I’ve told this story in person often enough, I might as well post a version of it with actually accurate information. I don’t really have a LinkedIn at the moment. So, I’m going to share it here in case anyone who might be wanting to hire me does some OSINT. While I’m prouder of when I literally smelled a small problem before it became a BIG one, this one might impress a hiring agent more.
A few years back I received a call from one of my clients. They told me something was wrong, and they wanted me to remote in and check it out. I grilled them for more details, but they were suspiciously vague. I remote in and it’s a big ransomware screen. It had been there for a week before they called.
“We have ur files. huehuehue. Gif monies”. You know...
I think I sat there for about an hour just staring at the screen. I may have almost teared up. This law firm was borked. A stupid fake FedEx invoice with a hidden .js extension was going to shut them down.
Eventually, I snapped out of it. I had to at least try. I’ve exterminated a lot of malware over the years. None quite on this level of totality, but I was certainly the right tech for the job.
First off, I had to identify just what the hell I was dealing with, and I needed to see just how bad things were. The Windows 7 boxes still ran, and Server 2012 was still chugging along. The damage was limited to the documents. I had briefly hoped that a security through obscurity situation would have shielded the special legal database. Nope, it was assimilated along with every document.
OK, so it’s bad. However, the machines are running and doing what I want them to. So I’ve got some control of the situation. I grabbed some of the encrypted files and I figured out the exact type of ransomware through a web-based solution. It was encrypted with the Nemucod ransomware. It also looked like it had some flaws within it at the time, and I might be able to decrypt it.
Before I go on, I’d like to stress that BleepingComputer.com provided invaluable information during the incident. They had the guides and software. I do believe this saved a lot of time vs me learning how to decrypt it on my own.
Learn more about Nemucod and how to clean up after it: HERE. That link sure did help me. I spun up a Windows 7 VM to grab the needed files to decrypt, and it all went smoothly.
The day was saved and all was well. However, I wanted to make sure that this wouldn’t happen again. That goofy malware was trying to get into the admin accounts and it racked up around 30k in login attempts. It kept using a default domain name, though, and never actually tried to log into the real account. It had more than enough time to brute force the login. Luck was with the firm.
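The 30k of failed admin logins against a domain name that did not even exist is exactly the kind of thing that should have been noticed during the week the screen sat there. As an added example (this is not the author's tooling, and the event fields, the placeholder domain names and the sample data are all constructed here), this PowerShell summarises failed-logon records (Security log Event ID 4625) by the domain and account the attacker supplied, so a burst of attempts against an unknown domain stands out from ordinary typos. It assumes a Windows box with a Security log readable from an elevated prompt; the constructed sample lets it run without one.

```powershell
# Added example (not the author's tooling). Field names follow the 4625 event schema.

function ConvertFrom-FailedLogonEvent {
    # Pull the interesting EventData fields out of one 4625 record.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time   = $Record.TimeCreated
        Domain = $data['TargetDomainName']
        User   = $data['TargetUserName']
        Source = $data['IpAddress']
        Status = $data['Status']
    }
}

function Get-FailedLogons {
    # Read 4625 records from the local Security log (needs an elevated prompt).
    param([int]$MaxEvents = 50000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents $MaxEvents |
        ForEach-Object { ConvertFrom-FailedLogonEvent $_ }
}

function Group-FailedLogons {
    # Count attempts per (domain, user) pair and flag domains this environment does not know.
    param([object[]]$Events, [string[]]$KnownDomains)
    $Events | Group-Object Domain, User | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Domain   = $first.Domain
            User     = $first.User
            Attempts = $_.Count
            Unknown  = ($KnownDomains -notcontains $first.Domain)
        }
    } | Sort-Object Attempts -Descending
}

# Constructed sample in place of a live Security log: 30,000 attempts against
# 'administrator' using a placeholder default domain name, plus a few ordinary
# mistyped passwords by a real user on the (placeholder) real domain.
$known  = @('EXAMPLE-FIRM', $env:COMPUTERNAME)
$sample = @()
$sample += 1..30000 | ForEach-Object {
    [pscustomobject]@{ Time = (Get-Date).AddMinutes(-$_); Domain = 'DEFAULT-DOMAIN';
                       User = 'administrator'; Source = '192.0.2.10'; Status = '0xC000006D' }
}
$sample += 1..3 | ForEach-Object {
    [pscustomobject]@{ Time = Get-Date; Domain = 'EXAMPLE-FIRM';
                       User = 'jdoe'; Source = '-'; Status = '0xC000006A' }
}

Group-FailedLogons -Events $sample -KnownDomains $known | Format-Table -AutoSize

# Against the real log instead:
# Group-FailedLogons -Events (Get-FailedLogons) -KnownDomains $known | Format-Table -AutoSize
```

The top row of the table is the 30,000-attempt line with Unknown set to True; that single line, scheduled to run daily or fed into whatever alerting the firm has, would have surfaced the intrusion long before the ransom screen did. Status 0xC000006D is the generic "bad user name or password" failure and 0xC000006A is "wrong password for a valid account", which is how you tell guessing at nonexistent names apart from guessing at real ones.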
While I imagined they would not open any attachments in the future, I like to do a thorough job. I set up their computers so all .js and .wst files would open in Notepad. If you’d like to know how, I recommend checking this LINK out. It worked out great, and I heard no complaints.
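One way to do that re-association from an elevated PowerShell prompt, as an added example rather than the procedure behind the author's link: the script below rewrites the Shell\Open\Command of the script-file ProgIDs under HKLM:\SOFTWARE\Classes so that a double-click launches Notepad instead of the Windows Script Host. It covers the page's .js plus, as an extension beyond the page, the other WSH-executed types (.jse, .vbs, .vbe, .wsf); the page's ".wst" is assumed here to mean the Windows Script File extension .wsf. It backs up the original commands before touching them.

```powershell
# Added example (not the author's script). Run from an elevated prompt.
# Extension -> ProgID as registered under HKLM:\SOFTWARE\Classes on Windows 7 / Server 2012.
$handlers = @{
    '.js'  = 'JSFile'    # named on the page
    '.jse' = 'JSEFile'   # added: encoded JScript
    '.vbs' = 'VBSFile'   # added: VBScript
    '.vbe' = 'VBEFile'   # added: encoded VBScript
    '.wsf' = 'WSFFile'   # added: Windows Script File (the page's ".wst" is assumed to mean this)
}
$notepad = '"%SystemRoot%\System32\notepad.exe" "%1"'
$backup  = Join-Path $env:ProgramData 'script-handler-backup.txt'

function Get-ScriptHandler {
    # Show what currently runs when each script type is opened from Explorer.
    foreach ($ext in $handlers.Keys) {
        $cmdKey = "HKLM:\SOFTWARE\Classes\$($handlers[$ext])\Shell\Open\Command"
        $cmd = if (Test-Path $cmdKey) { (Get-ItemProperty -Path $cmdKey).'(default)' } else { '<not registered>' }
        [pscustomobject]@{ Extension = $ext; ProgId = $handlers[$ext]; Command = $cmd }
    }
}

function Set-ScriptHandlerToNotepad {
    # Point each ProgID's open command at Notepad, recording the old value first.
    foreach ($ext in $handlers.Keys) {
        $progId = $handlers[$ext]
        $cmdKey = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
        if (-not (Test-Path $cmdKey)) { Write-Warning "$progId is not registered; skipping $ext"; continue }
        $current = (Get-ItemProperty -Path $cmdKey).'(default)'
        Add-Content -Path $backup -Value ("{0}`t{1}" -f $progId, $current)
        Set-ItemProperty -Path $cmdKey -Name '(default)' -Value $notepad
        Write-Host "$ext ($progId): $current -> $notepad"
    }
}

Get-ScriptHandler | Format-Table -AutoSize   # before
Set-ScriptHandlerToNotepad
Get-ScriptHandler | Format-Table -AutoSize   # after: every Command should be the Notepad line
```

Two caveats worth knowing before relying on it. First, this only changes what Explorer (and so an e-mail client's "open attachment") does with the file; anything that invokes wscript.exe or cscript.exe explicitly still runs the script, so treat it as one layer next to mail filtering and backups, not a replacement. Second, a per-user choice under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\<ext>\UserChoice can point an extension at a different ProgID; check that key if Get-ScriptHandler reports Notepad but a double-click still executes. The backup file under ProgramData holds the original commands if you ever need to restore them.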
Thank you for reading. Check out my REAL early posts to learn more of my background.