[CRTech] Christian Radio Tech [MSG 79863]
Re: Radio automation computer got hacked
To: CRTech <crtech@crtech.org>
Subject: Re: Radio automation computer got hacked
From: Sherrod Munday <smunday@ieee.org>
Date: Wed, 17 May 2017 15:31:12 -0400
In-reply-to: <017901d2cf31$94202f10$bc608d30$@cox.net>
References: <007b01d2cd2b$befd8820$3cf89860$@cox.net> <LuJy1v00J4xsDPQ01uJz1g> <017901d2cf31$94202f10$bc608d30$@cox.net>
On May 17, 2017, at 13:18, Don Prentice <dprp1@cox.net> wrote:
> I am looking for a virus remover software to run on everything to make sure they are clean before starting over---I do have to use backup data drives that were off site but still want to check before using anything.

Sorry to hear of your woes.  That's a real bummer and sleep-depriver.

And a wake-up call for the rest of us.


You should look at https://www.bleepingcomputer.com/forums/t/643544/ransomware-decryption-xorist/ for some ideas.  From the description it sounds like you might be dealing with Xorist or some other older ransomware program, not the current WannaCrypt hot-button ransomware that's currently in the news.

If so, you should take a look at the URL above -- there is a decryption tool available to reverse-engineer the private key required to unlock the content.

Go to a clean computer and do some investigation as to the specific version of ransomware you have and then look for a decrypt program.  Even if it's not Xorist, many ransomwares have decryption tools available.


> I will have to start over with new hard drives and reinstall EVERYTHING!!

That may be the final remedy... but some otherwise irreplaceable material may be salvageable if it's one of the types that's been reversed.  See above.


> I think they found my IP and got through my router or something.

There are many attack vectors.  The current WannaCrypt ransomware that's running around is notable because it contained a bona-fide "worm" mechanism to recreate itself and spread across any and all networks to infect any other vulnerable machine.  So it's entirely possible the outbreak started on another machine on a private LAN and found its way to the on-air machines too.

Many older/other ransomwares have not been worm-ified, if I can use that term.  :-)  Once you've identified the exact strain of ransomware that you're facing, then you will have more information as to how it propagates and launches its payload.


If you have no email client on this computer, was it possible that someone opened a browser to their personal email service (e.g. gmail.com or similar)?  We've had to deal with this at my employer in the past.  That problem mostly went away when we gave the operators a separate [easily-accessible] machine that's meant for general-purpose browsing.


It could have also come in through browsing to an infected website and allowing local execution of a script, or an exploit of an unpatched vulnerability in either the browser or the OS.  

This is possible all the more on a computer that's not supposed to be used and is normally left "un-updated" because it's supposed to be isolated and/or single-purpose for on-air automation.  Such computers may have some very widely-known vulnerabilities that could be easily triggered by going to an illicit or infected website.

One more option is through someone plugging in an infected USB "key" or flash drive from home.  You'd have to ask around to find out what happened.  While it might be a bit confrontational to ask *all* the staff what they may have done on any computer, it's critical that you find out everything you can as to what happened and what caused/triggered/allowed the outbreak to start so that everyone can learn from this process.  

Beware that there may be a fair amount of guilt and shame associated with the incident, so tread carefully.


> I am operating the station through a Barix to stay isolated from the studio drives!

Interesting and good idea to stay isolated.  I'll admit it's different than what I've heard before, but it should be effective if it allows the on-air computer to be only connected via power and audio cables without any network cables to/from it.


> I emailed “them” right away but never got a response on how much or anything!

Don't hold your breath waiting.

The general advice is to not negotiate with terrorists, which in this case means don't try to pay the ransom.  It's possible (or even very probable) that they'll happily take your money and give you no key -- after all, why should they?  Do you trust a criminal to do the "good deed" he "promises" to do after he's just attacked your system?

Unfortunately, that means you're basically up to your own resources to resolve the issue without expecting any "help" from a criminal.


> Let me know of a small virus software to strip the ransom virus before I use any drives.

Manually cleaning each system might be required, or you could use a variety of programs.  Some are free (from the Community) and some are paid.  If you pay, go to the reputable folks and don't fall for the unknown "cheap, quick and easy!" options that most likely have more spyware/malware built in.  Sad, but true.

Best of luck getting the mess cleaned up.
—
Sherrod Munday
<smunday@ieee.org>
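An added triage example, not part of the thread above and not written by any of its participants: a small Python script that inventories a recovered drive the way the reply suggests (identify the strain on a clean machine before choosing a decryptor, and check drives before reusing anything). It assumes nothing about any particular ransomware family; the `.locked` extension, the note-name fragments and the sample files it builds in a temporary directory are constructed placeholders for the example.

```python
import math
import os
import tempfile
from collections import Counter

# Name fragments that often mark a ransom note. Constructed list for this
# example; it is not tied to Xorist or any other specific family.
NOTE_NAME_HINTS = ("decrypt", "how_to", "restore", "recover", "ransom")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0) over the given sample."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def triage_drive(root: str, sample_bytes: int = 4096, entropy_threshold: float = 7.5) -> dict:
    """Walk a mounted (ideally read-only) drive and summarise what was left behind.

    Returns a dict with:
      extensions   - Counter of file extensions, so a flood of one unfamiliar
                     extension stands out immediately
      ransom_notes - paths whose names look like a ransom note (the note text
                     is what you carry to a clean machine to identify the strain)
      high_entropy - paths whose first bytes look encrypted/random
    """
    extensions = Counter()
    ransom_notes = []
    high_entropy = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            extensions[os.path.splitext(name)[1].lower()] += 1
            if any(hint in name.lower() for hint in NOTE_NAME_HINTS):
                ransom_notes.append(path)
                continue
            with open(path, "rb") as fh:
                sample = fh.read(sample_bytes)
            # Very short files give unreliable entropy estimates; skip them.
            if len(sample) >= 256 and shannon_entropy(sample) >= entropy_threshold:
                high_entropy.append(path)
    return {"extensions": extensions, "ransom_notes": ransom_notes, "high_entropy": high_entropy}


def build_sample_tree() -> str:
    """Create a constructed stand-in for a hit automation drive in a temp dir."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    os.makedirs(os.path.join(root, "audio"))
    # Untouched text file: low entropy.
    with open(os.path.join(root, "playlist.txt"), "wb") as fh:
        fh.write(b"song one\nsong two\n" * 50)
    # Two "encrypted" files: every byte value equally often (entropy exactly 8.0),
    # a deterministic stand-in for ciphertext.
    for name in ("intro.wav.locked", "news.mp3.locked"):
        with open(os.path.join(root, "audio", name), "wb") as fh:
            fh.write(bytes(range(256)) * 16)
    # A constructed ransom note.
    with open(os.path.join(root, "HOW_TO_DECRYPT.txt"), "w") as fh:
        fh.write("Constructed ransom note for the example.\n")
    return root


if __name__ == "__main__":
    result = triage_drive(build_sample_tree())
    print("extensions:", result["extensions"].most_common(3))
    print("notes:", result["ransom_notes"])
    print("likely encrypted:", result["high_entropy"])
```

Two caveats when running this against a real automation drive: compressed audio (MP3, AAC) already has near-maximal entropy, so on a station machine the extension count and the ransom note are the useful signals and the entropy flag mostly confirms that a file is no longer a parseable WAV or playlist; and the drive should be mounted read-only on the clean machine, since the walk only reads files and must stay that way.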

References: Radio automation computer got hacked
("Don Prentice" <dprp1@cox.net>, 15 May 2017 03:31:37 -0000)
RE: Radio automation computer got hacked
("Don Prentice" <dprp1@cox.net>, 17 May 2017 17:18:28 -0000)