Ransomware

262

Solutions

185

Content

i
The collection of articles, videos, and posts on this topic.

574

Contributors

Ransomware is malicious software, designed to block data access in order to extort money. As a form of malware, ransomware is most often used to infiltrate devices through infected emails or links that, in turn, recognize and take advantage of vulnerabilities in the operating system and installed third-party software.

Hi All,

We have a Branch Office VPN established to one of our third party suppliers for support purposes (We use a WatchGuard at our End). They would like a secondary tunnel establishing with different settings,  that will run side by side of the existing one. Am I ok to use the existing external IP (Ours) as the external IP of the new tunnel. Will this work if both tunnels are required to be active at the same time or does each tunnel have to have its own external IP assigned?

Cheers,
Paul
0
4 Comments
We use Azure Cloud backup to backup our in house servers.  If we were hit by ransomware and server files were encrypted, would it affect our backups that are stored in Azure?   I'm thinking the backups are protected and we should be able to restore from them.  Any ideas on this?

Thanks,
cja
0
10 Comments
Dear Experts,

I would like to speed-up the process of upgrading my Workstations from Win 7 to Win 10.
For this reason I have purchased Acronis True Image 2020 in order to clone a pre-configured SSD drive (GPT, Basic).

All Workstations are hardware identical (motherboard, ram, cpu, ssd model and size, even the case is the same).

The cloning result seems successful but I am facing the below issue:

I use Computer A in order to clone the Win 10 and turned-off Computer A.
On Computer B, I installed the first cloned SSD and powered-on the Computer.
Computer B was successfully booted to Win 10 but I noticed that after powering on Computer B, Computer A was also powered-on automatically.
(this has happened more than once, so it is not a random case)

Of course Computer A and Computer B are under the same Network and imagine what will happen if the rest cloned computers have such behavior.
Finally, if I remove the Network cable from Computer A, it will not boot-up once Computer B is powered-on.

Awaiting your comments,

Best Regards,
Mamelas
0
8 Comments
Just got a second residential computer who has MS Bitlocker locked drive due to scammer and ransom.  This person was searching the internet and got the usual call this Microsoft phone # for support.  The person was from India, and started to tell him the usual and once he had bitlocker setup, he switched to demanding $2,800 to save his computer.  This computer has no valuable information on it, and will be just wiped and clean OS installed.  But I have been given time to see if I can unlock the system for future knowledge against this type of scammer.  Any information is greatly appreciated.
0
17 Comments
I want to back up my machine using Acronis.  But it says it can't back it up until I turn off Bitlocker.
When I go to Control Panel --> System and Security --> Bitlocker Drive Encryption, it says "BitLocker waiting for activation".  There is an icon to "Turn on BitLocker".  

Do I have to turn it on before I turn it off?
0
8 Comments
I have a large windows 10 workgroup with one of the machines sharing files.  The user accounts on the local workstations are replicated on the "server", but with different passwords.  There are shares set up on the Win 10 "server" and Everyone is given Full Control. The user accounts local to the server are given permissions to the shared folders' acl using NTFS. Shares on the "server" are mapped to the local machines using different credentials.  
All has been well for a very long time.
Recently, an individual has started getting logon failures that seemed to have begun when her password was changed both on her workstation, and on the server,  (this has been successfully done to a couple of others so far) then the mapped drives were disconnected and re-created using the new different credentials.
The first time the errors started occurring, I verified settings on the server, went to the workstation, and repeated the process carefully, drives mapped correctly, restarted the machine, logged on to see drive mappings still there, opened a few folders on each drive, and then checked the security logs on the "server" again, SUCCESS all around. TGIF!
Then comes Monday, and the Security log is inundated again.
I've gone through this scenario twice.  The user involved is able to access files on the share, but at very slow speeds.
The Event ID is 4625 and the logon is incrementing the source port by one in each successive attempt.
I have Webroot monitoring the machines, so I …
0
1 Comment
I've been using the Windows 7 "system imaging' in both Windows 7 and Windows 10. I've been successful restoring images but I don't feel it's 100% reliable. I recall that I've used it about 25 times and it failed miserably two or three times.

The other day I had to do a replace a failed drive with a new SSD and then restore a system image that I created about three months old. The restore failed. The restore process saw the image and started the preparation to image the replacement drive and it failed with a number of errors that I did not document. I tried this three different ways. First, I booted from a system repair disk, the second time with the actual Windows 7 media and the third time, I actually installed a base Windows 7 operating system and attempted to restore the image to no avail. I ended up having to totally rebuild the PC and restore the data from backup.

