Good day. You’ve Been Pwned!

The phone in my home office rang at 4AM this morning. It never rings at that time of the night. So, half asleep, I had a look at the call display screen. The call was from India. Since I do have clients in India, I decided to answer it. The person on the other end was in a panic. They said that they got my number from someone I had flown over there to help, and that I came highly recommended.

If I wasn’t half asleep, I would have been flattered.

In any case, they explained their situation. One of their database servers was down, and something had turned all their databases into .java files. That woke me up, as I had a feeling I knew what was going on. I then asked to start a remote session using GoToAssist with the customer. Once I had established the remote session, I started to poke around and soon confirmed what I was thinking: they had been pwned by ransomware. The confirmation was this file that I found:

[Image: pwned.png]

Basically, they had been pwned by a variant of the Dharma ransomware [Warning: PDF]. I say a variant because the version that I had previously seen encrypted things with a .Dharma extension, but according to this, the new variant that I was dealing with encrypted files with a .java extension. To make matters worse for the customer, he had never done backups of his databases, which were mission critical to his businesses.

#Fail. You should always back up your data. Especially if it’s mission critical.

The fortunate thing for this customer is that there were ways to eliminate the malicious files and possibly recover the data using the file decryption software that was mentioned in the article. I then used the instructions to eradicate the virus by hand. I confirmed that it was gone by scanning the server with Trend Micro’s online scanner, as the antivirus software that the server had wasn’t working. My next step was to use the file decryption software that was mentioned in the article to start decrypting the databases. It took a while, but I was able to get them all back. I was then able to move them to a freshly built database server and make them accessible to the company.

Total time invested: 3.5 hours.

The thing is that this customer was VERY lucky. Ransomware attacks typically don’t have happy endings. The fact that it got in and was able to do what it did indicates that they need a complete review of their IT security practices, as clearly this ransomware was able to get in and pwn them. It could have been a human doing something dumb, or it could have come in via something like a PC that was exposed to the outside world. It could even have been a disgruntled employee. They also need to get into a backup regimen, as the fact that they don’t back up mission critical data is a #fail. Thus I will be making arrangements to go there in a couple of months. But in the meantime, I have some late nights and early mornings to look forward to, as I plan on doing what I can from the other side of the planet.

Fun.
