Ransomware attacks small business-Kryptoro

  • 04-03-2010 2:32pm
    #1
    Registered Users, Registered Users 2 Posts: 3,484 ✭✭✭


    A friend who works for an IT company came across this on a client's server today.
    All the data shares are empty.
    All backups have been edited to just back up the Windows folder, so they showed as successful when sending their job report.
    There is a folder in the C: drive with this note beside it.
    Anyone come across this before?

    "
    Hello
    Welcome to our little ransom project, the Kryptoro.
    This is our job, we do this every day to many, many people.
    Do not think that you are unique or special, you are one number on our list of hacked servers.

    First of all, your server was accessed by the Kryptoro team, and your backup files were securely erased.
    [brightstar ARCServ]

    Selected data folders and files were moved to a new location and encrypted using standard AES 256 bit encryption.
    [c:\encrypted files]

    Do not delete files with the extension .cpt as these are your files, but encrypted.
    Do not think that you can recover your stuff without paying us, we assure you that it is not possible, as we have taken every step to rewrite the empty space on the disk with random data and to securely delete the backups etc.

    There is no way to recover them without the encryption key/decrypt software.
    The decryption file / passkey costs 700$ USD

    If you are willing to pay, email back, we will provide payment instructions.
    The solution is a small file, which you run one time, and which will decrypt your files.
    It will take approx 2-3 hours to run through.

    Welcome to RansomWare.

    kind regards,

    Kryptoro ;)

    If you want your files back, our contact details are:

    kryptoro@safe-mail.net"


Comments

  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    Sounds like a trojan along the lines of Trojan.Ramvicrype (Symantec name).

    Most likely it isn't using the encryption algorithm it is claiming to use, though that is of little comfort; you still need to find out which version it is and find a way to remove it.

    Some of these ransomware trojans also install a keylogger / password sniffer and upload the data to a central server. So, step 1: disconnect the server from the network and the outside world.

    Step 2: check your backups and find when the last complete backup was performed.

    Step 3: look for a removal tool.

    or

    Pull the hard drives and restore your last successful backup to a fresh set of drives (and run an AV scan to make sure it isn't infected). Then change all security credentials and patch it up as much as you can.

    You also need to work out how you got hit. Some forensics on the server would be useful, as well as making sure the server is blocked from direct internet access (no one should be browsing the internet from a server anyway).

    Check your firewall. Take an image of it as it is now and then start locking down ports. Start by locking down everything and then only open what you absolutely need. Deal with other requirements on a case by case basis.

    Top priority right now is the data. Next is making sure it doesn't happen again.


  • Registered Users, Registered Users 2 Posts: 3,484 ✭✭✭jamesd


    From what I gathered they don't have a set of backup tapes now that are complete, as he said the backups were all changed to back up only the system files and not the data, and he can see the backup sizes have dropped over the last week or so.


  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    Well, at worst they should have a monthly backup tape set aside, so that's what, February? End of January? End of year from December?

    That should get them up and running until they can work out which trojan hit them and retrieve their more up to date files.


  • Closed Accounts Posts: 1 tsheerin


    One of my customers has the same problem today.

    We have only 5 tapes and all are empty. We reported it to the Garda computer crime prevention unit. I sent them a copy of one of the encrypted files and the ransom note.
    They sent the file over to UCD and there is no way of cracking it.
    Eircom are reporting 6 complaints of the same thing.


  • Closed Accounts Posts: 1,710 ✭✭✭RoadKillTs


    Article about this on RTE.

    Link


  • Registered Users, Registered Users 2 Posts: 68,190 ✭✭✭✭seamus


    The fact that the attacks appear to be localised in the west/midlands suggests that it may be spread via email.

    In any case, it's time for me to audit my Dad's place, as they're a small business that would be vulnerable to malware like this.


  • Moderators, Home & Garden Moderators, Technology & Internet Moderators Posts: 24,789 Mod ✭✭✭✭KoolKid


    Off site back-ups all the time.


