[CRTech] Christian Radio Tech [MSG 79894]
[Thread Prev] [-- Thread Index --] [Thread Next] [Date Prev] [-- Date Index --] [Date Next]
RE: Radio automation computer got hacked
To: CRTech <crtech@crtech.org>
Subject: RE: Radio automation computer got hacked
From: Jesse Diller <jdiller@weec.org>
Date: Fri, 19 May 2017 15:07:02 +0000
Accept-language: en-US
Content-language: en-US
In-reply-to: <01fb01d2cf61$a131d2a0$e39577e0$@cox.net>
References: <007b01d2cd2b$befd8820$3cf89860$@cox.net> <LuJy1v00J4xsDPQ01uJz1g> <017901d2cf31$94202f10$bc608d30$@cox.net> <MXXb1v02m4xsDPQ01XXciS> <01fb01d2cf61$a131d2a0$e39577e0$@cox.net>
Thread-index: AdLNKxBv6Gx2OXVzRIeEyj4AXIvEhwFCoOseAp9fTpcCvhH5jKNFMSAgo3MkyaA=
Thread-topic: [CRTech] Radio automation computer got hacked
Also, see: https://arstechnica.com/security/2017/05/windows-xp-pcs-infected-by-wcry-can-be-decrypted-without-paying-ransom/

- Jesse Diller

IT Director, Strong Tower Christian Media
WEEC 100.7FM / WFCJ 93.7FM

-----Original Message-----
From: Don Prentice [mailto:dprp1@cox.net] 
Sent: Wednesday, May 17, 2017 7:02 PM
To: 'CRTech'
Subject: RE: [CRTech] Radio automation computer got hacked

Wow,  Thank for the response and ideas!  Yes, I hope if any good comes, we ALL learn/think how to protect ourselves!

(See next email for next ideas on loading Meta data.)


-----Original Message-----
From: Sherrod Munday [mailto:smunday@ieee.org]
Sent: Wednesday, May 17, 2017 12:31 PM
To: CRTech <crtech@crtech.org>
Subject: Re: [CRTech] Radio automation computer got hacked

On May 17, 2017, at 13:18, Don Prentice <dprp1@cox.net> wrote:
> I am looking for a virus remover software to run on everything to make
sure they are clean before starting over---I do have to use backup data drives that were off site but still want to check before using anything.

Sorry to hear of your woes.  That's a real bummer and sleep-depriver.

And a wake-up call for the rest of us.

You should look at
t/ for some ideas.  From the description it sounds like you might be dealing with Xorist or some other older ransomware program, not the current WannaCrypt hot-button ransomware that's currently in the news.

If so, you should take a look at the URL above -- there is a decryption tool available to reverse-engineer the private key required to unlock the content.

Go to a clean computer and do some investigation as to the specific version of ransom ware you have and then look for a decrypt program.  Even if it's not Xorist, many ransomwares have decryption tools available.

> I will have to start over with new hard drives and reinstall EVERYTHING!!

That may be the final remedy... but some otherwise irreplaceable material may be salvageable if it's one of the types that's been reversed.  See above.

> I think they found my IP and got through my router or something.

There are many attack vectors.  The current WannaCrypt ransomware that's running around is notable because it contained a bona-fide "worm" mechanism to recreate itself and spread across any and all networks to infect any other vulnerable machine.  So it's entirely possible the outbreak started on another machine on a private LAN and found its way to the on-air machines too.

Many older/other ransomwares have not been worm-ified, if I can use that term.  :-)  Once you've identified the exact strain of ransomware that you're facing, then you will have more information as to how it propagates and launches its payload.

If you have no email client on this computer, was it possible that someone opened a browser to their personal email service (e.g. gmail.com or similar)?  We've had to deal with this at my employer in the past.  That problem mostly went away when we gave the operators a separate [easily-accessible] machine that's meant for general-purpose browsing.

It could have also come in through browsing to an infected website and allowing local execution of a script, or an exploit of an unpatched vulnerability in either the browser or the OS.  

This is possible all the more on a computer that's not supposed to be used and is normally left "un-updated" because it's supposed to be isolated and/or single-purpose for on-air automation.  Such computers may have some very widely-known vulnerabilities that could be easily triggered by going to an illicit or infected website.

One more option is through someone plugging in an infected USB "key" or flash drive from home.  You'd have to ask around to find out what happened.
While it might be a bit confrontational to ask *all* the staff what they may have done on any computer, it's critical that you find out everything you can as to what happened and what caused/triggered/allowed the outbreak to start so that everyone can learn from this process.  

Beware that there may be a fair amount of guilt and shame associated with the incident, so tread carefully.

> I am operating the station through a Barix to stay isolated from the
studio drives!

Interesting and good idea to stay isolated.  I'll admit it's different than what I've heard before, but it should be effective if it allows the on-air computer to be only connected via power and audio cables without any network cables to/from it.

> I emailed "them" right away but never got a response on how much or

Don't hold your breath waiting.

The general advice is to not negotiate with terrorists, which in this case means don't try to pay the ransom.  It's possible (or even very probable) that they'll happily take your money and give you no key -- after all, why should they?  Do you trust a criminal to do the "good deed" he "promises" to do after he's just attacked your system?

Unfortunately, that means you're basically up to your own resources to resolve the issue without expecting any "help" from a criminal.

> Let me know of a small virus software to strip the ransom virus before 
> I
use any drives.

Manually cleaning each system might be required, or you could use a variety of programs.  Some are free (from the Community) and some are paid.  If you pay, go to the reputable folks and don't fall for the unknown "cheap, quick and easy!" options that most likely have more spyware/malware built in.
Sad, but true.

Best of luck getting the mess cleaned up.
Sherrod Munday

For CRTech resources visit http://CRTech.org/ To unsubscribe, e-mail:
crtech-unsubscribe@crtech.org List problems?  E-mail: TechStaff@CRTech.org

For CRTech resources visit http://CRTech.org/ To unsubscribe, e-mail: crtech-unsubscribe@crtech.org List problems?  E-mail: TechStaff@CRTech.org

This email was scanned by Bitdefender
References: Radio automation computer got hacked
("Don Prentice" <dprp1@cox.net>, 15 May 2017 03:31:37 -0000)
RE: Radio automation computer got hacked
("Don Prentice" <dprp1@cox.net>, 17 May 2017 17:18:28 -0000)
RE: Radio automation computer got hacked
("Don Prentice" <dprp1@cox.net>, 17 May 2017 23:02:24 -0000)
Prev by date: Re: Awesome and FREE backup software
(Willie Barnett, 19 May 2017 14:07:07 -0000)
Next by date: Re: RDCatch (WAS:Delay Unit)
(Matthew Chambers, 19 May 2017 15:23:22 -0000)
Prev by thread: RE: Radio automation computer got hacked
(Don Prentice, 17 May 2017 23:02:24 -0000)
Next by thread: Re: Radio automation computer got hacked
(Kevin Kidd, 19 May 2017 00:46:18 -0000)