Ransomware lands on Australian shores

Date: 26 September 2012

Original URL: http://www.auscert.org.au/render.html?cid=7066&it=16383

Yesterday AusCERT was notified of a server being held hostage by ransomware. All data and backup storage attached to the server had been encrypted, accompanied by a message titled "Anti-Child Porn Spam Protection". The message advised that illegal sites had been accessed and that, in order to retrieve the data, the victim had to pay $3,000. Non-compliance would result in a report being sent to law enforcement with a sample of images allegedly from the illegal site.

While similar malware has been circulating overseas, it is only recently that Australian organisations have been targeted. An excellent explanation of the malware, including some possible ways to recover the data, is available on the website of Emsisoft, an Austrian anti-malware vendor. However, the ransomware currently circulating in Australia may be a new variant. For those wanting to try the suggestions in the article, make sure this is only attempted on a copy of the data, as it is not known what an incorrect code will do.

The previously mentioned organisation wanted to know how they could get their data back. However, without recent backups, and with relatively little known about this specific variant, the unfortunate reality is that the data is not recoverable.

Some may be tempted to pay the ransom; however, be warned that there are no guarantees the data will be returned, and it is highly likely that your organisation will be targeted again. Next time, it might not be as easy as restoring a server or paying a ransom.

In order to protect against such attacks, the following best practices are worth repeating:

Till next time,