Ransomware

110

Solutions

271

Contributors

Ransomware is malicious software, designed to block data access in order to extort money. As a form of malware, ransomware is most often used to infiltrate devices through infected emails or links that, in turn, recognize and take advantage of vulnerabilities in the operating system and installed third-party software.

Share tech news, updates, or what's on your mind.

Sign up to Post

Microsoft released a video about Ransomware.  Surprisingly good.

Take a look at it here...

https://resources.office.com/ww-thankyou-ransomware-what-you-need-to-know-video.html

Curious about your thoughts on the advice being given?
0
Who's Defending Your Organization from Threats?
Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

I am putting together some phone equipment and servers in a datacenter cabinet.  The datacenter is providing us a redundant router connection using HSRP.  The cabinet has two Ethernet cables: primary, secondary.

We need external routable addresses for each of the two border controllers for the phone system.  They have a WAN port and a LAN port so they can have an external (outside the firewall) connection and also have a local IP address in the same subnet as the servers in the cabinet.

We are trying not to purchase another $2000 Cisco switch for the setup to accept the 2 Ethernet connections.

We have a WatchGuard M370 firewall device with several ports that can be configured in many ways.

We have two layer 2 switches available in the cabinet for use outside and/or inside the firewall. It is a layer 3 device.

I need help in the configuration of this system.

One suggestion was to take the two datacenter network cables and plug them into a standard Layer 2 switch then patch that switch into an external interface on the firewall.  After so many attempts I am trying to remember but I think the path to the internet was broken when BOTH router cables were plugged into that switch.  I am going back to the datacenter tomorrow to try more things but I wanted to get some input from you guys first.  I have the datacenter IP sheet where they provide me the configuration info but didn't want to post live addresses on this site.  Basically they gave me a \29 subnet and …
0
Watchguard mobile VPN stops receiving data whenever I reboot my laptop. It requires me to uninstall and install again to make it working. Can some please suggest me the cause of the issue.
1
Hello,

I have been infected by some ransonware i don`t know.

In the attached file is the readme file with the instructions to decrypt the files. Anyone knows the ransomware and how to decrypt it?

It seems a xorist one, but the tool by kaspersky doesn`t work.

Any information will be welcomed.
README_9670338_05489.txt
0
The recent Meltdown / Specter issue:   Much the same as the big Ransomware issue and then severe viruses before that.

Don't have a heart attack - Patch your computer systems instead.

It seems the people who do not patch wake up and wonder what is happening. Patch Tuesday was today - Update your systems.

1
 
LVL 36

Expert Comment

by:gr8gonzo
Unless you're running an older AMD PC. Hold off on patching until MS figures out the bricking issue.
0
This is in regards to an environment that contains multiple Microsoft Windows severs. The particular vulnerability is the shared folders on the servers. This is a general question about a large topic. I'd like to know opinions of what are specific, important, useful steps to take, as well as reliable sources of information and guidance.
0
Lately, when I try to install new programs run web based programs, I get this popup "This app has been blocked by your system administrator." It is a blue window and the only options are "Copy to Clipboard" or "Close".

This workstation (Win 10 Pro) was running on a Win Server 2012 R2 domain and may have had one or two tweaks done to the domain to prevent ransomware and I suspect this is the culprit. I first check AppLocker settings in Group Policy on the server. Nothing stood out, so I then removed AppLocker from the GPO. That did not help either, so I removed the workstation from the domain and made it part of a workgroup. It still has this problem.

Any suggestions as to where this setting is located on this workstation and how I can change it either by lowering the threshold or by whitelisting apps that I trust?
0
2017 was a scary year for cyber security. Hear what our security experts say that hackers have in store for us in 2018.
0
Hello. I am the unfortunate victim of a very clever APT that has led to me having to close down my charity law firm for the poor, and as no one would help me, I then spent all my equity and savings and even debt and borrowed so much it is impossible to recover, in my alone effort to learn about networks and use toolbox Kali and Tails and lots of microsoft and any secureity tools I could find, and always with compromised devices, instantly, and so it has been a horrible education where I fight and discover with broken tools, and I have discovered and learned a lot these 13 months, but also have gone from wealthy to closing 3 of my 4 businesses, including all charity projects, and the last of my businesses is dying, and I cannot produce economically in this compromised state, and am victim of much financial fraud and it is too much to even try to catch up and audit and notice, and I have been hospitalized multiple times this year and probably because I have been sleeping only every other day and in constant stress over this and the fact I cannot get even one device to be exclusively mine and secure and I have root control. None. Even if I go and buy one. And I did that many times, many ways, every tactic I could think of, and exhausted my cleverness, and my ideas, and have copies and lots of digital evidence, and even probably most of the malicious code---none was easy to obtain or find, but I have, and I have I am sure plenty of logs, code, and so on, that someone who knew …
0
Hi All,

My company Scenario:

I have connected the branch office to main office using VPN.

