1

My server (CentOS) recently got hacked by some Crypto Hackers. They encrypted all of my files and are asking for a ransom to decrypt the files. They kept a message in all folders, which starts like this

Your personal files are encrypted! Encryption was produced using a unique public key RSA-2048 generated for this computer.
To decrypt files you need to obtain the private key.
The single copy of the private key, which will allow to decrypt the files, located on a secret server on the Internet. After that, nobody and never will be able to restore files...
To obtain the private key for this computer, which will automatically decrypt files, you need to pay 1 bitcoins (~240 USD). Without key, you will never be able to get your original files back...

Now they have sent me the decrypt keys and I'm still Could someone please help me with how I can recover my files?
What are the possible vulnerabilities that they took advantage of? Any other tips/pointers to avoid future threats? Thanks in advance.

Edit: They sent me a PHP script with the private key, which I should upload to the server and run through a URL. Here is the decrypt file they sent me.

Shameer
  • 111
  • 5
  • Can you add more details please? This is the first time I see Cryptolocker mentioned on Linux. I understand you paid the ransom? If so what file did you receive? Did it come with any instructions? According to a BBC news article victims of Cryptolocker could get their files restored without paying the ransom at https://www.decryptcryptolocker.com/ but at the moment that site's certificate has expired so I don't know if it is still operational. – Bram Oct 21 '15 at 07:09
  • I assumed it's Cryptolocker since the website (https://z54n57pg2el6uze2.onion.to - they had taken it down now) they mentioned to make the payment had this title on it. – Shameer Oct 21 '15 at 07:16
  • @Bram: Unfortunately, this scheme isn't operated by only one group, and they certainly don't have a "central service" that victims of all groups can use to decrypt. They also may use the same name, as of course, no one can register or enforce a trademark for this kind of "service". From what I understand, you can just buy exploit kits, adapt them to your needs and run a "campaign", without much own expertise. – Sven Oct 21 '15 at 07:24
  • Did you recover the files? – Paolo P. Nov 05 '15 at 15:01
  • Not really. I had to use the old backups I had. – Shameer Nov 07 '15 at 08:40

2 Answers

2

Just some general tips to avoid malware infection and other security breaches:

  • keep your system up to date
  • work as much as possible as an unprivileged user and use sudo (or similar) to execute administrative commands
  • don't disable SELinux
  • don't open links in emails and the like unless you trust the source
  • disable services you don't really need/use
  • operate a firewall at least on the edge of your network
  • monitor log files for suspicious activity either manually or with the help of an intrusion detection system

And in addition to the above: make sure you have a current backup that you know you can restore.

Bram
  • 1,121
  • 6
  • 9
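The last point above (a backup you know you can restore) is the one that actually got the asker's files back. As an added example that is not code from this answer, the following Python script records a SHA-256 manifest at backup time, restores the archive into a scratch directory and compares every file, so a restore is proven rather than assumed. It then simulates what the incident on this page looks like to such a check: files overwritten with ciphertext and a ransom note dropped, so a backup taken after the fact fails verification against the earlier manifest. The directory tree, file contents and archive names are all constructed for the demonstration.

```python
import hashlib
import os
import tarfile
import tempfile


def sha256_of(path):
    """Hash one file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Map every regular file under root (path relative to root) to its SHA-256."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = sha256_of(full)
    return out


def make_backup(src_dir, archive_path):
    """Write a gzipped tar of src_dir and return the manifest taken at backup time.
    Keep that manifest off the backed-up host; it is the reference for verification."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src_dir, arcname=".")
    return manifest(src_dir)


def verify_restore(archive_path, expected):
    """Restore the archive into a throwaway directory and compare it with the manifest.
    Returns (ok, problems); problems lists missing, changed and unexpected files."""
    # Use the 'data' extraction filter (rejects path traversal members) where available.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            tar.extractall(scratch, **kwargs)
        restored = manifest(scratch)
    problems = []
    for rel, digest in expected.items():
        if rel not in restored:
            problems.append("missing: " + rel)
        elif restored[rel] != digest:
            problems.append("hash mismatch: " + rel)
    for rel in restored:
        if rel not in expected:
            problems.append("unexpected: " + rel)
    return (not problems, problems)


def demo():
    """Constructed run: back up a small tree, prove the restore, then show that a
    backup taken after files were encrypted no longer matches the original manifest."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "www")
        os.makedirs(os.path.join(src, "uploads"))
        with open(os.path.join(src, "index.php"), "w") as f:
            f.write("<?php echo 'hello'; ?>\n")
        with open(os.path.join(src, "uploads", "notes.txt"), "w") as f:
            f.write("constructed sample data\n")

        good = os.path.join(work, "good.tgz")
        expected = make_backup(src, good)
        ok_fresh, _ = verify_restore(good, expected)

        # Simulate the incident: content replaced by ciphertext, ransom note dropped.
        with open(os.path.join(src, "index.php"), "wb") as f:
            f.write(os.urandom(32))
        with open(os.path.join(src, "README_DECRYPT.txt"), "w") as f:
            f.write("Your personal files are encrypted!\n")

        after = os.path.join(work, "after.tgz")
        make_backup(src, after)
        ok_after, problems = verify_restore(after, expected)
        return ok_fresh, ok_after, problems


if __name__ == "__main__":
    fresh, after, problems = demo()
    print("fresh backup restores cleanly:", fresh)
    print("post-incident backup matches original manifest:", after)
    for p in problems:
        print("  ", p)
```

The manifest is the important part: a backup that is verified only against itself will happily "succeed" on encrypted files, which is why the comparison baseline has to be captured when the data was known good and stored somewhere the server cannot overwrite.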
2

If you extract the 3 lines $so32, $so64 and $so and then decode them you get 3 binaries.

I extracted them by simply removing the PHP code in between these lines and "converted" it to a bash script that basically writes them to files.

Something like:

#!/bin/bash
# Each variable holds the base64 text copied from the matching $so* line of the PHP script
so32="f0VMRgEBAQMA..."
so64="f0VMRgEBAQMA..."
so="f0VMRgEBAQMA..."
# Decode each blob into its own file; the names match the file(1) output below
printf '%s' "$so32" | base64 --decode > /tmp/so32.decoded
printf '%s' "$so64" | base64 --decode > /tmp/so64.decoded
printf '%s' "$so"   | base64 --decode > /tmp/so.decoded

They appear to be UPX-packed binaries which at least according to this article matches the cryptolocker decoding application.

file /tmp/so*
/tmp/so32.decoded: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
/tmp/so64.decoded: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped
/tmp/so.decoded:   ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), statically linked, for FreeBSD 10.1, not stripped
strings /tmp/so64.decoded -n 30
$Info: This file is packed with the UPX executable packer http://upx.sf.net $
$Id: UPX 3.91 Copyright (C) 1996-2013 the UPX Team. All Rights Reserved. $

But I don't know of any way to unpack these to check what the binaries would do. Considering where you got this file you will have to decide whether you want to take the risk of running these.

And if the site was taken down in the meantime there is no guarantee this will even still work.

Bram
  • 1,121
  • 6
  • 9
  • Thanks for the answer. I was also able to decode it to binary, but couldn't unpack it. I ran it anyway as I don't have anything to lose anymore :(. – Shameer Oct 21 '15 at 08:03
  • 4
    One additional suggestion: if you succeed in restoring your files I would still recommend backing up the files to an external drive or CD/DVD and completely reinstalling the system before selectively restoring the files you have first checked (e.g. virus-scan) to avoid re-introducing the malware. – Bram Oct 21 '15 at 08:09
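The triage Bram describes (pull the `$so32`, `$so64` and `$so` strings out of the PHP file, base64-decode them, run `file` and `strings`) can be done entirely in memory, without writing the binaries to disk or running anything. The following Python is an added example, not code from the answer or from the script the asker received: it finds every double-quoted string assignment in a PHP source, decodes the ones that are valid base64, classifies ELF payloads from their identification bytes (the same fields `file` reports: 32/64-bit, byte order, OS ABI) and looks for the banner UPX leaves in packed files. The PHP fragment and the three "binaries" inside it are constructed stand-ins: valid ELF headers followed by filler, built to mirror the three payloads the answer found (two UPX-packed Linux binaries, one FreeBSD binary). Note that `f0VMRg` at the start of each string on the page is simply the base64 encoding of the ELF magic bytes `7f 45 4c 46`.

```python
import base64
import re

ELF_MAGIC = b"\x7fELF"  # base64-encodes to "f0VMRg...", matching the page's blobs
UPX_MARKER = b"UPX executable packer"
CLASS_NAMES = {1: "32-bit", 2: "64-bit"}       # e_ident[EI_CLASS], offset 4
DATA_NAMES = {1: "LSB", 2: "MSB"}              # e_ident[EI_DATA],  offset 5
OSABI_NAMES = {0: "System V", 3: "GNU/Linux", 9: "FreeBSD"}  # e_ident[EI_OSABI], offset 7


def fake_elf(ei_class, osabi, packed):
    """Constructed stand-in binary: a well-formed 16-byte ELF identification block,
    filler, and optionally the banner string UPX writes into packed executables."""
    ident = ELF_MAGIC + bytes([ei_class, 1, 1, osabi]) + b"\x00" * 8
    body = b"\x00" * 32
    if packed:
        body += b"$Info: This file is packed with the UPX executable packer http://upx.sf.net $\n"
    return ident + body


def php_assignment(name, blob):
    return '$%s = "%s";\n' % (name, base64.b64encode(blob).decode("ascii"))


# Constructed PHP "decryptor" fragment laid out like the one described in the answer:
# three base64 variables with ordinary PHP code in between them.
SAMPLE_PHP = (
    "<?php\n"
    "error_reporting(0);\n"
    + php_assignment("so32", fake_elf(1, 3, packed=True))
    + "$tmp = '/tmp/.x';\n"
    + php_assignment("so64", fake_elf(2, 3, packed=True))
    + php_assignment("so", fake_elf(2, 9, packed=False))
    + "// ... code that would write one of the blobs to $tmp and execute it ...\n"
    "?>\n"
)

# $name = "<base64 text>";  -- whitespace inside the string is tolerated
ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*"([A-Za-z0-9+/=\s]+)"\s*;')


def extract_blobs(php_text):
    """Return {variable_name: decoded_bytes} for every double-quoted string assignment
    whose value is valid base64. Nothing is written to disk and nothing is executed."""
    blobs = {}
    for name, b64 in ASSIGN_RE.findall(php_text):
        try:
            blobs[name] = base64.b64decode("".join(b64.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return blobs


def describe_elf(blob):
    """Classify a decoded blob the way `file` and `strings` did in the answer,
    using only the ELF identification bytes and a marker-string search."""
    if len(blob) < 16 or blob[:4] != ELF_MAGIC:
        return {"is_elf": False}
    return {
        "is_elf": True,
        "bitness": CLASS_NAMES.get(blob[4], "unknown"),
        "byte_order": DATA_NAMES.get(blob[5], "unknown"),
        "osabi": OSABI_NAMES.get(blob[7], "other(%d)" % blob[7]),
        "upx_packed": UPX_MARKER in blob,
    }


def triage(php_text):
    """Extract every base64 payload from the script and describe each one."""
    return {name: describe_elf(blob) for name, blob in extract_blobs(php_text).items()}


if __name__ == "__main__":
    for name, info in triage(SAMPLE_PHP).items():
        print("$%s:" % name, info)
```

A script handed to a victim that carries three statically linked, packed executables for three platforms and writes one to disk before running it is a dropper, whatever it is called; the value of this kind of static look is that it tells you that much without having to run it, which is the decision the answer leaves to the reader.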