ORCA Bricking Incident – Public Announcement

Hey guys, here’s another update on the situation. Hold tight and get your popcorn, cause you’re not going to believe how crazy this sh*t is.

Some 5 or 6 hours into this crisis, on Saturday early afternoon, we found that this mysterious issue was the result of a ransomware time-bomb, which was secretly planted a few years ago in our bootloader by a greedy former contractor, with the intention of extracting exorbitant ransom from the Company.

The perpetrator was particularly perfidious, because he kept occasional business relations with us over these last few years while he was waiting for the code-bomb to ‘detonate’, presumably so as not to raise suspicion and hoping that he would be able to extract more ransom as our business and our market share grew.

The ransomware was programmed to ‘explode’ in a way that would cause maximum crisis: it was timed so that it activates on a spring Saturday, during a long weekend, when most of you should be flying and most of our engineering team should be enjoying their well-deserved days off. Supposedly, this would put the Company in panic mode and give the perpetrator sufficient leverage to extort his ransom.

If, by now, you’re thinking something along the lines of “man, this has to be one of the most stupid cyber crimes ever committed in the history of cybercrime”, you are probably right.

The reason for this is, we believe, that the perpetrator was operating with a very simplistic worldview where, if you plan a ransomware attack but, instead of calling your ransom “ransom”, you (very cunningly) call it a “license”, your ransomware time-bomb attack all of a sudden stops being a crime.

Sadly (for the perpetrator), a crime is a crime however you decide to label it, and it seems this has started dawning on him.

We guess the perpetrator had his ‘oh shit’ moment, because we were informed that he has started panic-posting, presumably in a poorly executed damage-control attempt. He posted a link to an unauthorised binary file which allegedly fixes the issues that his malware caused.

PLEASE NOTE: we strongly discourage installing any firmware not published by Orqa. Further to this: if you are thinking of installing a “fix” consisting of a binary file posted by a person who is known to have already secretly planted time-bomb malware in firmware – please think again (just kidding, you don’t need to think: just DO NOT install it).

Please understand that when we received the ransom demand, we had to keep everything confidential, because, in parallel with the engineering team’s effort to get you guys back flying again, our legal team was working to prepare the evidence that needs to be submitted to the authorities for criminal prosecution proceedings.

We did not want to go public with the criminal aspect of this incident so as not to jeopardise the pending legal and criminal proceedings.

However, since the perpetrator has gone public with what he did and posted what we fear is another compromised piece of firmware, we decided it is in our users’ interest to be made aware of the situation and warned about the risks of installing likely compromised firmware on their devices.

We are working to get you guys a trusted and authorised fix ASAP.

In addition to that, our security review has found that only a fraction of the code was affected by this malware, and fixes are being made as we speak.

Orca