
Today I got a message when I logged on the server:

Hi, please view: http://pastie.org/private/tlixxvclirxmut6djqyacq for further information in regards to your files!

Text from link:

Greetings,

Your server has been hacked and your files have been deleted.
Before they were deleted, we backed them up to a server we control.
You must send a total of 3 BTC to the address: 1M71Lt6RtrdwB43UFWZCBt8FQ7dMqjqNsd
Failure to do so will result in your files being deleted after 5 days.
We may also leak your files.

You can e-mail onewayout@sigaint.org for support. We will not give any files before a payment has been made.

Goodbye!

Can I restore my files? And how can I protect myself against this in the future?

Yuriko
  • Better protect your server and running services. It is usually the first thing you do when you start using a server. If you don't have a backup, then you have 2 days to pay for your data. – Jakuje Apr 23 '16 at 11:41
  • That's blackmail. You should contact the police. As for preventing this in the future - we have a number of questions about [tag:hardening]. We've got a few canonical questions on the subject too, like the one on [hardening Linux servers](http://security.stackexchange.com/questions/993/hardening-linux-server). Good luck! – S.L. Barth Apr 23 '16 at 11:41
  • Possible duplicate of [techniques to detect & mitigate Crypto-ransomware?](http://security.stackexchange.com/questions/121200/techniques-to-detect-mitigate-crypto-ransomware) – Philipp Apr 23 '16 at 12:09
  • To the reviewers: this is no ransomware; thus this is not a dupe. – Tobi Nary Apr 23 '16 at 16:17
  • They've already made 0.4 bitcoins from this scam. That's sad... It's so easy to write ransomware, so I don't see why these people don't at least allow people to get their files back. On the upside, it's easier to undelete data than it is to decrypt well encrypted data. – forest Apr 24 '16 at 02:31
  • 3 BTC is quite a lot of money. While they *may* give you your files back, I suggest investing those 3 BTC into better security instead and restoring from backups. – André Borie May 04 '16 at 11:57

1 Answer

Depending on how the files have been deleted (and your file system), there might be forensic tools that evaluate the journal and retrieve as much information as is still alive behind the scenes of the filesystem.

For example, if you are using ext3 or ext4, extundelete may help if the attackers were sloppy with the deletion and didn't overwrite the files.

There are some steps to be taken to prevent this; some of them are:

  • always keep your system up to date and apply all security fixes
  • disable all unnecessary access methods (for example ssh password auth)
  • have a firewall in place that only allows specific ports and protocols to be used
  • have a backup in place so you can just wipe the system and start fresh without losing the data

As has already been mentioned, this is a crime (blackmail, and in many jurisdictions the break-in is actually a crime as well), so you should inform law enforcement.

Also, do not pay them - there is no guarantee they will actually give you the files after that; they most probably won't, or they will ask for more money.

Side note here:

If user data has been compromised, this might result in legal issues for yourself/the company. The best way to go about this is to be open with law enforcement about everything.

Tobi Nary
  • "*do not pay them - there is no guarantee they actually will give you the files*" -- Ransomware folks are customer focused and have good [tech support](http://www.networkworld.com/article/2894507/opensource-subnet/some-cybercriminals-are-improving-customer-service-for-their-victims.html). It is in their interest to keep victims happy. Of course, there are black sheep everywhere. – Daniel Apr 23 '16 at 16:12
  • It's not ransomware; nothing is encrypted and it is still on the device in question. To hold the infrastructure for actually keeping the data around for a lot of victims does not seem a viable path for hackers when they can use encryption as well at lower cost. – Tobi Nary Apr 23 '16 at 16:14
  • Ah, you're correct. It seems I missed that crucial point. – Daniel Apr 23 '16 at 16:15
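An added example for the "disable unnecessary access methods (for example ssh password auth)" step in the answer above; this is not code from the original post. It audits an sshd_config the way sshd itself reads it: the first value found for a keyword wins, so a `PasswordAuthentication no` appended below an earlier `yes` changes nothing, and keyboard-interactive authentication through PAM can still prompt for a password. The sample config is constructed for the example; the defaults assumed for absent keywords are those of current OpenSSH.

```shell
#!/bin/sh
# Added example (not from the original answer): audit an sshd_config for the
# "disable ssh password auth" step. sshd keeps the FIRST value it reads for a
# keyword, so a hardening line appended at the bottom is silently ignored if an
# earlier line already set that keyword.

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# effective_value FILE KEYWORD: print the first value sshd would use for KEYWORD,
# skipping comments, blank lines and settings inside Match blocks (conditional).
effective_value() {
    awk -v key="$(lc "$2")" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == "match" { inmatch = (tolower($2) != "all"); next }
        inmatch { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# audit_sshd FILE: print one line per weak setting; return 1 if any was found.
# Assumed defaults when a keyword is absent (current OpenSSH):
# PasswordAuthentication yes, KbdInteractiveAuthentication yes, UsePAM no.
audit_sshd() {
    weak=0
    pw=$(effective_value "$1" PasswordAuthentication)
    if [ "$(lc "${pw:-yes}")" = yes ]; then
        echo "WEAK: PasswordAuthentication is effectively yes"; weak=1
    fi
    # keyboard-interactive via PAM can still ask for a password even when
    # PasswordAuthentication is no; ChallengeResponseAuthentication is the old name
    kbd=$(effective_value "$1" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(effective_value "$1" ChallengeResponseAuthentication)
    pam=$(effective_value "$1" UsePAM)
    if [ "$(lc "${kbd:-yes}")" = yes ] && [ "$(lc "${pam:-no}")" = yes ]; then
        echo "WEAK: keyboard-interactive auth with PAM may still accept passwords"; weak=1
    fi
    return $weak
}

# Constructed sample config (not taken from any real server).
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
Port 22
PasswordAuthentication yes
UsePAM yes
# added later by an admin; ignored, sshd already took "yes" above
PasswordAuthentication no
Match User deploy
    PasswordAuthentication no
EOF

audit_sshd "$SAMPLE_CFG" || echo "sshd_config needs attention"
```

Run it against the real `/etc/ssh/sshd_config` to see what sshd will actually apply; on a live host `sshd -T` prints the same effective values and is the authoritative check.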