Windows, Linux Servers Beware: New Malware Encrypts Files Even After Ransom Is Paid

spdragoo

Expert
Ambassador
Usually, the business that says "it's too expensive" is only considering the actual cost of backing up their data & system (or to invest in preventative software protection)...& not considering the potential cost should they be hit with ransomware & didn't back their data up. The cost of data backup software & extra storage devices (even including the extra cost to pay the personnel to run the equipment) is almost 100% guaranteed to be much, much lower than the revenue they'll lose because of halting operations while rebuilding their data from scratch...not to mention the cost to their reputation among their customers (although it's considered an "intangible" asset, it tends to have a profound impact on the bottom line).

stdragon

Admirable


Loss of data is one of many reasons a company can go out of business.

It's one thing to have a natural disaster strike and take out physical assets and property. Those can be replaced (if you have insurance). But if you've lost all your data, essentially you've lost your entire business with the exception of starting all over with repeat business via an existing customer base. And even then, they will have to come to you if you don't have any documentation on how to reach back out to them.


USAFRet

Titan
Moderator


Which is more expensive?
A good backup routine, or loss of all your data and multiple days/weeks of downtime?

I know...many managers can't think that far ahead. Or home users.
But we see that here every day, multiple times a day.

Be it a dead drive, or some virulent virus, or whatever.
"PLEASE!! I need my stuff back!"

For a business, with 50 users at $200/day each...doesn't take much downtime to justify the cost of a backup situation.
Or..."That was our whole order chain from the last 6 months."

Too bad, so sad.
A friend of mine got hit by ransomware. She's CFO of her family's business and all the salesmen report to her. The malware got lucky and created an email appearing to be from one of her salespeople to her, with a spreadsheet attachment. Exactly the kind of email they send her all the time, so she went ahead and opened it.

The moment she realized it was malware, she yanked the network cable (physically tore it out of the wall socket - they had to replace it with a new one). She then called IT, who took the compromised computer and replaced it with a spare they kept for emergencies like this. They restored her old computer onto it from the previous night's backup, and she was back at work by late afternoon. Because they had good backups, the total effect of the ransomware was less than if she'd taken a sick day.

Interestingly (and somewhat relevant to this article), the ransomware offered to let her decrypt one file for free to prove that it was capable of decrypting the encrypted files. There was one file she had been working on that morning which wasn't in the previous night's backup. So she chose to restore that file, and got out of the situation without losing any work.

As stated above, backup, backup, backup.

stdragon

Admirable
Ransomware can be initiated via a spear phishing attack. At first, they will attempt to trick a user into providing their e-mail credentials (password reset) to a fake website (often looks like Office 365 if that's the provider per MX records). They're given an error, and soon ignore it. Meanwhile, the criminal logs in, creates e-mail rules and a forwarder to an external GMAIL account or whatever. Now that they have full access to the account (including a copy of the outbound e-mail signature), they can proceed to spam all contacts with fake documents containing ransomware in an embedded macro.

The malware proceeds to crawl every share and encrypt the files. Most of the time, on a Friday or weekend after 5pm, so as to have as much time as possible to 0wn the files without much suspicion until it's too late.

In most cases, I can restore all the data via shadow copy (assuming the quota was large enough on the volume to begin with), local backup, or from the cloud. Typically servers themselves never get hacked, only the shares, as the executable can't run on the OS of said server. The only time a server itself gets hacked is if a user account is a member of the Domain Admin group in AD - and that's because the previous IT admin was incompetent to be granting that to users in the first place.

Remember, Ransomware as I know it can only encrypt enumerated volumes, be it mapped drives or direct attached storage. Perhaps the newer versions will crawl the network and attempt damage to whatever the user has access to. In any case, if you must back up a local machine, it's best to do it over the network where the backup network credentials are initiated and stored in the backup application, and not with an existing user account. Meaning, you don't want the Ransomware to take out your backups as well, because if it has access to them, IT WILL TAKE THEM OUT (along with purging shadow copies via the VSSADMIN command). After all, it wants the ransom payout. If you have access to backups, there's no need for that. The malware authors know that.
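As an added example (not code from any poster in this thread), here is Python detection logic that runs over a few constructed process-creation log lines and flags the shadow-copy and backup-catalog deletion commands stdragon describes, also tagging whether each ran off-hours (the Friday-after-5pm timing mentioned above). The pipe-separated log format and the 08:00-17:00 business-hours window are assumptions for the example.

```python
import re
from datetime import datetime

# Constructed sample lines in a simplified, assumed format (not real event logs):
# timestamp | account | process image | command line
SAMPLE_LOG = """\
2023-06-02T17:42:10 | CORP\\jdoe | C:\\Windows\\System32\\vssadmin.exe | vssadmin delete shadows /all /quiet
2023-06-02T17:42:12 | CORP\\jdoe | C:\\Windows\\System32\\wbem\\WMIC.exe | wmic shadowcopy delete
2023-06-02T17:42:15 | CORP\\jdoe | C:\\Windows\\System32\\wbadmin.exe | wbadmin delete catalog -quiet
2023-06-05T09:15:00 | CORP\\backupsvc | C:\\Windows\\System32\\vssadmin.exe | vssadmin list shadows
2023-06-05T09:20:00 | CORP\\jdoe | C:\\Windows\\System32\\notepad.exe | notepad.exe report.txt
"""

# Command lines that destroy the local recovery points a victim would otherwise
# restore from (the "purging shadow copies via VSSADMIN" behaviour described above).
# Listing shadows is benign and deliberately not matched.
SHADOW_TAMPER_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
]

def is_off_hours(ts: datetime) -> bool:
    """Weekend, or outside the assumed 08:00-17:00 weekday business hours."""
    return ts.weekday() >= 5 or ts.hour < 8 or ts.hour >= 17

def parse_line(line: str) -> dict:
    """Split one pipe-separated log line into its four fields."""
    ts, account, process, cmdline = (f.strip() for f in line.split("|", 3))
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "process": process, "cmdline": cmdline}

def detect_shadow_tampering(log_text: str) -> list:
    """Return one alert per event whose command line matches a tamper pattern."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if any(p.search(ev["cmdline"]) for p in SHADOW_TAMPER_PATTERNS):
            alerts.append({**ev, "off_hours": is_off_hours(ev["ts"])})
    return alerts

if __name__ == "__main__":
    for a in detect_shadow_tampering(SAMPLE_LOG):
        flag = "OFF-HOURS " if a["off_hours"] else ""
        print(f"{flag}{a['ts']} {a['account']}: {a['cmdline']}")
```

Three alerts fire on the sample (all on the Friday after 17:00); the `vssadmin list shadows` run by the backup account and the notepad launch are ignored.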