
Topic: Network server hacked

Trailabite (GATR STAFF)
Network server hacked
« on: January 27, 2020, 10:20:00 AM »
Our corporate server has been hacked this morning by some sort of ransomware. All of our files have been encrypted. They did leave us a letter with a process on how to recover our files. It's an actual ransom letter demanding a payment.

This pisses me off but at the same time I'm amazed at the technology.

Sent from my SM-G975U using Tapatalk

Chuck & Sherry

*GET OUT OF KEVIN'S YARD*

BigMike
Re: Network server hacked
« Reply #1 on: January 27, 2020, 10:28:05 AM »
@BigPrince can chime in as this is his wheel-house.  It may come back to a DFU clicking on a phishing email, but if someone came through your firewall and hacked a server, that is a serious gap in IT Security. 

Is it a single server or has it spread to workstations?  Hope the company has good/recent backups.  I think public executions of people that create this shit would help curb it.

Trailabite (GATR STAFF)
Re: Network server hacked
« Reply #2 on: January 27, 2020, 10:42:15 AM »
They got through our corporate firewall in New York and it looks like it has spread to all of our servers (other offices) across the US. So far, all files on our laptops are safe. I instructed our office to either turn their laptops off or disconnect them from our network.

Sent from my SM-G975U using Tapatalk


BigMike
Re: Network server hacked
« Reply #3 on: January 27, 2020, 10:47:08 AM »
They got through our corporate firewall in New York and it looks like it has spread to all of our servers (other offices) across the US. So far, all files on our laptops are safe. I instructed our office to either turn their laptops off or disconnect them from our network.

Sent from my SM-G975U using Tapatalk
Wouldn't want to be the CISO in NY today.  Yikes.  Hope that he has recently performed a penetration test and has documentation.
« Last Edit: January 27, 2020, 10:47:51 AM by BigMike »

Trailabite (GATR STAFF)
Re: Network server hacked
« Reply #4 on: January 27, 2020, 10:55:02 AM »
Here's the note they left on the servers.

Sent from my SM-G975U using Tapatalk


Trailabite (GATR STAFF)
Re: Network server hacked
« Reply #5 on: January 27, 2020, 11:06:29 AM »
It's called Maze Ransomware. The same people that attacked Southwire here in GA back in December.

Sent from my SM-G975U using Tapatalk


tjsahara00 (GATR STAFF)
Re: Network server hacked
« Reply #6 on: January 27, 2020, 12:14:45 PM »
Last extrusion company I worked at (15 years ago), named Sapa Extrusions, was hi-jacked last year. It hurt them pretty bad getting back going. They never paid the ransom....

Update
I forgot they had changed the name to Hydro Extrusion, and now I heard they did pay in December.
« Last Edit: January 27, 2020, 12:33:47 PM by tjsahara00 »
Kevin Pool
2016 JKU Sport
2000 TJ Sahara (RIP)

patman (C.O.R.E MEMBER)
Re: Network server hacked
« Reply #7 on: January 27, 2020, 12:18:24 PM »
"We understand your stress and worry"
Lol. These guys sound like pretty nice salesmen. How much are they asking?

Trailabite (GATR STAFF)
Re: Network server hacked
« Reply #8 on: January 27, 2020, 12:53:19 PM »
"We understand your stress and worry"
Lol. These guys sound like pretty nice salesmen. How much are they asking?
I don't know yet. I know they hit up Southwire for $6M and they wanted payment in bitcoins.

There was an FBI warning about this group on January 2, 2020.

Apparently, Railworks didn't listen lol


Sent from my SM-G975U using Tapatalk


BigPrince
Re: Network server hacked
« Reply #9 on: January 27, 2020, 08:16:10 PM »
Yeah... so... sorry to hear. At this point I'm sure your IT folks are freaking out and well into responding.  It's up to your executives if they wish to involve the FBI / other feds, pay/not pay, etc.  There are a lot of devils in the details, but this one is particularly nasty with their willingness to leak data, not just encrypt it.  Without knowing the environment, data, etc., my suggestion would be to determine if the folks in house can handle it and, if not, retain an incident response team like Mandiant or SecureWorks, etc.  If it's one system/set of systems, hopefully your backups are good and recent.  Once you identify how it happened you can restore from backups.  If your prevention controls fail, that is the most prevalent way to restore business continuity in a ransomware situation.  Hopefully your company has good incident response, business recovery and continuity plans.  Working offline and NOT opening any phishy emails, questionable attachments, or clicking on funky links in email is a good strategy while IT eradicates, contains, and restores the rest. Hopefully if it has a large impact you have good Cyber Insurance as well.
« Last Edit: January 27, 2020, 08:16:57 PM by BigPrince »

jc79
Re: Network server hacked
« Reply #10 on: January 28, 2020, 03:45:44 AM »
Chuck, given the industry you’re in, be thinking what access your systems might have to your customers systems. If you have folks with remote access into your customers to do maintenance or troubleshooting you should think about whether there’s a risk of you spreading it to them.

I don’t know enough about it to know if you have that scenario but wanted to bring it up.


Sent from my iPhone using Tapatalk
Jared

2004 TJ Unlimited (LJ)

Trailabite (GATR STAFF)
Re: Network server hacked
« Reply #11 on: January 28, 2020, 08:13:51 AM »
Chuck, given the industry you’re in, be thinking what access your systems might have to your customers systems. If you have folks with remote access into your customers to do maintenance or troubleshooting you should think about whether there’s a risk of you spreading it to them.

I don’t know enough about it to know if you have that scenario but wanted to bring it up.


Sent from my iPhone using Tapatalk

Yeah, this group (MAZE) kind of helped us with that. We go through Citrix for anything outside of the company and right now we can't even access that. Its files have been encrypted as well. We did get our email service running through Mimecast, so there is some communication that can take place.

For me, it's just like working back in the 80's again lol, working from my C drive and making actual phone calls!