Ransomware Help

Question by

snoopaloop

4d ago

IT Maintenance Agreement Legal Disclaimers

I am looking to engage clients in a maintenance agreement (managed IT) starting Jan 2019. I'm curious if it's common to include ransomware attacks/resolution in the flat monthly maintenance agreement with the client. Where are the boundaries with flat monthly maintenance agreement vs charging for add/removes/changes (projects) to the environment? A recent 12 user ransomware attack encrypted 2 out of 5 server and 7 out of approximately 20 workstations. This was easily 30 hours worth of recovery time. I obviously would like to exclude these catastrophic events out of the maintenance agreement and provide best effort security as we continue to make improvements to secure these environments against future attacks. Time, money, staff constraints on both sides limit these things from being expedited. Anyway, any advice on the legalese disclaimer? Any other liability that I should be concerned that is or isn't cover with a related legal statement here? Does a business associate agreement protect the IT individual from these disasters?

6 Comments

Question by

tike55

5d agoPrivate

Acronis True image created 3 files

I just created a backup to acronis true image.

The program created three TIB files.

_v1 - (2g)
_v2- (4g)
_v3- (4g)

Any ideas why the program created 3 files?

16 Comments

Suddenly, 1,000s of files have been encrypted on our network drive. DO WE PAY THE RANSOME?

Thousands of files in our ShareFile directory were encrypted between 12:01 PM and 12:59 PM yesterday. Of course in a matter of hours the encrypted files updated the good files on every laptop and employee's home machines that were running ShareFile.

The following string has been added to the name of every encrypted file:

.crypted_hoboblin@torquechat_com

Removing this string from the end of the filename does not help. Regardless of the type of file, .doc, .xls, .pdf, etc. the file will not open. Depending on the opening program says the file is damaged.

One file in the root drive of the ShareFile directory, named how_to_back_files.html, does open and reads like this when opened (the wording is exact):

YOUR FILES ARE DECRYPTED!
Your documents, photos, databases and all the rest files encrypted cryptographically strong algoritm.
Without a secret key stored with us, the restoration of your files is impossible

----------------------------------------------------------
To start the recovery process:
Send an email to: hoboblin@torquechat.com with your personal ID in the message body.
In response, we will send you further instructions on decrypting your files.
---------------------------------------------------------
Your personal ID:
93 C7 AC 4B ... (This goes on for several lines!)

Do we contact them? Obviously, they are going to want money. Do we pay? Go to …

20 Comments

I have sysprepped my Win 10 install (generalize, audit, shutdown)

Now the computer is shutdown. Are my next steps the following:

1) boot to Acronis Win 10 PE bootable recovery media (CD)
2) clone image to USB drive?

4 Comments

While there were several headline-grabbing ransomware attacks during in 2017, another big threat started appearing at the same time that didn’t get the same coverage – illicit cryptomining.

0 Comments

Microtech scam/ransomware was on a computer at a remote location. Said they needed to call a 1800 number to get virus removed. This user did that and paid $300 dollars to have fake company remove virus. Got a text from him and said they are in there right now controlling computer and "trying" to remove virus. Should he power off right away or should he let them do their thing so he can use his pc again since he paid the money? I told him to immediatley power off computer and wait for them to call again.

12 Comments

Question by

Tony Hudziak

2018-11-23

Ransomware on System

Hi
Has anyone come across this ransomware "CCF25092017.pdf.id-006C0843.[sqlbackup40@cock.li].adobe". This was a small system I put together for a friend of mine, 3 PC's and a small server running Zentyal 4. All data on PC's and server were encrypted. PC's were Windows 10 running Eset AV, using a 1 year old Sonicwall Soho Firewall.
Email runs through the Zentyal, but it's first filtered through Elive (Like Messagelabs).
PC's were so bad they would not boot, no usual message for ransom, only infected TXT files. This happened last Saturday around 3pm when nobody was on the system. There is one person who works remotely, but she say she was not on the system at that time.
No biggie here as I had it all backed up with the Proxmox hypervisor, had it all restored in an hour, then just rebuilt the PC's.
I'm just trying to figure out what happened here?

5 Comments

LVL 1

Question by

Yashy

2018-11-23Solved

Could our Wifi issues be down to our Draytek PoE?

hi guys

We have a load of Watchguard Access Points and they are connected to a Draytek 1100 PoE switch. This switch is then connected to our backbone switch which is a Cisco 3750.

