BOFH: 'Twas the night before Christmas, and the ransomware struck

If you don't cough the money, you're well out of luck

Episode 13

The scene opens in the BOFH's office at 2:43pm on the LAST DAY OF WORK.

“I... cannot impress upon you how important this is,” the Director says firmly yet quietly after sneaking into Mission Control on the last day of work with an urgent problem.

“Will it take long?” I ask as a sack-barrow loaded with booze passes by outside the door to Mission Control.

...

“I don’t know – you tell me,” the Director says, handing over a laptop.

_____

“What's this for?”

“It’s very important,” he repeats. “We need to get the data off it.”

“Sure,” I say, powering it up.

...two minutes later...

“Nope,” I say, handing the laptop back. “It's got encrypting ransomware on it.”

“We need the data!”

“Maybe give one of those forensic retrieval crowds a call. Or pay the... er, five grand they’re asking.”

“Forensics has a two-week turnaround and we don’t have that kind of cash.”

“Hmmm,” I say. “When do you need it?”

“3pm.”

“No chance.”

“3:15?”

“Dreaming.”

“Look, we need this by – ABSOLUTE LATEST – 3:30pm.”

“Can’t be done.”

“OK, 3:45, but the data would need to be transmitted immediately.”

“Okay then,” I say. “I’ll need to boot the system with some forensics fingerprinting software...”

>whirrrrrrr<

“And now just a low level scan.”

“Well, what do you see?” the Director asks nervously.

“Coloured boxes - this isn’t CSI-Fantasyland! It can take YEARS to decrypt an index off a disk. Though the software says this ransomware uses a crackable rolling encryption algorithm.”

“What’s that mean?”

“It means that it encrypts bits of the disk with different keys but you can crack them one at a time.”

2:50pm

“The problem is this bit,” I say, pointing at the screen. “There’s a whole bunch of Unknown file types. It means the encryption hasn’t cracked that bit, and if your file – or part of it – is in that location then the file will be corrupt.”

“Can you see any files?” the Director asks.

“Stacks!” I reply. “But we’ll run out of time if we try them all. We need a file name.”

“OK,” the Director says nervously. “It’s an encrypted Excel file. Do you know what that looks like?”

“Yes, like an Excel file.”

“No, it’s an encrypted Excel file. BNKXFER.”

“Right!” >clickety<

“This wouldn’t be an end of year bonus upload file – which no one's getting this year – would it? If it were it’d just be a file of account numbers and account names with zero in the third column.”

“I don’t know what it is,” the Director lies. “It’s encrypted.”

2:53pm

“Okay, I think I can see some files like that. Do you have a Class 10 USB-3 key on you with hardware encryption?”

“Uhhhh. No.”

“Right,” I say. “Just a minute, I might have one in my drawer.” >shuffle< “There.”

>clicky<

“OK. I’ve copied the file over, see how you go with that.”

“Right,” he says, running off.

“I can’t believe you’re helping him,” the PFY says, looking at me like some class traitor.

“It’s the season of goodwill to all men!”

3:00pm

Our conversation is disturbed by the swift reappearance of our Director.

“It doesn’t work,” he says.

“I thought it was encrypted?” I ask.

“It is.”

“Surely the only people who’d know if it were corrupt would be those people with the keys?”

“I don’t know about that,” the Director blurts guiltily. “I just know it doesn’t work. The... uh... bank said so.”

“OK,” I say. “Maybe a different version will work.” >clickety< “Try that.”

>slam<

“Why are you helping him?” the PFY demands.

“Why am I copying random chunks of garbled filesystem to BNKXFER.XLSM on the USB stick?” I ask. “Because it amuses me.”

3:09pm

“Still nothing,” the Director says, bumbling headlong through the door to Mission Control at speed.

“Okay, I’ll just try another version.” >clicky< I say, watching the clock creep around to the 3:10 mark.

>DASH!<

“How long are you going to keep this up?” the PFY asks.

“Did you know,” I ask, “that our bank actually stops processing electronic transfers at 4pm sharp. After that they’ll hold them all over till the third of January. So in answer to your question: another 39 minutes...”

>SLAM!<

“No,” the Director says, puffing away.

“There’s only five more versions,” I say.

“Put them all on the stick!”

“I can’t,” I say. “They’d overwrite each other.”

