A True RansomWare Story

“I think we got hit with Ransomware!  Can you decrypt it?”.  These were the exact words spoken to me by a prospective client that I had been trying to sign for over a year.  I was excited to see their company name on the caller id.  Perhaps this was the day.  And it was the day, but only it had to happen under the worst circumstances.

At some point during October 13, 2017 – Friday the 13th, this company was infected with a new variant of the BTCWare Ransomware virus called Payday.  Most files had been encrypted with a .payday extension.  Fortunately only one server was affected, however it was a storage server.  This storage server was being used to store all of their “paperless” files.  You see, this client decided to go paperless and scan in every scrap of paper they had and store it on this now infected server.

I told the future client that all he needed to do was restore from backup because this variant could not be decrypted.  When I mentioned this there was a long and uncomfortable pause on the line.  I knew what he was going to say before he even said it.  “That’s the problem, I wasn’t backing up this server.”.  I know it was difficult for him to say that to me because I had been discussing backup solutions with him for close to a year.  He was now desperate for some sort of solution and was panicking.  He didn’t want to lose his job.  He didn’t want to go and tell his boss that their files were encrypted and he did not have a backup.  We are good, but we cannot decrypt files from this infection.

The payday virus infected via Microsoft’s remote desktop connection using a brute-force technique.  This client also had public remote desktop connections open on their firewall instead of using VPN.

We will call our victim Billy.  Billy was ready to pay the ransom.  Before calling he had sent an email to the listed email address in the ransomware letter.  They wanted 1 bitcoin ($7,700) within 24 hours or it went to 2 bitcoins, after 48 it went to 3 bitcoins, after 72 it went to 4 bitcoins and that is where it topped out.  He was so desperate that he was willing to beg, borrow and steal the money to get the decrypting program.  I recommended against paying the ransom because it would only encourage this and other groups to continue making these malicious programs.

According to Cybersecurity Ventures, in their Ransomware Damage Report, global ransomware damage costs are predicted to exceed $5 billion in 2017, up from $325 million in 2015.  Additionally they report that ransomware is growing at a yearly rate of 350%.  Based on these numbers I could not recommend that he pay the ransom.  He simply needed to take his medicine and learn from the experience.

Human beings have a hard time accepting defeat.  He thought he might be able to negotiate with these criminals and secure the decryption program for $1,000 or less.  He would not take my advice and decided he would go down the path of negotiation.  I recommended that he at least use a VPN software and setup a fake gmail account to communicate with the criminals.  He should at least try to maintain some anonymity when communicating with them.  I also recommended that he assume a character, such as a junior network manager who has just received his first job after getting parole from prison.  Maybe an honor among thieves approach.  Additionally, I didn’t think it was a good idea to let the criminals know that he was desperate, that this was a minor server that they could afford to lose, but if he could get the decryption key for under $1,000 he would do it.

So, a journey began that would not conclude for another 4 weeks.  Billy setup his fake gmail account.  He adopted the famous “what is your porn star name” angle for his gmail account.  Take your middle name and the street you grew up on and that would be your porn star name.  He purchased a solid VPN software.  He made his connection through Toronto and sent his first email as our recently paroled and reformed junior network manager.  Per the instructions in the ransom letter, he sent a sample, encrypted file and mentioned that his minor server had been infected and respectfully requested the decrypting software.  About a week later he received his first reply.

The reply was simple and a canned response.  Again, they gave the amount and urged promptness in sending the bitcoins.  They also replied with the decrypted sample file as evidence of their ability to decrypt the files.  Billy was visibly excited.  He had received evidence that they could decrypt his files.  Now, if he could only convince them to do it for $1000 or less, he would be golden.  So, the negotiating began.  He replied back that he did not have that much money and could only afford $500 (or .07 bitcoins).  After a few short minutes, “Locker James” replied back that his boss would accept $1,500 or .21 bitcoins as the lowest price.

It was at this point that Billy invoked his character.  He again stated that he did not have $1,500.  He stated that he was a low level, recently hired IT guy and his main responsibility was this infected server.  He goes on to say that his boss is not aware that the files have been encrypted and that he will lose his job if his boss finds out (which is true).  Billy throws in additional heart-wrenching pieces of information such as his low salary, difficulty in making rent payments, that the $500 he has to spend is actually rent money.  He lays it on thick.  Locker James replies that his boss is the one that sets the prices and that he is also a low level employee who will get a very small percent of the ransom paid.