We have set DHCP on the WiFi network that the access points are on in a way to be from 10.0.5.20 on wards and the management IP of this Draytek PoE being 10.0.5.6. Every single day, people complain about not being able to access the internet properly and then it fixes itself again. Then it happens again.

When they do complain, I end up not being able to access the management IP page of the Draytek on 10.0.5.6. This makes me believe that it is in fact this particular PoE causing the issues we are having.

Could that be the underlying problem?

Thanks for helping
Yash

8 Comments

LVL 1

Question by

netcomp

2018-11-19

Ransomware who to find the user ?

Got Infected by ransomware . The network drives are are encrypted . The issue is I can’t find the user that this started from . When I right Click the file , I get the owner is Administrators . What can I do to find the source computer . My fine server is 2016 server .

17 Comments

LVL 1

Question by

Paul Walsh

2018-11-15

Watchguard internal wifi outlook web access

Hi,
We have setup an internal VLAN on our WatchGuard for Guest wifi access. The vlan works as expected and anyone who joins gets the expected IP address/ can browse the internet no problems. What we cant it to do is to work correctly with outlook web access. For some reason whenever I try the owa address I get redirected to the watchgiard ssl login page. If I try on any other external connection it works fine. I have tried an nslookup on the new guest wifi and our other external connections and they all point to the correct external address. ie if I am connected to one external wifi and try to access the url xxxxxx/exchange it work fine and an ns lookup is pointed to the correct external address. If I try and accesss xxxx I get presented with the iis page. If I try the same when connecting via the guest wifi, the nslookup shows the same external ipaddress, however if I try to goto to xxxx/exchange I get a 404 page not found error and if I browse to xxxx I get the watchguard ssl login page.

What am I missing?

Cheers,
Paul

1 Comment

Cloud as a Security Delivery Platform for MSSPs

Every Managed Security Service Provider (MSSP) needs a platform to deliver effective and efficient security-as-a-service to their customers. Scale, elasticity and profitability are a few of the many features that a Cloud platform offers. View our on-demand webinar to learn more!

LVL 107

Post by

John

2018-11-12Edited

Listen Up!

IPv6 is here to stay. Removing it can break networking. Do not remove it.

SMBv1is a security hole and has been removed from Windows 7 & above, Server 2008 & up.
SMBv1 has been removed meaning you cannot connect to old operating system, old NAS devices and old printer/scanners.
SMBv1 is a security hole. Do not enable it.

Window 10 is going to update. Get used to it. The people who turned Windows 7 updates off and then blamed Microsoft when their operating got hacked and hosed caused this.

Home group has gone (Windows 10 V1803 and up). Get used to Password Protected sharing and learn how to use it. I wrote an article about this (look in my Articles for Folder Sharing on modern computers). Do not turn passwords off.

Windows 10 is not Windows 7, does not work like Windows 7 and has dispensed with some old Windows 7 ideas. There is no going back. Get used to it.

You got ransomware from people opening email from strangers. Get a Spam Filter. Train Employees, keep Off-Site backups. It is not a technology problem - it is a management problem.

Amortize expensive software and hardware to create cash for new equipment. "I am stuck on XP because the equipment is too expensive to upgrade" is not an option. Get your accountant to explain this to you.

13 Comments

load previous comments (11)

LVL 24

Expert Comment

by:Andrew Leniart2018-11-16

but ask A before AAAA...

(AAAA...)

Que?

LVL 46

Expert Comment

by:noci2018-11-16

DNS Query A = IPV4 address translation, AAAA = IPv6 address query.

Question by

Server Guy

2018-11-09

Shadow Copy Max Size Resetting

I have shadow copies enabled on the c:\ of a Windows 2012 server, I currently have it set to the below configuration;

Maximum Size: 35MB
Schedule: Twice a day at 06:00 and 13:00

The server also has Acronis Backup installed and running multiple backup jobs to a local NAS and also to Acronis Cloud.

I've noticed that the shadow copy setting maximum constantly resets to no limit but I can't understand why.

Please can someone offer any advise on why this occurs and how best to stop this being reset.

4 Comments

Question by

Mario Martinez

2018-11-04Solved

Ransomware Help!

