
Author Topic: If you have homelab...  (Read 2095 times)

Offline krakah

If you have homelab...
« on: February 16, 2017, 11:36:11 AM »
Gather round... I'm about to share with you a tale of the biggest series of screwups in my history as an overall IT nerd and professional.

As I'm sure, like me, many people here have their own interesting setups at home.  Everyone probably has a little something different going on.  My setup isn't all that intricate.  Our lovely pfSense router, and behind that an access point, network TV tuner, 3 HTPCs, and the brains... a Dell R710 with a bunch of storage running various VMs, ranging from a domain controller to a web server and game servers (KF2, Rust, Minecraft, Mumble).  In that storage is all my (legally 8) ) acquired TV shows and movies, and photos from the places I've traveled as well as wedding photos.  So nothing extravagant by any means...

So one morning we wake up and we don't have internet.  Now I've been playing around with an Active Directory domain migration lab so DNS has been acting funky.  DNS definitely turned out to be the culprit, but not because of any lab I was completing.  I can't reach the domain controller so I log into the hypervisor and all my VMs are stopped.  When I tried to start them I was presented with an error that the VHDs weren't there.  My initial thought was the array took a dump on me, but nope, everything was there.  Navigating to the folder with the VHDs is when I discovered the problem.  They were all renamed with an extension .aes256. There was also a text file at the top of every directory named "READ ME". It was at that moment I stared blankly at the monitor not wanting to believe what I saw.  I had been... crypto locked. EVERYTHING!  Everything I mentioned above as well as my backup drive.  Nightly, there is a job that exports each VM to the backup drive and runs a robocopy of the photos folder.  All of it crypto locked.

BUT HOW!!!!????

Like I said, this was a series of screwups and just overall negligence on my part.  I didn't take the time or effort to secure anything like I normally would, like for instance, at my job. 

The first thing I did was look in the Event Viewer and saw Security Audit failures.  About 10 or so every second.  The associated hostname with the logins was "FreeRDP".  There is no such hostname on my network so I dug a little deeper and discovered screwup #1: A NAT entry for RDP that was still open that was supposed to only be temporary.  I remember opening this a few months ago when I needed to do something from work.  This was right after I did a fresh install of pfSense to the newest version at the time and hadn't quite set VPN up yet.  It was supposed to be temporary, but... I forgot.  I mean, I could have specified a source IP of my work in the NAT rule so that it wasn't open to the entire world.  Just pure laziness on my part.

Screwup #2 is actually pretty interesting I think.  The attacker found the open RDP connection and brute forced the local Administrator password, which wasn't the most complex in the world, but it contained all the normal stuff most people would consider in a "secure" password.  Nonetheless I was oblivious to this happening anyway so at some point even with a more secure password they would have eventually got it.  But the interesting part to me is that I never knew the local admin account doesn't lock out.  It just never occurred to me.  I NEVER use the local admin account... ever.  Part of my normal installation of operating systems is to create a different admin account and disable or delete the default one.  I've done this on every single OS I've ever installed from darn near the beginning of time.  At work there is a GPO which does this automatically.  So my "ignorance" of the local admin comes from a lack of experience using it.  But when I actually thought about it for a moment it makes sense.  Lock out the local admin account and you could be royally screwed.  I don't know what it was, but for whatever reason, despite doing this EVERY single time, I left the local admin account there.

Screwup #3 is more just laziness, and I can't really confirm it would have helped, though I'm confident it would have.  Just like not getting VPN set up I also failed to do the typical IP filtering at the firewall.  In the past I've used IP block lists and pfblocker (now pfBlockerNG) to keep baddies away.  I used to see brute force attempts on my FTP server back in the day before implementing them.  Snort would have probably stopped it too, but honestly I find Snort too tedious and usually don't bother installing it.

So lesson: don't be lazy, secure your crap.

Those were the technical details behind the attack.  If you want to read my adventure through recovering all my data read below.


After it finally set in what happened I set out to recover all my data.  Really the only thing that was super critical were the wedding photos.  All the VMs could be rebuilt with some time.  You see, when I bought the R710 and did the pfSense upgrade, those were a part of another build too.  My PC.  I built a new MiniITX system that replaced my larger tower.  In that tower though I had many drives.  I think at this point another 3 x 2TB drives.  On those drives were copies of my photos from doing random projects with them... some editing, panoramas, etc... but when I downsized my PC I consolidated all the copies, put them on the R710 and deleted everything else.  One central, organized location that got backed up to another drive just in case (heh).  So I ran around the house looking for these drives, and found two.  The other I mailed to a friend when his drive died.  First drive was dead, the other wasn't, but of course I deleted them all.  Recovery tools were no help.  I must have written too much data to that drive before taking it out of my PC.  The most I could recover was some icons from my website.

But that 3rd drive I sent to a friend.... I know for a fact it did contain EVERYTHING.  Because after I sent it to him he told me there were tons of photos and video on it.  This was before consolidation so at the time he zipped them up and uploaded them to mega upload.  I went back through our chat history and found the link, but it didn't work.  When I asked him what happened to it he said "oh mega made me reset my account THE OTHER DAY" (emphasis mine).  You gotta be kidding me!  I was a couple days late on downloading the entire photo collection.  He said he deleted the zip file too.  I highly doubt any recovery tools would be able to recover a zip file of that size.  Either way his PC was packed up because he's moving and he's not able to check.

Then I remembered the photographer used a website to order prints and stuff.  I could probably get the photos back from there.  I found the email and got directed to a page that told me the domain expired on 2/1/2017.  Again, you gotta be kidding me!  I was a week late for this.

All is well with the wedding pics though... the photographer still had them and I got a copy dropped off the next day!  PHEW!!!!

BUT.... I definitely still wanted my other photos.  We're talking about photos of two trips to the Grand Canyon, an island off of Florida, Seattle, the San Juan Islands, trekking in upstate New York, and the Keys.  Plus, while not the worst thing in the world, setting up all those servers as well as the website again would just be a royal pain.  So I thought... let's just see how much they want to decrypt these files.  In the aforementioned README file was an email with a code.

Here is the conversation that followed:

Quote
Jared A <redacted@gmail.com>   Thu, Feb 9, 2017 at 10:59 AM
To: 0xc030@protonmail.ch, 0xc030@tuta.io, aes-ni@sigaint.org
Hello I need RSA Key for

S83-CORE#617AFC8BA2AE40E89CFF43DA8CFEAAF8


Quote
Michel Nulled <0xc030@protonmail.ch>   Thu, Feb 9, 2017 at 3:08 PM
Reply-To: Michel Nulled <0xc030@protonmail.ch>
To: Jared A <redacted@gmail.com>
Hello. I am technical support.
Your files are encrypted; to decrypt them you need to obtain a private key.
Please do not use third-party public tools to decrypt your files; they are not compatible and your files can be corrupted.

The price for the key is 4 BTC (Bitcoin).
The best site for buying BTC is: https://localbitcoins.com/

If you want, you can send me 2-3 not large files and I will decrypt them for free; just to prove my ability to decrypt your files.
Please do not send large backup files.


Sent with ProtonMail Secure Email.


Pffffffffffffffffffff 4 bitcoins???? GTFO.  That's $4000 at current value.  I had them, but no way I was giving up 4k.   I've read multiple "reviews" of this and found everything from these guys could just take your money, to actually offering really good "customer service".  So I figured I'd BS and play this like I didn't need the data and I could restore.   Also playing on the fact that the key to decrypt my files is essentially worthless to him.  He should probably take anything rather than nothing...

Quote
Jared A <redacted@gmail.com>   Fri, Feb 10, 2017 at 8:01 PM
To: Michel Nulled <0xc030@protonmail.ch>
Hello there.  Thank you very much for your quick response.  Luckily for me I have offsite backups that I can restore.  Admittedly it is a lot of work for me to restore but it is very possible.  That being said your offer of 4Btc is way out of my price range for this service.  It comes down to the time it would take me to restore from offsite backup.  That time to me is worth 0.1Btc which is about $100 on the current market.  Please let me know if you're interested in performing the work at this price.  If not,  thank you for the offer and have a good day!


Quote
Michel Nulled <0xc030@protonmail.ch>   Fri, Feb 10, 2017 at 8:27 PM
Reply-To: Michel Nulled <0xc030@protonmail.ch>
To: Jared A <redacted@gmail.com>
Hello. My boss tells me that 0.1 BTC is really too small amount.
Let's do the integer amount of BTC


Quote
Jared A <redacted@gmail.com>   Fri, Feb 10, 2017 at 8:30 PM
To: Michel Nulled <0xc030@protonmail.ch>
What do you mean the integer?  The full 4Btc?  I'm sorry that is out of my price range.  Please feel free to contact me again if you can agree to the 0.1btc price. Otherwise I will have to decline.  Thank you again for your assistance


Quote
Michel Nulled <0xc030@protonmail.ch>   Sat, Feb 11, 2017 at 4:26 AM
Reply-To: Michel Nulled <0xc030@protonmail.ch>
To: Jared A <redacted@gmail.com>
2 BTC?


Quote
Jared A <redacted@gmail.com>   Sat, Feb 11, 2017 at 5:43 AM
To: Michel Nulled <0xc030@protonmail.ch>
Thank you for your kind offer but 0.1BTC ($100) is firm.  I can send 0.1BTC immediately.

Thank you.


Quote
Michel Nulled <0xc030@protonmail.ch>   Sat, Feb 11, 2017 at 10:20 AM
Reply-To: Michel Nulled <0xc030@protonmail.ch>
To: Jared A <redacted@gmail.com>
Last discount we can make is 1 BTC. Sorry, but we can not take a lower amount of money.

Sent with ProtonMail Secure Email.


Quote
Jared A <redacted@gmail.com>   Sat, Feb 11, 2017 at 10:26 AM
To: Michel Nulled <0xc030@protonmail.ch>
Thank you for the kind offer.  I'll make plans to restore my data from backup tomorrow.  Thank you.


I already got this dude to give me a 75% "discount" but in hindsight got too greedy with the ultimatum and declining the service overall.  I expected him to come back and break down and accept my offer, but he didn't.  So I sent the following email to try to save face two days later.  Even offered him a tip.  To do the work.  You gotta keep in mind that while the below amount and the eventual agreed-upon price might seem like a lot of money, it really wasn't because it was in BTC.  Current value of BTC is about 1k/ea, but I bought these things over the course of the last two years.  I wasn't really "losing" any money here so I could be more flexible.  Plus I was curious on just how this would play out.

Quote
Hi Michel,

Due to some bad weather here in Canada, I'm not able to get to my offsite backup for a week.  I'd be willing to increase my offer to 0.25BTC just to get back up and running sooner.  This is the most I can afford.  I can send the BTC immediately... I can send this evening. 

Please let me know if you can complete the work.  This is $250 at current market rate.  I'd also be willing to "tip" YOU another 0.05BTC which is $50 to a 2nd address :)

Please let me know by mid week.  Maybe by then the snow will be gone!


Quote
Michel Nulled <0xc030@protonmail.ch>   Mon, Feb 13, 2017 at 5:00 PM
Reply-To: Michel Nulled <0xc030@protonmail.ch>
To: Jared A <redacted@gmail.com>
By the way, we are not one person. So let's do $500, OK? $500 and you have the keys.


I did some pretty tough thinking.  I didn't want to lose all my pictures, and I didn't want to possibly scare this guy off again.  He already called my bluff once before.  $500 was right on the border of what I'd be willing to "risk".  Remember... there is every chance this guy takes the BTC and runs.

Quote

Jared A <redacted@gmail.com>   Mon, Feb 13, 2017 at 5:12 PM
To: Michel Nulled <0xc030@protonmail.ch>
Hi Michel,

I can do that.  After I have the key's I'll be sure to leave a good review for you on the website of your choice.  Please give me an address to send the BTC.


Quote
Michel Nulled <0xc030@protonmail.ch>   Mon, Feb 13, 2017 at 5:23 PM
Reply-To: Michel Nulled <0xc030@protonmail.ch>
To: Jared A <redacted@gmail.com>
Send to 14tgwU5hmf6Q8HugXbjbxygf1BEvJXYxos then.
I prepared the keys, the tool and instructions.


Quote

Jared A <redacted@gmail.com>   Mon, Feb 13, 2017 at 5:25 PM
To: Michel Nulled <0xc030@protonmail.ch>
<screenshot of transaction>

There you go.  Thanks for the quick response.




Here is a record of the transaction:
https://blockchain.info/address/14tgwU5hmf6Q8HugXbjbxygf1BEvJXYxos


Quote
Michel Nulled <0xc030@protonmail.ch>   Mon, Feb 13, 2017 at 5:27 PM
Reply-To: Michel Nulled <0xc030@protonmail.ch>
To: Jared A <redacted@gmail.com>
Here are your keys: https://www.sendspace.com/file/tbkaxa
Archive password is 123456.
There are keys, the tool and instructions included (howto.txt).
If there will be any questions, feel free to ask.



I downloaded the archive, extracted it, launched the decode.exe app, specified the key, and about 8 hrs later I had everything back.  Maybe I got lucky and got one of those "good" customer service guys?  Not sure.  I spent the next couple days going around and changing the password on every single internet account I had.  That was also a real pain.  You don't realize just how many accounts you have out there on the internet until you try to change them all.

That's my tale of how I got l33t hax'd.  I hope everyone can learn from my negligence, and if you find yourself on this side of the fence, some of your options to get your data back.

See everyone next weekend!
« Last Edit: February 16, 2017, 11:50:44 AM by krakah »
Vitality Gaming
www.vitalitygaming.com
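Added example, not code from the post above: a PowerShell check for the two things krakah found after the fact, the flood of Security-log logon failures (event ID 4625) from an unknown client workstation name like "FreeRDP", and the built-in Administrator account still enabled while the lockout policy cannot protect it. It assumes Windows PowerShell 5.1 with the LocalAccounts module, run elevated on the host that is reachable over RDP; the 50-failure threshold is an assumed value to tune.

```powershell
# Added example, not from the original post. Run elevated on the exposed host.
# Summarises failed logons (Security event 4625, the "audit failures" in the post) by the
# workstation name and IP the client sent, then reports the local-admin and RDP settings.

function Get-FailedLogonSources {
    param([datetime]$Since = (Get-Date).AddDays(-1), [int]$Threshold = 50)  # assumed threshold
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } `
                           -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        # Read named EventData fields from the event XML instead of relying on property positions
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Workstation = $data['WorkstationName']   # "FreeRDP" in the post: an attacker-chosen name
            IpAddress   = $data['IpAddress']
            TargetUser  = $data['TargetUserName']
            LogonType   = $data['LogonType']         # 10 = RemoteInteractive (RDP), 3 = Network
        }
    }
    $rows | Group-Object Workstation, IpAddress |
        Where-Object Count -gt $Threshold |
        ForEach-Object {
            [pscustomobject]@{
                Workstation = $_.Group[0].Workstation
                IpAddress   = $_.Group[0].IpAddress
                Failures    = $_.Count
                Accounts    = ($_.Group.TargetUser | Sort-Object -Unique) -join ','
            }
        } | Sort-Object Failures -Descending
}

function Get-LocalAdminExposure {
    # The built-in Administrator is the account with RID 500, whatever it has been renamed to;
    # the domain/local lockout threshold does not lock it out for network logons, so the only
    # real mitigations are disabling it and not exposing RDP to the internet.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    [pscustomobject]@{
        BuiltinAdminName    = $builtin.Name
        BuiltinAdminEnabled = $builtin.Enabled
        RdpEnabled          = (Get-ItemProperty $ts).fDenyTSConnections -eq 0
        NlaRequired         = (Get-ItemProperty "$ts\WinStations\RDP-Tcp").UserAuthentication -eq 1
        LockoutThreshold    = (net accounts | Select-String 'Lockout threshold').ToString().Split(':')[1].Trim()
    }
}

Get-FailedLogonSources | Format-Table -AutoSize
Get-LocalAdminExposure | Format-List
```

A source with hundreds of failures against the RID-500 account and LogonType 10 is the pattern described in the post; BuiltinAdminEnabled = True with RdpEnabled = True is the combination to fix regardless of what the log shows.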

Offline The Nstuff

Re: If you have homelab...
« Reply #1 on: February 26, 2017, 01:43:29 PM »
Wow, that really sucks, especially when all the quick ways to fix something just keep failing, one after another.  Surprised you tried going down the path of actually paying them.  Not sure I'd do the same out of pure principle, but I've also never been in the same situation either, so I don't know for sure.  There's also the feeling of violation where they've spent who knows how much time on your system(s).

Agreed on how we are often lazy about what we do at home where we'd never dream of doing at work.

Glad you got everything back and they actually didn't scam you further.  Definitely taking a look at my port floating configs and whatnot, just in case.  ;)