Help - customer got hit with ransomware, any info on this one?

dbwillis

Customer called me this AM to report they couldn't get into anything...
Checked the VMware ESX host... it boots up into ESX, but the datastores are empty... ESX logon was not domain bound, was not ROOT
Checked the Hyper-V machine... encrypted
Checked the old file server... encrypted
Checked the new file server... encrypted (was moving to new file server Wednesday)
2 computers in the office (out of 6) are encrypted. (Admin account was disabled, new unusually named Admin account was created, with hard password set)

basics:
(2 Win10, updated, AV protected, non-admin users... down)
(3 2016 servers, updated, AV protected, Admin account disabled... used by a differently named, hard-password account) (1 physical 2016, 1 ESX 2016, 1 Hyper-V 2016)
(1 2008 R2 server, updated, AV protected, Admin account disabled, used by a differently named account than above)
 

Yeah, backups were good, I rebuilt the entire domain. But I'm stumped as to how the thing got in.
 
Frequently, ransomware is used as a smokescreen for data exfiltration or as a parting gift from attackers once they're done in your network. Aside from the OS, take a look to see if you have any other applications running on local workstations and see if there are any RCE vulnerabilities present that could be used by an attacker.
 
> Yeah, backups were good, I rebuilt the entire domain. But I'm stumped as to how the thing got in.

Someone let them in, by getting phished or clicking links, and they are not telling you, or you have a perimeter exploit.

Also, even with everything patched, there are exploits to get past AV and such.

What is the perimeter firewall?
What rules are in place?
What NAT rules allow access in?
Remote access tools at all? (Windows / Citrix / TeamViewer?)
What AV are you using?
What email service are they using? Can you review logs for emails sent in to employees?

Chances are someone was in that network for weeks or months, sidestepping to learn about it and how best to cripple it to assure payment. This also means your backups are likely going to keep the access they had, letting them back in.
 
Just got called by a company that got hit by an exact-looking one... didn't dig too deep, just suggested reverting to backups.
 
I've dealt with 2 RYUK attacks this past year. Both were from attackers that spent some time setting things up before dropping the bomb.

If your backups were network connected or created within the last few months then get ready for another phone call. Definitely don't restore any full machine images from them. Build new machines and do minimal data pulls as needed. Restore your SQL server from an image? Nope. Build a new SQL server and pull the SQL database from your dirty image? That's probably OK.
 
Servers were on Bitdefender, workstations were on Vipre.
Only 2 employees have email. One is there so they can use it only for sending out messages to the customer database; email isn't set up on any workstations, it's set up in the main program, RO Writer. The other is the owner; access was via webmail.
I forget the router, Asus something running DD-WRT. No open ports other than 1701 for L2TP VPN to the server. I only had VPN access; the vendor connects in via GoToAssist, only with help from an employee, not unattended access.
As for needed data... couldn't boot any of the workstations or servers, they came up with that BIOS-type screen. Tried some WinPE offline tools, couldn't see any files on the HDD. I had a cloud (iDrive) backup of the important data (150 MB QuickBooks file and 920 MB MDB file).
Everything got rebuilt (new usernames that were different than before, different PC names, different server names, different password formats), router set to default and reconfigured, printers reset and reconfigured (in case they did some firmware hack there).
 
It was.
He's all back to normal now though.
One thing I forgot was the music-on-hold device... had a static IP and I used different DC/DNS IPs.

Was able to fire up a VM, static it to 169.254.x.x, and use the VMware remote console to connect to the device and update the TCP settings.
One cool thing about running a VM.
 
> Yeah, backups were good, I rebuilt the entire domain. But I'm stumped as to how the thing got in.

Had a brand new customer hit with another type of ransomware last summer.
Didn't even have a chance to go through the server and network stuff for analysis before they got hit.

Found that the previous IT company had port 3389 forwarded to the server, no VPN required.
Bad guys hacked the login.

When I got to their office and looked at the server, there was actually a data theft in progress.
Confused at what I was looking at for a few seconds and then yanked the network cable. lol

Got them recovered 100% because of good backups.

Also installed new router and made VPN required for the RDP.

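Two of the indicators in this thread are cheap to hunt for in the Windows Security log before (or while) rebuilding: the forwarded-3389 login that got brute-forced in the post above, and the new unusually named Admin account from the first post. The script below is an added example, not code from any poster; it runs over a constructed CSV export (made-up host, accounts, IPs and times) and uses the standard event IDs 4625/4624 (failed/successful logon, logon type 10 = RDP), 4720 (account created) and 4732 (member added to a local group).

```python
"""Two detections for the indicators mentioned in this thread, run over a
constructed export of Windows Security events (CSV, not a real log):

  * an RDP logon (logon type 10) that follows a burst of failed logons from
    the same source IP, the "port 3389 forwarded, bad guys hacked the login" case;
  * an account created (4720) and added to Administrators (4732) within a
    short window, the "new unusually named Admin account" case.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export from a hypothetical file server; the account names,
# IPs and times are made up. A real export (Event Viewer, wevtutil) usually
# carries a SID rather than a name in the 4732 member field, so resolve it first.
SAMPLE_EVENTS = """\
time,event_id,account,source_ip,logon_type,group
2020-03-13T02:10:01,4625,administrator,203.0.113.7,10,
2020-03-13T02:10:03,4625,administrator,203.0.113.7,10,
2020-03-13T02:10:05,4625,admin,203.0.113.7,10,
2020-03-13T02:10:08,4625,backup,203.0.113.7,10,
2020-03-13T02:10:12,4625,svc_backup,203.0.113.7,10,
2020-03-13T02:10:15,4625,svc_backup,203.0.113.7,10,
2020-03-13T02:11:40,4624,svc_backup,203.0.113.7,10,
2020-03-13T02:15:02,4720,sysadm1n,-,-,
2020-03-13T02:15:09,4732,sysadm1n,-,-,Administrators
2020-03-13T09:00:00,4624,jsmith,192.168.1.20,2,
2020-03-13T09:30:00,4625,jsmith,192.168.1.20,2,
2020-03-13T09:30:30,4624,jsmith,192.168.1.20,2,
"""


def parse_events(text):
    """Parse the CSV export into dicts sorted by time."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.fromisoformat(row["time"])
        row["event_id"] = int(row["event_id"])
        events.append(row)
    events.sort(key=lambda e: e["time"])
    return events


def find_rdp_bruteforce(events, min_failures=5, window=timedelta(minutes=15)):
    """Flag a successful RDP logon (4624, logon type 10) preceded by at least
    min_failures failed logons (4625, type 10) from the same IP within window."""
    failures = defaultdict(list)  # source_ip -> failure timestamps
    findings = []
    for ev in events:
        if ev["logon_type"] != "10":
            continue  # only RemoteInteractive (RDP) logons matter here
        if ev["event_id"] == 4625:
            failures[ev["source_ip"]].append(ev["time"])
        elif ev["event_id"] == 4624:
            recent = [t for t in failures[ev["source_ip"]] if ev["time"] - t <= window]
            if len(recent) >= min_failures:
                findings.append({
                    "source_ip": ev["source_ip"],
                    "account": ev["account"],
                    "failures": len(recent),
                    "success_time": ev["time"],
                })
    return findings


def find_new_admin_accounts(events, window=timedelta(hours=1)):
    """Flag accounts created (4720) and then added to the local Administrators
    group (4732) within window."""
    created = {}  # account -> creation time
    findings = []
    for ev in events:
        if ev["event_id"] == 4720:
            created[ev["account"]] = ev["time"]
        elif ev["event_id"] == 4732 and ev["group"] == "Administrators":
            t0 = created.get(ev["account"])
            if t0 is not None and ev["time"] - t0 <= window:
                findings.append({"account": ev["account"], "created": t0, "elevated": ev["time"]})
    return findings


def triage(text):
    """Run both detections over one export and return the findings by kind."""
    events = parse_events(text)
    return {
        "rdp_bruteforce": find_rdp_bruteforce(events),
        "new_admins": find_new_admin_accounts(events),
    }


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_EVENTS).items():
        print(kind)
        for hit in hits:
            print("  ", hit)
```

On the sample data the brute-force rule fires once (six failures from 203.0.113.7, then a type-10 success as svc_backup) and the new-admin rule fires on sysadm1n; the ordinary interactive logon by jsmith with a single failure is ignored because it is not logon type 10. Both detections only work if the Security log survived, which is one more reason to forward events off the box before an incident rather than after.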
 
> Customer called me this AM to report they couldn't get into anything...
> Checked the VMware ESX host... it boots up into ESX, but the datastores are empty... ESX logon was not domain bound, was not ROOT
> Checked the Hyper-V machine... encrypted
> Checked the old file server... encrypted
> Checked the new file server... encrypted (was moving to new file server Wednesday)
> 2 computers in the office (out of 6) are encrypted. (Admin account was disabled, new unusually named Admin account was created, with hard password set)
>
> basics:
> (2 Win10, updated, AV protected, non-admin users... down)
> (3 2016 servers, updated, AV protected, Admin account disabled... used by a differently named, hard-password account) (1 physical 2016, 1 ESX 2016, 1 Hyper-V 2016)
> (1 2008 R2 server, updated, AV protected, Admin account disabled, used by a differently named account than above)
https://techcrunch.com/2020/03/23/windows-unpatched-zero-day-bug/

this is likely how
 
Microsoft security is usually, "If we didn't tell you, then it doesn't exist." So, sort of weird that Microsoft would tell people they are getting hacked without hope (until fix after April 14th).

Note: Attack seems limited to Windows 7 (but worded in a way that shouldn't make anyone feel safe... especially since they're going to patch it anyway for 10).
 
"Asus something running DD-WRT" - DD-WRT, I think, also had a recent exploit. Also, what version of the VPN are they running, as that also could have been an entry point. I would suggest ditching the Asus router and getting a Ubiquiti at a minimum or something a little more SOHO and secure.
 
The DD-WRT didn't have any cleared logs, so I checked and didn't see anything coming in or being reconfigured. VPN was Server 2008 R2 L2TP.
 
I think it's just PPTP that has the issues since it's so old.

Too bad since it was super easy to setup.
 
Ya, just went back to do some reading. L2TP + IPsec is secure, as long as IKEv2 is being used. OpenVPN has still been rated as the most secure method over others. I thought I had recalled hearing that L2TP was also no longer suggested, but not finding anything except that there are no known vulnerabilities.
 