A Brush with Modern Day Digital Pirates

So I would like to apologize, it's been a while since my last newsletter. Between children being home and wanting to go places, I took what could only be defined as a summer sabbatical, and I will be the first to admit that it is really hard to find work-related topics to write about when you're not really working. And to be honest, I was really enjoying my time with my son right up until last Thursday, when someone in Russia decided it was time for me to get back to work. Ironically, it was also Josh's first day back at school.

So the day started out great. I woke up a bit earlier than usual (around 4am) and went for a nice walk. Got home around 5:30am to the first email message hinting at a possible issue with a customer unable to connect to the website. So, just as we have done thousands of times before, I jumped on the server and restarted the service. Odd, the desktop looks more cluttered than usual, but that is not why I'm here. Besides, it's always cluttered. I restarted the service and went on about my day. 6:30am brings another email about the web server. Ok, maybe a server reboot is needed. So I log back into the server (still not paying attention to the extra clutter) and proceed to run through the reboot procedures. Headed into the kitchen for breakfast, and it was time for Josh to get to school. 7am brings my first phone call: they have been trying to connect all morning. Told them I would check it out and see if I can figure out what is going on, and by now I'm starting to get a little concerned. This is odd: the normal desktop image has been replaced with a letter hidden under all the icons. This is the extra clutter I was referring to earlier; something about encryption. So I cleared the desktop to uncover the following letter.

[Image: the ransom note]

So to be honest, it took probably 4 reads of this letter and half a dozen checks in different directories before it finally dawned on me what had happened. In short, every non-binary file on the "C:" drive had been encrypted in place and was inaccessible. Not to mention that the letter, though factual, initially sounds more like a sales brochure for CryptoWall than a demand letter. Really, they should lead this letter with large letters that say "Congratulations, You have been hijacked" or something of that nature; I'm pretty sure they would get a faster response time. Below is a picture of the app that did all the damage, a file called "smrss32.exe". This file was placed here by a bot originating from a partner company's network on 8/2. That same bot waited 2 days before it came back and executed the program, resulting in the content of this newsletter.

[Image: the encryptor, smrss32.exe]
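As an added illustration (not code from the original post), a defender's triage check for the "encrypted in place" symptom described above: text-type files whose leading bytes are near-random have most likely been overwritten with ciphertext. The extension list, sample size and entropy threshold are assumptions of mine, and the sample files are constructed inline.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions of "non-binary" working files that should never look like random bytes (assumed list).
PLAIN_EXTS = {".txt", ".csv", ".xml", ".json", ".sql", ".log", ".html"}
ENTROPY_THRESHOLD = 7.2   # bits per byte; readable text usually sits well below 6 (assumed cutoff)

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the sample (0.0 for empty input, 8.0 is the maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(path: Path, sample_size: int = 4096) -> bool:
    """A text-type file whose leading bytes are near-random has likely been encrypted in place."""
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    # Very small files give unreliable entropy figures, so they are skipped.
    return len(head) >= 64 and shannon_entropy(head) > ENTROPY_THRESHOLD

def scan_tree(root: str) -> list:
    """Walk a directory tree and return the plain-text files that now look encrypted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            if p.suffix.lower() in PLAIN_EXTS and looks_encrypted(p):
                hits.append(str(p))
    return sorted(hits)

def demo() -> tuple:
    """Constructed sample: one readable CSV and one CSV overwritten with random bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp, "orders.csv")
        good.write_text("id,customer,total\n" + "".join(f"{i},acme,{i * 3}\n" for i in range(200)))
        bad = Path(tmp, "invoices.csv")
        bad.write_bytes(os.urandom(8192))   # stands in for a file encrypted in place
        hits = scan_tree(tmp)
        return len(hits), str(bad) in hits

if __name__ == "__main__":
    print("flagged files, random file flagged:", demo())
```

Run against a suspect drive, the count of flagged files is a quick first estimate of the blast radius (the post's 240k) before any decryption is attempted.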

First off, I started researching Bitcoin, the currency of choice according to the letter. After finding out that setting up a Bitcoin account was a bit more complicated than the letter makes it out to be, and that Bitcoin accounts are still partially illegal in the US, I decided to seek a second opinion. Enter Team Microfix, a Canadian company that appears to have found itself a new calling in making sure all the demands of these pirates are met and your data is fully restored. At this point Team Microfix took the lead in researching the damage (240k encrypted files) and coordinating the ransom payment. Once the ransom was paid, we had a nearly 18 hour wait before the key and decrypt instructions were received.

[Image: the decryption program]

Once installed, the decrypt process took roughly 4 hours to complete, and there were still about 40 files that could not be decrypted because, for some reason, the cleaner.exe app has a problem decrypting anything that had been saved in .rar compressed format prior to the encryption.

[Image: the files that could not be decrypted]

The process (not including the time) was pretty straightforward: I pay money, they send me a key. As a computer geek I'm pretty sure I could have figured this out myself; however, having a guide like the employees at Team Microfix proved valuable for 1) getting past the Bitcoin process (a process I hope to never need again) and 2) keeping the emotions in check. Yeah, I'm pretty certain I would have had a problem with this one. Even in light of very explicit instructions, I still would have written a 10 page nastygram giving the pirates a piece of my mind.

The price tag: 1 Bitcoin, $700. 4 billable hours of Team Microfix's time, $500. And honestly, I cannot even begin to put a price tag on our customers' expectations. The feeling of asking our customers to hold off processing their data for nearly 24 hours was quite the wake-up call and somewhat overwhelming. There are some changes coming down the pipe for Van-On-Demand, but I will leave the details of those changes for future posts. At this point, I only want to thank our customers for their patience last week, apologize for allowing our policies to lapse in my absence and against better judgement, and assure our customers that I am fully invested in being back on the job and am starting to put together a plan of attack for the issues people are talking to me about, along with ensuring that an incident such as this one will not happen again.

Thank you,

Stephen
