A Northern Territory business has been forced to pay a $3000 ransom to hackers who encrypted its financial records.
The business last week found it was locked out of vital credit and debtor invoice information stored on its network.
Hours after discovering the encrypted data, TDC Refrigeration and Electrical received an email demanding cash for the password.
Hackers had encrypted the data with 256-bit AES, IT manager Matt Cooper told CRN sister site SC.
“They had demanded the ransom within seven days, or it would go up another $1000, and again for every week the payment is late,” Cooper said. “I guess this is their way of making sure victims don’t try to crack the encryption.”
At the hackers' request, the money was paid through Western Union and Liberty Reserve, a favourite method of money transfer in underground circles.
In broken English, the attackers claimed that child pornography had been detected on the victim's computer and that payment must be made to unlock the files, owner Jeremy Spoehr told ABC radio Alice Springs.
Two further Queensland businesses were also recent victims of ransomware attacks, according to Queensland Police. Those attacks appeared to use "unbreakable" encryption, were difficult to investigate properly, and the source of the infection was hard to identify.
Detective Superintendent Brian Hay said those attacks were likely linked to drive-by-download websites that used web browser exploits to compromise machines.
While the origin of the TDC hackers has not yet been determined, several indicators pointed to Eastern European nations.
The hacking hotbed of Romania was linked to similar ransomware scams in many victims' accounts. The method of attack also linked the attacks to the Eastern European nation: the hackers had accessed the financial data through a series of brute-force password guesses, likely using the DUBrute tool, against vulnerable, active Remote Desktop Protocol (RDP) connections, a method which the Australian Federal Police have linked to an organised criminal gang operating in the region.
That method was used in the attack which saw half a million credit cards fleeced from an Australian business, and 146,000 cards stolen from US merchants, including Subway restaurants.
Romanian cyber crime officials told current affairs program Today Tonight in March that cybercrime in that country was surging amid large raids by police.
Correspondence from the gang was professional too. Cooper said attackers immediately replied to correspondence and had provided detailed instructions to pay the ransom.
Moreover, Cooper could not find any similar victim accounts where attackers had taken the ransom and not unlocked the data, an act that could undermine the ransomware business model.
“We had to make sure they wouldn’t just run off with the cash, leaving us in a worse state,” he said.
The attackers had used a new malware variant designed for ransomware attacks. A new fourth variant of the ACCDFISA malware – so called because it purports to demand payment on behalf of the fictitious Anti Cyber Crime Department of Federal Internet Security Agency – was deployed by the attackers once the vulnerable RDP connection was accessed.
The first ACCDFISA malware strain was detected by Emsisoft in February. The subsequent three variants had increased in complexity and used different password generation methods and application names. The malware was capable of displaying a ransom notice and locking users out of their machines, encrypting files and deleting backups.
Later versions prevented users from entering safe mode and used two different passwords to encrypt files, preventing users from recovering data.
Cooper said that attackers were demanding larger ransoms be paid with each new variant.
“It started off with them asking for a hundred bucks, and now they’re up to $3000. I guess they are realising that they can hit up businesses for a lot more money.”
Emsisoft said the best defensive measure was to strengthen RDP password security. It said there was no evidence to suggest the recent RDP vulnerability (MS12-020) was used in the attacks.
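The intrusion described above began with brute-force password guessing against exposed RDP, which leaves a distinctive trail in the Windows Security log: bursts of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive) from one source address. The detector below is an added example, not code from the article or from Emsisoft; the log lines are constructed, the field layout is a simplified one-line-per-event form, and the threshold and window are assumptions a defender would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log events, flattened to one line each:
# timestamp, EventID, LogonType, source IP, target user. Not real data.
# 4625 = failed logon, LogonType 10 = RemoteInteractive (RDP), 4624 = success.
SAMPLE_EVENTS = """\
2015-11-30T02:14:01 4625 10 203.0.113.45 Administrator
2015-11-30T02:14:02 4625 10 203.0.113.45 Administrator
2015-11-30T02:14:02 4625 10 203.0.113.45 admin
2015-11-30T02:14:03 4625 10 203.0.113.45 Administrator
2015-11-30T02:14:04 4625 10 203.0.113.45 accounts
2015-11-30T02:14:05 4625 10 203.0.113.45 Administrator
2015-11-30T09:10:00 4625 10 198.51.100.7 jsmith
2015-11-30T09:11:00 4624 10 198.51.100.7 jsmith
2015-11-30T09:12:00 4625 3 192.0.2.9 svc_backup
"""

def parse_events(text):
    """Yield (timestamp, event_id, logon_type, src_ip, user) per log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, ip, user = line.split()
        yield datetime.fromisoformat(ts), int(eid), int(ltype), ip, user

def detect_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: (max_failures_in_window, sorted_users_tried)} for every
    source whose RDP logon failures reach `threshold` inside a sliding window.
    A single user's typo never trips this; a guessing tool does."""
    failures = defaultdict(list)
    for ts, eid, ltype, ip, user in parse_events(text):
        if eid == 4625 and ltype == 10:          # failed RDP logon only
            failures[ip].append((ts, user))
    alerts = {}
    for ip, events in failures.items():
        events.sort()
        start, best, best_users = 0, 0, set()
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                        # slide window forward
            if end - start + 1 > best:
                best = end - start + 1
                best_users = {u for _, u in events[start:end + 1]}
        if best >= threshold:
            alerts[ip] = (best, sorted(best_users))
    return alerts

if __name__ == "__main__":
    for ip, (count, users) in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"ALERT {ip}: {count} RDP failures in window, users tried: {users}")
```

On the sample, only 203.0.113.45 is flagged; the single failure from 198.51.100.7 followed by a success and the non-RDP failure from 192.0.2.9 are ignored.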
Queensland Police urged victims to contact police and anyone with knowledge of the attacks to contact Crimestoppers.
“While the loss of significant customer information is a distinct possibility, the risk you may have just provided a large volume of data to the attackers is very possible and must be addressed. The most important thing to do is to not respond to the emails and contact police,” Det Sup Hay said.
Copyright © SC Magazine, Australia
Issue: 345 | December 2015