- I believe that the Windows 7 system image is a "byte by byte" image and not a "sector by sector" image which means, if I'm installing a new SSD to replace the hard drive, the SSD needs to be equal or larger in size

I'm not a big fan ACRONIS, mainly because of the so many different versions to purchase and the install is quite large. Maybe down the road, I'll practice more with it to become more familiar with it

So my question is
- is the Macrium Reflect 7 free version more reliable than the Windows 7 system imaging version?
Read good things about this product. I know that it performs sector by …
0
10 Comments
Hi Experts!

Being overly cautious here and wanted your opinion.  I received the following (ransom) email below and thought it was suspicious. From what I can find on the web this looks like a phishing attempt (somehow gotten a hold of my email and old password from somewhere). On my desktops and laptops we have the paid versions of Avast Premium Security and MalwareBytes. Both are scheduled to run daily, and Windows Update is always on. We primarily use Google and that self-update. My email account has MFA enabled for awhile; so I know this person cannot access my email?

 After getting the email I manually scanned the desktops and laptops with Avast and MalwareBytes. Nothing found. Downloaded and ran Spybot seach and destroy and nothing bad found.

My thought that this is a phishing attempt is because if you have control over my computer when don't you lock it and demand payment instead of this email?

Here's the email:

Recorded You <recordedyouXXXX@XXXXX.com>
To:
myEmail@yahoo.com

Nov 18 at 1:30 AM

Hey, I know your password is: HeknowsMyPassword

Your computer was infected with my malware, RAT (Remote Administration Tool), your browser wasn't updated / patched, in such case it's enough to just visit some website where my iframe is placed to get automatically infected, if you want to find out more - Google: "Drive-by exploit".

My malware gave me
0
9 Comments
Hi All,

We use WatchGuard Friebox as our firewall. Last couple of days it has detected and blocked a relatively high for us(1oo hits) of activity it labels as MASSCAN Activity. I have traced this back to a handful of IP addresses. These tried to attack a couple of our web server that we have to publish on the internet. Only ports 80 and 443 are open on these connections.

Is there anything etc I can/need to do to help stop this activity, or is it one of those things I have to live with as long as WatchGuard is blocking it.

Cheers,
Paul
0
1 Comment
I want to create an image from a laptop hard drive that contains windows 10.
I encountered a  situation that when I start Win PE and want to use Acronis backup - for some reason I cant see any HDD...
Tried to change BIOS legacy/UEFI and Secure boot - nothing helped.

Any ideas?
0
20 Comments
Greetings,

We have a software called IQware that is installed in classroom of our school. It uses a local database configured in Sql management studio 2008.

All the machines of that classroom uses an image created by Acronis and machines are also by default in frozen state using deepfreeze.

That being said, the issue we have is in one of the computer, IQware was not launching at all so I restarted the machine hoping deepfreeze would fix the problem but no luck.

The support team of IQware couldn't help because they don't support SQL so I decided to reimage the machine and once done IQware worked.

After updating the machine and a couple of reboot, IQware was still working. So I renamed the machine and restarted again to apply the change.

After the reboot, I get a message Your database version number UKnown.UKnown.UKnown.UKnown is older than you application version number appears and IQware doesn't work anymore.

So I renamed the machine with the name it had after reimaging it and IQware works!!

I am not an SQL expert so I am wondering why changing a name of a machine can give this issue?

I am attaching 3 files:

2 showing that the database is accessible and one with the error message.

Cheers,

Richard
0
6 Comments
We are having loads of trouble configuring a Site2Site VPN with a pair of Watchguard T35 firewalls.
Neither is configured pretty much outside of the initial setup wizard.
The current site 2 site vpn is stock from the vpn configuration guide from Watchguard.

We tried a number of different configs, but have currently deleted them to restart fresh.
Also we are trying to set the connection to initiate from SiteB to SiteA just to limit randomness, but can set bidirection or SiteA to SiteB as initiator.  Doesn't really matter to us

My theories may be off, so I'll just throw out the logs from each to see what you may think is happening.

Thank you in advance.


Site A
*** WG Diagnostic Report for Gateway "AA-to-TC-Gateway" ***
Created On: Tue Oct 29 09:22:49 2019

[Conclusion]
	Error Messages for Gateway Endpoint #1(name "AA-to-TC-Gateway")
		        Oct 29 09:22:35 2019 ERROR  0x02030015 Message retry timeout. Check the connection between local and remote gateway endpoints.