Main office is running under domain environment and using a Watch guard as a firewall.
Branch office is running in a work group environment and using a Billion VPN Wi Fi router.

VPN has been set up between Watchguard Firewall (XTM26) and Billion Wifi Router (Bi Pac 8920nz)

VPN is working fine. I am able to take remote of all the computers located in to the branch office using "Microsoft Remote Desktop" from the main office.  

Problem:

I am not able to ping any of the branch office computers. I can ping branch office wifi router and network printer only. What could be the reason?
0
Evaluating UTMs? Here's what you need to know!
Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

My mother in law is having an issue with her laptop. When she is browsing the internet, various sites, google, kohls, target, amazon, whatever it happens to be, she will see a popup message (enclosed attachment), along with the popup there is audio telling her to call a number, and it's saying that her computer is infected with malware. I have run several A/V scans and malware scans and I have found NOTHING! What is causing this?
possible_malware.jpg
0
A customer of mine with a Windows 2016 Server got a ransomware infection this Monday.  Turned out to be the Xorist.  I got the Emsisoft decrypter tool and ran it with success and then decrypted all the files on the server.  

With that part done, scanned the machine with Webroot (installed, don't know how it didn't detect this) windows defender, sophos second opinion, TDDSKiller,  superantispyware  and malwarebytes.  a trojan was found in a zip file that was in a profile that was created by an external source.

I went through all my usual programs to look for anything further (process explorer, tcpview, netstat etc but when it got to process monitor i narrowed a lot of network traffic coming from the lsass.exe process, and it was going to random IP's (gamertalk.com.br)
snapshot of the process monitor
I could not get this traffic to subside, and it eventually crashed the server after 6-8 hours.

I took away the servers DNS settings as well as the gateway setting and this continued to flow in process monitor.

Am I reading this program incorrectly?
How else can I go about trying to find what is making this traffic?

Thank you.
0
Last month Marc Laliberte, WatchGuard’s Senior Threat Analyst, contributed reviewed the three major email authentication anti-phishing technology standards: SPF, DKIM, and DMARC. Learn more in part 2 of the series originally posted in Cyber Defense Magazine.
1
Server is Windows 2012 R2. Clients are Windows 10.

VPN is a Watchguard SSL VPN. Users are connected on fast VDSL connections.

When Offline Files is enabled, users connecting via the VPN can no longer see any folders other than those already synchronised. File explorer shows the computer working in offline mode.

I have checked the network location, and this shows 'domain' as expected.

It appears that when connected to the VPN, Windows is perfectly happy to authenticate against the network, browse network shares it's never seen before, there are no speed issues, etc, but the minute offline files is enabled, Windows (file explorer only) thinks the computer is offline.

There is no GPO set to describe the slow speed threshold, so the default of 500kbps should be true. The connection is operating nearer 80Mbps.

I've set a GPO "Computer Configuration > Policies > Administrative Templates > Network > Offline Files > Configure slow-link mode" to disabled, which seems to have resolved the issue.

However, I'm more concerned that Windows believes the computer to be offline when it isn't, and I wonder if there's a firewall issue I should be aware of?

Any pointers?
0
According to tech support site BleepingComputer, victims can "trick" the program into shutting down: once they reach the PayPal purchase screen, they can hit Ctrl+O to open a dialogue box, and then enter http://hitechnovation.com/thankyou.txt. This makes the program think they've paid the $25, and it shuts down.

https://www.cnet.com/news/this-scam-tricks-you-into-buying-fake-tech-support-software/
1
 
LVL 13

Expert Comment

by:Andrew Leniart
Great Post and Heads Up Kyle.
0
I am trying to create a policy to enable/block specific traffic that my T30-W is handling. I haven't been able to find a good answer as to what each column in the Traffic Monitor means.
0
Hey

All external mails shows as "X-MS-Exchange-Organization-AuthAs: internal"

How to change to anonymous?

