Server encrypted by hacker.

ggadrian

Senior member
May 23, 2013
Yesterday the server of one institution was attacked by a hacker and all the files are encrypted (even the backups, because they were not doing off-site copies...) and the hacker is demanding some money to decrypt the data (I don't know how much).

I was wondering, is it possible to decrypt the files? Do they have to pay? Not that I care, it's not my server and not my money, but I was curious whether you might be able to solve that with some software and a couple of Xeons.

What do you think? Do you know a similar case? How did it end?


BTW, this is my first thread and I'd like to introduce myself: my name is Adrian and I usually live in Barcelona (Spain), although now I'm temporarily living in Oslo (Norway). I'm a mechanical engineering student, and I'm in charge of the IT of a small business (one server, 2 computers and 3 laptops). I'm also trying to learn web design and development as a hobby and I really like building computers.
 

Crusty

Lifer
Sep 30, 2001
Well I sure hope the police are involved for one thing. Without knowing what kind of encryption software the attacker used it will be hard to say what can be done.

Do you know if their server was running Linux or Windows?
 

MontyAC

Diamond Member
Feb 28, 2004
Definitely contact the police since this is a crime, extortion. Maybe they can capture the hacker and make him give the password.
 

lxskllr

No Lifer
Nov 30, 2004
Paying wouldn't be a bad option if you could guarantee the files would be decrypted. Write it off as a valuable security lesson. A forward thinking extortionist would be sure to decrypt the files as promised, but a casual glance at the world shows people don't think ahead.
 

ggadrian

Senior member
May 23, 2013
I don't know the specifics, because I'm not involved in the institution, nor do I know whether the server was running Windows or Linux, but as far as I know the police are involved.

I was just curious whether it is possible to decrypt AES-256 (I suppose that is the encryption used) using brute force.
 

lxskllr

No Lifer
Nov 30, 2004
You'd have to know what the encryption was, and anything reasonably strong would be difficult/impossible to break. Sometimes you get lucky though. I'd image the computers, and work on breaking it.
 

Vaux

Senior member
May 24, 2013
I don't know anything about decrypting, but paying them? Screw that. Hopefully the information isn't absolutely vital.
 

unokitty

Diamond Member
Jan 5, 2012
ggadrian,

While this type of attack is unusual, it is not unheard of. For example:

Ransom hackers encrypt medical centre's entire database


Attackers breach and encrypt TV station's email server

Russian hackers hold Gold Coast doctors to ransom

My perception is that the best defense in these situations is prevention and a good set of offline backups.

Would it be worth trying to decrypt the files? Depends on your expertise and what you think your time is worth...

You're from Barcelona?

One of my college professors showed us a film that he made about Gaudi's work that was made primarily in Barcelona.

Ever since then, I've wanted to see Park Güell, the uncompleted La Sagrada Familia Basilica, and Gaudi's other works in Barcelona.

Anyway,
Best of luck,
Uno
 

Vic Vega

Diamond Member
Sep 24, 2010
How much data are we talking here?

I work in enterprise storage and any significant amount of data takes quite a long time to encrypt.

Has anyone actually examined the data to see if it really is encrypted, or did this "hacker" just take over the server and isn't letting anyone in? If that is the case, the storage should be moved to another server and recovered.
 
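The check suggested above (look at the bytes before assuming they are encrypted) can be done with a byte-entropy measurement plus a magic-header check. The following is an added example, not code from anyone in this thread; the file samples are constructed inline (a repeated invoice line, a SHA-256 chain standing in for ciphertext, and a fake PDF that keeps its header), and the format table and the 7.5 bits-per-byte threshold are assumptions chosen for illustration. Its one caveat matters in practice: compressed formats (zip, gzip, PNG, most modern Office files) are also near-random, so a high-entropy verdict only means "encrypted or compressed"; the header check is what separates an intact compressed file from one a ransomware tool has overwritten.

```python
import hashlib
import math
from collections import Counter

# Magic bytes of a few common formats (real values). A file whose name claims
# one of these formats but lacks the header, and whose bytes are near-random,
# is the typical signature of ransomware output.
KNOWN_HEADERS = {
    "pdf": b"%PDF",
    "zip": b"PK\x03\x04",
    "png": b"\x89PNG\r\n\x1a\n",
    "gz": b"\x1f\x8b",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def header_matches(data: bytes, fmt: str) -> bool:
    """True if `data` starts with the magic bytes expected for format `fmt`."""
    magic = KNOWN_HEADERS.get(fmt)
    return magic is not None and data.startswith(magic)


def classify(data: bytes, expected_fmt: str = "", threshold: float = 7.5) -> str:
    """Rough triage verdict for one file's bytes.

    "intact-<fmt>"  header matches the format the file name claims
    "high-entropy"  no recognisable header and near-random bytes: encrypted,
                    or a compressed format not in KNOWN_HEADERS (caveat!)
    "plaintext"     low entropy, structure likely still readable
    """
    if expected_fmt and header_matches(data, expected_fmt):
        return f"intact-{expected_fmt}"
    if shannon_entropy(data) >= threshold:
        return "high-entropy"
    return "plaintext"


def constructed_random_bytes(n: int, seed: bytes = b"constructed ciphertext stand-in") -> bytes:
    """Deterministic near-uniform bytes (a SHA-256 chain) standing in for ciphertext.
    Constructed for this example; not the output of any real ransomware."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed samples (assumption: what the three files might look like on disk).
PLAINTEXT_SAMPLE = b"Invoice 2013-05-23; customer ACME SA; amount 1200 EUR; status unpaid\n" * 60
ENCRYPTED_SAMPLE = constructed_random_bytes(4096)                     # "report.pdf" after encryption
INTACT_PDF_SAMPLE = b"%PDF-1.4\n" + constructed_random_bytes(4096)    # real PDF: header + compressed streams


def triage_samples() -> dict:
    """Run the classifier over the constructed samples, keyed by the claimed file name."""
    return {
        "report.txt": classify(PLAINTEXT_SAMPLE),
        "report.pdf": classify(ENCRYPTED_SAMPLE, "pdf"),
        "scan.pdf": classify(INTACT_PDF_SAMPLE, "pdf"),
    }


if __name__ == "__main__":
    for name, verdict in triage_samples().items():
        print(f"{name}: {verdict}  ({shannon_entropy(globals()[name.replace('.', '_').upper() + '_SAMPLE'] if False else 0):.2f})" if False else f"{name}: {verdict}")
```

On a real server, run `classify` over a sample of files with their extension as `expected_fmt`, working from a forensic image rather than the live disk. If most "high-entropy" verdicts land on files whose headers are gone, the data really was encrypted; if the headers are intact and only access is blocked, the "move the storage to another server" route above is the right one.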

SecurityTheatre

Senior member
Aug 14, 2011
You won't have any luck decrypting AES-256, unless it's using an extremely trivial cipher, which I seriously doubt.

Best bet is to rebuild from scratch.... or pay up and see what happens, but I suspect that might not have any result.
 

PrincessFrosty

Platinum Member
Feb 13, 2008
www.frostyhacks.blogspot.com
Are you sure this is a targeted attack and not a virus? There have been viruses released in the past that do this and automate the demand for file decryption.

If you can determine if it's from a virus then the authorities might be able to help you, several of the virus writers for these kind of attacks have been busted despite the virus still propagating.

If it's an actual targeted attack by a hacker then you're probably stuffed, if they're smart enough to beat the security and encrypt everything silently then they're going to be smart enough to use a long and random password for the encryption which would make brute forcing it impossible.

My advice, contact the authorities.

If for whatever reason you don't want to pay and you don't want to go to the authorities, your only other option is to look at data recovery from any old backups, even if they've been wiped. For example, if you have some backup media that stored backups and was deleted but not re-written to, then data recovery there might get you some data back. It won't be possible on any drive that's been encrypted, though.
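The brute-force question raised earlier in the thread (can AES-256 be brute-forced with a couple of Xeons?) and the point just above (a long random password makes brute forcing impossible, a short one does not) come down to one calculation: key-space size against guess rate. The block below is an added example, not code from anyone in this thread. The guess rate of 10^12 keys per second is a constructed, deliberately generous assumption, the ten-year "budget" is arbitrary, and the password policies are illustrative; the PBKDF2 iteration count is there only to show how a slow key-derivation function shifts the numbers when the key is derived from a password rather than generated at random.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed assumption: an attacker testing 10^12 candidate keys per second.
# Real AES key-testing rates on commodity hardware are far lower, so every
# estimate below is optimistic for the attacker.
GUESSES_PER_SECOND = 1e12


def password_bits(length: int, charset_size: int) -> float:
    """Key-space size in bits for a uniformly random password of `length` symbols
    drawn from `charset_size` possibilities (log2 of charset_size ** length)."""
    return length * math.log2(charset_size)


def expected_years(bits: float, rate: float = GUESSES_PER_SECOND, kdf_cost_bits: float = 0.0) -> float:
    """Expected time to hit the right key: half the key space divided by the guess rate.

    `kdf_cost_bits` models a slow key-derivation function: if each password guess
    costs 2**k hash iterations, the attacker's effective rate drops by 2**k.
    A key generated at random (not from a password) has kdf_cost_bits = 0 and
    bits = the full key length."""
    effective_rate = rate / (2.0 ** kdf_cost_bits)
    return (2.0 ** bits) / 2.0 / effective_rate / SECONDS_PER_YEAR


def feasible(bits: float, rate: float = GUESSES_PER_SECOND,
             kdf_cost_bits: float = 0.0, budget_years: float = 10.0) -> bool:
    """True if the expected search finishes within `budget_years` (arbitrary cut-off)."""
    return expected_years(bits, rate, kdf_cost_bits) <= budget_years


def scenarios() -> dict:
    """Expected years to brute-force a few illustrative key sources."""
    return {
        "random 256-bit AES key": expected_years(256),
        "8 lowercase letters": expected_years(password_bits(8, 26)),
        "12 printable ASCII (95)": expected_years(password_bits(12, 95)),
        "12 printable ASCII + PBKDF2 2^17 iterations": expected_years(password_bits(12, 95), kdf_cost_bits=17),
        "20 printable ASCII (95)": expected_years(password_bits(20, 95)),
    }


if __name__ == "__main__":
    for label, years in scenarios().items():
        print(f"{label:45s} {years:12.3e} years  feasible in 10y: {years <= 10.0}")
```

The two ends of the table are the whole story: a random 256-bit key takes on the order of 10^57 years even at the absurd rate assumed here, while an 8-letter lowercase password falls in a fraction of a second. So the only brute-force case worth anyone's Xeons is where the key was derived from a short, human-chosen password, and even that collapses once a slow KDF or a longer password is involved.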