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    While it is unclear what operating system the victims of Kryptoro are using, it never ceases to amaze me that Microsoft sells Windows Small Business Server products as a solution to run a company’s critical systems (eg accounts receivable and payable, general ledger, and perhaps hold personal information of customers, spreadsheets with business plans, cash-flow projections, whatever else private and critical to a business). On a single “all in one server” platform that can also host email, host the company's website, provide web access for staff to access Facebook, read private emails, download attachments, surf websites with nasty code that exploits vulnerabilities in flash, pdf and other file formats.

    In my view Microsoft is grossly negligent in this type of sales pitch and the manner in which this product is delivered to end users. I don't believe that small print terms in an EULA would absolve them from financial exposure - certainly not in a civil law country.

    They should perhaps require each chief executive of a company who attempts to buy these products aimed at small business users to sign off on a letter or other document which points out using detailed examples of the risks of running applications, in big print, such as an accounts receivable or payable ledger on the same box that is connected to the internet. Perhaps a brief summarised case story from the victims of Kryptoro (if in fact they use this or a similar product). Best to send them the same reminder every year or so, because people forget and new applications creep in without due consideration of the security implications.

    A “Dickensian” era retailer would not put his quill pen written current “debtors ledger” book in his shop window – no more than a jeweller would leave a €200,000 diamond encrusted Rolex watch in their shop window overnight in many cities. Allowing the same information to be stored on a system connected to the internet is akin to displaying it on a street window in front of which pass several billion people each day, with all sorts of motivations and agenda. A window that they can break in a “passive manner” without any noise of glass breaking or other signals that something wrong is going on.

    If someone wants to provide customers with online access to their debtors ledger or other similar functionality, put a copy of the ledger on a separate machine connected to the net, and update it on a timely basis.
    If you want to allow staff to access an online banking or some other “trustworthy” website from a system connected to your “crown jewels” perhaps OK – but limit it to a list of critically essential and trusted sites.

    If a company wants to host a website, or provide email services, either outsource it or put it on a separate machine using a separate internet connection (or at least use three routers in a Y configuration) to protect it.

    http://www.microsoft.com/sbs/en/us/default.aspx


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    koolkid wrote: »
    Off site back-ups all the time.

    These intruders appear to have tampered with the backups and the process that creates them. If they got root access to a system, they could also tamper with offsite backup systems - be they over the web services like www.carbonitepro.com or something that backs up to a USB hard drive that a staff member takes home with them.

    The malware appears to lie in waiting for some time to damage multiple backups before it reveals itself. There is nothing to stop them from hanging around silently for six months if experience shows that they need to. They can also of course increase the "restoration fee" to a much larger figure.

    You probably really need a second box with a mirror image of the software installed and patched up to date, and copy the required data files over to the standby system. Use different passwords on the standby system. If an attack arises, this leaves one with a ready to run system to take over in place of the damaged server.


  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    Or, admins should test the backup tapes once a week: just restore a file to make sure it's actually on the tape. Had an issue like that before, but it was the tape drive itself that couldn't read what it had written successfully. Only found out when I went to restore a file. A new tape drive later and I started restoring a test file at random intervals to make sure the drive still worked.

    @probe:
    Most businesses use SBS edition software because they can't afford to have multiple boxes. Same goes for spending money on a mirror box so it can sit there and do nothing. The vast majority of financial controllers would never understand that kind of spend, especially as it would be seen to be ongoing and open ended. (Beyond the hardware there's software licensing to consider. Most businesses don't have mirror site maintenance in their DRP for this very reason.)

    But yes, hosting a website internally shouldn't be done from a DC or other fileserver; host in a datacentre on colocated or hosted boxes. Use SBS to host your intranet etc. As for Microsoft being grossly negligent, I don't think they are. They provide a box that *can* do multiple roles; that doesn't mean the end user has to hook it up to the big bad world with no protection. That comes down to ill-educated admins or companies cutting costs by not bothering with correct training or hardware.


