3

        There are a few projects to decrypt ransomware - may be worth a shot.

        From a quick search https://www.nomoreransom.org/en/decryption-tools.html

        • I tried this one but the website cannot even recognise the variant of the ransomware

          • @mamalove: You are likely out of luck without rolling the dice and paying or waiting in the hopes that a similar project emerges for the variant that's attached.

            • +6

              @ihfree: Paying the ransom would be the last resort because we aren't even sure if we can get the data back after paying them

              • +23

                @mamalove: I absolutely hate saying this but typically they'll give you your files back because they want future victims to continue paying them. If they didn't give files back, no one would be paying the ransom.

                This is a lesson that the company you work for needs some better backup solutions, and general training on what not to click on. Most likely this was a result of an admin or sales staff member opening a nefarious file. The person the company hires to provide IT support will no doubt be onto this after this is over.

                If you have good backup solutions, a ransomware hit is more of an inconvenience as you can just revert to the backup and move on with your day.

                • @BillyG687: Yes the all important backup.
                  Daily, Weekly, Monthly. Full backups, incremental.
                  Backup to the cloud.

                  You may be able to painfully recover some files from your email if you attached them.

              • @mamalove: They will give your files back temporarily. What’s stopping them from leaving behind more ransomware for future activation?

                Not sure what your company data is like but they are screwed either way, pay or not pay, think of it as an instalment after you pay this very first time.

                Since it’s a small company, I imagine people have their stuff on their PCs and hardware and even USBs. See if you can get an inventory of what is in people’s storage that’s still accessible and then decide whether you can start over with whatever you have and without the past files.

        • +16

          They don't expect me to do anything, I'm just helping to see if there is anything I could do.

            • +8

              @AustriaBargain: We've already reported it to Cyber.gov.au.

              • @mamalove: Are they assisting?

                Did they get you to take a snapshot of memory and dump the network traffic?
                I'd be happy to have a look if you want to give me access.

      • +31

        Step 1) Sack your IT department for not having a backup strategy.

        Step 2) Reformat and start all over with a backup strategy.

        You can't decrypt it but you can pay the ransom, not like you got much to lose other than lose even more.

        • +1

          Agree. An IT person who didn't have a backup in the first place is not good enough.

          • +27

            @bathuu: They don't have an IT person. They have a high school graduate who likes to help out with the computers.

        • +3

          Funny you mention that… MAJOR service providers have been caught out in recent times being cheap on the redundancy and data security side lately (eg offline or even online backups).

          It seems that personal information (and critically, access to said information) doesn’t qualify for literally any redundancy… a/c failure at a data centre in Perth mid summer? Bupkis…. It’s an asinine policy spurred on by “just in time” logistics and other such bold enterprises!(which incidentally have shit the bed since covid anyway rofl)

        • +18

          I’ve worked in the IT field for a long time and whenever you tell a customer they need a backup and that it will only cost a couple of hours to set up initially and a couple of hours across the year to ensure is working smoothly, without fail I’ve been shot down because of cost. It’s something every business seems to require learning the hard way.

        • -4

          Yeah, even something as simple as enabling shadow copy in Windows would help. It's a simple 3/4 clicks in Windows.

      • What about the daily backups?

      • Does your company have any backups of the server?

        EDIT: Apparently not o_o

      • No backups?

      • Are there no backups?

        • +4

          Don't ask me why, but we had an external HDD backup attached to the server. This external HDD was also encrypted.

          • +1

            @mamalove: Maybe it was an inside job lol, that's just stupidly negligent otherwise.

            • -1

              @dowhatuwant2: I can't help scratching my head on this one either, but every computer in my office cannot install any .exe file unless we have the admin password. Not sure how the other employees could have mistakenly installed the ransomware on the server.

              • +2

                @mamalove: It may be that the admin password was compromised in some way. Had that happen to a client a few years back. A couple of the IT team unknowingly had key loggers on their machines and admin access was compromised that way (IT user accounts all had admin access!). The attackers then spent a few weeks keeping an eye on how things were run. They disabled their scheduled backups, encrypted all past online backups, then kicked off the encryption of everything else over the weekend. It was only spotted because one of our guys was on site doing out-of-hours work and he noticed something weird going on with the file server. We'd spent months telling them they needed to have offline backups but they hadn't listened. They did shortly afterwards, but only after it had cost them tens of thousands of dollars to fix and audit in the aftermath.

              @mamalove: May have been sitting dormant for a long time on any one of your PCs; once it awakens it will encrypt all the drives available on the network.

              • +1

                @mamalove: Does the server have remote access, i.e. Microsoft Remote Desktop? If so it's very easy to get into a server if there's no RD gateway set up with SSL. Older server operating systems like 2008, SBS and older are very easy to get into with RDP if it's not protected properly. Alternatively, 3rd party software like AnyDesk that's really old and unpatched.

                If you're running an unpatched Exchange Server that's another way to get in. A lot of high-profile ransomware attacks that have hit the news in recent years have come through on-premise Exchange.

            • @dowhatuwant2: You'd be surprised how often this happens. I see it all the time in smaller businesses.

              These days as well, offsite backups aren't expensive. Backing up to directly connected storage (be it USB or network) is never a good idea; it needs to be back and forth with a segregated server / client.

              • @knk: I do this at home with all free software and it's 100% automated including the downloading and testing of the cloud backups. A minimal attack surface with only local login allowed.

                Even if this box somehow got compromised the cloud service has rolling snapshots (zfs) which need entirely different credentials (different to the ones used during backups) to delete. These credentials were only used when I signed up to the cloud service so the chance of any ransomware getting at those is highly unlikely.

                It blows my mind that stuff like this happens in actual companies. I don't even work in IT or a related field nor have a degree or training. I work a basic entry level job.

                • @TightLikeThisx: Yep exactly, you're doing everything right and thinking "well shit, my data's here, it needs to be elsewhere and its current location needs to not be able to mess it up"

                  It's not exactly anything further than common sense.

                  The analogy I like to use is you have a business and your revenue cannot be made without a vehicle, let's say it's a truck and you're a removalist. Sure, you do regular maintenance and cover all bases but shit happens and vehicles need to be off the road every now and then for whatever reason.

                  Are you going to cop a week of 0 income? Or are you going to have another company on speed dial who you can hire a vehicle from, if you need a fleet of 5 trucks, maybe you should have 7 for redundancy. Regardless of what it is, you need to account for the unexpected….

                  • @knk: That's a good way to frame it.

                    Another way is "What's the cost of not having a solid backup plan if something unfortunate were to happen?"

                    I think getting someone to put a dollar figure on the worst case scenario and to really think and feel about the impact is a great contrast to the cost of whatever solution is being proposed.

                • @TightLikeThisx: Can you please give some more details - which software and cloud provider?

                  • +1

                    @kiitos: I've got it set up as follows:

                    Primary NAS
                    Runs TrueNAS Scale operating system. This PC serves files to devices on the network.

                    Backup NAS
                    Runs TrueNAS Scale operating system. This PC is set up to turn itself on at a certain time of the day. It does a pull replication of the Primary NAS, then using a program called Restic it backs up my files to the cloud provider rsync.net. I use Restic because it keeps everything encrypted and does not expose the encryption key to the cloud storage provider. I use Rsync.net because they use the ZFS file system, separate admin credentials for managing ZFS snapshots, and they don't charge for traffic. Once it's finished it shuts itself down. I have a script set up so that once a week it will use Restic to test the last backup. This is a feature of restic. I do this only once a week because my internet is slow and I don't want to leave the Backup NAS on 24/7. If my internet was faster I would do this daily.

                    Honestly though, this is a very complex setup for most people's use case. The advantage is I have it set up (with scripts) so that it is automatic and informs me via email if anything is an issue. For the average person, using just Restic and Rsync.net on their computer will get them 90% of the way. There are many tools; the key is just making sure that the NAS or cloud that is storing the backed-up data does not have its admin credentials exposed and the snapshots cannot be deleted by a non-admin user.
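                    The Backup NAS job described in this comment (pull replica, nightly Restic backup to an off-site repository, weekly read-back test) and the earlier point about keeping the backup client separated from the data it protects can be sketched as a small orchestration script. This is an added example, not the poster's script and not part of TrueNAS or Restic: the paths, the repository host and the password-file location are placeholders, and the real restic binary is invoked through an injectable runner so the planning logic can be exercised without it.

```python
"""Nightly off-site backup job (added example). Assumes a restic binary on PATH."""
from __future__ import annotations

import datetime as dt
import os
import subprocess
import sys
from typing import Callable, Sequence

# --- assumed values (hypothetical placeholders, not the poster's real setup) ---
REPLICA_PATH = "/mnt/backup/replica"              # dataset pulled from the primary NAS
REPO = "sftp:backupuser@backup.example.net:/restic-repo"  # off-site repo (placeholder host)
PASSWORD_FILE = "/root/.restic-password"          # repo key stays on this box only
RETENTION = ["--keep-daily", "7", "--keep-weekly", "4", "--keep-monthly", "6"]
VERIFY_WEEKDAY = 6                                # Sunday: weekly read-back test


def restic_env() -> dict:
    """Environment for restic: repository and key file, never the key itself."""
    env = dict(os.environ)
    env["RESTIC_REPOSITORY"] = REPO
    env["RESTIC_PASSWORD_FILE"] = PASSWORD_FILE
    # A password in argv or RESTIC_PASSWORD shows up in `ps` and shell history.
    env.pop("RESTIC_PASSWORD", None)
    return env


def should_verify(weekday: int) -> bool:
    """True on the one day a week the last backup is read back and checked."""
    return weekday == VERIFY_WEEKDAY


def plan(weekday: int) -> list[list[str]]:
    """Ordered restic commands for tonight's run."""
    cmds = [
        # Back up the replica, not the live share: the primary NAS never holds
        # credentials for the repository, so a compromise there cannot reach it.
        ["restic", "backup", "--one-file-system", "--tag", "nightly", REPLICA_PATH],
        # Retention is enforced client-side. The provider's own ZFS snapshots,
        # managed with separate admin credentials, are what survive if this
        # box is compromised and runs forget/prune against everything.
        ["restic", "forget", *RETENTION, "--prune"],
    ]
    if should_verify(weekday):
        # Read back a slice of the stored data blobs, not only the index, so a
        # corrupted or silently truncated repository is noticed before it is needed.
        cmds.append(["restic", "check", "--read-data-subset=10%"])
    return cmds


def run_plan(
    cmds: Sequence[Sequence[str]],
    runner: Callable = subprocess.run,
) -> tuple[bool, list[str]]:
    """Run each step in order; stop at the first failure and report which one broke."""
    log: list[str] = []
    env = restic_env()
    for cmd in cmds:
        result = runner(list(cmd), env=env, capture_output=True, text=True)
        if result.returncode != 0:
            log.append(f"FAILED {' '.join(cmd)}: {result.stderr.strip()}")
            return False, log
        log.append(f"ok {cmd[1]}")
    return True, log


if __name__ == "__main__":
    # Exit status drives the poster's "email me if anything is wrong" step;
    # hook a mail command or cron MAILTO to a non-zero exit (assumption).
    ok, log = run_plan(plan(dt.date.today().weekday()))
    print("\n".join(log))
    sys.exit(0 if ok else 1)
```

                    The shape of the job is what matters more than the particular tool: the backup box pulls from the source, holds the only copy of the repository key, and cannot delete the provider-side snapshots because those need credentials it never sees.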

                    • @TightLikeThisx: Thanks, that sounds very good! Do you know how much data you are storing in rsync.net, and how fast it grows?

                      • +1

                        @kiitos: I only keep normal files in my cloud backup no video files so it’s not that much. I don’t know growth rate but you can increase your account size.

                        They give you the last 7 days of snapshots for free too.

          • +2

            @mamalove: This is the reason why you should have offsite/cloud backups.

      • +1

        Hey mate, I run an IT business servicing smaller companies.

        You're welcome to give me a call and tell me what variant you have been hit with and I'll check if anything is available. PM me for my number.

        However if your IT fella has already said it's not possible, pay the ransom or lose your files are probably your only options. If you're lucky there's a shadow copy of something somewhere that hasn't been deleted but it's very unlikely.

  • +4

    Was Attached

    Try a pair of safety scissors to see if you can detach the issue.

    • +1

      Sorry, typo, updated the title

  • +9

    Would be easier and quicker to just wipe it and restore the backup.

    • The thing is we don't have the backup file

      • +16

        sigh
        shame shame shame

        pay the ransom. consider it the prize for not having backups

        where is your data stored anyway? cloud? local server?

        • +20

          Hackers server 🤣

        • +1

          pay the ransom

          But decryption of data is not guaranteed after payment.

            • +23

              @coffeeinmyveins: The majority of them do decrypt after payment. It is a business to them, if it gets out that they don't decrypt after payment everyone stops paying.

                • +18

                  @coffeeinmyveins: I gather you are quite clueless in this area. There are literally rooms of operators being paid to handle the ransom components of this, it is very much run as a business and a very lucrative one at that. This isn't likely to be some kid in his basement sending out ransom requests.

                • -6

                  @coffeeinmyveins: Obviously you’re not familiar with RaaS.

            • +3

              @coffeeinmyveins: these are the same type of people who think hostages are taken to be killed anyway, hostages are taken for leverage, just like ransomware

          • +7

            @DoctorCalculon: Is it not in their interest to decrypt the data after payment? If it becomes common to take payment and still not decrypt, that would then encourage people who are hacked to not pay the ransom. If every time the ransom is paid, decryption is provided then people are far more likely to bite the bullet and pay as the easiest fix… to the hackers, this is not personal, they likely don't know and don't care who you are beyond your capacity to pay the ransom.

          • @DoctorCalculon: I've seen a lot of businesses pay the ransom (I came in AFTER they got ransomed I should point out) and get their files back.

            You can usually bargain with them and they'll drop the price heaps, unless they've had access to financial data then they'll know what they can sting you for. Really depends what level of access they've had.

            I have never seen anyone pay a ransom and not receive their decryption keys.

      • Good luck

      • +3

        I'm not at all surprised; when I was doing it very few small and medium businesses did. Many were outright against it and saw it as an unnecessary expense. Even the ones who agreed and had something set up rarely stuck with maintaining it.

        Oh well, at least all the money saved from not hiring someone to implement a backup strategy and not doing backups for X time will cover a tiny percentage of the costs that'll now be incurred.

      • +2

        Play stupid games, win stupid prizes…

        Also known as "(profanity) around and find out"

        • That's a good line, can I use it in song.

      • +2

        As yours is a small organisation, I wouldn’t be expecting the IT department to keep up with all security issues. But the most important thing any IT department should do is to back up the data locally (on a different machine) and also on a remote server (if you have funds allocated for this). If your IT department has not taken this basic step to safeguard your company data then there is no point in having an IT department as your company is just flushing money down the drain.

  • +6

    You can pay the ransom. I gather that is successful about 3/4 of the time. But it is costly.
    There isn't a way to decrypt the files otherwise.
    Most small businesses just restore the last backup, get on the phone with their customers and say "we've had IT issues, can you send us your most recent order again."

    • +2

      I wish we had the backup file

      • +16

        Sounds like it may also be time to detach your support person and find someone who can implement a proper AV and backup strategy.

        • +7

          Remember that 50% of the time it's not the support person's fault especially in small business, it's that proper IT strategy, structure and governance are seen as not worth spending money on.

          I've had businesses where you can blatantly tell them if their 2003 server fails their business is done, and they still won't fix it.
          This is in companies with over 4m of revenue and the fix is 10k.

          • @Zondor: I had one "client" call me about 12 months after I set up their 365 tenant, just a basic SPO site and a migration from G Suite.

            They declined the support package or any level of ongoing support, they also declined backups of 365. I didn't hear from them after this until…

            I get a call asking how some files went missing and how (profanity) they were if they couldn't find them. "How could this happen, I thought it was all backed up".

            Despite me having emails to them detailing why they should have backups (retention periods on sharepoint aren't great) and then them acknowledging and declining my suggestion as it was too costly they still had the nerve to bitch and whine about it.

            They didn't want to even pay me to log in and take a look.

    • +2

      I had part of one drive encrypted by ransomware (filenames in Total Commander suddenly became scrambled). I managed to stop further infection simply by pulling out my internet cable and rebooting. That was about 7 years ago. They wanted 500 Euros worth of cryptocurrency to decrypt my files. I declined.
      I suspect they will want far more now just from individuals, and if they know you are a business they will probably demand a fortune.

      As had been mentioned, there are some decryption tools for older forms of Ransomware. I hope you can find one.

      Cybercriminals deserve to be fed into a wood chipper, slowly, feet first. They get rich by stealing from other people.

      I have a proper firewall now; if any non-whitelisted executable tries to phone home it automatically blocks it and pops up a message. Only if I create a rule, can it contact the internet. Most malware does little harm if it cannot phone home. If you download anything potentially dodgy, run it in a Sandbox (either SandboxIE, or the Windows Sandbox that has to be manually installed).

  • -7

    My Office Server Was Attached by a Ransomware

    Attached? Hmmmm then unattach it and the problem is solved!

    P.S. I'm not an IT person and am not involved in the IT or network backup process. I'm asking this question just for the benefit of the company I'm working for.

    If you're not involved in these things normally, then let them resolve it.

  • -5

    It's much easier to set up a system with software that blocks ransomware than it is to try and recover from ransomware :/

    Most idiots believe "MS Defender is enough", but it does SFA against ransomware :(

    • +13

      nothing protects against gullible staff in the office clicking malicious links.

      • +2

        Sure there is, plenty of software filter the links before opening …

        BitDefender, Kaspersky, Eset, GData are just a few that not only filter links that are clicked before opening, but they also have active detection and blocking of mass file encryption events …

        You can even whitelist apps via windows with Applocker if you prefer that …

        • oh wow. I'm behind the times

          • +2

            @FoxJump: If a business is using Office 365 they can add a lot of protection like URL and attachment scanning that'll happen before the email even hits their inbox. A lot of cyber security insurance companies are now checking for these kind of settings.

        • You can whitelist apps via applocker if you hate yourself. It's a nightmare lol

      • +1

        What about application whitelisting, security keys, etc?

    • +6

      Most idiots believe "MS Defender is enough", but it does SFA against ransomware :(

      The exception to this is Microsoft Defender Endpoint, for Office 365 and XDR that provides more 'enterprise' level protection. Even then I'd still be employing something like Crowdstrike, SentinelOne, Sophos Intercept X or Blackpoint. I've never had sophisticated ransomware attacks get through with these products.

      Not to say they're 100% bullet proof ofc.

    • +2

      Defender is pretty good for what it does. But when it comes to protecting data and ransomware you absolutely need more.

      first and foremost a proper backup strategy
      secondly staff security training
      thirdly App whitelisting
      then if you still have budget you can look at more comprehensive security solutions like defender for endpoint or crowdstrike etc.

  • +7

    Post the ransom note, so others can figure out what malware it is.

    Paying the ransom just encourages more ransoms. You should also check that it's not illegal to pay.

  • +2

    How much do they want?

    • $25 and a pizza.

      • We talking large pizza or extra large….?

        • Extra large of course. Could even upgrade them to a family size if they provide the code instantly!

          • +1

            @JimmyF: I wonder if we can haggle on the price if we throw in a topping, extra cheese and $20?

  • +3

    https://www.cyber.gov.au/report-and-recover/recover-from/ran…

    Follow that. Well, not this bit

    Step 5: Recover your information
    Check your backups

    But really, you should let the IT people deal with it and you should start to worry about what you need to start recreating that was stored on there.

    • +5

      it people

      OP said it’s a small business, the IT guy is either OP or the boss… or OP is the boss… (if this is the case I feel extra bad for OP)

  • Does the business have cyber security insurance? If so your policy may provide cover (financially) for the breach and often they'll want to employ a Cybersecurity consultant to investigate the breach.

    If your server contained client information you will be required by law to report the breach and you can do this at ASD's ACSC. I wouldn't stress too much about self reporting, as you're not going to be in trouble. They can help with the cyber incident and provide further advice (i.e. if you have to notify OAIC and clients). Edit: I see that you've already reported. Don't be afraid to ask for help when they reach out!

    Out of curiosity what antivirus (if any) were you using on the server?

    • +4

      Cyber security insurers would have required security software and a backup strategy to be in place at a minimum. They're not silly enough to insure small businesses with zero security and no disaster recovery plan.

      • We don't know the specific circumstances of OP's IT infrastructure. It's possible there was security setup and backup software, albeit not working. If so under some policies there would be a form of cover for financial loss.

        • +3

          OP's IT infrastructure

          I like to imagine it's a beat-up Pentium 4 just barely running Windows XP and a pirated copy of Office 2003, and compromised Avast

    • +1

      They don’t do backups. What makes you think they’re insured?

      • +1

        They don't have backup infrastructure or they don't have working backups? There is a difference. Having a cyber security component to insurance is pretty standard these days.

        This could be as simple as incompetent IT. Shame on me trying to be helpful though for anyone else reading.

    • They don't even have proper backups, so we can assume they will have massive holes in their security policy which would void insurance even if they had it.
      The insurance is quite strict about your responsibility to provide a competent level of security.

      • Not in my experience working in security for the last decade. A lot of insurance policies (not just cyber insurance) provide financial cover for business downtime. Having failing backups doesn't void all parts of insurance.

  • +1

    If you pay a ransom you'll be listed as an easy target on TOR and probably be hit by even more hackers

    • Probably, although maybe after this they will actually have working backups. Test it in production ;)

  • -2

    Just restore from yesterday's backup.

    If there is no backup then pay the ransom and sack the IT guy, maybe also try to sue him lol

    • +1

      sack the IT guy, maybe also try to sue him lol

      Unfortunately OP is probably the only dude keeping the place going

  • Not getting a proper IT consulting company to manage IT - small business, too expensive, yadda yadda yadda..
    Help, we've been encrypted and held to ransom - the only option is to pay - and that will be more than if we had got proper IT support to start with..
    It is a cost, just like all other costs of running a business of any size - the final goods and services the small business provides need to account for all business costs.

    There are small businesses ..then there are smart small businesses.
