[CRTech] Christian Radio Tech [MSG 79869]
RE: Radio automation computer got hacked
To: "'CRTech'" <crtech@crtech.org>
Subject: RE: Radio automation computer got hacked
From: "Don Prentice" <dprp1@cox.net>
Date: Wed, 17 May 2017 16:02:16 -0700
Wow, thanks for the response and ideas!  Yes, I hope if any good comes, we
ALL learn/think how to protect ourselves!

(See next email for next ideas on loading Meta data.)

Thanks,
Don


-----Original Message-----
From: Sherrod Munday [mailto:smunday@ieee.org] 
Sent: Wednesday, May 17, 2017 12:31 PM
To: CRTech <crtech@crtech.org>
Subject: Re: [CRTech] Radio automation computer got hacked

On May 17, 2017, at 13:18, Don Prentice <dprp1@cox.net> wrote:
> I am looking for a virus remover software to run on everything to make
> sure they are clean before starting over---I do have to use backup data
> drives that were off site but still want to check before using anything.

Sorry to hear of your woes.  That's a real bummer and sleep-depriver.

And a wake-up call for the rest of us.


You should look at
https://www.bleepingcomputer.com/forums/t/643544/ransomware-decryption-xorist/
for some ideas.  From the description it sounds like you might be dealing
with Xorist or some other older ransomware program, not the current
WannaCrypt hot-button ransomware that's currently in the news.

If so, you should take a look at the URL above -- there is a decryption tool
available to reverse-engineer the private key required to unlock the
content.

Go to a clean computer and do some investigation as to the specific version
of ransomware you have and then look for a decrypt program.  Even if it's
not Xorist, many ransomwares have decryption tools available.


> I will have to start over with new hard drives and reinstall EVERYTHING!!

That may be the final remedy... but some otherwise irreplaceable material
may be salvageable if it's one of the types that's been reversed.  See
above.


> I think they found my IP and got through my router or something.

There are many attack vectors.  The current WannaCrypt ransomware that's
running around is notable because it contained a bona-fide "worm" mechanism
to recreate itself and spread across any and all networks to infect any
other vulnerable machine.  So it's entirely possible the outbreak started on
another machine on a private LAN and found its way to the on-air machines
too.

Many older/other ransomwares have not been worm-ified, if I can use that
term.  :-)  Once you've identified the exact strain of ransomware that
you're facing, then you will have more information as to how it propagates
and launches its payload.


If you have no email client on this computer, was it possible that someone
opened a browser to their personal email service (e.g. gmail.com or
similar)?  We've had to deal with this at my employer in the past.  That
problem mostly went away when we gave the operators a separate
[easily-accessible] machine that's meant for general-purpose browsing.


It could have also come in through browsing to an infected website and
allowing local execution of a script, or an exploit of an unpatched
vulnerability in either the browser or the OS.  

This is possible all the more on a computer that's not supposed to be used
and is normally left "un-updated" because it's supposed to be isolated
and/or single-purpose for on-air automation.  Such computers may have some
very widely-known vulnerabilities that could be easily triggered by going to
an illicit or infected website.

One more option is through someone plugging in an infected USB "key" or
flash drive from home.  You'd have to ask around to find out what happened.
While it might be a bit confrontational to ask *all* the staff what they may
have done on any computer, it's critical that you find out everything you
can as to what happened and what caused/triggered/allowed the outbreak to
start so that everyone can learn from this process.  

Beware that there may be a fair amount of guilt and shame associated with
the incident, so tread carefully.


> I am operating the station through a Barix to stay isolated from the
> studio drives!

Interesting and good idea to stay isolated.  I'll admit it's different than
what I've heard before, but it should be effective if it allows the on-air
computer to be only connected via power and audio cables without any network
cables to/from it.


> I emailed "them" right away but never got a response on how much or
> anything!

Don't hold your breath waiting.

The general advice is to not negotiate with terrorists, which in this case
means don't try to pay the ransom.  It's possible (or even very probable)
that they'll happily take your money and give you no key -- after all, why
should they?  Do you trust a criminal to do the "good deed" he "promises" to
do after he's just attacked your system?

Unfortunately, that means you're basically up to your own resources to
resolve the issue without expecting any "help" from a criminal.


> Let me know of a small virus software to strip the ransom virus before I
> use any drives.

Manually cleaning each system might be required, or you could use a variety
of programs.  Some are free (from the Community) and some are paid.  If you
pay, go to the reputable folks and don't fall for the unknown "cheap, quick
and easy!" options that most likely have more spyware/malware built in.
Sad, but true.

Best of luck getting the mess cleaned up.
—
Sherrod Munday
<smunday@ieee.org>