I have a customer that was hit with the ACCDFISA v2.0 Ransomware they had the backup drive mounted so it seems like it deleted the files not encrypted. is there any solution to this? they are asking for $4000 in Bitcoin.

Thanks.

10 Comments

We have a new 2nd building on property we own. someone got verizon fios at the 2nd building (it was already in the 1st building). They are about 1,200 feet apart with line of sight.

We need the 2nd building to be able to access the network in the first building (and minimize costs). the 2nd building will have 1 -2 users and MAYBE some file transfers between the 2 buildings, but mostly email, web surfing

I'm trying to see the costs for connecting the 2nd building to our existing network / do we need fios at that 2nd building

Some options I thought of?

1) Setup a VPN - we have a watchguard at building 1 already and that has a VPN to another office in another state. So add a Watchguard unit for $500? at building 2 and some config time / costs. and still have the fios ongoing costs. Anyone know the throughput of a vpn using Verizon fios at both ends? it's lower than the speed you are paying for from verizon, right?

2) wireless? Maybe Unifi Nanobeam 5AC gen 2

https://www.amazon.com/Ubiquiti-NanoBeam-High-Performance-airMAX-NBE-5AC-Gen2-US/dp/B0713XMHH9

$113 each and we need 2 of them, plus time / moneh for hardware, mounting poles, etc. That Would get 400Mbit which is fine (mostly email / web surfing etc at the far end). But What if we want gigabit on wireless? Is that doable at a reasonable cost? And can cancel the FIOS

3) Fiber? I called Lanshack.com and they are saying the fiber cable would need to be outdoor rated (regardless of being …

8 Comments

Question by

tike55

2018-10-31SolvedPrivate

Windows 10 image

I am creating a Windows 10 image to deploy. Before I do so, I want to run the Windows 10 decrapifier (available on Spiceworks).

Is the following the correct order of events to image the laptop:

1) login as a local admin, run the decrapifier
2) run Sys Prep
3) create TIB file using Acronis boot CD, and USB stick to store image on.

1 Comment

LVL 1

Question by

Paul Walsh

2018-10-31Solved

Mitel 5212 setup on watchguard

Hi,

We use Mitel 5212 IP Phones. we are trying to get them to work on a custom VLAN setup on a watchguard m500 firewall. We have created the custom vlan and the ip scope which works fine. I have mimicked the DHCP options from our windows based dhcp server, however this didn't work. On the DHCP windows based DHCP server the options are:

128 Mitel TFTP xxxx.xxxx.xxxx.xxxx
129 Mitel RTC xxxx.xxxx.xxxx.xxxx
130 Mitel IP Phone Identifier MITEL IP PHONE
132 VLAN for Mitel IP Phone 0x3
133 priority for Mitel IP Phone 0x6

On the firewall dhcp scop options 9All custom)
Code Name Type Value
128 Mitel TFTP IP xxxxxx
129 Mitel RTC IP xxxxxx
130 Mitel IP Phone Identifier Text MITEL IP PHONE
132 VLAN for Mitel IP Phone Hex 3
133 Priority for Mitel IP phone Hex 6

When the phone eventually boots it gets a crazy VLAN id. Any clues as to what I am issing, or a how to guide on getting the IP phones to work?

Cheers,
Paul

3 Comments

Hi. I am trying to map ports to an internal IP from any outside IP on a Watchguard firewall. Version 11.9 Firewire XTM Web UI. No matter what I do, these ports will not open. Unfortunately, not as familiar with Watchguard as I should be.
Any idea why they will not go through from the attached file?
Watchguard-pdf.pdf

6 Comments

Acronis: I have a server and I want to make a copy of it using Acronis Backup AdvancedWS_11.7, now I want to make this server virtual, put it as hyperV, can I do that with Acronis? or is there any other tool that you know of?

Thank you everyone.

9 Comments

I have a domain with an 03 server and 2012 (r2 I think) server. The 2012 box is GC and has all the roles, but the 2k3 server is still a member of the domain etc - the domain function level is obv 2003. Glad the 03 box wasn't decommissioned yet as the 2012 box got hit with ransomware. Unfortunately their usb backup drive was also encrypted and they had no offsite setup. I need to reload the OS as I can't get SQL running again - cant uninstall it, cant install it, cant repair...its all kind of jacked. Whats the best process to get it reloaded and back as the GC of the domain? Do I need to assign the roles to the 03 box first, then dcpromo, then reinstall OS and probably with a different name then before for good measure?
Thanks

4 Comments

OWASP: Threats Fundamentals

LVL 12

Learn the top ten threats that are present in modern web-application development and how to protect your business from them.

