As reported, an unknown person planted the Rapid (VI) Trojan program in the IT systems of four German companies, and encrypted all important documents and data with it. Having contacted employees of these companies by e-mail, he offered to restore the data.
He asked to pay for the restoration in bitcoins, in the equivalent of 2 thousand US dollars (if the money is transferred within 2 days). If there are delays in the transfer of money, the cost of decryption will automatically rise to 5 thousand dollars.
To confirm that he is able to keep his promise, the hacker sent in several decrypted files.
Most of the law-abiding Germans did not negotiate with the extortionist and turned to the competent authorities. And only an employee of a private design bureau tried to fulfill the requirements of the extortionist and sent him 0.25 BTC ($ 2002.00). Despite this, the hacker never fulfilled his promise.
After analyzing all the facts and data, the German police came to the conclusion that although the email addresses from which they wrote to the companies were different, all these cases have a similar handwriting - the same message text and the same version of the Trojan program, despite the fact that that at the time of the incident there were already more recent versions. Consequently, the Germans came to the conclusion that in all episodes the same person or a group of people appears.
Using telecommunication tracking methods, law enforcement officers found out the IP addresses from which the attacker accessed the mail server and correspondence. Most of them were traced back to typical TOR and VPN anonymization servers, where the traces were cut off and the investigation was not able to move in this direction.
However, some of the connections were made from Ukrainian IP addresses. At first, these cases were isolated, but later they became more frequent. Investigators concluded that these addresses were not encrypted as a result of the anonymizer failure, and are the attacker's real IP addresses.
As a result, on the basis of Art. 29 of the Convention on Cybercrime, the German Federal Criminal Police Department requested the so-called "pre-storage" of all the credentials of a number of Ukrainian Internet providers.
Based on this request, the Svyatoshinsky Court of Kiev ruled to provide access to the data of these Internet providers, since they are essential in determining who was the user of the suspected IP addresses during the required period of time.
If, before September 5, 2020, the providers do not voluntarily provide the data of interest to the investigation, the court gave the police the right to temporarily seize the companies' servers and documents.
__________________
He asked to pay for the restoration in bitcoins, in the equivalent of 2 thousand US dollars (if the money is transferred within 2 days). If there are delays in the transfer of money, the cost of decryption will automatically rise to 5 thousand dollars.
To confirm that he is able to keep his promise, the hacker sent in several decrypted files.
Most of the law-abiding Germans did not negotiate with the extortionist and turned to the competent authorities. And only an employee of a private design bureau tried to fulfill the requirements of the extortionist and sent him 0.25 BTC ($ 2002.00). Despite this, the hacker never fulfilled his promise.
After analyzing all the facts and data, the German police came to the conclusion that although the email addresses from which they wrote to the companies were different, all these cases have a similar handwriting - the same message text and the same version of the Trojan program, despite the fact that that at the time of the incident there were already more recent versions. Consequently, the Germans came to the conclusion that in all episodes the same person or a group of people appears.
Using telecommunication tracking methods, law enforcement officers found out the IP addresses from which the attacker accessed the mail server and correspondence. Most of them were traced back to typical TOR and VPN anonymization servers, where the traces were cut off and the investigation was not able to move in this direction.
However, some of the connections were made from Ukrainian IP addresses. At first, these cases were isolated, but later they became more frequent. Investigators concluded that these addresses were not encrypted as a result of the anonymizer failure, and are the attacker's real IP addresses.
As a result, on the basis of Art. 29 of the Convention on Cybercrime, the German Federal Criminal Police Department requested the so-called "pre-storage" of all the credentials of a number of Ukrainian Internet providers.
Based on this request, the Svyatoshinsky Court of Kiev ruled to provide access to the data of these Internet providers, since they are essential in determining who was the user of the suspected IP addresses during the required period of time.
If, before September 5, 2020, the providers do not voluntarily provide the data of interest to the investigation, the court gave the police the right to temporarily seize the companies' servers and documents.
__________________