A word to the wise about ransomware

So, as all good stories go: “No kidding, there I was….”

The FSD Penguins had been scrambling all morning to try and get the internet up and running, only to find out that Missoula had a near city-wide internet outage.  Then came the call that any support person dreads: “What do you know about Bitcoins?”

Here are some steps that worked out well in this case; your mileage might vary.

  1. Turn the computer off!!!  At this point it didn’t really matter; the damage had been done.
  2. Don’t do anything rash.  Most people’s reaction to the message is to pay up and get their data back.  WAIT.

Here is where things got nerdy.

The first thing we did was make a disk image of the system.  You might ask, “But why, if the data is encrypted?”  Simple: so we don’t make things worse.  With a disk image (not just a backup) we can always get back to the point we started fighting the battle from.
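Here is what that first step looks like in code.  This is an added example, not the FSD Penguins’ own tooling: it copies a drive to an image file in chunks, hashes the source on the way in, re-reads the image to confirm the two match, locks the image read-only, and writes a sidecar hash so you can prove later that the image has not been touched.  The “drive” in `demo()` is a constructed temp file standing in for something like `/dev/sdb`; on a real device you run the same function with enough privileges to read the block device.

```python
"""Make a verified, read-only image of a drive before touching anything on it.

Added example, not the author's tooling.  The source path in demo() is a
constructed stand-in for a block device; the same code works on a real
device when run with enough privileges.
"""
import hashlib
import os
import stat
import tempfile

CHUNK = 4 * 1024 * 1024  # 4 MiB reads keep memory flat on multi-GB drives


def sha256_of(path):
    """Hash a file in chunks so the image is verified byte-for-byte."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(CHUNK), b""):
            h.update(buf)
    return h.hexdigest()


def image_drive(source, image_path):
    """Copy `source` to `image_path`, verify it, lock it read-only and write a
    sidecar .sha256 so the hash can be re-checked later.  Returns the digest."""
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for buf in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(buf)
            dst.write(buf)
        dst.flush()
        os.fsync(dst.fileno())
    # Re-read the image and compare with what we hashed on the way in
    image_hash = sha256_of(image_path)
    if image_hash != src_hash.hexdigest():
        os.remove(image_path)
        raise IOError("image does not match source; do not trust it")
    # Owner read-only: no accidental writes, no decryptor run on the master copy
    os.chmod(image_path, stat.S_IRUSR)
    with open(image_path + ".sha256", "w") as f:
        f.write(f"{image_hash}  {os.path.basename(image_path)}\n")
    return image_hash


def verify_image(image_path):
    """Later sanity check: does the image still match its sidecar hash?"""
    with open(image_path + ".sha256") as f:
        recorded = f.read().split()[0]
    return sha256_of(image_path) == recorded


def demo():
    """Constructed stand-in for a small drive: random bytes in a temp file."""
    workdir = tempfile.mkdtemp(prefix="ransom-image-")
    source = os.path.join(workdir, "fake-drive.bin")
    with open(source, "wb") as f:
        # deliberately not a multiple of CHUNK, to exercise the short last read
        f.write(os.urandom(3 * CHUNK + 12345))
    image = os.path.join(workdir, "fake-drive.dd")
    digest = image_drive(source, image)
    return digest, sha256_of(source), verify_image(image)


if __name__ == "__main__":
    digest, original, ok = demo()
    print("image sha256:", digest)
    print("matches source:", digest == original, "| sidecar verifies:", ok)
```

Work from a second copy of the image, never the master: the read-only bit is there so the decryptor you try later cannot quietly rewrite the one thing you can always fall back to.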

Now is when things might get questionable.  Somehow we need to identify the ransomware.  Why?  Well, there are a lot of really smart and dedicated researchers, law enforcement professionals and hobbyists who have dedicated themselves to thwarting the bad guys.  One site that we were able to find was https://id-ransomware.malwarehunterteam.com/.  It requires that you upload an encrypted file so that it can identify the type of ransomware, if possible.  The great thing about most computers is they have a lot of crap on them.  You don’t necessarily want to upload your forest inventory or accounting information for any site to try and decrypt.  So we used the HP printer user’s manual PDF.  After all, who cares if you tell someone you have an HP LaserJet XYZ?

Upload the file and…….

In our case we found that this particular ransomware had been cracked in March.  YIPPIE.  The site provided references to the press releases about the crack.

I quickly downloaded the file and figured out what needed to be done to decrypt the hard drive.  Bad news: you need an encrypted and a decrypted copy of the same file for this particular crack.  Excellent, I will take a file off the backup drive and have one of each, right?  Except that a backup drive that is always plugged into the computer isn’t really a backup and was just as encrypted.  What to do…  Surf the computer.  One recommendation was to use the demo files that come with Windows.  Actually we used the Dropbox demo files, as we could download a decrypted copy from the internet.  Same idea, different source.
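Finding that matching pair by hand across a whole drive is tedious, so here is the search as code.  This is an added example, not the author’s tooling.  It assumes the ransomware kept the original file name and appended an extension (`.locked` is a constructed placeholder; use whatever you see on the victim machine) and that clean copies of some files (the Dropbox demo files in the post) have been re-downloaded into a separate reference folder.  It pairs each encrypted file with its clean twin by name and runs a few cheap checks that catch the pairs that would only waste a decryptor run.  The “encryption” in `demo()` is a toy XOR stand-in so the example runs offline; it says nothing about any real family.

```python
"""Find encrypted/clean pairs of the same file for a known-plaintext decryptor.

Added example, not the author's tooling.  LOCKED_EXT is a constructed
placeholder, and the scramble in demo() is a toy stand-in so this runs offline.
"""
import os
import tempfile

LOCKED_EXT = ".locked"  # constructed placeholder, not a real family's extension


def find_pairs(encrypted_root, reference_root, locked_ext=LOCKED_EXT):
    """Walk the encrypted tree; for each *<locked_ext> file whose original name
    exists in the reference tree, return (encrypted_path, clean_path, verdict).
    verdict is 'ok' or the reason the pair is suspect."""
    reference = {}
    for dirpath, _, names in os.walk(reference_root):
        for name in names:
            reference.setdefault(name, os.path.join(dirpath, name))
    pairs = []
    for dirpath, _, names in os.walk(encrypted_root):
        for name in names:
            if not name.endswith(locked_ext):
                continue
            clean = reference.get(name[: -len(locked_ext)])
            if clean is None:
                continue  # no known-good copy of this one; keep looking
            enc = os.path.join(dirpath, name)
            pairs.append((enc, clean, assess_pair(enc, clean)))
    return pairs


def assess_pair(enc, clean):
    """Cheap sanity checks before feeding a pair to a decryptor."""
    enc_size, clean_size = os.path.getsize(enc), os.path.getsize(clean)
    if clean_size == 0:
        return "clean file is empty; useless as known plaintext"
    if enc_size < clean_size:
        return "encrypted file is smaller than the original; probably not the same file"
    with open(enc, "rb") as e, open(clean, "rb") as c:
        if e.read(64) == c.read(64):
            return "first 64 bytes identical; file may not actually be encrypted"
    return "ok"


def toy_scramble(data):
    """Constructed stand-in for 'encryption' so the demo runs offline."""
    return bytes(b ^ 0x5A for b in data) + b"\x00" * 16


def write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed sample tree: one good pair, one untouched file, one
    mismatch, and one locked file with no clean copy anywhere."""
    root = tempfile.mkdtemp(prefix="ransom-pairs-")
    ref = os.path.join(root, "reference")
    enc = os.path.join(root, "victim", "Dropbox")
    os.makedirs(ref)
    os.makedirs(enc)
    demo_pdf = b"%PDF-1.4 Getting Started with Dropbox " + bytes(range(256)) * 4
    write(os.path.join(ref, "Getting Started.pdf"), demo_pdf)
    write(os.path.join(enc, "Getting Started.pdf.locked"), toy_scramble(demo_pdf))
    write(os.path.join(ref, "Photos.txt"), b"some text")
    write(os.path.join(enc, "Photos.txt.locked"), b"some text")  # never encrypted
    write(os.path.join(ref, "Truncated.txt"), b"a long enough original")
    write(os.path.join(enc, "Truncated.txt.locked"), b"short")
    write(os.path.join(enc, "inventory.xlsx.locked"), b"no clean copy anywhere")
    return {os.path.basename(c): v for _, c, v in find_pairs(enc, ref)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Only the pairs that come back `ok` are worth handing to the decryptor, and even then run it against a copy of the disk image first.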

Now to run the decryption on the whole hard drive and backup.  This is why you back up (the disk image) before running: if you have the wrong key, the files may be unrecoverable after the attempted decryption.

What did we learn here?

Sometimes the first week of a tech support contract can be rough…

ALWAYS have a physically separate backup.  Back in the day when tapes were used for backup, one strategy was to have the following tapes:

  • Monday
  • Tuesday
  • Wednesday
  • Thursday
  • Friday
  • Last week
  • Previous week
  • Last month
  • Previous month
  • Last quarter
  • Last year

Overkill?  Well, ya, but that is what sysadmins do!!  So you can choose how much you are willing to lose and adjust the schedule accordingly.
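To make “how much are you willing to lose” concrete, here is that tape list as a schedule plus a restore-point picker.  This is an added example, not the author’s scheme verbatim: the post lists the tapes, but the precedence below (year-end beats quarter-end beats month-end beats the Friday weekly tape beats the weekday tape), the alternating use of the two weekly and two monthly tapes, and the rule that a backup written on or after the day of infection is treated as poisoned are my assumptions.

```python
"""Tape rotation for the schedule in the post, plus a 'how much do I lose?' check.

Added example.  The precedence between tapes and the alternation of the
weekly/monthly pairs are assumptions, not the author's stated rules.
"""
from datetime import date, timedelta

WEEKDAY_TAPES = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday"]


def next_business_day(d):
    d += timedelta(days=1)
    while d.weekday() > 4:  # 5 = Saturday, 6 = Sunday
        d += timedelta(days=1)
    return d


def tape_for(d):
    """Which tape gets tonight's backup?  None on weekends."""
    if d.weekday() > 4:
        return None
    month_end = next_business_day(d).month != d.month
    if month_end and d.month == 12:
        return "Last year"
    if month_end and d.month in (3, 6, 9, 12):
        return "Last quarter"
    if month_end:
        # two monthly tapes alternate by month parity (assumption)
        return "Last month" if d.month % 2 else "Previous month"
    if d.weekday() == 4:
        # two weekly tapes alternate by ISO week parity (assumption)
        return "Last week" if d.isocalendar()[1] % 2 == 0 else "Previous week"
    return WEEKDAY_TAPES[d.weekday()]


def schedule(start, end):
    """Tape label for every business day in [start, end]."""
    out = {}
    d = start
    while d <= end:
        label = tape_for(d)
        if label:
            out[d] = label
        d += timedelta(days=1)
    return out


def best_restore_point(tape_dates, infection):
    """tape_dates: {label: date the tape was last written}.  Returns the newest
    tape written before the infection and the days of work lost.  A tape
    written on or after the infection date is assumed to be poisoned."""
    candidates = [(d, label) for label, d in tape_dates.items() if d < infection]
    if not candidates:
        return None, None
    d, label = max(candidates)
    return label, (infection - d).days


if __name__ == "__main__":
    for d, label in schedule(date(2024, 3, 25), date(2024, 3, 29)).items():
        print(d, label)
    # Constructed tape log: the ransomware note appears Friday 2024-03-29
    log = {"Last week": date(2024, 3, 22), "Thursday": date(2024, 3, 28),
           "Last quarter": date(2024, 3, 29)}
    print(best_restore_point(log, date(2024, 3, 29)))
```

Drop tapes from the list and the number that `best_restore_point` returns grows; that number, in days of re-entered work, is the cost you are choosing when you trim the rotation.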

Finally, DON’T OPEN EMAILS that are not legitimate!!!  Yup, best guess that was the culprit.  We didn’t open it again to see if that was it.