I have a T70 device I'd like connect up via BOVPN with a XTM2 device (with wireless) at a home office location. In front of the XTM2 I will have an AT&T uverse router in bridged mode.

I'd like all of the data from one port on the xtm2 to go back and forth over the BOVPN. I'd like all of the wireless traffic to travel out to the internet.

Can someone please tell me if this is possible and point me in the right direction for accomplishing this? I've setup BOVPN's between two devices before but it was moving all traffic between both devices and I need to keep the wireless (home users) traffic off the VPN.

4 Comments

We’d all like to think our company’s data is well protected, but when you ask IT professionals they admit the data probably is not as safe as it could be.

1 Comment

LVL 24

Expert Comment

by:Andrew Leniart2018-10-16

Comment Utility

Great article that explains the importance of not just relying on definitions based security solutions. Thanks for writing this. Interesting read!

Endorsed.

Question by

hodgem

2018-10-13

nozelesn ransomware

Has anyone had any luck with removing/recovering from nozelesn ransomware?

5 Comments

Q1:
I'm trying to establish if my Officescan has Officescan's Ransomware protection below :

Ransomware Protection Enhancements in OfficeScan 11.0 SP1 Critical Patch 6054
Detection details of the OSCE 11.0 SP1 Critical Patch 6054 Ransomware Prevention Summary widget

Above 2 lines are extracted from link below:
https://success.trendmicro.com/solution/1111377-enabling-the-ransomware-protection-feature-in-officescan-osce

Q2:
Last screen in the attached shows Scheduled Scan is disabled : is it a good idea to enable it
& I thought to have it enabled either during lunch hours (for users who bring home their
laptops) or in the night (for users who leave their PCs/laptops powered on in the office at night):
I've heard many recommendations that on-demand scheduled scan is quite essential too.
Just that it's hard to determine which laptops are being brought home

attachment is what's shown on my laptop
TMofficescanver.docx

12 Comments

a couple of years back, Trendmicro's .DAT file can be searched using (find or grep command) for
certain malware names.

I'm now using OfficeScan V12.0.1352 & I think the signature file is VsapiNT.sys

I'm trying to track if globeimposter ransomware is in our current officescan signature &
the 2 links below seems to say that TM has documented them quite some time ago:
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-4th-2017-globeimposter-notpetya-and-more/
https://www.trendmicro.com/vinfo/in/security/news/cybercrime-and-digital-threats/ransomware-recap-crypshed-spoofs-amazon-in-ransomware-campaign

but when I searched for "glob" (I suppose FakeGlobal as it's known to Trendmicro) would have it
listed in the latest VsapiNT.sys signature but it's not there:
appreciate steps on how to list the malwares covered by Officescan's signature file:

C:\foren>find/i "glob" *.sys |more

---------- TMPREFLT.SYS

---------- TMXPFLT.SYS

---------- VSAPINT.SYS
GlobalAddAtomA
GlobalAddAtomW
GlobalAlloc
GlobalCompact
GlobalDeleteAtom
GlobalFindAtomA
GlobalFindAtomW
GlobalFix
GlobalFlags
GlobalFree
GlobalGetAtomNameA
GlobalGetAtomNameW
GlobalHandle
GlobalLock
GlobalMemoryStatus
GlobalReAlloc
GlobalSize
GlobalUnWire
GlobalUnfix
GlobalUnlock
GlobalWire
MakeCriticalSectionGlobal
JungUm Global
Corel Global Macro(GMS)
GLOBAL:
GLOBALNE:
GLOBALDOTPROMPT
GLOBAL
GLOBAL.DOT:
GLOBAL:
ExecuteGlobal
Global

7 Comments

Question by

iamaidiot

2018-10-06Solved

ransomware dharma bgtx

Hello
does anyone know if there is a decryptor for ransomware extension ending in bgtx.. it is a variation of dharma encryption.

6 Comments

Ransomware

Related Topics

Ransomware

Related Topics