Any ideas how could I’ve been ransomware hacked?

A couple of days ago our clients reported our Solarwinds website was down. So I connected to check through remote desktop and there it was, a fullscreen html-like interface where you could only use the mouse to type using the interface buttons.

[Screenshot: fullscreen HTML-like interface]

Our team's first action was to isolate the cluster from the network and then locally connect to each member on site to see if all got hijacked. To our surprise, all servers from the cluster of 4 were compromised.

I started making tests on our Web and DB server, while my teammates were formatting the least important members of the cluster like the poller servers which hold close to none critical data for the operation.

I was able to get all our data back from the DB and Web server by booting from a Fedora live CD/USB and accessing Windows' filesystem (of course it was not encrypted as they claimed), then went into the System32 folder and found their script, then changed its main folder name so it would crash (I decided to only change the name in order to later on try to analyze it and gather some information from it).

I have spent a couple of hours looking at it, but most of the code was compiled into an .exe (they also used some .bat and .ps1 scripts, so those I have already seen). I opened the .exe as plain text and found what seem to be Python comments from libraries and some other text (including the html-like interface message). I think the code is written in Cython and the .c file produced by the Cython setup file was then compiled, but I am not sure if I'm right or if there is a possible way to decompile it and get as much code as possible.

Another thing that I don't know if it is possible is to see how they could possibly have got into the server, like which protocol. I have some dates where they created tasks in the Windows task scheduler, and I also checked the event viewer logons but couldn't understand it since there are a lot of logons. I am not very skilled with Windows and my programming skills are medium level; maybe you know of other stuff I can check in the server that could provide valuable information. If you need me to attach the .zip containing most of what the hacker put into our server let me know, because I need to include some instructions so you don't infect yourself. Btw, we have Windows Server 2016.

UPDATE 1: First off, thank you guys for the help and recommendations. I work in a very unorganized company; these servers didn't even have Windows Firewall enabled. The company does not have any kind of insurance, procedure or policy for what to do or how to act in this kind of situation, probably because they had been lucky enough that it hadn't happened before.

The guys up in the organization chart panicked; the first instruction was to say nothing about what really happened and, if questions are asked, to answer as obscurely as possible.

Of course my boss's first reaction was to tell us we need to restore the service ASAP. So while I was working trying to find and break the hacker's ransom script in the web and db servers, 2 engineers were formatting the first 2 poller servers. When I found the solution it was already too late; the data on 2 servers was already lost. I convinced my boss to leave the web server just as it was, so I could check all the available logs, the code and anything else I could find.

Now that I've extensively reviewed all the logs in the web server (it took me 2 days) and the readable pieces of the script (non-compiled code), I realized that the one server I took home was not the entry point of the hacker. I can only see sessions from other members of the cluster which were previously compromised, so I was not able to determine how the hacker got into the server in the first place or which server was compromised first. I was able to make the assumption that he gained access through some file transfer protocol, since I later found the PsExec application installed manually by the hacker.

Also, I didn't think to get a copy of the volume before formatting; next time I will keep this in mind in order to preserve all the evidence.
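The OP's difficulty was that the Security log has too many logons to read by hand. As an added example (not from the original post or any answer), this PowerShell triage script correlates the scheduled tasks registered in a time window with the 4624 logon events around each task's creation time, keeping only network (type 3, the PsExec/SMB style) and RDP (type 10) sessions. It assumes it is run elevated on the affected Windows Server 2016 host, and the window defaults are placeholders to be replaced with the task dates the OP found.

```powershell
# Added example: correlate scheduled-task creation with nearby logon events.
# Assumptions: elevated session on the affected host; $Start/$End are
# placeholders for the task-creation dates noted during the incident.
param(
    [datetime]$Start = (Get-Date).AddDays(-7),   # placeholder window start
    [datetime]$End   = (Get-Date),               # placeholder window end
    [int]$Slack      = 30                        # minutes around each task
)

# 1. Tasks whose RegistrationInfo/Date (registration time) is in the window.
$tasks = Get-ScheduledTask | ForEach-Object {
    $xml = [xml](Export-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath)
    $reg = $xml.Task.RegistrationInfo
    [pscustomobject]@{
        Task    = "$($_.TaskPath)$($_.TaskName)"
        Created = if ($reg.Date) { [datetime]$reg.Date } else { $null }
        Author  = $reg.Author
        Action  = ($xml.Task.Actions.Exec |
                   ForEach-Object { "$($_.Command) $($_.Arguments)" }) -join '; '
    }
} | Where-Object { $_.Created -and $_.Created -ge $Start -and $_.Created -le $End }

$tasks | Format-Table -AutoSize

# 2. For each such task, 4624 logons within +/- $Slack minutes.
#    LogonType 3 = network (SMB/PsExec), 10 = RemoteInteractive (RDP);
#    other types (service, unlock, etc.) are the noise the OP ran into.
foreach ($t in $tasks) {
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = $t.Created.AddMinutes(-$Slack)
        EndTime   = $t.Created.AddMinutes($Slack)
    } -ErrorAction SilentlyContinue

    $events | ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data |
            ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Task      = $t.Task
            Time      = $_.TimeCreated
            LogonType = $d.LogonType
            User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
            SourceIP  = $d.IpAddress
            Process   = $d.ProcessName
        }
    } | Where-Object { $_.LogonType -in '3', '10' } |
        Sort-Object Time | Format-Table -AutoSize
}
```

A source address that appears in the type 3 logons just before a task was registered is the lateral-movement hop to chase on the neighbouring cluster member; on the first-compromised host it points at the entry path instead.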

You’ve broken a cardinal rule of dealing with a security/system breach: Preserve evidence.

You’ve likely destroyed or at the least severely hindered your ability to determine what happened and how by reformatting servers and restoring data. Not only that, but if you had planned on submitting a claim to your insurance company for any losses incurred you’ve likely jeopardized that as well. Additionally, if you had planned to notify law enforcement you’ve seriously impeded their ability to perform an investigation.

Here’s my suggestion to you if this should happen again:

  1. Disconnect from the internet.

  2. Disconnect all systems from the internal network.

  3. Contact your business insurance company, explain the situation, and ask for their guidance. If they’re a large insurer they likely have specific protocols and steps that they’ll need you to follow, and if you’re lucky they’ll have a dedicated team to help you deal with this.

  4. Do everything the insurance company tells you to do, exactly as they tell you to do it, in the order they tell you to do it in.

  5. Do not take any actions beyond what your insurance company or law enforcement instruct you to take.

What Joe is saying is very sound, but I would also wonder why the need to boot up into a Linux USB stick. Last time one of our customers (a health institution) was hit by a ransomware attack, we could clone the affected volumes for forensic analysis and restore from a snapshot in less than 30 minutes.

Get a good backup and snapshot plan (they are not the same!) and a good quick recovery plan. Ransomware becomes useless when you can restore in 30 minutes and have someone look at how you got infected to prevent it.

As for your question, there are many decompilers, but honestly, this seems to be just a basic startup script trying to scare people off to pay up.

EDIT: I can’t add a response below as I don’t have 50 reputation on the site (I’ve mainly been a lurker for years). But I want to answer OP’s follow-up question:

We are talking about different ways of deploying servers. Basically the old "pets vs cattle" argument. It may sound rough, but in my opinion a deployment where any problem in your server's local drive causes data unavailability/data loss is a flawed deployment.

There are dozens of different technologies to answer this problem, but I understand that in small companies it's hard to make a push to make the production servers more resilient to attacks or even hardware failures. If anything, this could be a blessing in disguise that could be used to push for proper storage with either FC/iSCSI and proper backups/syncrep and so on!

Competent ransomware does not destroy the host operating system immediately. Keeping the host functional enables showing you the ransom screen while continuing to exfiltrate or encrypt valuable data.

Identifying the initial access requires a very broad search, especially as the attacker may have moved laterally between systems. Who logs into these hosts, and did they run software of questionable origin? How are software updates verified to be authentic? What known vulnerabilities exist that have not been patched yet? See MITRE ATT&CK Initial Access to get a general idea.

Scan the malware to get an idea of what it could be. VirusTotal covers many detection engines, and sharing a link to VT results is safer.

Full forensic investigation, reverse engineering the malware, and installing mitigations like allow listing are all involved projects. Hire a security person to study your environment and give specific advice.