“Okay, quickly,” he says, holding out his hand urgently >clicky<

>DASH!<

“Lock the door will you?” I say to the PFY.

____

3:15pm

>CRASH!<

“Okay unlock it now,” I say, as the PFY unlocks the door – which now has a small splatter of blood on it about the Director’s nose height.

“Still nothing,” the Director says, holding the end of his (possibly broken) nose as he limps in.

>clicky<

>DASH<

“Say you were at a meeting with your five fellow senior management peers,” I say to the PFY. “And you're discussing investing in a building development just down the road which is pretty much guaranteed a 300 per cent return once they sign up a tenant – a company like ours for instance – into a 10-year lease...”

3:20pm

>slam!<

“No!” the Director gasps.

>clicky<

>GRAB!<

>DASH!<

“It’s the sort of lease that a group of motivated senior managers could slip by the crusty old farts on the board after four rounds of sherry and a kind word from an attractive saleswoman. All you need to be part of this deal is a non-refundable £50k deposit followed by a second £50k instalment once the development is out of the ground. Only you don’t have £50k on hand just at the moment, let alone £100k. But wait, the topic of this meeting is Christmas Bonuses for the staff and you realise that if no one but you gets a bonus it’d work out to around £50k each!”

3:33pm

>crash<

>wheeze!<

>clicky<

>DASH<

“So you announce the salaries-austerity policy, get your £50k bonuses approved by the crusties and BORROW £50k from your bank. Now the worst case scenario is you’ll lose the interest on the £50k if you had to pay it back with your bonus.”

“Mmmm,” the PFY says. “But say someone overheard this conversation because you’d called them to ask what an HDMI plug was and forgot to hang up.”

3:39pm

>crash!<

>wheezy gasp<

>clickety clack<

>grab< >dash<

“All you need to do to meet the second payment deadline is to get your bonus credited to your account before the close of bank business on the last day of work. But your Head Beancounting co-conspirator doesn’t trust any of his underlings not to sneak a peek at the transfer so he keeps the file on his personal laptop with no real antivirus products on it. And somehow it gets infected with ransomware...”

“You didn’t!”

3:41pm

>clonk<

>stumble<

“The thing is,” I say to the Director. “I’m supposed to be having an end of work drinks. But instead I’m pretty much pulling overtime.”

“Just claim it!” he gasps, handing my key over one more time.

“Yes, but the thing is, you know, all those taxes and everything. Cash would be... you know... better. A lot of cash.”

“Don’t have any cash...” he wheezes.

“If only we had cash in the building,” I say. “Somewhere that you could get to and be back from in... 10 minutes...”

>stumble-dash<

“So now,” I say to the PFY calmly. “You’ve all borrowed £50k for the first instalment which you stand to lose if the second £50k isn’t paid to the developer by the end of business today. But the upload file was completely obliterated by the ransomware – though maybe someone took a copy of the file before the virus struck. Only that person didn’t know the password.”

“Mmmm”

“But they DO have a Class-10 USB stick with a key logger on it.”

“Ah!”

“And so they send you backwards and forwards with the key-logging USB stick recording the password that you told them you didn’t have...”

“Yes...”

“And then they send you out for cash while they: decrypt your file >clickety<; delete the six rows of account numbers, names and 50ks, >clack< >clack< >clack< >clack< >clack< >clack<; and insert a single row with the account name and number of the social club with a 300k third column, >paste< >tappity< >tap<; then reencrypt the file >clickety< >tap< just in time for you to...”

3:49pm

>stumble<

“Here!” the Director says, trying to hand over a wadge of cash.

“Oh, how much is it?”

“Dunno,” he gasps.

“Could you count it?” I ask.

“NO!” the Director gasps. “I need the file NOW!”

“Okay, but you will bring the money back and count it?”

>stumble-dash<

“And so eventually you get your file – only you don’t get a chance to send it because when you get back to your office Security is waiting for you because they’ve finally found the person who’s been stealing all the petty cash money...”

“I thought that was y...”

“We know who it is because they’re on camera,” I interrupt.

3:57pm, in the Boss’s office

“And all that’s left to do is upload this file to the banking portal >drag< >clicky< and in the blink of an eye our six senior managers have lost £50k, and in two minutes the social club will have purchased a pub!”

Christmas like Clockwork.


Biting the hand that feeds IT © 1998–2020