Help! Looking for server maint./sec ASAP! Got hacked!

Hi, my name is Justin,
Got to work today and found out our server has been hacked.
Our info is now being held ransom unless we pay BTC to this random address.

The info has been encrypted and the promise is that they will unlock it after payment… our (former) computer/server maintenance company has said we should pay them the money… I disagree and think I can find someone local that can either:
A) decrypt our data and restore us.
B) from here forward maintain our servers.
C) thoroughly secure our data once recovered.

From what I've found online it seems very similar to this situation…
http://nabzsoftware.com/types-of-threats/cryptowall-3-0

We are located in Haltom City off 35.
Please please help, I don't want my family to pay these ahes

I want to pay good money to have things done right. Please send me your details ASAP.
682-553-2466 is my cell, feel free to call/txt. Email me your company details and what we can do from here.
[email protected] is my personal email.

Thanks again, look forward to working with some of you hopefully!!

Just get one of these…

https://www.fixmestick.com/images/fixmestick.png
http://www.fixmestick.com
It will fix all your computer problems.

That is unfortunate, I doubt anyone would be able to decrypt the data, but that’s just a guess without knowing what algo they actually used.

1 Like

How will the FixMeStick fix a drive that has been hacked and then (maliciously) encrypted, i.e. not a virus?

1 Like

Yeah, that's what I figured. Just what to do from here?? What companies can I trust locally to do good work?

I’m assuming this is a Windows system? If so, take a look at this page. MS gives several recommendations on what to do about ransomware.

https://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx

-Robert

1 Like

EXTREMELY unlikely. It doesn’t take much effort to encrypt data and make it essentially unreadable without the key. But it is even easier to just overwrite the data with random numbers and just say it is encrypted. The latter would mean the data is lost forever.

Finding someone qualified to do this is a very good idea.

It is impossible to achieve perfect security, but yes, ‘good enough’ isn’t too terribly tough. Of course, it isn’t security that likely caused this problem but rather some user getting a computer infected with a virus.

If it were me I wouldn’t pay and would just start rebuilding data. You do have some form of back-up, right? If you do pay, expect that there is a reasonable chance you still will not get the data recovered.

Also, being former, I would have a suspicion that the computer/server company may be the ones who did this. They certainly had opportunity, and by letting them go they have motive. That said, a lot of these extortion efforts come from overseas. I would contact the FBI/Secret Service.

1 Like

One company I highly recommend is TGRnow. The company’s owner is a Dallas Makerspace member and has over 15 years of experience with network systems and security. You can call or text him at 469-554-5511.

Can you post a picture of the ransom message?

Walter is spot on as well.

Your next steps:

Disconnect the machine.

Do you have backups? Snapshots? Images?

Links that could be useful:
https://www.decryptcryptolocker.com/

Also, are you sure it’s encrypted? It could just be a pop-up.

Explorer may be fake; have you confirmed?

You could try accessing it from another PC.

4 Likes

Always, always, always have backups!

Never, never, never run things as root (or Administrator under Windows)!

And, in this case, you might have to accept that you’ll never see that data again. Wipe the machine, live, and learn never to open random email attachments or run arbitrary programs off the Internet.

Sorry,

— Zach

1 Like

I can't post pics since I'm a new user apparently?

We do have backups and that's part of what's encrypted. We also paid this company to store our data offsite and apparently we don't have that either because they didn't set it up right… Also, we have not officially fired the company that's been half-assed helping us, so I don't think they are doing it out of spite.

My apologies on adding to the advice. However, this is something where I have a smidgen of experience, so you’re getting my amalgamated advice. Some of it may not apply to you or your scenario since I know nothing of your particulars.

I’ll get the painful piece out of the way first:
NEVER, ever, under any circumstances use your server to browse the web. Infections by cryptowall are 90% browser induced, with the remainder being email induced. Servers doing server jobs do not get cryptowall as a rule.

The link you provided in the original post gives very good info on cryptowall, and basically following it will give you your options.

My take:
RDP into the machine with some user account other than the one being used now. With earlier versions of cryptowall, the “encryption” was user specific, and going in as another user would allow you to copy off the files. But if it’s actually @ version 3.0…

Wipe the server, restore from backup.

If you don’t have a good backup, pay the ransom, backup copy the files, wipe the server, build anew, and don’t use the server as a desktop.

I’d follow David_Walker’s advice and contact the recommended company, since it’s the only referral given so far, if you really want a company. It’s generally my opinion, though, that no amount of company involvement, if the server is abused into being a web browser, will save it from this kind of issue.
Following best practices, too, like not being logged into any computer as a domain admin, or having different local admin creds for servers and desktops if you’re not on a domain, will help keep these types of things at bay as well. Desktops used for browsing the web, especially for entertainment, should be considered disposable.

2 Likes

pic hyperlink maybe?

pic here

1 Like

Exactly my thoughts Robert.

Also, you might check out some of the Malware video makers on youtube…
Specifically Danooct1 and Rogueamp. (Danooct1 is local)

They might have run into this before in some of their research.

2 Likes

Nobody is using the server to surf the web. It sits in the back room and gets backups to it. Nobody is at it logged in shopping Alibaba…

1 Like

So…
This stores backups, and backups only?
From that description, the infection is actually somewhere other than the server, and the encryption is happening to the files on the server via a client infection, rather than the server itself being infected…

However, this is all speculative. I hope you can find someone competent who can actually put eyes on your situation. I am sorry I cannot do that for you, but if you’ll find competent help anywhere, it’s here. I’ll stop wasting your time so you can follow the other leads presented.

4 Likes
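Added example (not a post in this thread, and not code from any company named here): a read-only triage script for the "next steps" listed earlier (work from another PC, confirm the files really are encrypted rather than hidden behind a pop-up) and for the point just made that a client infection encrypts server files over the share. It is PowerShell run from a clean workstation against the share; the share path, the 48-hour window, the small header table and the CryptoWall note pattern are assumptions to adjust for the real environment.

```powershell
# Added example, not code from the thread. Read-only triage of a file share that
# a ransomware-infected client appears to have encrypted. Run it from a clean,
# separate workstation (never from the suspect client). Share path, time window,
# note pattern and the header table are hypothetical placeholders.
param(
    [string]$SharePath = '\\FILESERVER\Backups',  # hypothetical share
    [int]$HoursBack    = 48                       # hypothetical window
)
$since = (Get-Date).AddHours(-$HoursBack)

# Shannon entropy of the first 4 KB. Documents and most media have structured
# headers (entropy well below 7 bits/byte); ciphertext sits close to 8.
function Get-HeaderEntropy {
    param([string]$Path, [int]$Bytes = 4096)
    $buf = New-Object byte[] $Bytes
    $fs  = [System.IO.File]::OpenRead($Path)
    try { $n = $fs.Read($buf, 0, $Bytes) } finally { $fs.Close() }
    if ($n -eq 0) { return 0 }
    $counts = @{}
    for ($i = 0; $i -lt $n; $i++) { $counts[$buf[$i]] = 1 + [int]$counts[$buf[$i]] }
    $h = 0.0
    foreach ($c in $counts.Values) { $p = $c / $n; $h -= $p * [Math]::Log($p, 2) }
    return [Math]::Round($h, 2)
}

# Does the file still start with the header its extension promises?
# $null means "type not in the table", $false means the content was replaced.
function Test-FileHeader {
    param([string]$Path)
    $expected = @{ '.docx' = 'PK'; '.xlsx' = 'PK'; '.zip' = 'PK'; '.pdf' = '%PDF' }
    $ext = [System.IO.Path]::GetExtension($Path).ToLower()
    if (-not $expected.ContainsKey($ext)) { return $null }
    $buf = New-Object byte[] 4
    $fs  = [System.IO.File]::OpenRead($Path)
    try { $n = $fs.Read($buf, 0, 4) } finally { $fs.Close() }
    $head = [System.Text.Encoding]::ASCII.GetString($buf, 0, $n)
    return $head.StartsWith($expected[$ext])
}

# 1. Everything written in the window, grouped by owning account. When the
#    encrypted copy is created as a new file over SMB, its owner is the client
#    user that wrote it, so the top account points at the infected machine.
#    (Accounts in the server's local Administrators group show up as
#    BUILTIN\Administrators rather than by name.)
$recent = Get-ChildItem -Path $SharePath -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since }

"Accounts that wrote to $SharePath in the last $HoursBack hours:"
$recent | ForEach-Object { (Get-Acl -Path $_.FullName).Owner } |
    Group-Object | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 2. Ransom notes are dropped in every folder; the earliest one dates the start.
#    CryptoWall 3.0 named its notes HELP_DECRYPT.*; adjust for other families.
$notes = $recent | Where-Object { $_.Name -like 'HELP_DECRYPT.*' }
"First ransom note: $(($notes | Sort-Object LastWriteTime | Select-Object -First 1).FullName)"

# 3. Confirm the data is really encrypted and not just renamed or hidden behind
#    a pop-up: a failed header check plus entropy near 8 means the content is gone.
$recent | Where-Object { $_.Name -notlike 'HELP_DECRYPT.*' } |
    Select-Object -First 25 | ForEach-Object {
        [pscustomobject]@{
            File     = $_.FullName
            Owner    = (Get-Acl -Path $_.FullName).Owner
            HeaderOk = Test-FileHeader $_.FullName
            Entropy  = Get-HeaderEntropy $_.FullName
        }
    } | Format-Table -AutoSize
```

The owner column is what answers the "server or client?" question: if every damaged file was written by one workstation user's account, the server itself is a victim of that client's credentials, which is also the account to disable and the machine to pull off the network first.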

The infection was caused by a user and we know which user. But the files that are now encrypted are on the server. So it is the server that now has the problem as well as the user's CPU, which has been taken offline.

2 Likes

OK, last bit from me.
Assuming a windoze server, have you checked for shadow copies? Last I knew, cryptowall did not know to infect those, though if they were already infected before being copied, they would show up as infected, so you may have to go back a few days or weeks…
OK. Shutting up now so you can pursue competent, dedicated help.
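Added example (not a post in this thread, and not code from any company named here): how the shadow-copy check above is actually done on a Windows file server, in PowerShell run as an administrator on the server. It lists the Volume Shadow Copies for the data volume, picks the newest one taken before the incident, exposes it as a read-only path, spot-checks a known document so a snapshot that already contains encrypted files is rejected, and copies the good data to a clean disk. The volume letter, incident time, link path, destination and probe file are assumptions; it also assumes VSS was enabled and the snapshots still exist, which the first step verifies rather than takes for granted.

```powershell
# Added example, not code from the thread. Enumerate Volume Shadow Copies on a
# Windows file server and expose one as a read-only path so intact copies of
# the data can be copied to a clean disk. Assumes VSS was enabled on the data
# volume and the snapshots still exist; volume letter, incident time, paths and
# the probe file are hypothetical placeholders.
$volume   = 'D:\'                       # hypothetical data volume
$incident = Get-Date '2015-10-12 06:00' # hypothetical: when the notes first appeared
$mount    = 'C:\vss_recover'            # hypothetical link path for the snapshot
$copyTo   = 'E:\recovered'              # hypothetical clean destination disk
$probe    = 'Finance\Q3-report.xlsx'    # hypothetical file known intact before the incident

# 1. Map the drive letter to its volume GUID and list that volume's snapshots.
$volId   = (Get-CimInstance -ClassName Win32_Volume | Where-Object Name -eq $volume).DeviceID
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object VolumeName -eq $volId | Sort-Object InstallDate
"Shadow copies of ${volume}:"
$shadows | Format-Table InstallDate, ID, DeviceObject -AutoSize

# 2. Take the newest snapshot made before the incident. If none exists, VSS was
#    off, the copies aged out, or they were removed; record that and stop.
$snap = $shadows | Where-Object { $_.InstallDate -lt $incident } | Select-Object -Last 1
if (-not $snap) { throw "No shadow copy of $volume older than $incident is available." }

# 3. Expose the snapshot as a directory symbolic link. The trailing backslash
#    after the device object path is required for the link to resolve.
if (Test-Path $mount) { throw "$mount already exists; pick another link path." }
cmd /c mklink /d $mount "$($snap.DeviceObject)\" | Out-Null

try {
    # 4. Spot-check a known document before trusting the snapshot: per the caveat
    #    above, a snapshot taken after the infection holds encrypted files too.
    $probePath = Join-Path $mount $probe
    $head = -join [char[]]([System.IO.File]::ReadAllBytes($probePath)[0..1])
    if ($head -ne 'PK') {
        throw "Snapshot from $($snap.InstallDate) holds a damaged copy of $probe; try an older one."
    }

    # 5. Copy out to a clean disk, skipping ransom notes. No mirror/purge options,
    #    so nothing already on the destination is ever deleted.
    robocopy $mount $copyTo /E /COPY:DAT /R:1 /W:1 /XF HELP_DECRYPT.*
}
finally {
    # rmdir on a directory link removes only the link, never the snapshot contents.
    cmd /c rmdir $mount | Out-Null
}
```

If step 1 prints nothing for the volume, that absence is itself a finding worth writing down for whoever investigates, and the remaining options are the offsite copy and the backup media the thread has already discussed.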

Er, bump TTT! :smiley:

1 Like

I can’t guarantee that the files can be recovered, but it’s possible. Could you bring the affected server to DMS for a day or so?

2 Likes