
This week one of our clients was attacked. Their main server is a Windows Server 2003 machine. On Monday the IT team got reports that their main software was not functioning. When they rebooted the server they found all of the files and databases encrypted: they had been hit by ransomware. They had multiple backups, on-site and off-site, but as it turned out those had been encrypted as well (any backup that stays mounted or reachable from the infected machine is exposed to exactly this). An awful scenario for any company.

Looking at the logs they realized the attack had come in through Remote Desktop Protocol, which the firewall left reachable from the internet. RDP exposed like that is not a sophisticated target: nothing stops an attacker from trying user name and password combinations until one works, and with a weak or reused password on an administrator account that takes very little time. The Security log (with logon auditing enabled) is where this shows up, since each failed and successful logon is recorded there together with the source address.
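What such a brute-force attempt looks like in the logon events, and a small detector for it, as an added example that is not part of the original post. The log lines are constructed to look like a flattened export of Security-log logon events (timestamp, event ID, logon type, account, source address). Event IDs assumed: Windows Server 2003 records failed logons as 529 and successful ones as 528, while Vista and later use 4625 and 4624; logon type 10 (RemoteInteractive) marks an RDP session on both. The threshold and time window are arbitrary choices for the example.

```python
"""Flag RDP password guessing in exported Windows logon events.

Added example, not code from the original post. SAMPLE_LOG below is a
constructed export, not a real log. Event IDs are assumptions stated in
the lead-in: 529/4625 = failed logon, 528/4624 = successful logon,
logon type 10 = RemoteInteractive (RDP).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = {"529", "4625"}
SUCCESS_LOGON = {"528", "4624"}
RDP_LOGON_TYPE = "10"

# Constructed sample export: one event per line, pipe-separated:
# timestamp | event id | logon type | account | source address
SAMPLE_LOG = """\
2018-03-05 02:11:03|529|10|administrator|203.0.113.7
2018-03-05 02:11:05|529|10|administrator|203.0.113.7
2018-03-05 02:11:06|529|10|admin|203.0.113.7
2018-03-05 02:11:08|529|10|Administrator|203.0.113.7
2018-03-05 02:11:09|529|10|backup|203.0.113.7
2018-03-05 02:11:11|529|10|Administrator|203.0.113.7
2018-03-05 02:11:14|528|10|Administrator|203.0.113.7
2018-03-05 08:30:00|529|10|jsmith|192.168.1.20
2018-03-05 08:30:40|528|10|jsmith|192.168.1.20
2018-03-05 09:00:00|528|2|jsmith|-
"""


def parse_events(text):
    """Parse the pipe-separated export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, source = line.split("|")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": event_id,
            "logon_type": logon_type,
            "account": account,
            "source": source,
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source: finding} for sources with >= threshold RDP failures
    inside a sliding window. A later RDP success from a flagged source is
    recorded as the likely compromised account, which is the event that
    matters most during incident response."""
    failures = defaultdict(deque)   # source -> times of failures in window
    accounts = defaultdict(set)     # source -> account names tried
    findings = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue                 # only RDP sessions are of interest here
        src, now = ev["source"], ev["time"]
        q = failures[src]
        while q and now - q[0] > window:
            q.popleft()              # drop failures older than the window
        if ev["event_id"] in FAILED_LOGON:
            q.append(now)
            accounts[src].add(ev["account"])
            if len(q) >= threshold:
                f = findings.setdefault(src, {
                    "first_seen": q[0], "failures": 0,
                    "accounts": accounts[src], "success": None,
                })
                f["failures"] = max(f["failures"], len(q))
        elif ev["event_id"] in SUCCESS_LOGON and src in findings:
            findings[src]["success"] = (now, ev["account"])
    return findings


if __name__ == "__main__":
    for src, f in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(src, f["failures"], "failures since", f["first_seen"],
              "accounts tried:", sorted(f["accounts"]),
              "success:", f["success"])
```

On a real export the only change is the parser; the logic is the same whether the lines come from `eventquery.vbs` on a 2003 box or from `Get-WinEvent` on a newer server. The success-after-failures pattern is the one to chase first: it tells you which account the attacker ended up with and when the interactive session began.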

The files had the extension .TaRoNiS and each directory contained a file named HOW TO DECRYPT FILES.txt with the following text:

ATENTION!!!

I am truly sorry to inform you that all your important files are crypted.
If you want to recover your encrypted files you need to follow a few steps.
Atention!! I do not offer for free the decrypt key, for that you have to pay 0.08 BITCOIN.

Step 1: Create an account on www.localbitcoins.com
Step 2: Buy 0.08 BITCOIN
Step 3: Send the amount on this BTC address: 13oiwC4kgTvzjJNzEXe2n8ubxJyCvHrKfJ
Step 4: Contact me on this email address [email address not preserved on the page] with this subject: ID-RESTORE-008TARONISPCID0381723
After this steps you will receive through email the key and a decrypt tutorial.

Here is another list where you can buy bitcoin:
https://bitcoin.org/en/exchanges
Windows Server 2003 keeps no automatic recovery backups of its own, so things did not look good at all. We used a tool that lists all of the Volume Shadow Copies (the same information the built-in vssadmin list shadows command gives), but the server had none; we later found out that the malware deletes them.

We started calling every expert we could find and spent hours on research. By a stroke of luck, the site https://id-ransomware.malwarehunterteam.com (which identifies a ransomware family from the ransom note and an encrypted sample) told us that the malware was Xorist. Everything started looking better after that: Xorist files can be decrypted. The tool that saved us is a decryptor developed by Emsisoft, available at https://www.nomoreransom.org/en/decryption-tools.html. After trying with several files (and several hours) the decryptor produced a key, which we used to decrypt all of the files. Before running any decryptor it is worth taking a copy of the encrypted files, or an image of the disk, so that a wrong key or an interrupted run cannot make things worse.
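Emsisoft's Xorist decryptor works from a pair of files, an encrypted one and an unencrypted copy of the same file, which is consistent with the several attempts described above and is a good reason to keep old copies of anything (an installer, a document sent to a customer) that also sits on the encrypted server. The block below is an added illustration of that known-plaintext principle on a toy repeating-key XOR cipher; it is not the decryptor's code and does not reproduce Xorist's actual cipher. The key, the sample files and the function names are all constructed for the example.

```python
"""Known-plaintext key recovery for a toy repeating-key XOR cipher.

Added example: not Emsisoft's decryptor and not Xorist's cipher. It shows
why a recovery tool wants an encrypted file next to its original, and why
a short pair may not be enough: plaintext XOR ciphertext yields the
keystream, and only a pair longer than the key reveals the full key.
"""
from itertools import cycle

# Constructed "attacker" key of 16 distinct bytes (example only).
SECRET_KEY = b"Xk7!qZ2@mW9$pL4#"

# Constructed sample files: a short one, a longer one, and a third one
# for which only the file type (the %PDF header) is known.
SHORT_PLAIN = b"Hello Bob!"
LONG_PLAIN = (b"%PDF-1.4\n% constructed sample document body used for the "
              b"example; it only needs to be longer than the key\n")
THIRD_PLAIN = b"%PDF-1.4\n% another constructed document\n"


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_keystream(plaintext: bytes, ciphertext: bytes) -> bytes:
    """plaintext XOR ciphertext = keystream, for the overlapping length."""
    n = min(len(plaintext), len(ciphertext))
    return bytes(p ^ c for p, c in zip(plaintext[:n], ciphertext[:n]))


def shortest_period(stream: bytes) -> int:
    """Smallest p with stream[i] == stream[i-p] for all i >= p;
    len(stream) when no repetition is visible (key not fully recovered)."""
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i - p] for i in range(p, len(stream))):
            return p
    return len(stream)


def recover_key(plaintext: bytes, ciphertext: bytes) -> bytes:
    """Key candidate from one file pair. If the pair is shorter than the
    key, the result is only a prefix of the key."""
    ks = recover_keystream(plaintext, ciphertext)
    return ks[:shortest_period(ks)]


def verify_key(key: bytes, ciphertext: bytes, known_prefix: bytes) -> bool:
    """Check a candidate key against another encrypted file whose original
    is unknown but whose file-type header is predictable."""
    return xor_encrypt(ciphertext, key).startswith(known_prefix)


if __name__ == "__main__":
    short_ct = xor_encrypt(SHORT_PLAIN, SECRET_KEY)
    long_ct = xor_encrypt(LONG_PLAIN, SECRET_KEY)
    third_ct = xor_encrypt(THIRD_PLAIN, SECRET_KEY)
    partial = recover_key(SHORT_PLAIN, short_ct)
    full = recover_key(LONG_PLAIN, long_ct)
    print("from short pair:", partial, "(incomplete)" if partial != SECRET_KEY else "")
    print("from long pair: ", full, "verifies on third file:",
          verify_key(full, third_ct, b"%PDF"))
```

The short pair yields only the first ten bytes of the key and no visible period, which is the situation the authors were in while "trying with several files"; the longer pair exposes the repetition, and the candidate is then confirmed on a file whose original is unknown by checking that the decrypted output starts with the expected header. Real families use stronger constructions than a repeating XOR, but the workflow of a decryptor (pair, derive, verify on other files) is the same.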