    @tsheerin: 5 tapes? Minimum 10 on a two week rotation + 12 more for monthly and end of year backups.


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    LoLth wrote: »
    Or, admins should test the backup tapes once a week: just restore a file to make sure it's actually on the tape. Had an issue like that before, but it was the tape drive itself that couldn't read what it had written successfully. Only found out when I went to restore a file. A new tape drive later and I started restoring a test file at random intervals to make sure the drive still worked.

    Tape is not very reliable, especially if it has to restore to another device, e.g. you have a failure or theft and have to buy a new box with a new tape drive. Head alignment different by a micron and the restore to the new box won't work. (Better to have the replacement box on cold standby at an offsite location to drop it into place in an emergency, where your ability to restore can be proven without any risk to the production system.)

    LoLth wrote: »
    @probe:
    Most businesses use SBS edition software because they can't afford to have multiple boxes. Same goes for spending money on a mirror box so it can sit there and do nothing. The vast majority of financial controllers would never understand that kind of spend, especially as it would be seen to be ongoing and open ended. (Beyond the hardware there's software licensing to consider. Most businesses don't have mirror site maintenance in their DRP for this very reason.)

    If you do a test restore to your only (i.e. production) kit to see if your backup is OK, and the file has been messed up by hackers, or if the restore doesn't work properly and corrupts your server's files, you have simply accelerated the speed at which the damage is done....

    (1) Microsoft shouldn't be charging licence fees on SBS for a second spare box that is not in production; it is there primarily to make up for inadequacies in the security of their software, one way or another. It is just like having backup DVD media for the software in a safe, only it is not in a safe, it is stored on a machine that isn't used normally.

    (2) Speaking with an FD's hat on, there is no way that I would want anyone to walk into my office with the blackmail note at the root of this thread. The cost of losing a company's financial records is massive. If you can't stay on top of your accounts receivable in a timely manner the asset vanishes very quickly and becomes less and less collectible. If your general ledger is lost, you can't produce financial accounts and risk having a qualified audit report in a best case scenario! An auditors' report qualification about a company's inability to keep proper books of account could lead to a bank withdrawing facilities, breach of loan covenants, and lots of other issues. Aside from the damage to customer relations. Inventory control systems breaking down..... The cost of a spare server box is tiny by comparison!

    A spare server box doesn't have to be expensive and doesn't have to be fully kitted out for full capacity. Additional disks and other stuff can be added in case it needs to be put into place.

    Aside from Kryptoro and who knows what other threats in the future, a spare box stored at an offsite location is very useful in the event of a fire or theft of hardware or flooding etc. It makes it faster to re-start the show in the event of a calamity. Does a business really want to wait 3 weeks to get a replacement server delivered?

    LoLth wrote: »
    As for Microsoft being grossly negligent, I don't think they are. They provide a box that *can* do multiple roles; that doesn't mean the end user has to hook it up to the big bad world with no protection. That comes down to ill-educated admins or companies cutting costs by not bothering with correct training or hardware.

    SBS is not aimed at companies with an IT department. The risks of using certain features of the product (as a webserver, to provide internet access to users, to use it as a mail server, etc.) have to be spelled out in Sesame Street lingo to the people in authority at the client organisation. Microsoft has been sleepwalking into the internet age for about fifteen years across all their product ranges. This is just another example of how dysfunctional monopolies are.


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    Cross reference to a posting I wrote about using multi-factor authentication to control user logins to Windows systems. This solution would prevent hackers (and people who break in to premises) from extracting ransom money.

    You'd obviously need up to date offsite backup and ideally a spare machine stored offsite to confidently be able to tell someone who does these things to get lost. You might as well encrypt the hard drives on your server as well to prevent a burglar from misusing your company data.

    http://www.boards.ie/vbulletin/showthread.php?p=64792909#post64792909


  • Banned (with Prison Access) Posts: 890 ✭✭✭CrinkElite


    So, how'd it go?
    I hope you got your Data back.

