Any ideas how could I've been ransomware hacked?
Solution 1:
You've broken a cardinal rule of dealing with a security/system breach: Preserve evidence.
You've likely destroyed or at the least severely hindered your ability to determine what happened and how by reformatting servers and restoring data. Not only that, but if you had planned on submitting a claim to your insurance company for any losses incurred you've likely jeopardized that as well. Additionally, if you had planned to notify law enforcement you've seriously impeded their ability to perform an investigation.
Here's my suggestion to you if this should happen again:
- Disconnect from the internet.
- Disconnect all systems from the internal network.
- Contact your business insurance company, explain the situation, and ask for their guidance. If they're a large insurer they likely have specific protocols and steps that they'll need you to follow, and if you're lucky they'll have a dedicated team to help you deal with this.
- Do everything the insurance company tells you to do, exactly as they tell you to do it, in the order they tell you to do it in.
- Do not take any actions beyond what your insurance company or law enforcement instruct you to take.
Solution 2:
What Joe is saying is very sound, but I would also wonder why the need to boot up into a Linux USB stick. Last time one of our customers (a health institution) was hit by a ransomware attack, we could clone the affected volumes for forensic analysis and restore from a snapshot in less than 30 minutes.
Get a good backup and snapshot plan (they are not the same!) and a good quick recovery plan. Ransomware becomes useless when you can restore in 30 minutes and have someone look at how you got infected to prevent it.
As for your question, there are many decompilers, but honestly, this seems to be just a basic startup script trying to scare people off to pay up.
EDIT: I can't add a response below as I don't have 50 reputation on the site (I've mainly been a lurker for years). But I want to answer OP's follow-up question:
We are talking about different ways of deploying servers. Basically the old "pet vs kettle" argument. It may sound rough, but in my opinion a deployment where any problem in your server's local drive causes data unavailability/data loss is a flawed deployment.
There are dozens of different technologies to answer this problem, but I understand in small companies it's hard to make a push to make the production servers more resilient to attacks or even hardware failures. If anything, this could be a blessing in disguise: it could be used to push for proper storage with either fc/iscsi and proper backups/syncrep and so on!
Solution 3:
Competent ransomware does not destroy the host operating system immediately. Keeping the host functional enables showing you the ransom screen while continuing to exfiltrate or encrypt valuable data.
Identifying the initial access requires a very broad search, especially as the attacker may have moved laterally between systems. Who logs into these hosts, and did they run software of questionable origin? How are software updates verified to be authentic? What known vulnerabilities exist that have not been patched yet? See MITRE ATT&CK Initial Access to get a general idea.
Scan the malware to get an idea of what it could be. VirusTotal covers many detection engines, and sharing a link to VT results is safer.
Full forensic investigation, reverse engineering the malware, and installing mitigations like allow listing are all involved projects. Hire a security person to study your environment and give specific advice.
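As an added illustration of the "preserve evidence" and "share a VirusTotal link rather than the sample" points made in the answers above (example code written for this page, not from any of the answers): it hashes a constructed stand-in for the suspicious startup script, writes a JSON manifest holding the SHA-256 and the VirusTotal report URL for that hash, and re-checks the manifest so that any change to the preserved copy is detected. The file names and manifest layout are my own assumptions.

```python
import hashlib
import json
import tempfile
import time
from pathlib import Path

# Constructed stand-in for the suspicious startup script; not a real sample.
SAMPLE_BYTES = b"@echo off\r\necho YOUR FILES ARE ENCRYPTED\r\n"

def sha256_of_file(path):
    # Stream in 1 MiB chunks so large disk images need not fit in RAM.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def evidence_record(path):
    # One chain-of-custody entry: location, size, last change, digest, and the
    # VirusTotal report URL (VT file reports are addressed by SHA-256).
    st = Path(path).stat()
    digest = sha256_of_file(path)
    return {
        "path": str(Path(path).resolve()),
        "size": st.st_size,
        "mtime_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(st.st_mtime)),
        "sha256": digest,
        "virustotal": "https://www.virustotal.com/gui/file/" + digest,
    }

def write_manifest(paths, manifest_path):
    records = [evidence_record(p) for p in paths]
    with open(manifest_path, "w") as f:
        json.dump(records, f, indent=2)
    return records

def verify_manifest(records):
    # Re-hash every preserved file; return the paths whose digest changed.
    return [r["path"] for r in records if sha256_of_file(r["path"]) != r["sha256"]]

def demo():
    # Preserve a sample, verify it, then tamper with it and verify again.
    workdir = Path(tempfile.mkdtemp(prefix="evidence-"))
    sample = workdir / "ransom_note.bat"
    sample.write_bytes(SAMPLE_BYTES)
    records = write_manifest([sample], workdir / "manifest.json")
    before = verify_manifest(records)
    sample.write_bytes(SAMPLE_BYTES + b"rem tampered\r\n")
    return records, before, verify_manifest(records)
```

Hash the files before anything else touches them, keep the manifest with the copies handed to the insurer or investigators, and share the VirusTotal URL rather than the sample itself.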