[Gateway Summary]
	Gateway "AA-to-TC-Gateway" contains "1" gateway endpoint(s). IKE Version is IKEv1.
	  Gateway Endpoint #1 (name "AA-to-TC-Gateway") Enabled
		Mode: Main
		PFS: Disabled 	AlwaysUp: Disabled
		DPD: Enabled 	Keepalive: Disabled
		Local ID<->Remote ID: {IP_ADDR(A.A.A.A) <-> IP_ADDR(B.B.B.B)}
		Local GW_IP<->Remote GW_IP: {A.A.A.A <-> B.B.B.B}
		Outgoing Interface: eth0 (ifIndex=4)
			ifMark=0x10000
			linkStatus=0 (0:unknown, 1:down, 2:up)
		Stored user messages:

Open in new window
0
2 Comments
Hi, I'm using the Quarantine feature from Watchguard and this creates a Quarantine website users can log onto. But the problem is that it's an intranet server and as such doesn't have an 'official' SSL certificate. I tried to create a self-signed one etc but I keep on failing ... could someone please give me step-by-step instructions on how to create a self-signed certificate and attach it to that website so that the browsers won't throw their security warnings anymore? Thanks!
0
9 Comments
We have an old laptop that has Windows 7 and some very specific software that our finance dept uses. We no longer have access to this software that was created by company that is no longer in business. Users typically remote into this machine to run this software that requires SOAP UI Utilities and Office 2003 to work. We would like to Clone this PC unto another similar PC so more than person can access this software and perform the same function. All that being said, can we close the hard drive of that laptop unto another laptop (Does it have to be the same make and model?) so we can have an exact duplicate of that system? I was thinking about using Clonezilla.
0
13 Comments
I have a question about ransomware.  If my computers C drive is already encrypted, is it still possible for ransomware to hold my computer hostage by encrypting files?  if we have office 365 and all the files are also backed up to the cloud through OneDrive, doesn’t that also create a level of protection?
0
12 Comments
Hi All,

We use WatchGuard as our firewall and have Dimensions setup for reporting. What is the easiest way to find out and possibly monitor all users that have some form of file transfer either ftp, or web/app based such as dropbox etc?

Can this be done / how best to view this info or set this up?

Cheers,
Paul
0
1 Comment
We install Acronis for customers, and we have recently begun to set it up where they have two external hard drives, swapping them out each week so one of the drives cannot possibly be exposed to ransomware.

But last week an IT guy told me that is a bad plan, and that instead I need to switch over to Backup Exec because it creates image files that have no filename and thus cannot be viewed in Windows explorer--and thus can't be corrupted by a ransomware virus either--and that only the Backup Exec software can access them.

Is this correct?  If so, is this a feature exclusive to Backup Exec that I cannot get using Acronis on local hard drives?  I can't make any sense of the volumes of info on the Veritas website, so I'm hoping someone here has experience with all this so you can elaborate on the details and options.  TIA
0
3 Comments
I have (2) Watchguard M270's configured in a firecluster.

Interface 0 is the External interface configured with a /28 block.
Interface 1 is the LAN

We have consumed all of our IP's so I ordered another /28 block from our datacenter today. As soon as I configure Interface 2 for our new IP block, outbound traffic for the most part ceases to work on our network, however some things do work.. so we'll call it intermittent. As an example, I can ping out to 4.2.2.2 but can't ping 8.8.8.8. As soon as I disable Interface 2 that is configured for the new IP block, I am able to ping 8.8.8.8 again.

I'm assuming this is because we now have 2 WAN interfaces configured and outbound traffic doesn't know which interface it should be sending traffic out on but I couldn't be sure. I've made 4 calls to Watchguard support and nobody can identify the problem. I even had our datacenter issue us a different IP block just to rule out any kind of odd conflict but the problem persists with a new IP block.

Am I going about this all wrong trying to have 2 IP block's configured on our Watchguard? Is the better solution to just order a bigger block of IP's and re-IP everything? I was trying to avoid that hassle by just adding an additional block of IP addresses but it seems that what I'm trying to do here isn't working..

I would appreciate any advice or input that someone could give on this. Thank you!!
0
1 Comment
Hello,


I have server infected by Ransomware and sysvol including script was encrypted,with file name :

gpt.ini.id-96EA6CAA.[backdata@qq.com].qwex

I don't have good system state backup at all.

My question, is that possible to create new policy for :

Default Domain Controllers Policy
Default Domain Policy

Is OK for me to setting the policy as long user & security on AD still there, because our AD sync to Azure AD.

Thank You Very Much
0
11 Comments
I use Acronis. The basic way it works is that it does a full then incrementals thereafter. It will only keep a certain number of incrementals at which point it merges the oldest incremental in to the full thus creating a new full. The sync program would have do to it by "block" or whatever you want to call it or it will continually be trying to sync the huge full backup every day.

