My OpenCanarys run Samba shares on the Internet. At first this was mainly for Canary Tokens left there for attackers to open and trigger (this never worked), but then I found that malware was being dropped into the shares.
While preparing a presentation on The OpenCanary Experience, I stumbled across another unintended consequence…
I’m being ransomed!
It seems that some criminal (or teenager) stumbled upon this share on the Internet, took the files (oh! my!) and I will have to pay to get them back.
All your data has been backup and remove. If you want receive back your data pay 0.01 BTC to this address: 17KddJw3y8FycFk6eGsQjLPGFf1BRYgsHa After payment send message to email addr: firstname.lastname@example.org
I cannot believe someone wants me to pay 0.01 BTC for the malware they stole! It’s also likely that the files were deleted when they were copied because… they are malware. Surprise! It also seems that they did not earn anything before or since July 10th – the wallet contains nothing!
I have to add this to the “things I never expected when running a honeypot”!