Geekzone: technology news, blogs, forums
Has anyone ever had a ransomware attack?


# 262231 11-Jan-2020 14:44
There is an item on RNZ about the Travelex ransomware attack. I have never experienced one, or any other attack, but I am wondering if anyone has? What happened?


# 2390272 11-Jan-2020 15:15
They had an unsecured VPN. It encrypts the server disk and asks for an unlock code that you only get by paying, usually via bitcoin.

# 2390273 11-Jan-2020 15:15
The company I was at back in 2014-ish got hit by a variant of CryptoLocker which took one of our sites offline for a couple of days, caused by a user opening an email attachment. Luckily we had pretty good monitoring in place, so we picked up on it early and were able to lock down the WAN to prevent it spreading to other sites / our data centres.
We ended up restoring the server from backup (daily off-site backups meant at most we lost a couple of days of data) and re-imaging the PCs.



# 2390284 11-Jan-2020 16:16
Had a school with a Synology that decided they no longer wanted to pay any person or company for support, and would rather just use one of the parents.

As a result the Syno never got patched. Then the Syno cryptolocker hit; as soon as it was mentioned on the interwebs I logged into the Syno and immediately realised it had been hit. Rang them straight away and told them to just pull the power and not ask questions.

Luckily it had started on the backup drive first, so only a few main share files had been locked. Also luckily, I had set up a GDrive backup, so was able to fully recover all lost files; without the backup they would have been screwed.

# 2390427 11-Jan-2020 19:54
This is simplistic and wrong. Yes, an unpatched VPN seems to have been the vector. No, the "unsecured VPN" is not responsible for encrypting the server disk; rather, someone gained access by exploiting a vulnerability in the unpatched VPN and had the cryptolocker installed.


Interesting topic, as just this week I was communicating with someone who had their systems affected and managed to decrypt everything without paying the ransom - basically they explained to the bad actor that they were not a business and couldn't afford the amount of money asked. I have screenshots and videos, will post on another thread later.




# 2390428 11-Jan-2020 19:55
Prior to a few weeks/months ago, so long as you had good backups, there was really no need to consider paying a ransom. Since ransomware has become such big business, and IT has caught up and is moving toward doing a better job of protecting against it, the criminals have decided to get around the "if you have a backup they won't pay" problem by now threatening to release a copy of the data they took when they encrypted. So even if you have a backup, there are some people who will likely need to pay to avoid the release of what could quite possibly be sensitive or privileged information.


IT service providers are now a big target. There have been some HUGE hits deployed by compromising the MSP/IT provider, and using the IT provider's links to their customers to encrypt the customers.


It's a scary world out there now.

