Monday, July 23, 2012

AxCrypt used for ransom attacks

In October 2011 I got an e-mail from a Turkish corporation, claiming that someone had hacked their server to the extent of getting full administrator access. Thereafter the hacker had installed AxCrypt and encrypted all or most of the files on the server, and subsequently demanded a ransom from the company owning it.

At first I was very sceptical - how could someone get that kind of access to a server, and then hit on the idea to use AxCrypt to encrypt the files (for which it is workable, but not really well suited, since it for example requires full administrative permissions to install etc., not just write permission to the files). On top of that - no backups; the only copies of the files were apparently the ones on the server.

It seemed just too bad to be true. A file server wide open to remote login with administrator permissions and a guessable password, with no backup routines? My first guess was that this was some kind of scheme to see if I would respond, "Sure, there's a backdoor into AxCrypt - just pay me a small amount and promise not to tell anyone and I'll help you out." Sorry, no such (bad) luck. AxCrypt does not have any backdoors, and I can't be of help.

Now, in July 2012, I've had an additional few similar e-mails and even a few phone calls, in total about 10, all of them from Turkey. Strangely enough the contacts have escalated: at the start it was only e-mails, which were not responded to when answered; then the e-mails started getting answered; then English-speaking persons were calling from Turkey; now, most recently, Swedish-speaking persons are calling from Sweden, still referring to problems originating in Turkey.

I'm still at a loss to really explain the phenomenon, but I'm now tending towards actually believing that the basic facts are true. Servers and perhaps also personal computers are being hacked (it's not entirely clear just what kind of computers have been hacked). That so far every single incident has been in Turkey is, I believe, due to the simple fact that the hacker is likely to be Turkish. A significant number of these hacks seem to occur during the weekend, so it's also likely that the hacker has a day job too, which is somewhat comforting since it implies that the 'business' is not very profitable.

If you happen to be the victim of a ransom attack, in Turkey or elsewhere, I am very sorry for your sake but please understand that I cannot be of any help whatsoever. You must contact your local police authorities and get them to investigate. They should be motivated to do so, since apparently this is not that infrequent - once again assuming that the stories I hear are actually true as told.

I've tried to come up with some way to make AxCrypt even less suitable for the purpose of ransoming, but I really can't think of anything. It's just a tool, and if you let the hacker into your system with full administrator permissions, I don't think there's anything anyone can do - except you, and that is to have backups!

This is not an AxCrypt issue. This is a security policy issue at the victim's site.

The hackers are not even that smart to use AxCrypt. To perform the attack they don't really have to install anything - all they have to do is encrypt the file system with EFS, the Encrypting File System, which is an integral part of all modern Windows editions, export a recovery certificate and then reset the administrator password. Done. No need for extra tools such as AxCrypt. On top of that, there are literally hundreds of alternative encryption tools out there, all of them potentially 'useful' in this context. I guess in a twisted kind of way I should regard it as a compliment that AxCrypt is so easy to use and secure that even hackers want to use it!

Remember that backups are your final protection against data loss, regardless of the cause. Go check your backup routines now - and validate regularly that you actually can read the backups as well!
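One defender-side check that follows from the post, as an added example that is not part of the original post or of AxCrypt itself: a small Python inventory that counts AxCrypt output files (.axx) and EFS-encrypted files under a share and flags a share where most files appear encrypted, so that a weekend mass-encryption is noticed before the ransom note arrives. The 50% threshold, the sample file names and their contents are assumptions constructed here; the EFS attribute bit can only be read on Windows, elsewhere only the .axx check applies.

```python
"""Inventory a directory tree for files that look encrypted by AxCrypt or EFS.

Added example for the post above; not code from the AxCrypt project.
"""
import os
import tempfile
from pathlib import Path

FILE_ATTRIBUTE_ENCRYPTED = 0x4000   # Windows EFS attribute bit (FILE_ATTRIBUTE_ENCRYPTED)
AXCRYPT_SUFFIX = ".axx"             # extension AxCrypt gives its encrypted output


def is_efs_encrypted(st: os.stat_result) -> bool:
    """True if the stat result carries the EFS attribute (Windows only; False elsewhere)."""
    return bool(getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_ENCRYPTED)


def inventory(root) -> dict:
    """Count regular files under root and how many of them look encrypted."""
    counts = {"total": 0, "axcrypt": 0, "efs": 0, "encrypted": 0}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        counts["total"] += 1
        axx = path.suffix.lower() == AXCRYPT_SUFFIX
        efs = is_efs_encrypted(path.stat())
        counts["axcrypt"] += axx
        counts["efs"] += efs
        counts["encrypted"] += axx or efs   # a file counts once even if both apply
    return counts


def encrypted_ratio(counts: dict) -> float:
    """Share of files that appear encrypted; 0.0 for an empty tree."""
    return counts["encrypted"] / counts["total"] if counts["total"] else 0.0


def suspicious(counts: dict, threshold: float = 0.5) -> bool:
    """Flag a tree where more than `threshold` of the files appear encrypted (assumed cut-off)."""
    return encrypted_ratio(counts) > threshold


def build_sample_tree() -> str:
    """Constructed sample share: three AxCrypt outputs next to one untouched document."""
    root = tempfile.mkdtemp(prefix="share-")
    for name in ("budget-xlsx.axx", "contracts-docx.axx", "db-backup-bak.axx", "readme.txt"):
        Path(root, name).write_bytes(b"constructed sample content")
    return root


if __name__ == "__main__":
    c = inventory(build_sample_tree())
    print(c, "SUSPICIOUS" if suspicious(c) else "ok")
```

Run it against a real share on a schedule and alert on the flag; on a Windows file server the EFS count also catches the tool-free variant described above.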


  1. Hi,
    the same thing happened to us, and they asked us for $1000. money4ptr.pan asked for the money to reach us at @. If we pay the money, do you give the password? Can you help?

    my mail address


  2. I am not doing this! I have nothing to do with this. Please read the post again, carefully. Then call your local police. This is a police matter. I cannot help.

  3. Backtrack suite + AxCrypt + no sense to backup = pwnt

  4. I'm just posting to inform that over 100 companies were hacked the same way in Northern Cyprus within this week. I'm an IT security guy who is receiving constant phone calls about these issues from people, and also from the police, as help requests...

    1. That is very bad news. Please be sure to coordinate with local police, and local media to inform about the dangers of having direct access to servers via Remote Desktop with simple passwords, as well as the absolute need for offsite backups.

  5. I wonder if there is anyone who can solve this problem.

    1. You write "I wonder if you can solve this problem.". No, we cannot. Please read the post again, sorry.