Billy and Locker James continued to carry on a conversation for another few hours and it seemed they started to bond together as two low-level guys who are working for mean bosses.  The plan was working.  Locker James ever said that he would try to get the decrypter and send it to Billy.  I knew it was too good to be true.  Suddenly the emails changed, and you could tell he was now dealing with a different person.  Billy’s fear was that the person he had been dealing with got in trouble for attempting to go behind his bosses back.  However, the price was now down to $1,000 and he had to make the payment right away or it would go back up to the original price.  The bitcoin wallet code was provided.

Billy had a tough decision to make at this point.  He could pay the ransom and hope that these criminals would send him the decrypting software.  Or, he could walk away, tell his boss the truth and lose his job.  I urged him to tell the truth to his boss and learn a lesson.  But, once again, he chose to pay the ransom.  Per the ransom instructions, he purchased some bitcoins, which took over 12 hours to receive.  Once he confirmed he had the bitcoins, he initiated payment to the bitcoin wallet code that was provided by the criminal.  The ransom was paid on November 2nd around 20:20.

November 3rd came and went.  On November 4th, Billy sent another email asking for the software.  No reply.  He did the same on November 5th, 6th, 7th and 8th.  It had been a long and sleepless week.  But on the evening of November 8th, Billy received a 4 word reply.  “We send you software”.  But what did this mean?  Did this mean they were going to send the software or that they already sent him the software.  He was dealing with foreigners with bad english, so he wasn’t sure what they meant.  He was more stressed now than he was before.  So he replied with a thank you and asked them which email address they would send the decrypting software.

On November 9th, Billy received a reply.  “man send again file crypted”.  Billy assumed they wanted another encrypted file.  So Billy emailed back with another encrypted file.  Another day would pass before Billy would hear back from the criminals.  The reply he received on November 10th said “billy please wait!”.  A few hours later the criminal sent a link to download a software program with a 3 word instruction “run with root”.

This obviously raised all kinds of concerns.  “run with root”.  Were they going to infect him more?  Was this additional infection software?  These were all genuine concerns, but Billy was desperate.  His boss and his end users were asking questions.  He was making excuses, because he felt he was close to a solution.

Billy downloaded the software to his laptop.  He unzipped the file and ran several antivirus programs against it.  They all came back clean.  Billy put the program on a thumb drive.  After hours he disconnected the network cables from his server.  He inserted the thumb drive into his server, copied the file over to the desktop.  He hovered his mouse over the program for a good 30 to 40 seconds before finally double-clicking the program provided by the criminals.  His heart was now in his throat and he could hear his heart beating loudly.  He watched as white text flashed quickly across the black-screened window.  He couldn’t read what it was doing, it was moving so fast.  He opened up his file viewer and started digging into the directories containing the encrypted files to see what was happening.

He couldn’t believe it.  The decrypting software was doing what it was supposed to be doing.  It was decrypting the files.  It was doing it quickly.  Billy sat there for 30 minutes, watching the progress.  Tears filled his eyes.  The weeks of stress were slowly leaving his body.  It was a Friday, late afternoon and he was ready for a drink or five.  The files had been decrypted!  He was relieved!

Billy called me to spread the great news.  He thanked me thoroughly for the angle and advice in dealing with these criminals and invited me to a local pub for a drink.

I met a relieved Billy and he bought me a beer.  He thanked me again (and again, and again) for helping him through this ordeal.  He apologized for not listening to me when I spoke to him about disaster recovery and backup plans.  He promised me he would send me a P.O. the following Monday for a Barracuda Backup Server 890 so he would never have to go through something like this again.  He also asked about the Barracuda Net-Generation F-Series Firewall so he could lock down his remote desktop connections and use VPN.

Billy got out of this for $1,000.  However, he was lucky.  Many companies have paid upwards of $17,000.  It is hard for me to understand how these organizations are not using an offsite backup solution like the one we provide with Barracuda.  It is an easy solution and does not take a lot of time and effort to implement.

Billy sent his PO to me on the following Monday.  We installed his new Barracuda Backup 890 on November 17th.  All servers have been backed up and are now replicating to the cloud.

Backup solutions and a good end-user awareness program can significantly protect organizations from these type of infections.  Tubesock provides both.  We offer a solid on premise to cloud backup solution and in-house employee awareness training to spot suspicious emails or files.  Give us a call or send us an email.  Don’t be the next victim.