This last 10 days has been interesting.  On Sunday September 4th a business  I know of (NOT a client until AFTER this attack) was hit by the new CRYSIS ARENA virus.  I was called in by management once their IT support told them they had been hit and bitcoins would be needed.  The fact bitcoins became involved was an immediate flag something was bad.

The criminals infiltrated the network through typical channels found in poorly secured networks.  They uploaded a NEW variant of CRYSIS which proceeded to encrypt not only the local disk, but any network shares (mapped or not).  Needless to say, a lot of damage was done.  The recovery time will be measured in weeks, and working their way through poorly managed backups was going to be a struggle.  The company, against my advice, decided to gamble and pay the funds in hopes of obtaining files quicker and easier.

We followed instructions, and opened communication with the criminal (  Norris – we all know that won’t be the real name but it is what I will refer to them as – responded with delays, beginning by asking how many computers.  He proceeded to request 1 BTC (1 bitcoin), threatening 2 BTC if we didn’t pay in 1 day.  To setup a BTC account and get funds into it that quick can not be done, so we enlisted an expert to help and had dialogues back and forth with the criminal until a reasonable payment, albeit a ransom, was agreed on.  After several days of delays between emails, agreed on a ransom of .25 BTC.  He sent instructions on how to extract keys to send to him, and we did just that.  The criminal was paid in BTC, and guess what?  Norris did NOT release a decrypt key.  he asked for MORE Bitcoins.  NOW, I know you all say I could have told you that, but some criminals have realized if they release the files after an agreed ransom is paid, they perpetrate their scheme and will succeed in the future.  I want you all to know that the criminals do NOT decrypt the files, no matter what they lie to you and say.  They tease you, draw you in, and coerce you to give them money, and then demand more.   Paying them only aggravates the problem, furthers their cause, and leads to MORE criminals doing this.

IF you get a cryptovirus such as CRYSIS ARENA, here is what you do:

IMMEDIATELY SHUTDOWN EXTERNAL CONNECTION TO YOUR NETWORK:  disconnect the actual internet from the building, isolating your network from further control.  You don’t know how the remote control has happened, or where it is coming from.  it could be the server, it could be an employee workstation, it could be a wireless user.

ISOLATE THE INFECTED MACHINE, and if it is currently encrypting files, turn it off.  If it is not, leave it on and analyze the processes to determine what is happening.  You will need experienced IT on hand to assist you in cleaning it.

ONCE OFF, DO NOT REBOOT. You need to preserve any chance of having good data left, remove the drive, clone it, and use a clone for detective work and investigating.  The original stays intact, untouched, and may become your salvation in the future once a resolution or decrypt tool comes along.

DETERMINE SCOPE OF BREACH:  How deep is the criminal in?  did they get into a server directly?  Did they compromise admin accounts?  if so, you now need to sanitize the entire network to ensure all traces of malware, backdoors, viruses, user account, etc are fixed.  They may have reset password on user accounts to simply use those again, or have installed remote control software such as ProcessHacker.  In this case, you are now building an entire new AD.

RESTORE FROM BACKUPS:  use your offsite backups to do a restore, or your onsite backups if network penetration was not catastrophic.


No Backups?  Then you will find yourself in a pickle, and need to plan your recovery.  You had better talk to IT about why you had no backups.


MORAL OF THE STORY: or any other cyber criminal is not your friend. He doesn’t want to restore your data.  He does not even know how to decrypt the data.  He is nothing more than a lowly criminal using canned software to exploit poorly secured networks and honest people who trust their emails.  Do NOT PAY CYBER CRIMINALS.  Let them starve and use your funds to reset your IT and network back on a clean path, and if required improve how you do business with new forms, new files, and a fresh starting point.

At Rivercity Technology Services we offer support for securing your network, and can help avoid cybercriminal attacks.  We use geosecurity, network security, and physical security among other strategies to mitigate these problems before they happen.  AND we make sure you have backups.  Because accidents and other events can happen and you need to know your recovery plan.  Call us today at 306-986-8888 for advice, a consult, or assisting you in your IT strategy.

Jeff Shirley

Jeff Shirley

Founder & CEO
Jeff brings over 27 years of experience to the table, along with numerous awards, certifications, and real-world implementations.  His database solutions are currently running in industries including government, mining, agriculture, finance, education, science, research, non-profits, and healthcare businesses around North America and serve thousands of users day to day.  Jeff is a five-time MVP Award recipient for Microsoft Access, acknowledging contributions to community projects, evangelism, and educational outreach on Microsoft technologies.  Today there are less than 50 Access MVP’s worldwide. While Jeff focuses day to day on business management, IoT development, IT integrations and design, database architecture or other typical complex tasks, he also is a co-owner of Blue Heron Gardens, a commercial apiary running over 200 beehives.  Fresh honey is a small perk for many of our clients!

Mitch Redekopp

Mitch works with our clients day to day ensuring web development and IT projects are done to exceed customer expectations.  His background includes formal training in IT, Microsoft and CompTIA certifications, real-world business experience, and a true dedication to ensuring clients receive timely and professional support on their projects with Rivercity Technology Services.  Given the most difficult requests for IT solutions, Mitchell can assist our clients in finding a path to the best options which deliver results for our clients.  Mitchell is an avid soccer player and Manchester City fan, be sure to talk soccer with him when you can.