Forum on Kuban.ru (http://forums.kuban.ru/)
-   Computer hardware (http://forums.kuban.ru/f1023/)
-   -   Attention!!! Virus *.hacked (http://forums.kuban.ru/f1023/vnimanie_virus_%2A_hacked-8462257.html)

kapysta 10.09.2017 22:21

Attention!!! Virus *.hacked
 
On the night from Saturday to Sunday, a hole arrived with the automatic updates.

Servers are being broken into via RDP, half an hour after the latest round of updates from MS.
A lot has been encrypted, but not everything...

BUT !!!
Some zip archives can still be opened via Ctrl+PgDn.

Have a good Monday, gentlemen!

Fluder3 11.09.2017 00:01

This has never happened before, and here it is again ...

Mag 11.09.2017 00:15

0-kapysta >
Which versions got broken into?

kapysta 11.09.2017 06:54

[quote=Mag;44754986]Which versions got broken into?[/quote]

r12 and 16

Mag 11.09.2017 08:57

3-kapysta >
The Veeam story isn't about you, is it?

kapysta 11.09.2017 10:08

[quote=Mag;44755461] 3-kapysta > The Veeam story isn't about you, is it? [/quote]

Nah, we have everything backed up.

Mag 11.09.2017 11:11

5-kapysta >
Last week was largely uneventful except yet another ransomware story affecting a Veeam customer (and a partner) which I simply cannot miss sharing, because no matter how similar these stories are to one another, someone can learn something new from each one – thus preventing the same disaster from happening to YOUR environment. Especially with stories like this one, which deal with hackers who are trying to be helpful, so to speak (I call them Robin Hoods). These folks tend to explain to the victim how they got in once the ransom has been paid – without ever being asked to do so. It is amazing how human nature pushes most criminals to do these nice things – I am seeing this time and again, including in this particular case.

This attack started from a Veeam backup server which was directly accessible from the Internet through RDP with a common account name "backup" and an easy to guess "password classic" – a very slight variation of the "P@ssw0rd" password (seeing one made my hair stand on end - and those who know me in person know I don't even have much). This is how the hacker got in initially. Not only did the account in question have Local Administrator privilege on the backup server, but also on the domain itself – so this particular environment was completely lost right out of the gate. What is even worse is that the backup server had saved connections to two more virtual environments belonging to the clients which this partner has been managing – obviously with admin credentials too :(

The consequences are pretty obvious – the hacker sicced a good old encrypted-boot ransomware on all three environments, taking them hostage. And the partner had truly no choice but to pay thousands of dollars in ransom – but in the end, was provided the decryption keys along with the breach details – just because the hacker was trying to be nice.
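Both posts above describe the same entry point: an RDP service reachable from the Internet, an account with a guessable password, and a successful logon after a run of failed guesses. The following is an added example, not code from the thread or from Veeam, showing two checks a defender would run after reading this: a detector for password guessing followed by a successful RDP logon in the Windows Security log (event 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive/RDP), and a check that flags "password classic" variants such as P@ssw0rd by undoing common leet substitutions. The event records, field names and IP addresses are constructed for the example; real logs would be pulled from the Security channel (e.g. exported to JSON) and mapped onto the same fields.

```python
"""RDP password-guessing detection and weak-password check (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625   # Windows Security event: an account failed to log on
SUCCESS_LOGON = 4624  # Windows Security event: an account was successfully logged on
RDP_LOGON = 10        # LogonType 10 = RemoteInteractive (RDP)


def _ev(time, event_id, user, ip, logon_type=RDP_LOGON):
    """Build one simplified Security log record (constructed sample data)."""
    return {"time": time, "event_id": event_id, "user": user,
            "ip": ip, "logon_type": logon_type}


# Constructed sample events, not real logs. Addresses are documentation ranges.
SAMPLE_EVENTS = (
    # six failed RDP logons for "backup" from one source, then a success
    [_ev(f"2017-09-10T02:00:0{i}", FAILED_LOGON, "backup", "203.0.113.7") for i in range(1, 7)]
    + [_ev("2017-09-10T02:00:07", SUCCESS_LOGON, "backup", "203.0.113.7")]
    # a second source still guessing "administrator", no success yet
    + [_ev(f"2017-09-10T02:1{i}:00", FAILED_LOGON, "administrator", "198.51.100.5") for i in range(5)]
    # a legitimate RDP logon with no preceding failures
    + [_ev("2017-09-10T09:00:00", SUCCESS_LOGON, "jsmith", "192.0.2.10")]
    # a network (type 3) failure: not RDP, so the detector ignores it
    + [_ev("2017-09-10T02:00:03", FAILED_LOGON, "backup", "203.0.113.7", logon_type=3)]
)


def _ts(s):
    return datetime.fromisoformat(s)


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Report source IPs with >= threshold RDP failures inside a sliding window.

    Returns a list of findings, ordered by IP. A finding has status
    "success_after_guessing" when a 4624 follows the failures (the account
    is assumed compromised) or "guessing" when no success was seen.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["logon_type"] == RDP_LOGON:
            by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in sorted(by_ip.items()):
        evs.sort(key=lambda e: _ts(e["time"]))
        recent = []          # timestamps of 4625s still inside the window
        peak = 0             # most failures seen in any window from this ip
        compromised = False
        for e in evs:
            t = _ts(e["time"])
            recent = [f for f in recent if t - f <= window]
            if e["event_id"] == FAILED_LOGON:
                recent.append(t)
                peak = max(peak, len(recent))
            elif e["event_id"] == SUCCESS_LOGON and len(recent) >= threshold:
                findings.append({"ip": ip, "status": "success_after_guessing",
                                 "user": e["user"], "failures": len(recent),
                                 "when": e["time"]})
                compromised = True
                recent = []
        if peak >= threshold and not compromised:
            findings.append({"ip": ip, "status": "guessing", "user": None,
                             "failures": peak, "when": evs[-1]["time"]})
    return findings


# Leet substitutions undone before comparing against a small base-word list.
_LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "$": "s", "5": "s",
                       "1": "i", "!": "i", "3": "e", "7": "t"})
_COMMON_BASES = {"password", "passwd", "admin", "backup", "welcome", "qwerty", "letmein"}


def is_password_classic(pw):
    """True when pw is a common base word dressed up with leet and a digit/symbol suffix."""
    base = pw.lower().rstrip("0123456789!@#$%^&*.?_-").translate(_LEET)
    return base in _COMMON_BASES


if __name__ == "__main__":
    for f in find_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"{f['ip']}: {f['status']} ({f['failures']} failures, user={f['user']}, at {f['when']})")
    for candidate in ("P@ssw0rd", "Backup2017!", "Tr0ub4dor&3"):
        print(candidate, "-> weak" if is_password_classic(candidate) else "-> not in list")
```

Run over the constructed events, the detector reports 198.51.100.5 as still guessing and 203.0.113.7 as having succeeded on the "backup" account after six failures; the single type-3 failure and the clean logon from 192.0.2.10 produce nothing. The password check is deliberately narrow (a short base-word list plus suffix stripping); it is meant to catch the "P@ssw0rd with a twist" class the quoted story describes, not to replace a proper breached-password list. Neither check helps if the account is already in Domain Admins and the server is on the public Internet, which is the actual lesson of the story: take RDP off the Internet, and give the backup service account no more than the rights it needs on the backup host.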