(We have a WatchGuard XCS as spam)

Mike
0
Hi
Wanted to open this discussion - to prevent a ransomware attack or malware from spreading across a network

Seems most SMB networks have domain admins (most of which have separate accounts, so the domain admins don't log into a computer with the domain admin account unless performing some sort of work that requires domain admin access), but I've seen a lot of networks where the domain user that logs onto a particular machine is given local admin rights on that machine.  

Also have heard it's not a good idea for a domain admin account to ever log onto a user's workstation

Compromising of credentials stored in memory via LSASS seems pretty easy

As far as how many users have domain admin rights, this seems pretty straightforward; that the fewer domain admins the better, and instead of automatically creating a domain admin account any time a service account is required, it would be better for a service account to use a regular domain user account, but one that's local admin on the server it needs (rather than a full out domain admin account)

What are your thoughts on this?
0
In WatchGuard XTM SMTP Proxy definitions, it implies you can set up a rule for "masquerading".  However, how do you set up the replacement string?   For instance, if I want person@contoso.com to be redirected to person@contoso.org, it is easy enough to match the string and replace it.  But, if I want everyone @contoso.com to be redirected to their same name @contoso.org, how do you set up the replacement string?  You can use a wildcard on the string match but what syntax do they use for the replacement string to attach the portion before @contoso.com.   Seems that this should be a simple process for creating masquerading.
0
SMB Security Just Got a Layer Stronger
SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

Hi guys,

I see the PCMatic commercials, along with ALL of my clients.. I am a computer consultant that goes into homes & small businesses...

I do NOT deal with servers, just home computers.

How can these guys say they are 100% solution to protect against all threats?  100% against ransomeware too...

Is this a good solution?  
If yes, why?         If not, why not?

Should I recommend to clients?

I know I have read they blacklist everything, so nothing gets through...

If they are sooo good as they say, why wouldn’t everyone be using??  

Thanks again, :-)
0
The Tech or Treat contest winner has been chosen! Congratulations to expert Thomas Zucker-Scharff, our champion, who submitted an article on a suspected hack into his work device that, to this day, has never been solved.
3
 
LVL 3

Expert Comment

by:Juana Villa
giphy.gif
1
Hi there, Folks

I have a Windows 2003 server which we run for a customer. Someone, somehow has managed to get the server infected with the .libbywovas@dr.com.gr3g files ransomware and boy has it made a hash of the server.

I'm looking for help getting the server back to a state where I am able to login. I'm told I can manually remove the ransomware by logging in safe mode. However, logging in in safe mode requires F8 to be sent while in boot stage. I'm finding this impossible because the server is a VPS (VMWare) and it doesn't seem to let me send the F8.

Does anyone know how to get this server cleaned? I would sincerely appreciate the help.

Best wishes
Chris
0
One of our clients has a ransomware vires, in every folder there is a text document with the following info:

All your files have been encrypted. If you want to restore them, write us to the e-mail writefordecrypt@openmailbox.org
013CCCAC1509577167

I am guessing all is lost when there is no backup?
0
Phishing emails are a popular malware delivery vehicle for attack. While there are many ways for an attacker to increase the chances of success for their phishing emails, one of the most effective methods involves spoofing the message to appear to come from a trusted source. Ready to learn more?
1
Top 10 Nastiest Ransomware Attacks of 2017

Nastiest-Ransomware.png
We’re revealing the top 10 nastiest ransomware attacks from the past year. NotPetya came in on our list as the most destructive ransomware attack of 2017, followed closely by WannaCry and Locky in the number two and three spots, respectively. NotPetya took number one because of its intent to damage a country’s infrastructure. Unlike most ransomware attacks, NotPetya’s code wasn’t designed to extort money from its victims, but to destroy everything in its path.

Check out the entire list here.

0

Ransomware

110

Solutions

271

Contributors

Ransomware is malicious software, designed to block data access in order to extort money. As a form of malware, ransomware is most often used to infiltrate devices through infected emails or links that, in turn, recognize and take advantage of vulnerabilities in the operating system and installed third-party software.