
Tech Support Hell: Ransomware aka The Boss Is An Idiot


From: s4b3r6

I had a fun one a few years back.

I was remote help for about four small businesses, all who needed a full time on-site tech, but weren't willing to pay for something that they couldn't see directly affecting their profit.

At this particular business, we had everyone's home directory linked to a server, so they could access their files from any work station.

I also knew that some of the staff resented this, and used folders in places that weren't linked to the network. So I had a background process that backed up the last three hundred modified files into version control. If they had tried to shutdown while it was running, it would cancel the shutdown and tell them to wait.

For most staff members, I put the fear of God into them. You don't cancel the backup.

Moving on to the story.

I got a call from $Boss, "Help! I clicked Windows Update, and now I can't log in! It says to go to $website!"

I blinked twice, and then winced as I opened said website in a sandboxed browser.

It was a payment gateway.

I decided on the spot not to do my usual troubleshooting. "Unplug the blue cable from the back. I'm coming in."

A brief argument later about not fixing it over the phone, and then I grabbed my forensic OS, and found my way in.

First to note: They broke the Ethernet cable trying to remove it. At least they tried.

Second: The screen was displaying what I feared: A ransomware demand.

I called $Boss over, who was trying to tell me he was too busy to deal with this and needed his computer ASAP.

I informed him I needed to take the entire network down, till I could make sure everything was okay.

Boss: "Absolutely not! It's just Windows Update ****ing around again!"

(I should note that this user had encountered corrupted Windows Updates in the past, and really really just wanted to disable them. My refusal to work for them at all if they did had stayed his hand.)

I shook my head, "Nope. This is something like a virus. If this computer was a person, I'd put it out of its misery. It's like herpes and cancer and leprosy combined."

Boss: "Really? Do we need to call the cops?"

I grimaced. "You need to do what I say. Then... Maybe."

I proceeded to shut everything down, start investigating, and then get irritated comments from every single employee in the building every five minutes.

Thankfully this was the early days when ransomware was the new kid on the block. They'd merely screwed up the hard drive header. Some GParted and dd later, the computer was fixed. I wiped the problem files... But wasn't 100% confident I could say it was gone. (No MalwareBytes yet at the time this happened.)

I found three more that were affected, and cleaned them, whilst their owners cursed me for causing them to break.

The server, yes only a single server here, and no backup, appeared fine, but the file time stamps caused me concern.

$Boss was among those that didn't like his files being backed up to the server. His backup hadn't run in a month.

So I went and interrupted his crisis meeting, where he was telling others not to use Windows Update because it had a leprosy virus.

I told him that the virus was probably gone, but to be safe, I needed to kill his and the other machines, and start clean. But because we had backups it would be fine.

He freaked. Yelled about the backup taking too long, the internet being evil, and me being useless and expensive.

I turned to leave, he calmed down. (I have tried this with some other problem clients. It doesn't always work.)

I explained he was an idiot, and how he had royally screwed his own company. I explained that I had fixed it. I also explained that the backup was more important than he was.

I rescued his files, reimaged the machines, and collected a healthy paycheck.

Then sent an email to all my clients explaining why websites can be bad.

That was my one and only experience with ransomware.

--s4b3r6


Comments

BPFH

We've had a couple of run-ins with ransomware where I work (CryptoLocker and Locky). They've largely been mitigated by the fact that the machinists save all their work to the server anyway, and that we have comprehensive backups.

It was the first one that really ticked me off, though.

We'd purchased some software to automate quoting of jobs. It was written in VB6. (This was in 2014 - VB6 dates back to the era of Windows 98.) It was incredibly fragile, required administrative privileges, and was exceedingly picky about which AV packages it would work with.

At some point, our estimator (the person using the software - I'll call her K) was the victim of a drive-by download of CryptoLocker. While I was dealing with the fallout from that (wiping and reinstalling her computer, plus some cleanup on the server shares she had access to), it came out that, at the behest of the tech support for the quoting software, K had uninstalled her AV software. Supposedly, their tech support had a list of AV packages that would work. Did they provide that list?

F**k no.

Yeah, we were just a wee bit angry at that point...
