What It Feels Like When Your Server Gets Hacked and Held for Ransom

       What is it like when your server gets hacked and held for ransomware? Today, let’s share a real case study.

First, when a server is infected and ransomware is involved, the following typically happens:
1. The attacker may change your system password.
2. After you forcibly reset the password and log in, you will find ransom note documents placed on the desktop or other conspicuous locations.
3. Critical information in your system gets locked; to unlock it, you must follow the instructions in their document.
4. The ransom notes usually use anonymous contact forms like Telegram.
……

The content of a typical ransom note document looks something like this:

YOUR FILES ARE ENCRYPTED !!! TO DECRYPT, FOLLOW THE INSTRUCTIONS: To recover data you need decrypt tool. To get the decrypt tool you should: 1. In the letter include your personal ID! Send me this ID in your first email to me! 2. We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files! 3. After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! 4. We can decrypt few files in quality the evidence that we have the decoder. Do not rename, do not use third-party software or the data will be permanently damaged CONTACT US: [email protected] If first email will not reply in 24 hours then contact with reserve address: [email protected] YOUR PERSONAL ID: xxxxxxxxx2xxx In case of non-payment of the ransom, your data may be published in the public domain. Our page in telegram with data leaks: https://t.me/mallox_leaks


Attachment:

RECOVERY FILES.txt
79985cefbeeef584172f0a43e07e83fd.txt (957 Bytes)

The translation roughly means the following:

YOUR FILES ARE ENCRYPTED!! 
TO DECRYPT, FOLLOW THE INSTRUCTIONS: 
To recover data you need decrypt tool. 
To get the decrypt tool you should: 
1. In the letter include your personal ID! Send me this ID in your first email to me! 
2. We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files! 
3. After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! 
4. We can decrypt few files in quality the evidence that we have the decoder. 
Do not rename, do not use third-party software or the data will be permanently damaged 
CONTACT US: 
[email protected] 
If first email will not reply in 24 hours then contact with reserve address: 
[email protected] 
YOUR PERSONAL ID: xxxxxxxxx2xxx
In case of non-payment of the ransom, your data may be published in the public domain. 
Our page in telegram with data leaks: https://t.me/mallox_leaks

System ransomware often occurs in scenarios where there is critical data on the system, such as financial software like Kingdee or Yonyou running on it while remote ports are exposed. When the ports for these software applications are open to the internet, they get picked up by scanning tools. Whether you are using Huawei Cloud or Alibaba Cloud, you are likely to fall victim, especially during holiday periods, which tend to be peak seasons for attacks.

Here are some prevention strategies:
1. Backup: For important data, regular and frequent backups are the ultimate solution.
2. If the critical software in your system is only for internal use but requires remote access and open remote ports, it is recommended to use a whitelist policy so that only your company’s own IPs can gain access.

Of course, many may encounter situations where the company’s IP is not static. In that case, we need to use the IP whitelist interfaces provided by relevant cloud service providers to regularly push the local IP to the server’s security group.
Taking Alibaba Cloud as an example, you can refer to the following documents for the interface and debugging address:
https://www.alibabacloud.com/help/zh/elastic-compute-service/latest/authorizesecuritygroup
https://next.api.aliyun.com/api/Ecs/2014-05-26

Leave a Comment

Your email address will not be published.