My Office Server Was Attacked by Ransomware

Hi all,

Could anyone recommend a company that can help to decrypt the ransomware-encrypted files? I understand that the chance is quite low, but I just want to give it a shot…

P.S. I'm not an IT person and am not involved in the IT or network backup process. I'm asking this question just for the benefit of the company I'm working for.

Comments

    • Oh, you want to run a business, but skimp out on business critical services?

      Guess you don't really want to run a business….

      • +1

        All that's missing is underpaying workers.

  • -1

    You should contact an organisation that does incident response to help clean this up; however, it may be expensive. I wouldn't recommend paying the ransom, as this only encourages the criminals to find more victims.

  • +1

    Really only 2 options.

    1. Pay the ransom and hope they are one of the main players that do provide decryption after the attack.
    2. Nuke the site and start from scratch.

    Regardless of which way you choose, you need to wipe everything anyway; just with option 1, if successful, you can back up your data before wiping.

  • Backup, backup, backup.
    Restore the previous backup from prior to the attack = problem solved.

  • Reformat. Good luck

  • +1

    Contact a data recovery company or a cyber security company. I think the reality is that, unless they have the decryption key for this specific ransomware (which they may do), you are out of luck.

    What I don't understand is what would have happened if an event fried your server or drives; what was your company's strategy for recovery? Surely someone has backed up something, maybe even to an external drive, even if it's older data.

    • Good point!

  • I'd pull the drive out of the PC to stop it from infecting your network. Then run a virus scan on every PC on the network to try to contain this.

    Some possible leads; it seems there are tools out there. Only try them on a throwaway offline PC.

    https://www.reddit.com/r/hacking/comments/y5ayl6/decrypt_fil…

    • Yep you want to isolate the attacked computer from the rest of the network. Better yet, isolate all the computers from each other and only have them rejoin the network after each has been scanned and cleared of ransomware.

      There's plenty of advice already on getting your company's server data back, but let this be a lesson for your company to have multiple backups, backups of backups, and offsite backups.

  • +1

    Hey there.

    Do you know which specific ransomware you were hit with?

    Emsisoft has a variety of tailored decryption tools and if they don't have a decryptor on file you can submit a sample and ask for assistance.

    https://www.emsisoft.com/en/ransomware-decryption/

    • We can't even ID the ransomware; it looks like this is one of the newest ransomware strains.

      • So submit it to Emsisoft and ask for assistance…

      • +1

        Submitting can be a pain depending on what and where is encrypted. But if you have access you can submit an encrypted file here.

        https://www.emsisoft.com/en/help/contact/?c=submit

        If you can't submit an affected file, a screenshot of the ransom demand and some details regarding the encrypted file extensions can be a good place to start.

        Much of the time, "New" ransomware is a reskin of one of the more popular variations.

        I wish you luck.

  • -6

    You haven't said what is running on your server. It all comes down to what was running on your hardware. There are different methods & viable workarounds. And no, you are not allowed to pay the ransom; if you get caught by the eSafety Commissioner, you'll cause yourself more grief.

    • +2

      "And no, you are not allowed to pay the ransom, if you get caught by eSafety Commissioner, you'll cause yourself more grief." Please cite a source. It isn't recommended, but you can.

      • -6

        Go find it yourself. It's now a Federal act.

        • +1

          Pretty sure you have mixed this up with sexual extortion; nothing to do with this particular issue.

        • +7

          So your source is that you made it up then. You're the one making the statement, back it up with facts.

      • Only Optus and Sony are allowed to pay ransoms ;P

  • +3

    Having worked in IT for 20 years, the main thing most small businesses cheap out on is a backup. They don't take the time to set it up properly.

    We had a similar issue where a client's server was encrypted and he had no choice but to pay.
    The ransomware person did give us the tool to decrypt the server at a cost of 10k.

    We did advise him not to pay, but he was desperate.

    Be advised your best course of action should be:
    1. Disable the virus ASAP on the server and find ways to clean it out. The IT guy should have done this.
    2. Try and salvage what you can.
    3. Wipe the server and start fresh.
    4. Set up a network backup using Datto or ShadowProtect to a NAS. If it's a VM, use Veeam.
    5. Educate your staff.

    Hope that helps.

    • +6

      I always remember, when doing a cert course for something, a jr engineer for a rival consulting mob proudly stating they did not recommend backups for small businesses as they always make sure the servers they sell have RAID. Never seen someone lose all respect in a room as fast as that poor guy.

      • +1

        lol, that's the silliest thing I've ever heard.
        RAID is for data redundancy or performance depending on the RAID, not backups…

        • +4

          We all thought he was joking, being sarcastic at first… and then the entire room, all pretty much at the same time, realised… nope, this IS happening.

      • +1

        That's ok, I have seen enterprises and government departments that were using geo-replication on storage and thought this meant they had backup covered. Shockingly common for people to not understand the difference between HA and DR.

        • And backup. Neither HA nor DR is a substitute for backups.

          • @UltimateAI: backup can be part of your DR plan. Most DR plans include recovering from backup.

            • @gromit: Agree. Unfortunately many companies rely on replication technologies, either infrastructure or logical. These are not backups; that is the point I was making.

              • @UltimateAI: 100%. I still get shocked when I walk into large enterprises that don't get this.

                • +2

                  @gromit: BTW your reply was clear;
                  I was attempting to reinforce your point, not correct what you said.
                  Apologies if I was unclear.

                  • @UltimateAI: no probs, I never have issues with people correcting me or making what I said clearer :-).

    • Nice tips! For my server backups, I use Macrium Reflect and store them on an external hard drive. However, I'm worried ransomware targeting the server could encrypt my backups too (the ext HDD is always attached to the server). What non-cloud alternatives do other businesses use for offline backups that would be safe from ransomware?

      Otherwise, if cloud storage is the unavoidable way, which is the most economical provider to go for? I have around 8TB on the server.

      Thanks!

      • +2

        One approach is to disconnect the external drive after the backup. Another is to take a copy of a backup offsite.

      • +1

        Do you have say, an old laptop with a smashed screen or a low power consumption computer lying around?

        Try this out if you do; you could connect your USB hard drive as storage:
        https://www.infscape.com/

        It's just UrBackup but as a commercial package, which would make it easier for less IT-savvy people to use. You can also back up offsite to S3 with it, which is pretty handy (iDrive is cheap for storage if you ever wanted to go this route).

        You'd then install a piece of software on the computer, and that would communicate with the server. This can just be on your home network.

        The advantage of doing it this way is that UrBackup/Infscape isn't actively exposed to the internet (if not using S3, you could just disable external traffic), and it's a separate system that'd need to be compromised. The backup server will retain the prior versions of files, and the client (your computer) can't go ahead and delete them.

        The way you're doing it with Macrium, the computer just has to read/write to the USB hard drive and maintain everything on its own end. I.e. if this end gets compromised, goodbye.

        Realistically, for most people that's too much work, and you could just pay for a Backblaze subscription for under $10 a month with unlimited storage.

        • +1
          Nice run through. I would definitely consider this.

          But I still don't quite fully understand why you recommended having an extra laptop.

          I have a Windows server; can I just run the backup program to S3 from it?

          • +1

            @notewar: The laptop, I just meant you could use it as the server. They're very low power consumption, and repurposing one with a smashed screen as a server just makes sense.

            Not to S3, no; Infscape requires its own virtual machine. If your Windows server is running Hyper-V, you could use Infscape on a virtual machine inside of this, though. It does kinda defeat the purpose to some extent, but Infscape, if you use it for S3, will keep a database backup online so you could recover.

            You could install UrBackup on the Windows server and back up directly to that; however, then if the Windows server gets compromised, so do your backups. The crux of it here is that you need your backup systems to be somewhat segregated from others, and how segregated depends on how much risk you are willing to take.

            For my personal files/servers I have a server running Proxmox with Infscape and iDrive running on it. I'm happy enough with this because, if the worst happened, I can boot up a VPS somewhere online, restore Infscape, and pull all my files.

            For a business that would be too time consuming though.

            • +1

              @knk: Got it, thanks for the tips @knk, much appreciated.

  • +5

    A popular modern hacker strategy is what could be called "double jeopardy ransomware".

    The goal here is to extort a first ransom to decrypt the data, followed by a second demand for an additional payment to stop the hacker leaking customer data.

    Why extort someone once if you can extort them twice?

    • yep, this! ^^^

    • Often they'll try to extort you months or even years later. I've even been called into multinationals where the actors have impersonated the off-shore IT helpdesk to gain further access weeks later.

  • Weighing in late here, and I don't know if it was mentioned before, but you can test to see what encryption has been used; sometimes the threat actors are lazy and use encryption that has publicly available decrypt keys. You may not get anything or everything back, but it's worth a shot.

    I won't bang on about what you should have done; just deal with the current crisis first. Oh, and make sure you disconnect your network from the internet and anything internally unaffected, and don't reboot any infrastructure until everything has been scanned and verified in isolation. Get a reputable MSP or cybersec company in.

  • +2

    Nuke from orbit and use it as an opportunity to start over with appropriate backup strategies and DR plans.

  • Was it the kind where they encrypt the files and a notepad file shows up with every file, and then ask you to pay in bitcoin or Western Union and they will decrypt one?

    • Yes, there's a readme file. They just asked us to contact them via a chat app. Didn't ask how much the ransom is.

      • Encountered this one before.

        What they do is usually send an email link looking like a legit email, and then some co-worker would've clicked on it, which revealed a backdoor.

        Over a couple of weeks they slowly turn off your backups and then, all in one hit overnight, encrypt all your server folders in one go, and then the readme file gives you instructions on how to pay, like Western Union and such.

        Usually after you pay they will decrypt it, but of course no guarantees… If the files are critical, your boss should pay and hope for the best.

        Get some good security measures in place afterwards.

        There's not much that can be done, unfortunately.

  • -2

    Honestly, if I was in your position, since you do not have a plan, you really should pay the ransom regardless of what the government recommends if you need to recover your data.

    The first thing to do would have been to take the system offline, but it is already this late into the attack to recommend that you do this now.

    What files do you have on there? If it is something you can just rebuild from scratch, just nuke everything and start again. Most small businesses are simple, i.e. do invoicing, communicate via email, basic tasks that do not require you to pay a ransom.

    There would not even be a point in calling in a cybersecurity professional because you would just be wasting money for them to tell you the obvious and any garbage forensic report would not help you at all. If it is a simple business, just buy a new HDD, reinstall genuine Windows 11/10, install basic office productivity tools. Get the business back up and running to generate revenue. That's what you need to do.

    • Username definitely does not check out.

  • +2

    Sucks mate. This is the very reason why we are moving to SharePoint for our data.

    • Make sure you back SharePoint up as well.

  • @mamalove I work in IT and have for the past 20+ years. Happy to catch up in detail and give it a once-over for you. If interested, shoot me a reply :)

    • Thanks for that; we've consulted a few cybersecurity companies and none could offer us any solutions other than negotiating with the hackers and hoping for the best.

  • Have you tried this:

    https://noransom.kaspersky.com/

    • Yes, but without any luck.

  • How does one get infected by ransomware?

    • Hundreds of ways, but the most common is either clicking on a link in an email or opening an email attachment.

  • +1

    Some of the advice given here is absolutely atrocious.

    NEVER PAY A RANSOM. FFS. As much as this is the number one rule, people still do it under the cover and most of the time they don't get their data back anyway. This cannot be said enough.

    Follow the directions here: https://www.cyber.gov.au/report-and-recover/recover-from/ran… and report it to the ACSC.

    The only time you would get external professional help to assess and attempt restoration is if the data costs more (i.e. is more valuable) than the bill to hire someone. If it isn't, then you're better off taking it on the chin, rebuilding your system from scratch and learning from this experience, and then doing what everyone is saying: backup.

    • The funny thing about ACSC's warning about never paying the ransom is that their specialists will often say to do it if the data is critical and there's no other way. I can understand why they have the warning of course.

    • With what I've seen most people do get their data back after paying

    • Lol, you really don't know what you're talking about. If they don't have backups, the options are either pay the ransom or wipe and start again. If it's mission critical, you pay the ransom and roll the dice.

      • Unless you're being purposefully obtuse, wiping and starting again is clearly stated in my last paragraph. The difference in opinion is that I look at it from a bigger picture angle and not feed the ransomware business.

        • Yeah never feed the ransomware business - unless you're an insurance company….
          https://www.businessinsider.com/cna-financial-hackers-40-mil…

          Or you're part of the 80%
          https://www.forbes.com/sites/daveywinder/2023/05/30/the-sobe…

          • @Intoxicoligist: Again, don’t know if you’re being purposefully obtuse, read my first paragraph if you think I don’t know what I’m talking about. I don’t know what point you’re trying to make either but from the sounds of it you are encouraging paying the criminals and justifying feeding into their business model?

            • @BatmanBeer: If it's the only way to keep your business operating, then yes, you pay the ransom.

              This is the reason why it was never legislated to make ransomware payments illegal.

              Most organisations are able to decrypt their files after paying the ransom. The times I've seen it fail, it was because it was a new ransomware group with a poor encryptor, the business wiped the server so the encrypted files no longer existed, or someone had tried to use random decryptors on files and not taken a backup.

  • Sorry for your loss. try to recover what you can and start over, but never ever pay the scummies what they want.

  • Be sure to thank every cryptobro and crypto spruiker for their fine work in promoting ransomware. Before cryptocurrencies, ransomware did exist, but it was very rare and highly ineffective. Cryptocurrencies uniquely made this form of crime possible.

    • +1

      Don't be cut because you didn't buy the dip

  • -1

    Are they still using Windows 7?

  • +2

    I lead a team in IT Infrastructure and also deal with cyber security threats. I'm not a subject matter expert, but can only give you advice based on my experience. Once your data is compromised, your only way out is a backup that also hasn't been compromised, and by the sounds of it you probably don't have that in place.

    We see this a lot in small business, as they can't afford it and build up cyber security debt. They go unprotected for so long that eventually they get compromised and end up paying. This is where MSPs come into play, as they can provide an affordable IT solution without the huge costs of running an IT dept. No offence, but your IT is probably beyond their depth and probably wasn't afforded the proper resources. It's not his/her fault; many small businesses brush off IT/security and don't allocate resources. If you cheap out in this area, it doesn't matter if you get some IT guru working for you, he's not going to be able to stop or recover from this without proper resourcing.

    I suggest you try to recover what you can from cloud storage accounts you may have used, i.e. Dropbox, OneDrive etc. Check they're not compromised. I have heard of businesses paying up, but it depends on how much that data is worth to you. These guys do run their criminal activity like a business and will decrypt it. It's in their best interest; otherwise no one would ever pay up. IF you do go down that path, seek some guidance from a 3rd party company. You'll want to make sure everything is sanitised, because most who end up paying ransomware end up getting their data encrypted again.

    Good luck, and hopefully your small business learns and recovers from this experience. I really do feel sorry, as I've seen many small businesses fall victim to this, especially the older generation running a small business with no real IT knowledge. It's a different world to what they grew up with, and the tactics used are getting more and more clever, even fooling the best of us.

  • Looks like you have to wait for help or rebuild. Stop collecting customer data, then you have nothing to be ransomed against. As long as you have access to your emails, you should be able to rebuild everything. It doesn’t look like you are capable of hosting your emails so that’s a plus.

  • Some of the advice here is terrible

    Paying the ransom is against most practitioners' advice.

    As others have suggested, ransomware is a big business, particularly for highly skilled, poorly utilised hackers based in Russia, Turkey, China and Czechia, but others are starting to pop up.

    Contact cyber.gov.au for the reporting obligations on the incident, and the Office of the Australian Information Commissioner (OAIC) in case there are potential leaks of personally sensitive information on employees, suppliers or customers.

    They also have a brief on what's classed as sensitive information (DOB, address, TFN, licence numbers, proof of citizenship etc).

    It may sound old school, but off-location backups greatly assist, on cold, detached storage.

    The synchronisation of data in the cloud can mean replication of the ransomware unless there is revisioning present to roll back.

    • I bluntly shared my basic ideas above previously, getting negged to oblivion, and I concur with everything you're saying. Having been in the IT space for many years, I can vouch that trying to disseminate too much info, disguised as help, is really wasted on some people. There's been some thoughtful IT blokes giving their advice, yet the original poster was classically stupid. I've done two separate decryptions from malware a long time ago.

      Best thing I can offer is: set aside the original infected hardware & wait for decryptors to come out, but set up anew with some IT consulting first.

      • +1

        Ultimately this is a bargain site, not an advice forum for professionals.

        But I am coming up to 25 yrs experience.
        But still learn everyday.

        • -2

          Thanks, mousie. Again, I agree with what you say. The expectations to prove your knowledge are a bit much sometimes here. I do really wish I could 'air' my knowledge to help the poster; I'd just be ridiculed though. I loved IT, but found it was full of d'heads. I've been through the trenches.

          • +2

            @jonkvh: Probably because you tried to say something was illegal and when challenged you told them to look it up. Had you actually backed up your claim it would have been different.

            It's not illegal to pay a ransom.

            • -2

              @Clear: The eSafety Commissioner had it passed. That help you now?

              • @jonkvh: Where? Given the eSafety Commissioner has nothing to do with ransomware (unlike ACSC) I'm even more intrigued where this apparent law comes from.

  • I can tell you now they did not encrypt and most likely deleted the files and replaced them with 1 KB files. Encryption takes a while. Your only hope is to restore from backup or use Windows System Restore from before the attack. After you restore it, run virus scanner checks.
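The Emsisoft thread above asks for the appended file extension and a copy of the ransom note, the comment about testing what encryption was used needs a way to tell real ciphertext from a lazy rename, and the comment just above claims the files were replaced with 1 KB placeholders rather than encrypted. The script below is an added example written for this page, not code from Emsisoft, Kaspersky or any poster. It labels every file on a copy of the affected tree as a ransom note, ciphertext, a tiny stub, a renamed-but-plaintext file or intact, and tallies the appended extensions. The entropy threshold (7.5 bits per byte), the 1 KB stub limit, the list of document extensions and the sample files are all assumptions constructed here.

```python
"""Offline triage of a suspected ransomware-hit directory tree (added example).

Each file is labelled note / encrypted / stub / weak / intact so you know which
appended extension and ransom note to give a decryptor service, and whether the
data was really encrypted or merely replaced.  Thresholds, extension lists and
the sample tree are assumptions made for this illustration.  Run it on a
read-only copy of the affected volume, never on the live server.
"""
import math
import os
import random
import tempfile
from collections import Counter

# Office-server file types; an extra suffix after one of these
# ("invoice.docx.locked") is the classic ransomware rename.
DOC_EXTS = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".txt", ".zip", ".db"}
# Headers that survive only if the start of the file is still plaintext structure.
KNOWN_MAGIC = (b"PK\x03\x04", b"\xff\xd8\xff", b"\x89PNG", b"%PDF", b"\x1f\x8b")
NOTE_WORDS = (b"decrypt", b"bitcoin", b"ransom", b".onion")
ENTROPY_THRESHOLD = 7.5  # bits/byte; ciphertext and random data sit near 8.0 (assumption)
STUB_MAX_BYTES = 1024    # "replaced with 1 KB files": too small to hold the original
HEAD_BYTES = 65536       # how much of each file is read for the entropy estimate


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def appended_extension(name: str):
    """Outer suffix of a double extension such as '.docx.locked', else None."""
    base, outer = os.path.splitext(name)
    inner = os.path.splitext(base)[1].lower()
    if inner in DOC_EXTS and outer and outer.lower() not in DOC_EXTS:
        return outer.lower()
    return None


def classify(name: str, head: bytes, size: int) -> str:
    """Label one file from its name, its first HEAD_BYTES bytes and its full size."""
    # Ransom notes are small, printable and name the payment or decryption terms.
    if size <= 8192 and head.isascii() and any(w in head.lower() for w in NOTE_WORDS):
        return "note"
    entropy = shannon_entropy(head)
    if appended_extension(name):
        if size <= STUB_MAX_BYTES:
            return "stub"          # renamed placeholder; the original bytes are gone
        if head.startswith(KNOWN_MAGIC) or entropy < ENTROPY_THRESHOLD:
            return "weak"          # renamed, but the content is not real ciphertext
        return "encrypted"
    if head.startswith(KNOWN_MAGIC):
        return "intact"            # zip/jpg/png are high-entropy but keep their header
    if entropy >= ENTROPY_THRESHOLD:
        return "encrypted"         # encrypted in place without a rename
    return "intact"


def triage(root: str) -> dict:
    """Walk `root`; return label counts, appended-extension tallies and note paths."""
    counts, exts, notes = Counter(), Counter(), []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                head = fh.read(HEAD_BYTES)
            label = classify(fn, head, os.path.getsize(path))
            counts[label] += 1
            if label == "note":
                notes.append(path)
            elif appended_extension(fn):
                exts[appended_extension(fn)] += 1
    return {"counts": dict(counts), "appended_extensions": dict(exts), "notes": sorted(notes)}


def build_sample() -> str:
    """Write a constructed sample tree covering every label and return its root."""
    root = tempfile.mkdtemp(prefix="triage_")
    rng = random.Random(7)                      # deterministic stand-in for ciphertext
    cipher = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    files = {
        "invoice.docx.locked": cipher(4096),                     # encrypted
        "photo.jpg.locked": cipher(4096),                        # encrypted
        "contract.pdf.locked": b"\x00" * 512,                    # stub
        "memo.docx.locked": b"Meeting moved to Monday. " * 100,  # weak: rename only
        "README_TO_DECRYPT.txt": b"Your files are encrypted. Pay in bitcoin to decrypt.",
        "minutes.txt": b"Quarterly planning notes. " * 50,       # intact
        "archive.zip": b"PK\x03\x04" + cipher(4096),             # intact despite entropy
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    print(triage(build_sample()))
```

The "weak" bucket is the one worth a second look before anything is wiped: a renamed file whose content still has a format header or low entropy was not properly encrypted, which is exactly the lazy-actor case where a public decryptor or plain un-renaming may work. A large number of "stub" files supports the replaced-not-encrypted theory and means the answer is backups or carving, not a decryptor. Compressed and already-encrypted formats without a recognised header will show up as "encrypted", so treat the counts as a lead for the Emsisoft/ID submission rather than proof.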

  • Just throwing this out there in the rare case that this may help at all

    If the ransomware encrypts it, I am speculating it probably writes a new (encrypted) file and deletes the original file. When deleting a file, the operating system does not actually delete the file from the disk, but usually marks it as free space. If you have plenty of free space on the disk left, it may still be recoverable through file/disk recovery tools. The recovery may not be perfect, but better than nothing. For example, files that have been emptied from the recycle bin may be recoverable with some luck.

    I have not used one in the last 15 years easily, but it may be worth trying the free version and paying for it if that works - https://www.ccleaner.com/recuva. There are other similar tools out there, like one for Windows - https://www.howtogeek.com/680458/how-to-use-microsofts-windo…

    • Some modern ransomware, not all, writes and overwrites space on the volume, similar to a file-shredding operation used in the military, depending on the variant.
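The comment above speculates that deleted originals may still be recoverable from free space, and the reply notes that some variants overwrite the space instead. The block below is an added illustration written for this page, not code from Recuva or any other tool: it carves files by header/footer signature from a constructed raw image in which one deleted JPEG and one deleted PNG survive in unallocated clusters, while a third file's clusters were overwritten. The image layout, the 512-byte sector alignment and the two-entry signature table are assumptions for the example; real carving runs against a read-only image of the disk, never the live drive, and only recovers files whose clusters were not reused.

```python
"""Signature carving of deleted files from unallocated space (added example).

Shows why "the original may still be on disk" sometimes works after ransomware
deletes the plaintext, and why it does not when the variant overwrites the freed
clusters.  The raw image, sector size and signature table are assumptions
constructed for this illustration, not the behaviour of any specific tool.
"""

# kind -> (header, footer, bytes that follow the footer); PNG's IEND chunk carries a 4-byte CRC
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9", 0),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND", 4),
}
SECTOR = 512            # files start on a sector boundary on a real volume
MAX_FILE = 1 << 20      # give up on a header whose footer is not within 1 MiB

# Constructed sample files: valid-looking headers and footers, not real media.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"JFIF payload " * 40 + b"\xff\xd9"
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n"
              + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13 + b"\x00\x00\x00\x00"   # IHDR chunk + CRC
              + b"\x00\x00\x00\x00IEND\xaeB`\x82")                          # IEND chunk + CRC


def carve(image: bytes):
    """Return [(offset, kind, data)] for every sector-aligned header with a footer."""
    found = []
    for kind, (head, foot, trailer) in SIGNATURES.items():
        pos = image.find(head)
        while pos >= 0:
            if pos % SECTOR == 0:          # unaligned hits are almost always noise
                end = image.find(foot, pos + len(head), pos + MAX_FILE)
                if end >= 0:
                    end += len(foot) + trailer
                    found.append((pos, kind, image[pos:end]))
            pos = image.find(head, pos + 1)
    return sorted(found, key=lambda f: f[0])


def build_image() -> bytes:
    """Eight-sector image: two deleted files left in place, one shredded."""
    image = bytearray(8 * SECTOR)
    # Directory entries are gone, but the clusters still hold the bytes.
    image[0:len(SAMPLE_JPEG)] = SAMPLE_JPEG
    image[4 * SECTOR:4 * SECTOR + len(SAMPLE_PNG)] = SAMPLE_PNG
    shredded = b"\xff\xd8\xff\xe0" + b"gone " * 40 + b"\xff\xd9"
    image[6 * SECTOR:6 * SECTOR + len(shredded)] = shredded
    # A wiping variant overwrites the freed clusters; nothing is left to carve here.
    image[6 * SECTOR:6 * SECTOR + len(shredded)] = b"\x00" * len(shredded)
    return bytes(image)


if __name__ == "__main__":
    for offset, kind, data in carve(build_image()):
        print(f"{kind} at offset {offset}, {len(data)} bytes")
```

Two carved hits come back (the JPEG at offset 0 and the PNG at sector 4); the third file leaves nothing because its clusters were overwritten, which is the outcome the reply above describes. Fragmented files, clusters reused by the ransomware's own output, and formats without a clear footer all defeat this simple header-to-footer approach, so image the disk first and carve from the image rather than mounting the affected drive writable.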

  • If you don't have backups and need the data, I have heard that it is possible to negotiate the "fee" they charge.

    Maybe come to some agreement where you can part-pay to check if they can restore your files.

  • +1

    Search for air-gapped backups and the 3-2-1 backup strategy for the future.

    P.S. I used to work for a major Backup software vendor
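The UrBackup/Infscape discussion above makes the case that the backup target must be a separate system that keeps prior versions and gives the client no way to delete them, a later comment warns that cloud sync merely replicates the ransomware unless revisions exist, and the post above points at air-gapped 3-2-1 backups. The block below is an added illustration written for this page, not the code of Macrium Reflect, UrBackup, Infscape or any backup vendor: it models an always-attached mirror drive beside an append-only, versioned store, runs a toy XOR "ransomware" on the host, and shows which of the two still restores the plaintext. The hosts, file contents, XOR key and timestamps are assumptions constructed for the example.

```python
"""Attached mirror drive vs append-only versioned backup store (added example).

Models the two backup designs discussed above with in-memory stand-ins and a
toy XOR "ransomware".  Everything here (hosts, files, key, timestamps) is a
constructed assumption; it is not the code of any backup product.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class AttachedDrive:
    """Mirror-style backup on a drive the host mounts read/write.

    Whatever runs on the host, ransomware included, can rewrite these copies."""
    files: dict = field(default_factory=dict)

    def backup(self, host_files: dict) -> None:
        self.files.update({p: bytes(d) for p, d in host_files.items()})  # latest copy wins

    def restore(self) -> dict:
        return dict(self.files)


@dataclass
class AppendOnlyServer:
    """Separate backup host that keeps every version and exposes no delete.

    Blobs are content-addressed, so an existing blob is never overwritten;
    `history` records (time, digest) per path in arrival order."""
    blobs: dict = field(default_factory=dict)
    history: dict = field(default_factory=dict)

    def backup(self, host_files: dict, t: int) -> None:
        for path, data in host_files.items():
            digest = hashlib.sha256(data).hexdigest()
            self.blobs.setdefault(digest, bytes(data))
            self.history.setdefault(path, []).append((t, digest))

    def delete(self, path: str) -> None:
        # Retention is enforced server-side; the client credential has no delete right.
        raise PermissionError(f"retention policy forbids deleting versions of {path}")

    def restore_before(self, t: int) -> dict:
        """Latest version of each path written strictly before time t."""
        out = {}
        for path, versions in self.history.items():
            older = [digest for (ts, digest) in versions if ts < t]
            if older:
                out[path] = self.blobs[older[-1]]
        return out


XOR_KEY = 0x5A  # toy cipher standing in for the real strain's AES/ChaCha


def encrypt_in_place(files: dict) -> None:
    """Toy ransomware: rewrite every file in `files` as XOR ciphertext."""
    for path in list(files):
        files[path] = bytes(b ^ XOR_KEY for b in files[path])


def scenario() -> dict:
    """Day 1: clean backups to both targets. Day 2: host compromised, backups run again."""
    host = {"ledger.xlsx": b"Q3 figures", "contracts.docx": b"signed terms"}
    usb, server = AttachedDrive(), AppendOnlyServer()
    usb.backup(host)
    server.backup(host, t=1)

    # The attacker has been on the host for a while; the mounted USB drive is
    # just another writable path, so it gets encrypted along with the host.
    encrypt_in_place(host)
    encrypt_in_place(usb.files)
    server.backup(host, t=2)            # ciphertext arrives as a *new* version only
    try:
        server.delete("ledger.xlsx")    # the attacker's attempt to purge history
    except PermissionError:
        pass

    return {
        "host": host,
        "usb_restore": usb.restore(),
        "server_restore": server.restore_before(2),
        "server_latest": server.restore_before(3),
    }


if __name__ == "__main__":
    for target, files in scenario().items():
        print(target, files)
```

The attached drive restores ciphertext because the compromised host had write access to it; the append-only server restores the day-1 plaintext because the ciphertext only ever became a newer version and the delete call was refused. Two things decide whether this holds in practice: the retention window has to be longer than the attacker's dwell time (the comment above describes backups being switched off over a couple of weeks before encryption), and the credential the host uses to push backups must genuinely lack delete and overwrite rights on the target, which is the same property an offline or air-gapped copy gives you physically.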

  • How many users affected and how large is your organisation?

    If it's a large organisation with potential for multiple users affected, I would get a professional cyber organisation involved…

  • Probably an employee at Optus/Medibank/Tangerine lol

  • Delete the encrypted files and restore from backup after you know the system is clean.
