
Hey All,

 

Just wanted to post a story of one of the clients at my work.

 

March 5th, 9:00AM. 

 

The call comes in, "We can't access our accounting software". Using TeamViewer, I remote in. Every file is encrypted with .java file extensions (Dharma Ransomware). I find the email address (in the new file name) and send them an email. After a couple hours, I get a reply. They want 1.5 BTC to unencrypt the files. Informed client. They say restore from backup.

 

Well, here's where things really hit the shitter: this client only calls us when there's an issue with a PC. The last time we were there was about 6 months ago. Well, about 6 months ago, one of my coworkers, another tech, told them their backups were not functioning. This is because when you try to back up 700GB to a 500GB drive, you'll have issues. The last time the server had less than 500GB on it, well, that was mid 2016. We get their accounting software going (FTP backups to our office, THANK GOD) and most of their stuff is stored in Dropbox. We have been working to get a new system in place with new drives, but the client is being stubborn, and not listening, claiming that everything is our fault.

 

Today (March 31st, 12:00PM)

Spoiler

All your important files were encrypted on this PC.
All files with .SUSPENDED extension are encrypted.
Encryption was produced using unique private key RSA-1024 generated for this computer.
To decrypt your files, you need to obtain private key + decrypt software.
To retrieve the private key and decrypt software, you need to contact us by email suspendedfiles@india.com send us an email your !!!RestoreProcess!!!.txt file and wait for further instructions.
For you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.
Price for decryption $600 if you contact us first 72 hours.

Your personal id:
--REMOVED FOR SECURITY--

E-mail address to contact us:
suspendedfiles@india.com

Reserve e-mail address to contact us (if you don't recive our unswer within 12 hours):
suspendedfiles@cock.li
 


Saturday, the day of relaxing, where you're not worried about work at all, well, that is until your boss calls you. I get a call saying the client cannot access their accounting software. I figure it's a storage issue, where I need to go in and clean up the drive from unused files, as it happened before. I remote in, and to my disbelief, all of the file shares, encrypted with .suspended ransomware. Again. Well, now the client's gonna be pissed. Still no working backups (other than the FTP backups to our office). No antivirus. No firewall. NOTHING.

 

Well, moral of the story, please guys, if you work in the tech industry, push and push for clients to get this shit fixed, and MAKE SURE they have a working backup.

QUOTE/TAG ME WHEN RESPONDING

Please Spend As Much Time Writing Your Question As You Want Me To Spend Responding To It. Take Time & Explain

 

New TOS RUINED the meme that used to be below :( 


Well, this is actually a shitty position for the client, but after all it is the client's fault isn't it? And you can prove it too because it is ransomware!


Yeah, this could've been fixed by using the 3-2-1 system. If only people knew what it costs to recover data (from a broken HDD or ransomware etc.).


51 minutes ago, RollinLower said:

Well, this is actually a shitty position for the client, but after all it is the client's fault isn't it? And you can prove it too because it is ransomware!

We definitely can prove it, but when a client loses a couple days' worth of work, they get mad, and we lose a customer that's been with us for almost 30 years.


On 3/31/2018 at 11:40 AM, Jrock said:

We definitely can prove it, but when a client loses a couple days' worth of work, they get mad, and we lose a customer that's been with us for almost 30 years.

I've seen this time and again: whether it's hiring an employee or contracting another company, they somehow get the idea in their head that it's a good idea, but then don't listen to anything they say and don't make use of their expertise/services.  Inevitably it comes back to bite them, whether they realize it or not.  In this case, it appears they have realized it - or at least, they've noticed the problem but still can't comprehend they're standing in their own way when it comes to a solution.

 

Evidently the only reason they were a client for 30 years was that nothing had gone wrong yet.  I guess it's sort of a "you find out who your real friends are" moment when things do go bad.  You warned them, you managed to save them, twice, even after they ignored you about the backups.  Nothing more you can do.  You've provided a good service and done all you can.  If they're not interested in using that service, then move on to someone who is.
