New on LowEndTalk? Please Register and read our Community Rules.

Comments
No, in the original Nodeseek thread, there was also a 2nd picture from this where the communication was cut after sending the money. Basically this person was scammed out of $100 with nothing in return.
zh (translated): No, in the original Nodeseek discussion thread there was also a second screenshot from this incident, showing that the other party cut off contact after payment. In short, this person was scammed out of $100 and got nothing in return.
No wonder they only got one payment
If the hacker is clever enough, he should have released it instead of asking for more ransom. Because once a single person recovered the encrypted data other people would cave in.
Exactly. That's how ransomware groups work. Maximizing profits.
So now we know for sure mr. hecker is pretty dumb
@Cloudcone When will service be restored? Currently still offline.
They should have apologized by slashing the encryption code price by 50%.
The hacker wouldn't be in a position to restore any VMs because they no longer have access to the environment. They could have handed over the decryption key, but they'd still need the Provider to restore access
Best I can offer is $3
bro is so paranoid he censored his youtube recommended section 💀
Forget your data. Restore backup elsewhere and enjoy life.
I'm logged into the control panel. Where is the button to activate the disaster recovery plan?
censored everything but the fact his youtube is in switzerland
if he's in switzerland for real I can't imagine those 100 bucks going too far...
...breakfast?
double bandwidth hacker
https://lowendtalk.com/discussion/comment/3172078#Comment_3172078
Oh my...
Now barred
we wait for new acc
$7
eye opener honestly that all this chaos resulted in 100 bucks in profits
must really suck to be cloudcone in this situation, especially when the damages for sure exceeded those 100 bucks by i don't know how many times over
anyway, best you can do is just to just be transparent about findings and keep at it i guess
If this guy was just after money, there's so much more he could have done with the systems he compromised than trying to extort everyone and failing.
Also, since this guy is clearly a script kiddie, is there any chance that only the MBR was overwritten to add a fake ransomware message, and that the data within the VMs is untouched? If he's too lazy to actually restore people's data, he might be too lazy to actually encrypt anything.
CloudCone just replied to the ticket:
Not the MBR then.
This saga might be continuing here: https://lowendtalk.com/discussion/214080/ransomware-via-virtualizor-exploit#latest especially in the light of @HOSTCAY 's comment: https://lowendtalk.com/discussion/comment/4724649/#Comment_4724649
As @NotFoundException already laid out the actual reality, no need to do so for you (and some others).
Besides, what you ask for highly likely boils down to provider belly-up or seriously damaged plus clients losing their data. So obviously a bad choice!
AFAIC there's exactly one path of action that would work and all but wipe out that kind of crime: have some special and capable investigation unit always track, investigate, and hunt down those thugs - and then either lock them away for min. a decade or simply kill them. Aka making it an almost guaranteed failure plus extremely painful.
Unfortunately though pretty much nothing like that happens, usually, unless the attacked happens to be a sensitive or mighty state agency or a big corp.
TL;DR do pay! (if feasible) - and then hunt them down. Simply turn the game around just with information as currency instead of money. After being badly harmed themselves for a day or two I bet that all involved "supportive" parties (like providers) WILL provide info leading to the criminals. Aka "my business is more important to me than those few evil-doers".
Don't hold your breath though! The police is way too busy taking care of complaints from blue-haired wokes and feminists feeling "hurt" by words ...
A propos: AMELIA!
I have an update.
Despite what CloudCone claims: disk was damaged with the attack. This makes little sense from a disk partition sense because people could see the VNC image that showed the contact info for the telegram contact. Meaning it was bootable, so disk functioned for all customers.
Contacting the attackers they confirmed they would return all the keys for all the data (believe that at your own peril) for 8k usd. And were not contacted by CloudCone, ever.
To recover it however one would need the raw disks to decrypt them. Contacting them about this gave no results and they just didn't reply.
The attackers provided screenshots as proof.
That's already known. The VPS needs a reboot to launch the hack written on disk.
Disks can fail, whether the node gets ransomed or not, so just take the L and make sure you take backups, (which you've tested restoring), for the next time disaster strikes.
You can't know that unless you have the encryption script.
Disk can fail, sure. But virtual disk because of a software attack? On all nodes? That's like winning the lottery 10 times in a row!