Georgia Trail Riders Forum
MEMBERS DISCUSSION AREA => General Discussion => Topic started by: Trailabite on January 27, 2020, 10:20:00 AM
-
Our corporate server has been hacked this morning by some sort of ransomware. All of our files have been encrypted. They did leave us a letter with a process on how to recover our files. It's an actual ransom letter demanding a payment.
This pisses me off but at the same time I'm amazed at the technology.
Sent from my SM-G975U using Tapatalk
-
@BigPrince can chime in as this is his wheelhouse. It may come back to a DFU clicking on a phishing email, but if someone came through your firewall and hacked a server, that is a serious gap in IT Security.
Is it a single server or has it spread to workstations? Hope the company has good/recent backups. I think public executions of people that create this shit would help curb it.
-
They got through our corporate firewall in New York and it looks like it has spread to all of our servers (other offices) across the US. So far, all files on our laptops are safe. I instructed our office to either turn their laptops off or disconnect them from our network.
Sent from my SM-G975U using Tapatalk
-
They got through our corporate firewall in New York and it looks like it has spread to all of our servers (other offices) across the US. So far, all files on our laptops are safe. I instructed our office to either turn their laptops off or disconnect them from our network.
Sent from my SM-G975U using Tapatalk
Wouldn't want to be the CISO in NY today. Yikes. Hope that he has recently performed a penetration test and has documentation.
-
Here's the note they left on the servers. (https://uploads.tapatalk-cdn.com/20200127/226abecf9367c6aeab01a1fffc8e4067.jpg)
Sent from my SM-G975U using Tapatalk
-
It's called Maze Ransomware. The same people that attacked Southwire here in GA back in December.
Sent from my SM-G975U using Tapatalk
-
Last extrusion company I worked at (15 years ago), named Sapa Extrusions, was hijacked last year. It hurt them pretty bad getting back going. They never paid the ransom....
Update
I forgot they had changed the name to Hydro Extrusion, and now I heard that they did pay in December.
-
"We understand your stress and worry"
Lol. These guys sound like pretty nice salesmen. How much are they asking?
-
"We understand your stress and worry"
Lol. These guys sound like pretty nice salesmen. How much are they asking?
I don't know yet. I know they hit up Southwire for $6M and they wanted payment in bitcoins.
There was an FBI warning about this group on January 2, 2020.
Apparently, Railworks didn't listen lol
Sent from my SM-G975U using Tapatalk
-
Yeah... so... sorry to hear. At this point I'm sure your IT folks are freaking out and well into responding. It's up to your executives if they wish to involve the FBI / other feds, pay/not pay, etc. There's a lot of devil in the details, but this one is particularly nasty with their willingness to leak data, not just encrypt it. Without knowing the environment, data, etc., my suggestion would be to determine if the folks in house can handle it and, if not, retain an incident response team like Mandiant or SecureWorks, etc. If it's one system/set of systems, hopefully your backups are good and recent. Once you identify how it happened you can restore from backups. If your prevention controls fail, that is the most prevalent way to restore business continuity in a ransomware situation. Hopefully your company has good incident response, business recovery and continuity plans. Working offline and NOT opening any phishy emails, questionable attachments, or clicking on funky links in email is a good strategy while IT eradicates, contains, and restores the rest. Hopefully, if it has a large impact, you have good Cyber Insurance as well.
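The advice above turns on identifying how the encryption happened and which systems were touched. Below is an added example (not from this thread or any poster) of the kind of triage check a responder would run over file-server audit logs: it flags an account that, within a short window, writes or renames many files across many directories and drops the same note file into each. The tab-separated log format, the thresholds and the note filename are all assumptions for the example; the log lines are constructed.

```python
"""Flag ransomware-like bursts in file-server audit logs (added example).
Heuristic: one actor touches many files across many directories inside a
short window while creating the same note file in those directories.
Log layout, thresholds and note name are assumptions, not real indicators."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # burst window (assumption)
MIN_FILES = 10                   # files touched within the window (assumption)
MIN_DIRS = 3                     # distinct directories touched (assumption)
NOTE_NAME = "RANSOM-NOTE-PLACEHOLDER.txt"  # placeholder, not a real note name

def parse_line(line):
    """Tab-separated: ISO timestamp, host, user, op, path (constructed format)."""
    ts, host, user, op, path = line.rstrip("\n").split("\t", 4)
    return datetime.fromisoformat(ts), host, user, op, path

def flag_bursts(lines):
    """Return {(host, user): reason} for actors matching the heuristic."""
    events = defaultdict(list)
    for line in lines:
        ts, host, user, op, path = parse_line(line)
        if op in ("CREATE", "WRITE", "RENAME"):
            events[(host, user)].append((ts, path))
    hits = {}
    for actor, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):          # sliding window over sorted events
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1
            paths = {p for _, p in evs[start:end + 1]}
            dirs = {p.rsplit("/", 1)[0] for p in paths}
            note_dirs = {p.rsplit("/", 1)[0] for p in paths if p.endswith("/" + NOTE_NAME)}
            if len(paths) >= MIN_FILES and len(dirs) >= MIN_DIRS and note_dirs:
                hits[actor] = f"{len(paths)} files in {len(dirs)} dirs, note in {len(note_dirs)}"
                break
    return hits

def constructed_log():
    """Fictional audit lines: one normal write plus a burst from svc_backup on FS01."""
    lines = ["2020-01-27T08:00:00\tWS07\talice\tWRITE\t/share/reports/q4.xlsx"]
    for i in range(4):
        d = f"/share/dept{i}"
        for j in range(3):
            lines.append(f"2020-01-27T08:10:{i * 3 + j:02d}\tFS01\tsvc_backup\tRENAME\t{d}/doc{j}.docx.locked")
        lines.append(f"2020-01-27T08:10:{i * 3 + 2:02d}\tFS01\tsvc_backup\tCREATE\t{d}/{NOTE_NAME}")
    return lines

if __name__ == "__main__":
    for actor, reason in flag_bursts(constructed_log()).items():
        print(actor, reason)
```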
-
Chuck, given the industry you’re in, be thinking what access your systems might have to your customers systems. If you have folks with remote access into your customers to do maintenance or troubleshooting you should think about whether there’s a risk of you spreading it to them.
I don’t know enough about it to know if you have that scenario but wanted to bring it up.
Sent from my iPhone using Tapatalk
-
Chuck, given the industry you’re in, be thinking what access your systems might have to your customers systems. If you have folks with remote access into your customers to do maintenance or troubleshooting you should think about whether there’s a risk of you spreading it to them.
I don’t know enough about it to know if you have that scenario but wanted to bring it up.
Sent from my iPhone using Tapatalk
Yeah, this group (MAZE) kind of helped us with that. We go through Citrix for anything outside of the company and right now we can't even access that. Its files have been encrypted as well. We did get our email service running through Mimecast so there is some communication that can take place.
For me, it's just like working back in the 80's again lol, working from my C drive and making actual phone calls!
-
Chuck, given the industry you’re in, be thinking what access your systems might have to your customers systems. If you have folks with remote access into your customers to do maintenance or troubleshooting you should think about whether there’s a risk of you spreading it to them.
I don’t know enough about it to know if you have that scenario but wanted to bring it up.
Sent from my iPhone using Tapatalk
Yeah, this group (MAZE) kind of helped us with that. We go through Citrix for anything outside of the company and right now we can't even access that. Its files have been encrypted as well. We did get our email service running through Mimecast so there is some communication that can take place.
For me, it's just like working back in the 80's again lol, working from my C drive and making actual phone calls!
Are you having to train millennials how to use a phone and write stuff down?
Sent from my SM-G960U using Tapatalk
-
Chuck, given the industry you’re in, be thinking what access your systems might have to your customers systems. If you have folks with remote access into your customers to do maintenance or troubleshooting you should think about whether there’s a risk of you spreading it to them.
I don’t know enough about it to know if you have that scenario but wanted to bring it up.
Sent from my iPhone using Tapatalk
Yeah, this group (MAZE) kind of helped us with that. We go through Citrix for anything outside of the company and right now we can't even access that. Its files have been encrypted as well. We did get our email service running through Mimecast so there is some communication that can take place.
For me, it's just like working back in the 80's again lol, working from my C drive and making actual phone calls!
Are you having to train millennials how to use a phone and write stuff down?
Sent from my SM-G960U using Tapatalk
The company has sent everyone home until further notice! Right now we only have a handful of people (payroll) working.
-
Day 4 and network servers are still down!
-
Day 4 and network servers are still down!
What are your corporate leaders telling the managers? How much are you able to do? We would be dead in the water without our servers and data but we would be back up in 4 hours the IT team says!
-
Not trying to make light of it but this would make a killer movie [spectator2] Following.
-
Day 4 and network servers are still down!
Are you putting in any resumes at other places yet?
-
Day 4 and network servers are still down!
What are your corporate leaders telling the managers? How much are you able to do? We would be dead in the water without our servers and data but we would be back up in 4 hours the IT team says!
We have a slew of IT people (in-house and contracted) working on this, and the FBI. This MAZE Ransomware is some serious stuff. We are pretty much dead in the water; we have about 2,500 people waiting to get back to work. Yesterday I was told that we (managers) should have access later tonight, but I just received a text message about 30 minutes ago saying that the corporate network system was on total shutdown. That could be because they are rebooting to establish new IP addresses. Who knows.
Not trying to make light of it but this would make a killer movie [spectator2] Following.
Yep, we are trying to contact Netflix now for a movie deal lol.
Day 4 and network servers are still down!
Are you putting in any resumes at other places yet?
My resume is always out there!
-
Were they able to work something out @Trailabite ?
-
Were they able to work something out @Trailabite ?
We're still not at 100% and the services that are up and running are running in a temporary mode. Apparently, our whole network system is being rebuilt from scratch.
Sent from my SM-G975U using Tapatalk
-
Were they able to work something out @Trailabite ?
We're still not at 100% and the services that are up and running are running in a temporary mode. Apparently, our whole network system is being rebuilt from scratch.
Sent from my SM-G975U using Tapatalk
Need to hire someone with a "specific set of skills" to hunt down those mf'ers.
-
Were they able to work something out @Trailabite ?
We're still not at 100% and the services that are up and running are running in a temporary mode. Apparently, our whole network system is being rebuilt from scratch.
Sent from my SM-G975U using Tapatalk
Need to hire someone with a "specific set of skills" to hunt down those mf'ers.
Liam Neeson?
-
We're still not at 100% and the services that are up and running are running in a temporary mode. Apparently, our whole network system is being rebuilt from scratch.
Either someone dropped the ball on preparedness and disaster recovery or some bean counter/higher up in management axed the plan and budget for it.
-
We're still not at 100% and the services that are up and running are running in a temporary mode. Apparently, our whole network system is being rebuilt from scratch.
Either someone dropped the ball on preparedness and disaster recovery or some bean counter/higher up in management axed the plan and budget for it.
DR/BC plans are a lot of work and who really needs one - until you need one. It's like having a great "pull-out" technique until she gets knocked up. lmao lmao lmao lmao
-
So it sounds like y'all didn't end up paying?
-
So it sounds like y'all didn't end up paying?
Nope and yesterday my Identity Guard found 5 hits on the dark web of my work email address and possible password. As soon as all of this happened I had already changed my work password and all of mine and my wife's personal passwords lol.
-
We're still not at 100% and the services that are up and running are running in a temporary mode. Apparently, our whole network system is being rebuilt from scratch.
Either someone dropped the ball on preparedness and disaster recovery or some bean counter/higher up in management axed the plan and budget for it.
I'll go with the latter, and I bet their bonuses were good for the last few years :) Now they'll just fire the CTO/CIO (probably don't have a CSO/CISO) and reduce costs elsewhere to pay for the recovery.
I'm cynical when it comes to CFO/CEO funding pro-active protections versus beating financial targets.
-
Surprised @BigPrince hasn't weighed in here. BTW, WhereTF has he been?
-
Surprised @BigPrince hasn't weighed in here. BTW, WhereTF has he been?
He chimed in at the beginning.
-
We just now got our network server back up and running. Now I'm just waiting for my Outlook to be restored!
-
Wow, they really got you guys good! What pieces of shit
-
Glad y'all got it back up and running. My company got hit with it before I worked here (2015). We wound up paying cause there were 20 years or so worth of AutoCAD files we didn't have properly backed up.
-
Glad y'all got it back up and running. My company got hit with it before I worked here (2015). We wound up paying cause there were 20 years or so worth of AutoCAD files we didn't have properly backed up.
That sucks. At least they got the data back.