* [dm-crypt] Fwd: Encryption info
From: Gary Evetts @ 2015-01-05 9:51 UTC
To: dm-crypt
Good Day,
Please see attached the following pics of the screen I came to see when
looking at our 2003 server after the holiday season interval. I am
presuming the individual(s) who have done this have used your software to
encrypt the data files on the server. Only through a Google search of the
email address they are using to correspond their demands with did I find a
link to your website. I believe I have traced the infiltration source app
with the server logs - that being Terminal Services. They then used the
built-in Administrator account on the 24 December to log onto the server,
which was not logged in at the time but only on the log-on screen. What
that password is - is unknown to me as it is the default build account.
Are you able to help me with the un-encrypting of the data files that have
been encrypted, or are the offenders the only source of a resolution?
Many thanks,
Regards,
Gary
---------- Forwarded message ----------
From: Gary Evetts <gary@it-inc.co.za>
Date: 5 January 2015 at 10:08
Subject: Encryption info
To: "gcevetts@gmail.com" <gcevetts@gmail.com>
Regards,
Gary Evetts
IT-Inc
072 211 1613
www.it-inc.co.za
[-- Attachment #2: photo 1.JPG --]
[-- Type: image/jpeg, Size: 138327 bytes --]
[-- Attachment #3: photo 2.JPG --]
[-- Type: image/jpeg, Size: 109490 bytes --]
* Re: [dm-crypt] Fwd: Encryption info
From: Arno Wagner @ 2015-01-05 12:54 UTC
To: dm-crypt
Yes, you got owned by some criminals.
But cryptsetup is exceedingly unlikely to have anything to do
with this, as it runs only on Linux and you seem to be on
Windows.
Sorry, we cannot help you.
The common wisdom with these types of people is, though, that most
seem to take the money but will not provide any decryption
key.
Side note to others here: This seems genuine if rather clueless.
At least virustotal did not find anything in the jpegs.
Arno
On Mon, Jan 05, 2015 at 10:51:28 CET, Gary Evetts wrote:
> Good Day,
>
> Please see attached the following pics of the screen I came to see when
> looking at our 2003 server after the holiday season interval. I am
> presuming the individual(s) who have done this have used your software to
> encrypt the data files on the server. Only through a Google search of the
> email address they are using to correspond their demands with did I find a
> link to your website. I believe I have traced the infiltration source app
> with the server logs - that being Terminal Services. They then used the
> built-in Administrator account on the 24 December to log onto the server,
> which was not logged in at the time but only on the log-on screen. What
> that password is - is unknown to me as it is the default build account.
>
> Are you able to help me with the un-encrypting of the data files that have
> been encrypted or are the offenders the only source of a resolution?
>
> Many thanks,
>
> Regards,
>
> Gary
>
>
> ---------- Forwarded message ----------
> From: Gary Evetts <gary@it-inc.co.za>
> Date: 5 January 2015 at 10:08
> Subject: Encryption info
> To: "gcevetts@gmail.com" <gcevetts@gmail.com>
>
> Regards,
>
> Gary Evetts
>
> IT-Inc
> 072 211 1613
> www.it-inc.co.za
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
* Re: [dm-crypt] Fwd: Encryption info
From: Heinz Diehl @ 2015-01-06 6:47 UTC
To: dm-crypt
On 05.01.2015, Gary Evetts wrote:
> Are you able to help me with the un-encrypting of the data files that have
> been encrypted or are the offenders the only source of a resolution?
LUKS/cryptsetup is not used here, since you are on Windows.
However, you should check if your files are actually encrypted or
not. For me, there's a possibility that they only want you to click on
the .EXE, with all the nasty consequences this could have.
Btw: You have a backup of your data?
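Heinz's suggestion, to check whether the files are actually encrypted before assuming a key is needed, is the kind of triage a responder can script. The following is an added example and not code from this thread or from the cryptsetup project: it scores a file's leading bytes by known header signatures first and by Shannon entropy second, because compressed formats (zip-based Office documents, JPEGs) are as high-entropy as ciphertext and would otherwise be misread as encrypted. The signature table, the 7.5 and 6.0 bits-per-byte thresholds, and all sample inputs are constructed assumptions, not values from the page.

```python
import hashlib
import math
from collections import Counter

# Constructed table of common file signatures (assumption: a short list is
# enough for the demo; real triage would use libmagic or an equivalent).
MAGIC = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip / office (docx, xlsx)",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"\xd0\xcf\x11\xe0": "ole2 (legacy doc/xls)",
    b"MZ": "windows executable",
}

# Assumed thresholds: ciphertext and compressed data sit close to 8 bits/byte,
# natural-language text and most structured plaintext sit well below 6.
HIGH_ENTROPY = 7.5
LOW_ENTROPY = 6.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def identify_header(data: bytes):
    """Return the format name if the buffer starts with a known signature, else None."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def assess(data: bytes, sample_size: int = 4096) -> dict:
    """Classify the first sample_size bytes: recognised format, ciphertext-like, or plaintext-like."""
    head = data[:sample_size]
    kind = identify_header(head)
    ent = shannon_entropy(head)
    if kind is not None:
        verdict = "recognised format, not encrypted"
    elif ent >= HIGH_ENTROPY:
        verdict = "high entropy: encrypted or compressed"
    elif ent < LOW_ENTROPY:
        verdict = "low entropy: likely plaintext"
    else:
        verdict = "indeterminate"
    return {"header": kind, "entropy": round(ent, 2), "verdict": verdict}


def constructed_ciphertext(n: int, seed: bytes = b"demo") -> bytes:
    """Deterministic pseudo-random bytes standing in for ciphertext (constructed sample)."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed sample inputs: a text document, a PDF header, and ciphertext-like data.
SAMPLE_TEXT = b"Quarterly report, draft 3. Revenue figures follow in the table below.\n" * 40
SAMPLE_PDF = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
SAMPLE_CIPHERTEXT = constructed_ciphertext(4096)

if __name__ == "__main__":
    for name, blob in [("report.txt", SAMPLE_TEXT),
                       ("invoice.pdf", SAMPLE_PDF),
                       ("report.txt.locked", SAMPLE_CIPHERTEXT)]:
        print(name, assess(blob))
```

Read each file from disk with `open(path, "rb").read(4096)` and pass the bytes to `assess`. A directory where most files come back as "high entropy" with no recognised header supports the encryption claim; a directory of intact headers suggests the files were only renamed or the note is a lure. The check is a heuristic, so keep the samples and treat "indeterminate" as a reason to look closer, not a result.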
* Re: [dm-crypt] Fwd: Encryption info
From: Arno Wagner @ 2015-01-06 8:33 UTC
To: dm-crypt
On Tue, Jan 06, 2015 at 07:47:37 CET, Heinz Diehl wrote:
> On 05.01.2015, Gary Evetts wrote:
>
> > Are you able to help me with the un-encrypting of the data files that have
> > been encrypted or are the offenders the only source of a resolution?
>
> LUKS/cryptsetup is not used here, since you are on Windows.
> However, you should check if your files are actually encrypted or
> not. For me, there's a possibility that they only want you to click on
> the .EXE, with all the nasty consequences this could have.
Good idea. I think this is a definite possibility. Privilege
escalation with user action is far easier than without, especially
if the click then asks for escalation.
> Btw: You have a backup of your data?
If the data is encrypted, your best bet is likely reconstruction
from backup and then patching it before connecting it to
the net again.
Arno