   The perfect way to do it would be to back up nightly to a NAS or big External Hard Drive and then sync that hard drive or NAS to the cloud. Same issue with merging the oldest incremental in to the last full thus creating a new full. So does anyone know of a sync program that is "block" aware of wherever you want to call it?
0
23 Comments
Two separate businesses using the same domain name have now merged into one.
This is the first time I've ran into this and hope someone could shed some light. We've recently acquired a new client who at one point had two domain controllers. Server 2008 and Server 2012. They moved Server 2012 over to a new location as part of a different business, but kept the same domain name. Server 2008 AD sees the 2012 as a DC, However 2012 doesn't see 2008 as a DC. They are now on different networks, but recently was configured to tunnel back to corporate to share resources.

What I'm trying to accomplish: Join a 2016 DC to their corporate to decommission 2008.

Error I'm getting when promoting 2016 to a DC: "Active Directory preparation failed. The schema master did not complete a replication cycle after the last reboot."



What I've gathered so far.

Server 2008 - DC - samedomain.local - Corporate Office

At one point was replicating to 2012.
Server 2012 - DC - samedomain.local - Remote Office

No longer replicating from 2008.
Recently a WatchGuard VPN was put in so the two locations could talk and share resources. Different IP schemes, and they don't know about each other.

My Question: Can I safely remove 2012 DC from 2008 to stop attemping replication and at the same time continue to operate both under the same domain names, but seperate?

Remote Office will still use 2012 to authenticate locally until we can sit down and plan out a migration plan several …
0
9 Comments
Acronis wants almost $900 for 1TB of Cloud Storage for 1 year. Isn't that a little outrageous? Why would I want to do that when my OneDrive account has 1TB for free?

What could Acronis's cloud storage bring to the party that would justify that? (Yes it will be used on a server running their backup software).
0
19 Comments
I'm curious and would like to settle an argument in our office. If we are running desktops with Windows 10 Pro v1903 with all updates, and all drives are Bitlocker encrypted (including the free space), is it possible for our data on these drives to be attacked by Ransomware?
0
7 Comments
I often install Acronis workstation for my small office customers PCs, storing the images on a dedicated separate internal or external drive.  Recently I was made aware that Acronis .tib files can get infected by some ransomware viruses.  I saw a suggestion that I use the Acronis 'post' command option to set the drive as read-only after the backup, and use the 'pre' command to take it out of read only mode before it does the next backup, with the thought being that the .tib image files could not get infected unless the ransomware virus happened to hit just as the backup was being performed.  Does this all sound legit so far?  Is there a better way to prevent the .tib files from getting infected--short of unplugging the external drive?

I started searching for the best way to set the read-only flag on and off, but all I'm coming up with is using diskpart.  Are there any other good options that are more "user friendly",  that I can run from command lines or a batch file?  For example, a way to specify the drive letter rather than the cryptic "Disk number" in diskpart?

If there are no good alternatives, then I need answers to these questions if I have to use diskpart:

1) If I have them set up with an external USB hard drive, sometimes I notice that the drive letter changes, for no obvious reason.  If this happens, would the diskpart device number change as well?

2) If the device numbers DO somehow change without me or the Acronis program knowing that has happened, …
0
8 Comments
i have traffic coming from outside world to watchguard  firewall to citrix netscaler which goes to internal  asa firewall  and then to internal network.

our citrix netscaler also has the  same certificate for sts.domain.com ( service communication certificate)  which is being hosted on our internal ADfs server ( windows server R2)

we dont have ADFS proxy server as of now

recently we had password spray attack on our internal ADFS server

and we could not determine source IP on our internal ADFS server

i wanted to know following:

1) i read in articles  that windows server 2012 r2 has extranet lock out feature and adfs 2016 server also has extranet lock out feature so is there any difference between the 2 as far as
protection from password spray attack is concerned.

im the scenario i explained regarding traffic coming from outside to watchguard firewall - netscaler- asa firewall, where should i place WAP server and how it can help in mitigating password spray attack


are there any good tutorials for upgrading windows server 2012 to 2016 adfs server and how proxy adfs should be configured

we have mailboxes in 365 and ad accounts are synced through aad sync to azure AD.

i came to know from Microsoft that messages are being redirected from office 365 to internal ADFS sever and it is not authenticating , so what other steps i should take

to protect from spray attack just proxy ADFS server is sufficient or some conditional policy should be applied …
0
5 Comments

Ransomware

262

Solutions

185

Content

i
The collection of articles, videos, and posts on this topic.

574

Contributors

Ransomware is malicious software, designed to block data access in order to extort money. As a form of malware, ransomware is most often used to infiltrate devices through infected emails or links that, in turn, recognize and take advantage of vulnerabilities in the operating system and installed third-party software.