Ransomware scammers hit Byron Bay school


But forensics saves data.

A Byron Bay primary school had its records encrypted by scammers who demanded a $5000 ransom.

The attack, traced to Eastern Europe, first struck in October, and the disruption it caused lasted about two months.

Byron Community Primary School financial manager Frank Binkley told SC the school recovered most of the records through a forensic examination of the affected hard disks. Such recovery does not break the encryption; it works only when copies of the original files are still present on the disk, typically because the malware deleted them without overwriting them.

"We were bloody lucky, we came out a lot better than we could have," Binkley said.

The past month's financial data and some historical photos of the school were unrecoverable and remained locked inside the attackers' AES-256 encrypted RAR archive.

Staff at the 100-student school initially agreed to pay the ransom. Binkley then pleaded with the scammers, who used the alias Jack Williams, to lower the ransom price, which they subsequently dropped to $1235.

"The strategy was to negotiate. I told him that we're a tiny school and to go play Robin Hood somewhere else."

The negotiation was a stalling tactic designed to give local technology contractor Liam Dufty time to salvage the school's data and track the scammers.

The attack bore a striking similarity to one last month against a small business some 500 kilometres away in Foster.

Deanes Buslines operator Brenton Deans had his company's records encrypted by the same scammers. The records contained data on school kids the company ferried around the area, and were critical to the daily operations of the business. As a result, he paid the $3000 ransom.

Not so smart

Ransomware scammers do not need to be tech-savvy. In most cases known to SC, the scammers break in through a port left open to the internet and brute-force the passwords of whatever user accounts stand in the way.

"You don't have to be a genius to do this," Dufty said. "They found an open port, tracked the user accounts and ran brute force on the password."

"These guys are script kiddies."

Dufty had process-mapped the attack in minutes and discovered that the scammers were using the British-based proxy service Hide My Ass, which keeps logs of when users connect to and disconnect from the service.

The information was passed on to the FBI.

In another attack reported this month, scammers used the remote desktop protocol (RDP) to break into a Gold Coast medical centre, encrypt 65,000 files, including medical records held in an SQL database, and demand a $4000 ransom, SC sister site CRN reported.
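Both the Byron Bay intrusion as Dufty describes it (an exposed port, then password brute-forcing) and the Gold Coast break-in over RDP leave the same trace on the victim: a burst of failed logons from one address, followed by a success. The code below is an added example, not code from the article or from anyone it quotes. It runs a simple sliding-window detector over constructed, flattened Windows Security event lines; the event IDs 4625 (logon failure) and 4624 (logon success) and LogonType 10 (RemoteInteractive, i.e. RDP) are real Windows values, while the one-line log format, timestamps, IP addresses and account names are made up for the illustration.

```python
"""Detect the RDP brute-force pattern: many failed logons from one
source address in a short window, then a successful logon from it.

All log lines here are CONSTRUCTED for the example; the flattened
"key=value" format is an assumption, not a real Windows export format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one address hammers several accounts over RDP
# (LogonType=10), then logs in as "office"; a console failure
# (LogonType=2) and a legitimate user's single typo are noise.
SAMPLE_LOG = """\
2012-10-14T02:11:03 EventID=4625 LogonType=10 Account=administrator SrcIP=203.0.113.7
2012-10-14T02:11:04 EventID=4625 LogonType=10 Account=administrator SrcIP=203.0.113.7
2012-10-14T02:11:06 EventID=4625 LogonType=10 Account=admin SrcIP=203.0.113.7
2012-10-14T02:11:07 EventID=4625 LogonType=10 Account=office SrcIP=203.0.113.7
2012-10-14T02:11:09 EventID=4625 LogonType=2 Account=frank SrcIP=192.0.2.10
2012-10-14T02:11:09 EventID=4625 LogonType=10 Account=office SrcIP=203.0.113.7
2012-10-14T02:11:11 EventID=4625 LogonType=10 Account=office SrcIP=203.0.113.7
2012-10-14T02:11:25 EventID=4624 LogonType=10 Account=office SrcIP=203.0.113.7
2012-10-14T02:12:30 EventID=4625 LogonType=10 Account=frank SrcIP=198.51.100.4
2012-10-14T02:12:45 EventID=4624 LogonType=10 Account=frank SrcIP=198.51.100.4
"""


def parse_line(line):
    """Turn one flattened event line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return a list of (src_ip, kind, detail) alerts.

    kind is "bruteforce" when a source reaches `threshold` RDP failures
    inside `window`, and "success_after_bruteforce" when that same
    source then logs in successfully while the burst is still in window.
    """
    failures = defaultdict(deque)  # src_ip -> failure timestamps in window
    already_flagged = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("LogonType") != "10":
            continue  # only RDP sessions matter for this detector
        ip, ts = rec["SrcIP"], rec["ts"]
        recent = failures[ip]
        while recent and ts - recent[0] > window:
            recent.popleft()  # expire failures older than the window
        if rec["EventID"] == "4625":
            recent.append(ts)
            if len(recent) >= threshold and ip not in already_flagged:
                already_flagged.add(ip)
                alerts.append((ip, "bruteforce",
                               f"{len(recent)} RDP logon failures within {window}"))
        elif rec["EventID"] == "4624" and len(recent) >= threshold:
            # The guess worked: a success riding on a burst of failures.
            alerts.append((ip, "success_after_bruteforce",
                           f"account {rec['Account']} logged in after "
                           f"{len(recent)} failures"))
    return alerts


if __name__ == "__main__":
    for src_ip, kind, detail in detect_bruteforce(SAMPLE_LOG):
        print(f"{src_ip}\t{kind}\t{detail}")
```

The second alert kind is the one worth paging on: a successful logon that follows a burst of failures from the same address is the moment the attacker has a foothold, and on a machine like the school's it precedes the encryption by minutes. The threshold and window are tuning knobs for the constructed sample; on a real host, the more important control is not exposing RDP to the internet at all, which removes the open port Dufty describes.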

And in September, a Northern Territory business was forced to pay a $3000 ransom to hackers who had encrypted its financial records.

Sophos director of technology strategy James Lyne predicted that ransomware infections would increase in 2013, along with a sharp increase in the quality of their implementation.

Copyright © SC Magazine, Australia
