These last 10 days have been interesting. On Sunday September 4th a business I know of (NOT a client until AFTER this attack) was hit by the new CRYSIS ARENA virus. I was called in by management once their IT support told them they had been hit and bitcoins would be needed. The fact that bitcoins became involved was an immediate flag that something was bad.
The criminals infiltrated the network through typical channels found in poorly secured networks. They uploaded a NEW variant of CRYSIS which proceeded to encrypt not only the local disk, but any network shares (mapped or not). Needless to say, a lot of damage was done. The recovery time will be measured in weeks, and working their way through poorly managed backups was going to be a struggle. The company, against my advice, decided to gamble and pay the funds in hopes of obtaining files quicker and easier.
We followed instructions, and opened communication with the criminal ([email protected]). Norris – we all know that won’t be the real name but it is what I will refer to them as – responded with delays, beginning by asking how many computers. He proceeded to request 1 BTC (1 bitcoin), threatening 2 BTC if we didn’t pay in 1 day. To set up a BTC account and get funds into it that quickly cannot be done, so we enlisted an expert to help and had dialogues back and forth with the criminal until a reasonable payment, albeit a ransom, was agreed on. After several days of delays between emails, [email protected] agreed on a ransom of 0.25 BTC. He sent instructions on how to extract keys to send to him, and we did just that. The criminal was paid in BTC, and guess what? Norris did NOT release a decrypt key. He asked for MORE bitcoins. NOW, I know you all say I could have told you that, but some criminals have realized that if they release the files after an agreed ransom is paid, they perpetuate their scheme and will succeed in the future. I want you all to know that the criminals do NOT decrypt the files, no matter what they lie to you and say. They tease you, draw you in, and coerce you to give them money, and then demand more. Paying them only aggravates the problem, furthers their cause, and leads to MORE criminals doing this.
IF you get a cryptovirus such as CRYSIS ARENA, here is what you do:
IMMEDIATELY SHUT DOWN THE EXTERNAL CONNECTION TO YOUR NETWORK: disconnect the actual internet from the building, isolating your network from further remote control. You don’t yet know how the attacker gained remote control, or where it is coming from: it could be the server, it could be an employee workstation, it could be a wireless user.
ISOLATE THE INFECTED MACHINE, and if it is currently encrypting files, turn it off. If it is not, leave it on and analyze the processes to determine what is happening. You will need experienced IT on hand to assist you in cleaning it.
ONCE OFF, DO NOT REBOOT. To preserve whatever chance you have of good data being left, remove the drive, clone it, and use the clone for detective work and investigating. The original stays intact and untouched; it may become your salvation in the future once a resolution or decrypt tool comes along.
DETERMINE SCOPE OF BREACH: How deep is the criminal in? Did they get into a server directly? Did they compromise admin accounts? If so, you now need to sanitize the entire network to ensure all traces of malware, backdoors, viruses, rogue user accounts, etc. are removed or fixed. They may have reset passwords on user accounts so they can simply use those accounts again, or have installed remote control software such as ProcessHacker. In this case, you are now building an entire new AD.
RESTORE FROM BACKUPS: use your offsite backups to do a restore, or your onsite backups if the network penetration was not catastrophic.
DEPLOY NEW USERS, WITH NEW PASSWORDS.
No Backups? Then you will find yourself in a pickle, and need to plan your recovery. You had better talk to IT about why you had no backups.
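The scope check and the password reset from the steps above, as an added PowerShell example (not code from the original post); it assumes a domain-joined admin workstation with the RSAT ActiveDirectory module, and the incident date and group name are placeholders to adjust for your own network:

```powershell
# Added example, not from the original post. Post-incident AD triage for the
# DETERMINE SCOPE and DEPLOY NEW PASSWORDS steps. Requires the RSAT
# ActiveDirectory module on a domain-joined workstation.
Import-Module ActiveDirectory

$IncidentStart = Get-Date '2016-09-04'   # assumed start of the intrusion

# Accounts whose passwords changed since the intrusion began. A reset the
# helpdesk did not make is a sign the intruder took over that account.
$ChangedPasswords = Get-ADUser -Filter { PasswordLastSet -ge $IncidentStart } -Properties PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet

# Accounts created since the intrusion began (possible backdoor accounts).
$NewAccounts = Get-ADUser -Filter { whenCreated -ge $IncidentStart } -Properties whenCreated |
    Select-Object SamAccountName, whenCreated

# Current privileged membership, expanded through nested groups, so an added
# admin account cannot hide inside another group. Group name is assumed.
$Admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object SamAccountName, objectClass

'== Passwords changed since incident start =='; $ChangedPasswords | Format-Table -AutoSize
'== Accounts created since incident start =='; $NewAccounts | Format-Table -AutoSize
'== Domain Admins (recursive) =='; $Admins | Format-Table -AutoSize

# Forced credential rotation: give every enabled user a fresh random password
# and require a change at next logon, so anything the intruder reset or
# captured stops working. Runs with -WhatIf until you remove it deliberately;
# exclude service accounts and the account you are running as before you do.
function New-RandomPassword {
    param([int]$Length = 20)
    # printable ASCII excluding space; Get-Random -Count draws without replacement
    $chars = [char[]](33..126)
    -join ($chars | Get-Random -Count $Length)
}

Get-ADUser -Filter { Enabled -eq $true } | ForEach-Object {
    $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity $_ -Reset -NewPassword $secure -WhatIf
    Set-ADUser -Identity $_ -ChangePasswordAtLogon $true -WhatIf
}
```

Review the three tables before removing -WhatIf; an unexplained entry in any of them means the account, not just its password, needs to be investigated.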
MORAL OF THE STORY: [email protected] or any other cyber criminal is not your friend. He doesn’t want to restore your data. He does not even know how to decrypt the data. He is nothing more than a lowly criminal using canned software to exploit poorly secured networks and honest people who trust their emails. Do NOT PAY CYBER CRIMINALS. Let them starve and use your funds to reset your IT and network back on a clean path, and if required improve how you do business with new forms, new files, and a fresh starting point.
At Rivercity Technology Services we offer support for securing your network, and can help avoid cybercriminal attacks. We use geosecurity, network security, and physical security among other strategies to mitigate these problems before they happen. AND we make sure you have backups, because accidents and other events can happen and you need to know your recovery plan. Call us today at 306-986-8888 for advice, a consult, or assistance with your IT strategy.