Bill Golden (United States) asked:
Suddenly, 1,000s of files have been encrypted on our network drive. DO WE PAY THE RANSOM?

Thousands of files in our ShareFile directory were encrypted between 12:01 PM and 12:59 PM yesterday. Of course, in a matter of hours the encrypted files updated the good files on every laptop and every employee's home machine that was running ShareFile.

The following string has been added to the name of every encrypted file:

.crypted_hoboblin@torquechat_com

Removing this string from the end of the filename does not help. Regardless of the type of file (.doc, .xls, .pdf, etc.), the file will not open. Depending on the program used to open it, it reports that the file is damaged.

One file in the root drive of the ShareFile directory, named how_to_back_files.html, does open and reads like this when opened (the wording is exact):

YOUR FILES ARE DECRYPTED!
Your documents, photos, databases and all the rest files encrypted cryptographically strong algoritm.
Without a secret key stored with us, the restoration of your files is impossible

----------------------------------------------------------
To start the recovery process:
Send an email to: hoboblin@torquechat.com with your personal ID in the message body.
In response, we will send you further instructions on decrypting your files.
---------------------------------------------------------
Your personal ID:
93 C7 AC 4B ... (This goes on for several lines!)

Do we contact them? Obviously, they are going to want money. Do we pay? Go to backups and start over? Close the doors? Any suggestions?
Iamthecreator (France):

NO. Please do not pay them. There is no guarantee that the files will be decrypted.
Restore from backup.
ASKER CERTIFIED SOLUTION
Edmond Hawila (Cyprus)
The generally accepted wisdom here on EE is to never pay the ransom.
You would be giving money to criminals if you do so.

Restore and use your backups
Probably not overly useful information right now, but I'd suggest completing a systems vulnerability assessment once this is all said and done, implement controls to cover any discoveries, and maintain a disaster recovery plan going forward.

I hope you are able to recover from backups and that this will be incentive to beef up overall security.
Take Iamthecreator's advice to solve your immediate problem. Don't pay. Restore from backup.

Ransomware is very common on Windows machines, so be sure you have an ironclad backup system in place + your backup files live on remote storage.

Remember, if your backup media is attached, then you can end up with all your backups encrypted also.
RESTORE A BACKUP!

PURCHASE ADEQUATE ANTI-VIRUS, ANTI-MALWARE, ANTI-TROJAN software and PROTECT YOUR NETWORK WITH FIREWALLS ON PCS!
What cloud backup do people recommend?
Amazon, Azure, Google, Tresorit, Backblaze, Dropbox, Box, Onedrive
Hi Andrew ...

Dropbox and OneDrive are more of a sync option I've heard; if you get hit and those files get encrypted locally, it's synced to your cloud and you're goosed. You can ask for a revert within 30 days perhaps, depending on what version you have of what ...

What's the best backup protection?
@feck1

Please post your own new question, to discuss this with experts further.
Yes Andrew, I will do as you instruct.
noci:

And instruct personnel to NOT open suspicious letters. Or have all external originating mail go through an unprivileged workstation (and unprivileged account) without access to other systems, shared storage etc., for checking it out.

Be sure that any backup solution is not continuously connected, otherwise it will be overwritten as well. You will need some kind of off-line backup, preferably with media that alternates.
As Andrew suggested, best open a new question about backup solutions.

The subject of backups is a vast domain of information.
As others have mentioned; I wouldn't pay the ransom.

You might have an option with versioning if it's turned on, which I believe it is by default. Of course, if the share was accessed directly and the ShareFile encrypted files were encrypted again, this probably will not work. It's worth a try though.

The ShareFile location should only be accessible with the account the StorageZones controller is using to authenticate.

What kind of storage are you using and can you restore from the ".snapshot" or "~snapshot" directory?
DO WE PAY THE RANSOME?

Of course not.  Unless you LIKE supporting terrorists.  This is a popular way for criminals and terrorists to extort money and fund their activities.  If you like contributing to this kind of activity, yes, of course, pay the ransom.  If you don't (and I would think most honest, good people don't), then NO, DO NOT PAY THE RANSOM!  And as others have said, there's no guarantee you'll even get the files unlocked.

You can use one of the several online tools to try to determine which ransomware hit you and see if there's currently a decrypter, but if not, then I do recommend restoring from backup, or going out of business and learning from your mistakes for the next business you're in.

Understand, backups are insurance.  If you do everything right and never get hit with malicious software and never have a computer crash, backup is a complete waste of money.  Just like Car Insurance, home owners insurance, and other forms of insurance *IF* you never need them.  BUT, when you do need them, you know you're very happy to have it and very thankful you've been paying your premiums.

There are many forms of backup... personally, I like having more than one.  Most of my clients have two or three kinds of backup JUST IN CASE.
Look at CrashPlan Pro for a reliable cloud backup.
https://www.crashplan.com
When faced with this issue and you have no good alternative backups, pay them.
If you go out of business without the data, you are screwed either way.
If it works, lesson learned.
You mention that all the file names now end in:
.crypted_hoboblin@torquechat_com

This sounds similar to what happens with the CryptXXX ransomware. Kaspersky has a tool for decrypting these files if so:
https://www.kaspersky.com/blog/cryptxxx-ransomware/11939/

There are many variants of this ransomware and many different potential free decryption tools that have been released. I suggest that you try to identify the exact variant of the ransomware. Here is a tool that can help you:
https://id-ransomware.malwarehunterteam.com/index.php?lang=en_US
Cloud backup is not enough, unless they also provide offline backups of your cloud data for you to recover from.  You'll need to have backups that can be taken offline to recover from encryption malware.
I'll share my on-site effort to combat against these criminals.
First and foremost, use an AV with known good ransomware detection. That being said, nothing is foolproof, and the next thing to do is plan for an instance of what just actually happened to the OP (hope for the best / plan for the worst).

Most ransomware will traverse the reachable network and find file shares to also include in the encryption.
I combat this by having a special backup server behind a simple NAT firewall, allowing it to initiate and pull backups from machines, while other machines on the network cannot initiate contact to it.
On the backup box itself, I perform daily snapshots using linking (cp -al) so that, just in case a backup runs AFTER a ransomware encryption event, we still have, say, yesterday's data to pull from. Day- or two-old stale data is much better than a 100% loss, and may just help you retain your position! :)
Use INCREMENTAL backups, so corrupt/encrypted files do not end up silently overwriting proper ones.

And some other insights that are mostly my own opinions: use different operating systems for desktops and backups, and try not to use Windows if possible. Never ever use a single domain for your backup and regular machines, never use Windows shares for that same purpose, never locate the backup machine on the same LAN as the regular machines, never set up a Windows machine that is part of a domain facing the internet, use reverse proxies, don't share unneeded stuff among users, use a star or multiple-star network topology rather than the archaic fat DMZs, do not provide admin accounts if possible, avoid using Outlook, and filter incoming email as best you can: if you can afford to forbid executables and Office documents, you're much safer... and that's only covering about 10% of the basics...
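The pull-based backup box with hard-linked daily snapshots and incremental backups described in the two posts above, as an added example that is not from any of the posters: a POSIX shell implementation of the snapshot step (the "cp -al" idea done per file, so a changed or encrypted file is copied fresh and the previous snapshot's copy is never overwritten), plus a count of files carrying the ransom suffix from the question so a tainted snapshot can be spotted before anyone restores from it. All paths and snapshot names are assumptions.

```shell
#!/bin/sh
# Added example (not from any poster): per-file hard-link snapshots in the
# style of "cp -al" daily backups. Unchanged files share an inode with the
# previous snapshot; changed or new files are copied, so an earlier snapshot
# is never overwritten when a later backup picks up encrypted files.
# All paths (/srv/sharefile, /backup) and snapshot names are assumptions.
set -eu

# take_snapshot SRC ROOT NAME
# Builds ROOT/NAME from SRC. ROOT/latest points at the previous snapshot;
# files identical to it are hard-linked from there instead of copied again.
take_snapshot() {
    src=$1; root=$2; dest="$2/$3"; prev=""
    if [ -L "$root/latest" ]; then prev=$(readlink "$root/latest"); fi
    mkdir -p "$dest"
    ( cd "$src" && find . -type f ) | while IFS= read -r f; do
        mkdir -p "$dest/$(dirname "$f")"
        if [ -n "$prev" ] && [ -f "$prev/$f" ] && cmp -s "$src/$f" "$prev/$f"; then
            ln "$prev/$f" "$dest/$f"      # unchanged: same inode, no extra space
        else
            cp -p "$src/$f" "$dest/$f"    # new/changed: fresh copy, old one stays in $prev
        fi
    done
    rm -f "$root/latest"
    ln -s "$dest" "$root/latest"
}

# count_suffixed DIR SUFFIX
# Counts files whose names end in SUFFIX, e.g. the
# ".crypted_hoboblin@torquechat_com" tail from the question. A jump in this
# count between two snapshots flags the later one as tainted before it is
# ever used for a restore.
count_suffixed() {
    find "$1" -type f -name "*$2" | wc -l | tr -d ' '
}

# Typical use on the backup box (assumed paths), run from cron once a day:
#   take_snapshot /srv/sharefile /backup "$(date +%F)"
#   count_suffixed /backup/latest/ .crypted_hoboblin@torquechat_com
```

Because every snapshot is a complete directory tree, yesterday's snapshot can be handed back to the file server as-is; only files that actually changed cost disk space.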
Bill Golden (asker):

Thanks to everyone. We did not pay. Able to restore from backups.