
Just got a ransom notice


Crawford Sausage Company

Jul 31, 2016, 2:01:49 PM
Just got a ransom email. My first one! I feel so special.
It is posted at the end.
Anything in <> I added to obscure in case someone is monitoring
this text and links it back.

It says to check my logs and I did. They're trying to post
to a Wordpress xmlrpc.php script. Over the years I have had
so many problems with this the simplest solution was to put
an exit statement at the beginning so it returns 200 and
a few bytes and that's all. They're pounding my
site but it's not even making a blip right now.

If they get a little aggressive and try something different
I'll have to take my sites
offline for awhile but it's not that big of a deal.

Here are a couple different pingbacks with links. I can't
visit those links from here because they'll get my ip
and know I looked.

pingback.ping http://csgobounde.com/howitworks 07-31_12:22:45
pingback.ping https://paytochina.com 07-31_12:22:14
pingback.ping http://vipochka.com 07-31_12:29:07
pingback.ping http://csgobounde.com/deposit 07-31_12:23:46



---------------------cut here-----------------------
Subject: ATTENTION: Ransom request!!!

FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!

We are Anonymous.

All your servers will be DDoS-ed starting Tuesday (Aug 2 2016) if you don't pay 5 Bitcoins @
<some random ascii string>

When we say all, we mean all - users will not be able to access sites host with you at all.

Right now we will start 15 minutes attack on your site's IP <my.ip.address>. It will not be hard, we will not crash it
at the moment to try to minimize eventual damage, which we want to avoid at this moment. It's just to prove that
this is not a hoax. Check your logs!

If you don't pay by Tuesday, attack will start, price to stop will increase by 1 BTC for every day of attack.

If you report this to media and try to get some free publicity by using our name, instead of paying, attack will
start permanently and will last for a long time.

This is not a joke.

Our attacks are extremely powerful - sometimes over 1 Tbps per second. So, no cheap protection will help.

Prevent it all with just 5 BTC @ <some random ascii string>


Do not reply, we will probably not read. Pay and we will know it's you. AND YOU WILL NEVER AGAIN HEAR FROM US!

Bitcoin is anonymous, nobody will ever know you cooperated.

Ts of Og

Jul 31, 2016, 6:19:23 PM
Time to cut all fiber links to Ruskies, let them use Faxes !

Bruce Esquibel

Aug 1, 2016, 6:50:17 AM
Crawford Sausage Company <m...@brandylion.com> wrote:

> It says to check my logs and I did. They're trying to post
> to a Wordpress xmlrpc.php script. Over the years I have had
> so many problems with this the simplest solution was to put
> an exit statement at the beginning so it returns 200 and
> a few bytes and that's all. They're pounding my
> site but it's not even making a blip right now.

If the email was legit, which it doesn't look like it to me, I doubt if it
has anything to do with the xmlrpc.php file.

Generally it's some kind of denial-of-service attack, usually from 1000's of
compromised Windows machines that have some kind of trojan which can get
instructions from a central mothership of sorts.

Either via ping or just making a connection to the server on port 80, dozens
per second, no big deal, tens of thousands, different story.

The thing is, usually those types of attacks aren't for ransom. They usually
are reserved for "teach you a lesson" kind of thing. The sony playstation
stuff, the mpaa website, the fbi.

The main problem, or concern to them is, they pretty much played all their
cards on the first hand dealt. They have to launch the crippling blow on the
first shot because it'll get weaker with later attacks. They can't really
sustain the attack over long periods of time.

Generally the ransom demands are with networks that got taken over, where
all the data is encrypted and they pay or never see their data again.

> Prevent it all with just 5 BTC @ <some random ascii string>

That's the other thing, 5BTC is over $3200 and not likely to be paid by
anyone. Usually the ask is "only" half or 3/4th of a btc, $300-$500 which
some will pay just for the insurance. Sort of the way store owners paid the
mafia for protection.

Sounds like some script kiddies playing around.

The other thing with BTC is although it's anonymous, it's trivial to follow
where it's being transferred to and from. They have these things called block
explorers where that address they gave you to send the BTC to can be viewed
to see what is in it now. Even if someone deposits some BTC into it, if the
coins are xfered out to other wallet addresses, you can see where those went
as well.

Not that it'll lead to concrete proof to who did it but can be traced around
and monitored.

-bruce
b...@ripco.com

Geoff Gass

Aug 1, 2016, 9:50:01 AM
Bruce Esquibel <b...@ripco.com> wrote:
> That's the other thing, 5BTC is over $3200 and not likely to be paid by
> anyone. Usually the ask is "only" half or 3/4th of a btc, $300-$500 which
> some will pay just for the insurance. Sort of the way store owners paid the
> mafia for protection.

maybe they're dopes and think Anderson's wordpress install is a hosting
company.

Crawford Sausage Company

Aug 1, 2016, 11:20:15 AM
On Monday, August 1, 2016 at 5:50:17 AM UTC-5, Bruce Esquibel wrote:
> Crawford Sausage Company <m...@brandylion.com> wrote:
>
> > It says to check my logs and I did. They're trying to post
> > to a Wordpress xmlrpc.php script. Over the years I have had
> > so many problems with this the simplest solution was to put
> > an exit statement at the beginning so it returns 200 and
> > a few bytes and that's all. They're pounding my
> > site but it's not even making a blip right now.
>
> If the email was legit, which it doesn't look like it to me, I doubt if it
> has anything to do with the xmlrpc.php file.

What kind of ransom notice is legit? It came from a gmail account
so it got through my spam filters. When I checked the logs which
the email says to do the only thing unusual was the constant
xmlrpc.php POSTs over and over and over. I assumed that was a
shot across the bow. The links in the pingbacks indicate it's
part of the scam but I don't have access to a proxy to check
them out.


> Generally it's some kind of denial-of-service attack, usually from 1000's of
> compromised window machines that have some kind of trojan which can get
> instructions from a central mothership of sorts.

The DDOS hasn't started. Here's the whois info from the IP accessing
my xmlrpc.php file.

role: Super Professional Servers Network Operation Centre
address: ************************************************************
address: 1st Magistralny blind alley, 30,
address: BC "The Yard",
admin-c: KL2587-RIPE
tech-c: KL2587-RIPE
address: Moskow
address: Russian Federation
remarks: 24/7 NOC&SUPPORT: sup...@spservers.org
remarks: Abuse issues: ab...@spservers.org will be handled ASAP
remarks: Network&peering Issues: sup...@spservers.org
phone: +74957082672
address: ************************************************************
abuse-mailbox: ab...@spservers.org
nic-hdl: SPSN1-RIPE
mnt-by: SPSERVERS-MNT
created: 2014-06-18T11:56:07Z
last-modified: 2014-06-18T11:56:47Z
source: RIPE # Filtered


This is the kind of "evidence" the FBI uses to
say case cloooooosed ... it's the Ruskies!!!!

Bruce Esquibel

Aug 2, 2016, 5:59:57 AM
Crawford Sausage Company <m...@brandylion.com> wrote:

> The DDOS hasn't started. Here's the whois info from the IP accessing
> my xmlrpc.php file.

Yeah, that these guys, 146.185.251.0 - 146.185.251.255.

That's all those machines do, is scan for the versions of that xmlrpc.php
that can be exploited, but it's still not related to the email threat.

I still think the email is just a ruse to see who is dumb enough to send in
some $$$. They don't have and wouldn't waste the resources if they did
trying to knock down small and unimportant websites.

I think it was that group called Lizard Squad that offered dos attacks for
sale against anything, but was something like $25 just for 15 minutes. A
full scale, knocked out for a day was in excess of $1000 (or 2btc depending
on the current value).

I'm just saying, what you received was another version of the "Dear
Beneficiary" 419 scams.

-bruce
b...@ripco.com
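For anyone who wants to do what the original poster did (check the access log for the xmlrpc.php POST flood) in a repeatable way, here is an added example that is not from any poster in this thread: it parses combined-format web server log lines, counts POSTs to xmlrpc.php per source IP, and flags sources that either exceed a threshold or fall in the 146.185.251.0/24 range Bruce names above. The log lines are constructed, and the regex group names and threshold are the example's own choices.

```python
import re
import ipaddress
from collections import Counter
# Range Bruce identified in the thread as the xmlrpc.php scanners.
SCANNER_NET = ipaddress.ip_network("146.185.251.0/24")

# Apache/nginx combined-format line; the group names are ours.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not taken from the original post's logs).
SAMPLE_LOG = """\
146.185.251.17 - - [31/Jul/2016:12:22:14 -0500] "POST /xmlrpc.php HTTP/1.1" 200 42
146.185.251.17 - - [31/Jul/2016:12:22:45 -0500] "POST /xmlrpc.php HTTP/1.1" 200 42
146.185.251.17 - - [31/Jul/2016:12:23:46 -0500] "POST /xmlrpc.php HTTP/1.1" 200 42
203.0.113.9 - - [31/Jul/2016:12:25:03 -0500] "POST /xmlrpc.php HTTP/1.1" 200 42
198.51.100.4 - - [31/Jul/2016:12:29:07 -0500] "POST /xmlrpc.php HTTP/1.1" 200 42
garbage line that does not parse
"""

def xmlrpc_posts_by_ip(log_text):
    """Count POST requests to /xmlrpc.php per source IP, skipping lines that do not parse."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["method"] == "POST" and m["path"].split("?")[0] == "/xmlrpc.php":
            counts[m["ip"]] += 1
    return counts

def flag_sources(counts, threshold=3):
    """Return {ip: reason} for IPs at or above the threshold or inside the known scanner range."""
    flagged = {}
    for ip, n in counts.items():
        reasons = []
        if n >= threshold:
            reasons.append(f"{n} xmlrpc.php POSTs")
        if ipaddress.ip_address(ip) in SCANNER_NET:
            reasons.append(f"in {SCANNER_NET}")
        if reasons:
            flagged[ip] = "; ".join(reasons)
    return flagged

if __name__ == "__main__":
    for ip, why in flag_sources(xmlrpc_posts_by_ip(SAMPLE_LOG)).items():
        print(ip, why)
```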

Crawford Sausage Company

Aug 2, 2016, 11:55:51 AM
On Tuesday, August 2, 2016 at 4:59:57 AM UTC-5, Bruce Esquibel wrote:
> Crawford Sausage Company <m...@brandylion.com> wrote:
>
> > The DDOS hasn't started. Here's the whois info from the IP accessing
> > my xmlrpc.php file.
>
> Yeah, that these guys, 146.185.251.0 - 146.185.251.255.
>
> Thats all those machines do, is scan for the versions of that xmlrpc.php
> that can be exploited, but it's still not related to the email threat.
>
> I still think the email is just a ruse to see who is dumb enough to send in
> some $$$. They don't have and wouldn't waste the resources if they did
> trying to knock down small and unimportant websites.

Although I get a lot of Nigerian prince variations
coming from gmail accounts I never received a ransom. I wouldn't even
know how to buy Bitcoins. You're correct about the IP range of the
xmlrpc.php guys. I'm surprised Wordpress hasn't deprecated that script
since so many people spam it. Back in the old days pingbacks might
have been useful.

Ironically traffic this week for the site being ransomed is down 75%.


Matt Ferrari

Aug 6, 2016, 6:44:41 PM

"Crawford Sausage Company" <m...@brandylion.com> wrote in message
news:052ae25d-d6af-468f...@googlegroups.com...


and what are your websites or website?

the urls that is


