IraqiGeek's Blog

It's all distant and abstract, until it hits someone you know

Ever since Stuxnet, there has been no shortage of news, almost on a daily basis, about some high profile government or private entity or institution being hacked. Sometimes, the hackers' objective is to infiltrate the target organization, to listen on and monitor its activities. Other times, the objective is to exfiltrate sensitive information from the target. Still other times, the objective is to destroy the target and their infrastructure. Whatever the target, it all seems distant, abstract, and not something that would happen to the average Joe. After all, what would your average hacker gain from hacking our personal computers, and our data?

Then, it happens to someone you know, and it suddenly becomes all too real.

It all started when a friend, who works at a small local business, called me a few days back around the end of the day asking if I could help with some computer trouble they were having at the office. When I asked what the problem was, she said someone had entered their office network and encrypted all their data and files, and was now demanding a ransom in order to deliver the encryption key. Naturally, I went immediately to their office to get a sense of the gravity of the situation.

Sure enough, while their office computers were up and running, all data and files were encrypted. Not only that, the ransomware that encrypted all files and data had left a readme file containing payment instructions in every single folder where it had encrypted files.

This readme not only identified the victim by a unique ID (kind of like a customer number), but gave them instructions on where to buy bitcoins, which address to send the bitcoins to, how to get in touch with the hacker (through a Tor hidden chatroom), and how to provide evidence of payment to the hacker. The instructions were clearly translated into Portuguese using an automated translator like Google Translate, but still!

How did this happen?

Like many businesses, this one constantly sends and receives letters and parcels, and deals extensively with logistics and transport companies. So, when an email appeared claiming to be from one such company, the person attending to this email didn't think much of opening the link embedded within it. The link sent them to a site claiming that they had a parcel awaiting them, but as the site didn't look quite right, this person closed the page, and even ran an antivirus scan for good measure!

But it was already too late. Despite the antivirus proclaiming that all was fine, the machine was already infected and the ransomware was already at work encrypting every file it came across.

Now, anyone's first instinct in such an incident is to restore the last backup, clean up the system, and give this hacker the proverbial finger. However, the backup in this instance was synchronizing all data and files to the cloud, using Google Drive. But since the ransomware encrypted files in place, Drive did its job and synchronized all those encrypted files, rendering the Drive "backup" all but useless. While it was technically possible to restore an earlier version of each file, there were close to 50k files to restore, rendering the task practically impossible.
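Since the note turned up in every encrypted folder and the sync client faithfully uploaded the encrypted versions, the first thing a defender wants before touching the per-file version history is a bound on which files actually changed during the incident. The following Python script is an added example, not code from this post or from any tool the author used. It walks a directory tree, picks out the ransom note as the identical file duplicated across the most folders (so a single legitimate README is not mistaken for it), uses the earliest note's modification time to bound the start of encryption, and splits the remaining files into those modified during the incident (candidates for restoring a previous version) and those untouched. The candidate note filenames, the `.locked` suffix, the sample tree and the five-minute grace window are all constructed assumptions for the demo.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

# Assumed filenames the note might use; the post only says "a readme file".
CANDIDATE_NOTE_NAMES = {"readme.txt", "readme.html", "readme"}
GRACE_SECONDS = 300  # assumed slack: files encrypted just before the note was written


def find_ransom_note(root):
    """Return the paths of the ransom note, identified as the candidate file whose
    identical content is duplicated across the most directories. A single genuine
    README (different content, one copy) is not selected."""
    groups = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in CANDIDATE_NOTE_NAMES:
                path = Path(dirpath) / name
                digest = hashlib.sha256(path.read_bytes()).hexdigest()
                groups.setdefault(digest, []).append(path)
    if not groups:
        return []
    best = max(groups.values(), key=len)
    return best if len(best) >= 2 else []


def note_coverage(root, notes):
    """Fraction of directories under root holding a copy of the note; close to 1.0
    means the note was dropped everywhere, which is the pattern from the post."""
    note_dirs = {p.parent for p in notes}
    total = sum(1 for _ in os.walk(root))
    return len(note_dirs) / total if total else 0.0


def infection_window(root, notes):
    """Bound the start of encryption by the earliest note and split every other file
    into 'touched' (modified at or after that bound, so its current content may be
    ciphertext and an earlier version should be restored) and 'untouched'."""
    note_set = set(notes)
    start = min(p.stat().st_mtime for p in notes) - GRACE_SECONDS
    touched, untouched = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path in note_set:
                continue
            (touched if path.stat().st_mtime >= start else untouched).append(path)
    return start, sorted(touched), sorted(untouched)


def build_sample_tree():
    """Constructed sample: two folders hit by the ransomware, an older archive folder
    and a tools folder with a legitimate README that predates the incident."""
    root = Path(tempfile.mkdtemp(prefix="ransom_triage_"))
    now = time.time()
    week_ago = now - 7 * 86400
    note_text = b"Your files are encrypted. Victim ID: [CONSTRUCTED]\n"
    files = {
        "contracts/contract_a.docx.locked": (b"\x00ciphertext\x00", now),
        "contracts/readme.txt": (note_text, now),
        "invoices/invoice_1.xlsx.locked": (b"\x00ciphertext\x00", now),
        "invoices/readme.txt": (note_text, now),
        "invoices/archive/old_scan.pdf": (b"%PDF-1.4 untouched", week_ago),
        "tools/README": (b"How to use the label printer\n", week_ago),
    }
    for rel, (content, mtime) in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
        os.utime(path, (mtime, mtime))
    return root


def triage(root):
    """Run the three steps and return plain filenames, handy for a report."""
    notes = find_ransom_note(root)
    if not notes:
        return {"notes": 0, "coverage": 0.0, "touched": [], "untouched": []}
    start, touched, untouched = infection_window(root, notes)
    return {
        "notes": len(notes),
        "coverage": note_coverage(root, notes),
        "start": start,
        "touched": [p.name for p in touched],
        "untouched": [p.name for p in untouched],
    }


if __name__ == "__main__":
    sample = build_sample_tree()
    for key, value in triage(sample).items():
        print(f"{key}: {value}")
```

Modification times are a weak signal on their own (the malware, or a later cleanup, can rewrite them), so treat the touched list as the set to check first against the sync service's version history rather than as proof of encryption; the content-hash grouping, by contrast, is exactly the observation the post makes, one identical note per affected folder.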

Given the relatively low ransom value being demanded, and the time and effort required to get the business minimally operational without getting the encrypted files back, my advice was to try and pay the ransom. While there were no guarantees whoever controlled the ransomware would deliver the decryption password, I thought it was worth trying.

Here is where we hit our biggest hurdle. The ransom was being demanded in the form of a bitcoin payment. Everyone and their cousin on the internet bills bitcoin as an easy and anonymous form of digital currency payment. But if you're in a rush, and need to get your hands on some bitcoins quickly, those online exchanges which you are willing to share your credit card information with are anything but anonymous, or quick for that matter.

I tried registering with over half a dozen exchanges, including coinbase, coinmama, cex and coinpanda. All those exchanges required several forms of proof of identity, proof of address, and proof of credit card ownership in order to buy bitcoins with a credit card. Beyond that, they required those proofs in high quality digital scans, and a human reviewed each and every detail. While I'd say this is commendable under normal circumstances, it's not very helpful when you're in a hurry. In the end, we bought our 0.25 bitcoins locally using localbitcoins.com. The seller didn't respond for hours, and setting up the meeting posed its own safety and security challenges, as it was close to midnight by the time we heard from him. Luckily, he turned out to be a friendly fellow, didn't hesitate to help, and was patient enough, despite the late hour, to wait with us until the transaction had enough confirmations on the network to provide us with the proof of payment demanded by the person controlling the ransomware.

From there, it took another 9 hours until we heard back from this person and received the encryption key. And would you look at that key!