Tictac Ransomware Consultants was called to help a big national corporation recover their files from THT Ransomware that infected more than 50 Physical Servers and more than 100 virtual servers that were infected by THT Ransomware.
Here is the THT Ransomware Incident Details:
- On Tuesday 13/10/2018 the client called us and reported that had an infection from THT Ransomware (TimisoaraHackerTeam Ransomware – Timisoara) that infected lots of Windows Servers of the corporation
- It had encrypted all secondary volumes in every single server, including all Backup Servers
- There was no solution for this kind of ransomware publicly available and its operation had affected all systems of the corporation, rendering the business unable to operate
- The IT department of the company had been paralyzed by the infection and no recent backups were able to be extracted
- The Hackers have requested a ransom of 16 bitcoins to unlock the servers that have been infected.
The Authorities have advised the corporation not to pay the ransom and to restore their systems from Backups.
Such a decision was not easy to take from the CEO of the company, since there would be a huge effort and would take them a lot of time to restore their systems to full functionality, but even then, a huge data loss would have taken place.
A security company that supported the corporation was unable to help them decrypt the files but they found out the root cause and detected that an old domain server was the point where the hacker managed to install the malicious code.
Still they were unable to help them recover the files, so the client has asked the help of TicTac Data Recovery through our Partners Network.
The ransom note from the Hackers of TimisoaraHackerTeam (THT Ransomware)
The Hackers left a note that the payment to get their files back was 16 bitcoins (about 105.000euro).
This was the message on the ransomware note:
Hello. Sorry, your company’s server hard drive was encrypted by us.
We use the most complex encryption algorithm (AES256).Only we can decrypt.
Please contact us: email@example.com (Please check spam,Avoid missing mail)
Identification code:XXXXXXXXXXXX (Please tell us the identification code)
Ransom: Please pay 16 bitcoins.After the payment is successful, we will tell the Password.
(If the contact is fast, we will give you a discount.)
In order for you to believe in us, we have prepared the test server.Please contact us and we will tell the test server and decrypt the password.
How to buy and pay for Bitcoin:
Or you can google search “How to buy Bitcoin”
If you know other trading websites better.
We are a professional hacker team, not a virus.We only take directional attacks.We know everything about your company.If you refuse to pay, we will disclose important documents that we have(file,email,contracts and many more).
We are a reputable organization and definitely not a liar.Our business covers more than 20 countries around the world. There are hundreds of companies that have successfully unlocked.
After failing to resolve the issue with their IT Administrators and the external Cyber Security Company the corporate asked help from TicTac Data Recovery Ransomware Experts so that they can see what options they have.
Mention that the IT Admins and the directors of the company didn’t have any experience with Ransomware and even paying the ransom wasn’t an option since they would be risking a very high amount of money due to the fact that they didn’t know the technology behind cryptocurrency.
TicTac Data Recovery Ransomware Consultants saved the day with THT Ransomware Negotiation
Since TicTac Data Recovery Ransomware Consultants have dealt with various incidents in the past, they followed a specific protocol that is being used in such Ransomware Incidents.
First we have contacted the Hacker Team to check their intentions and to know how much time they will maintain the key.
At the same time we have investigated if there are available options for decrypting this Ransomware Type.
According to our database with Ransomware Negotiations and Ransomware Type Analysis we found out that THT Ransomware version was a very recent one and is a very sophisticated ransomware, where the Hackers know exactly the infrastructure of the client.
From our past events we saw that THT Ransomware hits only big corporations with more than 30 terminals and they actually use manual methods to penetrate the system and install the malware.
When they manage to infect a lot of servers, then they start the encryption at the same time.
We sent to the client the data from our database and we have concluded based on our past history that this ransomware type needs special Negotiation Skills that our team has in order to convince the hacker team to cooperate.
We managed to decrease the ransom amount to 10 bitcoin (which was about 30% less than the original ransom requested) using our negotiation statistics database and we established a good trustworthy relationship with the hacker.
Our team has also managed to convince the Hacker team for proof of concept and we helped the client decrypt one Virtual Server from his infrastructure to prove that the Hacker can do what he said he can do, because this is not the case always.
We checked also our database and have dealt with this team before in previous negotiations.
They used the following email in this case:
Of course the Decryption key wasn’t publicly available, and also it uses a very complicated algorithm to encrypt the files because it generates multiple keys from files.
Mr. Panagiotis Pierros who is the Managing Director of TicTac Data Recovery worked along with the CEO and the Head of the IT department to support the whole process and advice them on the actions that need to be done prior the Decryption, if the Hacker sends the THT Ransomware Decryption key.
TicTac Data Recovery Ransomware Consultants also helped the client find the appropriate amount of Bitcoin and transfer it to a new bitcoin wallet that was created for them.
One of our Cryptocurrency Experts has helped the client understand the basic usage of cryptocurrency and set the expectations.
The client attempted to find the amount of Bitcoin the Hacker asked, but it would take them about 10 days to gather the appropriate amount of Ransom requested by the hacker.
Within about 80 hours from the beginning of the Handling of the case the Hacker released the decryptor and the client has decrypted all his files.
Throughout the process 3 dedicated team members of our team were working day and night remotely along with the IT department of the client to help them proceed as fast as possible and get their files back.
The client has paid the ransom, but the most important thing is that he has his Servers back and running.
We would like to thank everybody who participated in this effort that we consider a success since we acted fast and with no delays.
At the end of the incident we consulted the client how he can claim the expenses from the insurance company.
I want to use your Ransomware Negotiation Services so can maximize my success results. How shall i contact you?
If you have an urgent case with THT Ransomware and you want our Ransomware Consultants to help you get your files back, please contact TicTac Data Recovery or contact the Emergency Number +30693271171 to tell you the options you have.
Also you may contact mr. Mike Mingos who is the head of our Ransomware Consultants team in his skype: mike.mingos to consult you in the first actions you need to take.
Don’t panic but be ready to pay the ransom if you want your files back.
But don’t take any actions before you contact us!
Some of our clients that have started the negotiation themselves do not know what actions they need to take before and after the decryption and they either didn’t manage to cooperate with the hacker or they double encrypted their files.
We have worked with THT Ransomware Incidents all around the world and we have a very good percentage to achieve good results if we handle the case from scratch.
Its important not to engage with the Hacker Team before you contact us, to have the good results we have.
Learn more about how to deal with another cyber threat > dharma (.cezar family) decryptor tool – how to decrypt dharma