Ransomware Help

Discussion in 'Network questions and troubleshooting' started by allesclar, Nov 6, 2018.

  1. allesclar

    allesclar Ancient Guru

    Messages:
    5,769
    Likes Received:
    176
    GPU:
    GeForce GTX 1070
    Morning all.

    A friend of mine has been hacked.

    They got an email from someone claiming to have hacked their router. They produced the correct username and password in the email.

    They say they have had access to the computer, contact details and internet browser history.

    Demanded payment by BitCoin.

    Obviously going to contact the police, but I have been thinking how on earth they got in.

    Surely they didn't come through the router via pinging and breaching, but more so from planting a trojan or something via the said user visiting an internet site?

    Thoughts?
     
    Last edited: Nov 6, 2018
  2. Extraordinary

    Extraordinary Guest

    Messages:
    19,558
    Likes Received:
    1,636
    GPU:
    ROG Strix 1080 OC
    Delete the email and laugh; everyone gets them. They're just phishing for someone dumb enough to believe them.
     
    allesclar likes this.
  3. fantaskarsef

    fantaskarsef Ancient Guru

    Messages:
    15,696
    Likes Received:
    9,574
    GPU:
    4090@H2O
    Change router password, forget the rest.
     
    allesclar likes this.
  4. burebista

    burebista Ancient Guru

    Messages:
    1,740
    Likes Received:
    36
    GPU:
    MSI GTX1060GAMING X
    The message looks like this?

    I greet you!

    I have bad news for you.
    11/08/2018 - on this day I hacked your operating system and got full access to your account

    It is useless to change the password, my malware intercepts it every time.

    How it was:
    In the software of the router to which you were connected that day, there was a vulnerability.
    I first hacked this router and placed my malicious code on it.
    When you entered in the Internet, my trojan was installed on the operating system of your device.

    After that, I made a full dump of your disk (I have all your address book, history of viewing sites, all files, phone numbers and addresses of all your contacts).

    A month ago, I wanted to lock your device and ask for a small amount of money to unlock.
    But I looked at the sites that you regularly visit, and came to the big delight of your favorite resources.
    I'm talking about sites for adults.

    I want to say - you are a big pervert. You have unbridled fantasy!

    After that, an idea came to my mind.
    I made a screenshot of the intimate website where you have fun (you know what it is about, right?).
    After that, I took off your joys (using the camera of your device). It turned out beautifully, do not hesitate.

    I am strongly belive that you would not like to show these pictures to your relatives, friends or colleagues.
    I think $858 is a very small amount for my silence.
    Besides, I spent a lot of time on you!


    I accept money only in Bitcoins.
    My BTC wallet: crap stuff

    You do not know how to replenish a Bitcoin wallet?
    In any search engine write "how to send money to btc wallet".
    It's easier than send money to a credit card!

    For payment you have a little more than two days (exactly 50 hours).
    Do not worry, the timer will start at the moment when you open this letter. Yes, yes .. it has already started!

    After payment, my virus and dirty photos with you self-destruct automatically.
    Narrative, if I do not receive the specified amount from you, then your device will be blocked, and all your contacts will receive a photos with your "joys".


    I want you to be prudent.
    - Do not try to find and destroy my virus! (All your data is already uploaded to a remote server)
    - Do not try to contact me (this is not feasible, I sent you an email from your account)
    - Various security services will not help you; formatting a disk or destroying a device will not help either, since your data is already on a remote server.

    P.S. I guarantee you that I will not disturb you again after payment, as you are not my single victim.
    This is a hacker code of honor.

    From now on, I advise you to use good antiviruses and update them regularly (several times a day)!

    Don't be mad at me, everyone has their own work.
    Farewell.


    If yes, then I receive at least 10/day. :)
    Relax, it's a hoax.
     
    allesclar likes this.

  5. allesclar

    allesclar Ancient Guru

    Messages:
    5,769
    Likes Received:
    176
    GPU:
    GeForce GTX 1070
    Well the hoax part got me first.

    But the email contained the router's correct username and password, and yes, it has been changed from the default one.
     
    fantaskarsef likes this.
  6. allesclar

    allesclar Ancient Guru

    Messages:
    5,769
    Likes Received:
    176
    GPU:
    GeForce GTX 1070
    That is generally the case, but in the email they produced the username and password details for the router, which were correct.
     
  7. allesclar

    allesclar Ancient Guru

    Messages:
    5,769
    Likes Received:
    176
    GPU:
    GeForce GTX 1070
    I have told him already to unplug the router etc. and just leave it until he gets home.
     
    fantaskarsef likes this.
  8. fantaskarsef

    fantaskarsef Ancient Guru

    Messages:
    15,696
    Likes Received:
    9,574
    GPU:
    4090@H2O
    Your friend might as well consider downloading the latest firmware for his device, and reflash it offline, just in case the router's firmware was compromised. But that's about as much as I can imagine doing, for safety.
     
    allesclar likes this.
  9. allesclar

    allesclar Ancient Guru

    Messages:
    5,769
    Likes Received:
    176
    GPU:
    GeForce GTX 1070
    This is exactly the same type.

    They received a few of these emails and just deleted them.

    BUT, then they received one of these with more information, that information being the router login details (which are correct).
     
  10. allesclar

    allesclar Ancient Guru

    Messages:
    5,769
    Likes Received:
    176
    GPU:
    GeForce GTX 1070
    I have instructed them to do that; I do not think their home network / PC has been compromised, just the router ATM.

    Just trying to get more information on the message they received.
     
    fantaskarsef likes this.

  11. burebista

    burebista Ancient Guru

    Messages:
    1,740
    Likes Received:
    36
    GPU:
    MSI GTX1060GAMING X
    What router does he have?
    Recently there were some attacks against home routers (one of them for example).
    He should update his firmware ASAP I guess.
     
    allesclar likes this.
  12. Extraordinary

    Extraordinary Guest

    Messages:
    19,558
    Likes Received:
    1,636
    GPU:
    ROG Strix 1080 OC
    Generic username/pass?

    Even still, I wouldn't waste any time on them; good chance it's just a mass emailing to see who bites.

    Change the router login, but tbh they would have had to hack your network to access the router first anyway, in which case that's the least of his problems lol
     
    allesclar likes this.
  13. allesclar

    allesclar Ancient Guru

    Messages:
    5,769
    Likes Received:
    176
    GPU:
    GeForce GTX 1070
    Not a generic username or password.

    For now they have turned off the router and disconnected it from the network and internet.

    I do know that it was custom flashed with WORT to allow VPN configurations etc.

    I am just getting the model of the router now.
     
  14. allesclar

    allesclar Ancient Guru

    Messages:
    5,769
    Likes Received:
    176
    GPU:
    GeForce GTX 1070
    The router model is a Linksys wrt1900acs v2
     
  15. burebista

    burebista Ancient Guru

    Messages:
    1,740
    Likes Received:
    36
    GPU:
    MSI GTX1060GAMING X
    By chance do you know his actual firmware version?
     
    allesclar likes this.

  16. allesclar

    allesclar Ancient Guru

    Messages:
    5,769
    Likes Received:
    176
    GPU:
    GeForce GTX 1070
    I can ask, but I doubt it for the time being.
     
  17. burebista

    burebista Ancient Guru

    Messages:
    1,740
    Likes Received:
    36
    GPU:
    MSI GTX1060GAMING X
    OK, I was curious because I saw on their firmware page some patches for some vulnerabilities so I wanted to know if he was up to date with firmware when he was attacked.
     
  18. allesclar

    allesclar Ancient Guru

    Messages:
    5,769
    Likes Received:
    176
    GPU:
    GeForce GTX 1070
    Ok got an update.

    Long story short they were not hacked.

    But, due to company database security breaches, some more than identified here ("haveibeenpwned.com"), their email address and password were found on the web.

    Just a chance that the password and email address that were leaked used the same password as the router (not anymore).

    Thanks for the help everyone.

    Router has been flashed with latest firmware and passwords changed.
     
    burebista likes this.
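The update above turns on one fact: the router password was the same one that leaked with the email address in a third-party breach. The check below is an added example of mine, not code posted by anyone in this thread. It shows how to test a password against Have I Been Pwned's Pwned Passwords service using its k-anonymity range lookup (real endpoint, https://api.pwnedpasswords.com/range/), where only the first five hex characters of the password's SHA-1 digest are sent and the remaining 35 characters are compared locally, so the password itself never leaves the machine. The `SAMPLE_RANGES` data and the breach counts in it are constructed for offline use and are not HIBP's real figures; `fake_fetch_range` stands in for the network call.

```python
"""Password-leak check using HIBP's k-anonymity scheme (added example, not from the thread).

The real API returns, for a 5-hex-char SHA-1 prefix, every known suffix with its
breach count. We hash locally, send only the prefix, and match the suffix locally.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint


def hash_prefix_and_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is sent
    and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns; ignore junk lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.strip().upper()] = int(count)
    return counts


def fetch_range_live(prefix: str) -> str:
    """Network fetch against the real API. Not used by the offline check below."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "router-password-reuse-check"},  # any identifying UA
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appeared in known breaches (0 = not seen).
    `fetch_range` is injected so the check can run offline in tests."""
    prefix, suffix = hash_prefix_and_suffix(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the API response for prefix 5BAA6 (SHA-1("password")
# = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8). Counts are made up for this example.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # suffix of SHA-1("password")
        "A9B1B3F2E5C8B1D0A6E3F4C2D1B0A9E8F7C:12",
    ])
}


def fake_fetch_range(prefix: str) -> str:
    """Offline substitute for fetch_range_live using the constructed data above."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    # Check a candidate router password without ever transmitting it.
    for candidate in ("password", "a-long-unique-router-passphrase"):
        n = breach_count(candidate, fake_fetch_range)
        verdict = f"seen {n} times, do not reuse" if n else "not in sample data"
        print(f"{candidate!r}: {verdict}")
```

Swap `fake_fetch_range` for `fetch_range_live` to query the real service; the hash prefix is the only thing it learns, and a non-zero count means the password should be treated as public, which is exactly the situation the router owner was in.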
  19. -Tj-

    -Tj- Ancient Guru

    Messages:
    18,097
    Likes Received:
    2,603
    GPU:
    3080TI iChill Black
    I got one too today.. but the pass is not quite it.. he got close though.. email pass, not router.

    One time in the past, I think around August, he got it right; that time I got scared too, never had such a hack. I changed all my passwords back then.
     
    allesclar likes this.
  20. Extraordinary

    Extraordinary Guest

    Messages:
    19,558
    Likes Received:
    1,636
    GPU:
    ROG Strix 1080 OC
    I don't pay any attention to any emails like that; even if they had my details right I'd ignore it. You don't email people telling them you have their logins, you use the logins to hack whatever account it is.

    Mass emailing, as I said, and now known to be from the security breach database; they probably don't even know who they've emailed, just sending the same crap to everyone on that list hoping someone will bite.
     
    allesclar likes this.
