Ransomware

199

Solutions

484

Contributors

Ransomware is malicious software, designed to block data access in order to extort money. As a form of malware, ransomware is most often used to infiltrate devices through infected emails or links that, in turn, recognize and take advantage of vulnerabilities in the operating system and installed third-party software.

Does anyone know of a tool that can successfully remove EMOTET?
0
In Win 7 & Win 2008 R2, I used to see/use the Bare Metal backup, which could
restore everything in the event the entire OS or filesystem got corrupted.

Where can I find it in Win10 (or Win2016)? I can't seem to locate it;
any screenshots will be appreciated.

If the feature is deprecated (I think I saw somewhere that starting with Win10 Ver 1709
it'll be deprecated??), I'd appreciate any portable freeware that
could do bare metal backups for Win10.
0
Greetings,

Unfortunately I recently had to deal with a ransomware attack at a client.  It was the W32 CoinMiner Trojan.  The virus infected a new Windows 2016-based Parallels RAS server I was preparing for rollout, and it used that server as a launch point to attack and encrypt files in every non-hidden share across the network.  A couple of servers were heavily infected beyond repair.  Luckily I employ Veeam Backup & Replication for the client and was able to restore the infected servers to a clean state from the previous night.  Bi-hourly replication jobs using Veeam of the main data file servers allowed me to recover data to within a 2 hour recovery period.  The network is a VMware ESXi 5.5-based environment that uses 2 physical hosts, a primary host which contains the main operating servers, and a 2nd host which operates as the replication target.  Veeam 9.x is used to regularly replicate the main data servers from the primary host to the replication host.

My question is how to best protect against this type of attack going forward.  I had in place at the client an access control policy implemented via McAfee VirusScan Enterprise 8.8's Access Protection.  I used McAfee's Access Protection options to create a number of custom access control rules, by which only legitimate applications, e.g. winword.exe, adobe.exe, iexplore.exe, excel.exe, are allowed to write to the most common types of data files on the network.  This is in place on all PCs and …
1
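The "only known applications may write data files" rule the poster built in McAfee Access Protection can also be expressed as detection logic, which is useful for auditing events that a host-based rule missed or for a file server that has no such agent. The block below is an added example, not code from the post or from McAfee: it applies a per-extension writer allowlist to a stream of file write/rename events, and adds a second check the allowlist alone does not give you, a single process renaming many files to one new extension within a short window. The allowlist, the process names and the events are constructed for illustration.

```python
"""Added example: allowlist-based write checking plus mass-rename detection
over constructed file events. Not from the original post or from McAfee."""
import os
from collections import defaultdict, deque

# Assumed allowlist: which process may write each protected extension.
# Site-specific in practice; these pairs are illustrative only.
ALLOWED_WRITERS = {
    ".docx": {"winword.exe"},
    ".xlsx": {"excel.exe"},
    ".pdf": {"acrobat.exe"},
}


def ext_of(path):
    """Lower-cased last extension; backslashes normalised so UNC paths split."""
    return os.path.splitext(path.replace("\\", "/"))[1].lower()


def write_violations(events):
    """Writes (or renames) of a protected file by a process that is not on
    the allowlist for that extension.
    Event tuple: (t_seconds, process, action, path[, new_path]).
    A rename counts as a write to its source path, since the original
    content is being taken away from the file."""
    hits = []
    for ev in events:
        _t, proc, action, path = ev[:4]
        if action not in ("write", "rename"):
            continue
        e = ext_of(path)
        if e in ALLOWED_WRITERS and proc.lower() not in ALLOWED_WRITERS[e]:
            hits.append((proc, path))
    return hits


def mass_rename_alerts(events, threshold=5, window_s=10):
    """(process, new_ext) pairs that renamed at least `threshold` files to
    the same new extension within `window_s` seconds, allowlist or not."""
    recent = defaultdict(deque)   # (process, new_ext) -> recent rename times
    alerts = set()
    for ev in sorted(events, key=lambda e: e[0]):
        if ev[2] != "rename":
            continue
        t, proc, new_ext = ev[0], ev[1].lower(), ext_of(ev[4])
        q = recent[(proc, new_ext)]
        q.append(t)
        while q and t - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold:
            alerts.add((proc, new_ext))
    return alerts


# Constructed sample: normal Office activity, one stray writer, one encryptor.
SAMPLE_EVENTS = [
    (0, "winword.exe", "write", r"\\fs1\data\q1.docx"),
    (1, "excel.exe", "write", r"\\fs1\data\budget.xlsx"),
    (2, "svchost.exe", "write", r"\\fs1\data\q1.docx"),              # not allowed
    (3, "winword.exe", "rename", r"\\fs1\data\~tmp.docx", r"\\fs1\data\q2.docx"),
] + [
    (4 + i, "evil.exe", "rename",
     rf"\\fs1\data\f{i}.docx", rf"\\fs1\data\f{i}.docx.locked")
    for i in range(5)
]

if __name__ == "__main__":
    for proc, path in write_violations(SAMPLE_EVENTS):
        print("blocked write:", proc, path)
    for proc, new_ext in mass_rename_alerts(SAMPLE_EVENTS):
        print("mass rename:", proc, "->", new_ext)
```

The rename check matters because an allowlisted application can be abused (a macro in winword.exe writes .docx files legitimately), so a rate-and-extension check on renames catches behaviour the per-process rule is blind to.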
Hello, I am in the process of implementing Acronis Snap Deploy in my environment and am wondering what other experts have done for version control of their master/base images?
0
1) How do I completely uninstall/delete Acronis true image 2019 from macOS High Sierra - then reinstall  Acronis true image 2019 pointing to new drives?

2) My goal is to delete all backups from Acronis True Image and rebuild to backup to new attached/online drives.

I will settle for 1) if 2) is not feasible.
0
Here is a sample of the notifications Webroot sends:

Threat List:
MYINBOXHELPER-11554925[1].EXE, W32.Adware.Gen, %appdata%\microsoft\windows\inetcache\low\ie\r0wen413\, https://snup.webrootcloudav.com/SkyStoreFileUploader/upload.aspx?MD5=1A45B3AE41C8DDD1F82FFB1B46ED57B9 1A45B3AE41C8DDD1F82FFB1B46ED57B9,

Does anyone have any idea how to translate that to a name and a payload with a little more information about it? I gotta tell ya... Webroot support really sucks....
0
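Triage usually starts by splitting a notification like the one above into fields and pulling out the hash, which is what you use to look the sample up elsewhere or to confirm that a file you retrieved from the machine is the same one the agent saw. The block below is an added example, not Webroot's code or anything from the post: it parses the quoted line, extracts the MD5 from the upload URL and from the trailing field, checks that the two agree, and splits the detection name into its platform/category/variant parts. The assumption that the line is laid out as file, detection, path, then upload URL plus hash is read off the quoted line only; other Webroot notification formats may differ.

```python
"""Added example: parse one Webroot threat-list line and verify its hash.
Not from the original post or from Webroot."""
import hashlib
import re
from urllib.parse import parse_qs, urlparse

# The line quoted in the post above.
NOTIFICATION = (
    "MYINBOXHELPER-11554925[1].EXE, W32.Adware.Gen, "
    r"%appdata%\microsoft\windows\inetcache\low\ie\r0wen413\, "
    "https://snup.webrootcloudav.com/SkyStoreFileUploader/upload.aspx"
    "?MD5=1A45B3AE41C8DDD1F82FFB1B46ED57B9 1A45B3AE41C8DDD1F82FFB1B46ED57B9,"
)

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_webroot_threat(line):
    """Split a 'file, detection, path, url hash,' line into a dict.
    Field layout is an assumption taken from the quoted line."""
    fields = [f.strip() for f in line.strip().rstrip(",").split(", ")]
    if len(fields) != 4:
        raise ValueError(f"expected 4 comma-separated fields, got {len(fields)}")
    file_name, detection, path, url_and_hash = fields
    url, md5 = url_and_hash.split()
    md5 = md5.lower()
    # The upload URL carries the same hash as a query parameter.
    url_md5 = parse_qs(urlparse(url).query).get("MD5", [""])[0].lower()
    # Vendor naming convention: platform.category.variant; 'Gen' is the
    # usual marker for a generic/heuristic signature rather than a named family.
    platform, category, variant = (detection.split(".", 2) + ["", ""])[:3]
    return {
        "file": file_name,
        "detection": detection,
        "platform": platform,
        "category": category,
        "variant": variant,
        "generic": variant.lower() == "gen",
        "path": path,
        "upload_url": url,
        "md5": md5,
        "md5_wellformed": bool(MD5_RE.match(md5)),
        "md5_matches_url": bool(url_md5) and url_md5 == md5,
    }


def matches_hash(data, md5):
    """True if the bytes you pulled off the machine hash to the reported MD5."""
    return hashlib.md5(data).hexdigest() == md5.lower()


if __name__ == "__main__":
    info = parse_webroot_threat(NOTIFICATION)
    for k, v in info.items():
        print(f"{k:16} {v}")
    # Constructed stand-in for a retrieved file; a real sample would be read from disk.
    print("sample matches:", matches_hash(b"not the real sample", info["md5"]))
```

With the hash isolated you can query any reputation service you already use; the path tells you the file was sitting in a browser cache directory, which is worth recording alongside the hash when you write the incident up.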
Hi All,

I am using XTM 25/26 WatchGuard firewalls in the company and many of the remote users connect through Mobile SSL VPN. Everything was working fine with no issues, but after an internet connectivity breakdown and restoration, no one is able to log in using Mobile SSL VPN.

I have checked everything but couldn't understand the issue. Can anyone help me with this?

A few points:

1. The firewall OS has not been upgraded.
2. No new rules have been created.
3. Reinstalled the SSL client software and created a new user with a new password. I can log in to the SSL web page (https://Firewall IP/sslvpn.html) and download fresh software. De-activated and re-activated Mobile SSL VPN.
4. Internal network 192.168.1.0/24, virtual address pool 192.168.111.0/24

Here is the diagnosis report.

2019-01-23 10:43:32 sslvpn sslvpn_event, add entry, entry->virtual_ip=0.0.0.0, entry->real_ip=192.168.1.88, dropin_mode=0
2019-01-23 10:43:32 sslvpn Mobile VPN with SSL user Mitul logged in. Virtual IP address is 0.0.0.0. Real IP address is 192.168.1.88.
2019-01-23 10:43:35 sslvpn Entered in sslvpn_takeaddr
2019-01-23 10:43:35 sslvpn Arguments which needs to be sent:openvpn_add 0 1548200615 0
2019-01-23 10:43:35 sslvpn Going to open wgipc:
2019-01-23 10:43:35 sslvpn assign ip address, rip=c0a86f02, lip=0, common_name=0
2019-01-23 10:43:35 sslvpn Sending Data by wgipc to sslvpn_takeaddr is Success,Buffer:192.168.111.2:0.0.0.0:0
2019-01-23 10:43:35 sslvpn Success,Sending Data to …
0
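Reading the diagnostic lines above is easier once they are pulled into fields, in particular the rip= value, which this log writes as eight hex digits (c0a86f02 is 192.168.111.2). The block below is an added example, not WatchGuard code or anything from the post: it parses the quoted lines, decodes the hex addresses, and builds a per-login summary showing the virtual IP reported at login, the address handed out by sslvpn_takeaddr, whether that address falls inside the configured pool, and whether the client's real IP falls inside the internal LAN. The pool and LAN ranges are the ones the poster listed; the sample lines are copied from the post, so the summary describes that one login and nothing more.

```python
"""Added example: summarise WatchGuard sslvpn diagnostic lines.
Not from the original post or from WatchGuard."""
import ipaddress
import re

# Lines copied from the post above (the trailing truncated line is omitted).
LOG = """\
2019-01-23 10:43:32 sslvpn sslvpn_event, add entry, entry->virtual_ip=0.0.0.0, entry->real_ip=192.168.1.88, dropin_mode=0
2019-01-23 10:43:32 sslvpn Mobile VPN with SSL user Mitul logged in. Virtual IP address is 0.0.0.0. Real IP address is 192.168.1.88.
2019-01-23 10:43:35 sslvpn Entered in sslvpn_takeaddr
2019-01-23 10:43:35 sslvpn Arguments which needs to be sent:openvpn_add 0 1548200615 0
2019-01-23 10:43:35 sslvpn Going to open wgipc:
2019-01-23 10:43:35 sslvpn assign ip address, rip=c0a86f02, lip=0, common_name=0
2019-01-23 10:43:35 sslvpn Sending Data by wgipc to sslvpn_takeaddr is Success,Buffer:192.168.111.2:0.0.0.0:0
"""

# Ranges as stated in the post.
INTERNAL_LAN = ipaddress.ip_network("192.168.1.0/24")
VPN_POOL = ipaddress.ip_network("192.168.111.0/24")

LOGIN_RE = re.compile(
    r"user (\S+) logged in\. Virtual IP address is (\S+)\. Real IP address is (\S+)\.")
ASSIGN_RE = re.compile(r"assign ip address, rip=([0-9a-fA-F]+), lip=([0-9a-fA-F]+)")
BUFFER_RE = re.compile(r"Buffer:(\d+\.\d+\.\d+\.\d+):(\d+\.\d+\.\d+\.\d+):")


def hex_ip(h):
    """Decode an address logged as hex digits, e.g. c0a86f02 -> 192.168.111.2.
    A bare '0' decodes to 0.0.0.0."""
    return str(ipaddress.IPv4Address(int(h, 16)))


def summarize_sslvpn(text):
    """Collect the login, takeaddr and buffer fields for one session and
    add the sanity checks a practitioner would do by hand."""
    s = {}
    for line in text.splitlines():
        if m := LOGIN_RE.search(line):
            s.update(user=m[1], login_virtual_ip=m[2], real_ip=m[3])
        elif m := ASSIGN_RE.search(line):
            s.update(takeaddr_rip=hex_ip(m[1]), takeaddr_lip=hex_ip(m[2]))
        elif m := BUFFER_RE.search(line):
            s.update(buffer_ip=m[1], buffer_lip=m[2])
    s["login_reported_zero_vip"] = s.get("login_virtual_ip") == "0.0.0.0"
    if "buffer_ip" in s:
        s["assigned_in_pool"] = ipaddress.ip_address(s["buffer_ip"]) in VPN_POOL
        s["buffer_matches_rip"] = s["buffer_ip"] == s.get("takeaddr_rip")
    if "real_ip" in s:
        s["real_ip_is_internal"] = ipaddress.ip_address(s["real_ip"]) in INTERNAL_LAN
    return s


if __name__ == "__main__":
    for k, v in summarize_sslvpn(LOG).items():
        print(f"{k:24} {v}")
```

For the quoted session the summary shows a login line reporting virtual IP 0.0.0.0 three seconds before takeaddr hands out 192.168.111.2, an address that is inside the stated pool, and a real IP that sits inside the internal 192.168.1.0/24 range. None of that by itself says why clients cannot log in, but it is the set of facts to put next to the firewall's SSL VPN configuration when you ask for help.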
I inherited a client that had a loose security environment and that turned into a ransomware attack.  Things have been weird ever since.  One of the weird situations is us finding ports 443 and 80 open and forwarded to our jump box.  We deleted those ports, or so we thought, because they popped up again.  We chalked it up to maybe not applying the setting, so maybe it didn't get saved.  However, the client reported internet issues that felt like someone did a loopback in the network.  Then I looked at the router and found these ports open again with a loopback comment.  We changed the password of the router last time.  We are really at a loss as to why we are being haunted by this issue.  Any thoughts?   Two-factor authentication does not come out for SonicWall until later in the year.   We are setting up LDAP tomorrow and VLAN segmentation on the 20th for some additional protection, but we are still unclear how this individual is lurking.

 2019-01-17_23-24-03.png

zz.png
0
Local server security.

I just got hit by a ransomware attack. Hence I am asking for help to achieve a great level of security for my server especially, and for my devices.

Which devices should I get and why?
0
I'm trying to compare two solutions, Webroot SecureAnywhere with DNS Protection or Sophos Intercept X Advanced with EDR.
I do have a Sophos firewall, but I've been using Webroot for now and just tested Intercept X, and I have to decide which route to take.

Does anyone have any recommendations?
0
I am looking to engage clients in a maintenance agreement (managed IT) starting Jan 2019.  I'm curious if it's common to include ransomware attacks/resolution in the flat monthly maintenance agreement with the client.  Where are the boundaries between a flat monthly maintenance agreement and charging for adds/removes/changes (projects) to the environment?  A recent 12-user ransomware attack encrypted 2 out of 5 servers and 7 out of approximately 20 workstations.  This was easily 30 hours' worth of recovery time.  I obviously would like to exclude these catastrophic events from the maintenance agreement and provide best-effort security as we continue to make improvements to secure these environments against future attacks.  Time, money and staff constraints on both sides limit these things from being expedited.  Anyway, any advice on the legalese disclaimer?  Any other liability that I should be concerned is or isn't covered with a related legal statement here?  Does a business associate agreement protect the IT individual from these disasters?
0
I just created a backup to acronis true image.  

The program created three TIB files.  

_v1 - (2g)
_v2- (4g)
_v3- (4g)

Any ideas why the program created 3 files?
1
I have sysprepped my Win 10 install (generalize, audit, shutdown)

Now the computer is shutdown.  Are my next steps the following:

1) boot to Acronis Win 10 PE bootable recovery media (CD)
2) clone image to USB drive?
0
A Microtech scam/ransomware was on a computer at a remote location.  It said they needed to call a 1-800 number to get the virus removed.  This user did that and paid $300 to have the fake company remove the virus.  I got a text from him saying they are in there right now controlling the computer and "trying" to remove the virus.  Should he power off right away, or should he let them do their thing so he can use his PC again since he paid the money?  I told him to immediately power off the computer and wait for them to call again.
0
Hi guys,

We have a load of WatchGuard access points and they are connected to a DrayTek 1100 PoE switch. This switch is then connected to our backbone switch, which is a Cisco 3750.

We have set DHCP on the WiFi network that the access points are on to start from 10.0.5.20 onwards, with the management IP of this DrayTek PoE switch being 10.0.5.6. Every single day, people complain about not being able to access the internet properly, and then it fixes itself again. Then it happens again.

When they do complain, I end up not being able to access the management IP page of the DrayTek on 10.0.5.6. This makes me believe that it is in fact this particular PoE switch causing the issues we are having.

Could that be the underlying problem?

Thanks for helping,
Yash
0
Hi,
We have set up an internal VLAN on our WatchGuard for guest WiFi access. The VLAN works as expected, and anyone who joins gets the expected IP address and can browse the internet with no problems. What we can't get it to do is work correctly with Outlook Web Access. For some reason, whenever I try the OWA address I get redirected to the WatchGuard SSL login page. If I try on any other external connection it works fine. I have tried an nslookup on the new guest WiFi and on our other external connections, and they all point to the correct external address, i.e. if I am connected to one external WiFi and try to access the URL xxxxxx/exchange it works fine, and an nslookup points to the correct external address. If I try to access xxxx I get presented with the IIS page. If I try the same when connecting via the guest WiFi, the nslookup shows the same external IP address; however, if I try to go to xxxx/exchange I get a 404 page not found error, and if I browse to xxxx I get the WatchGuard SSL login page.

What am I missing?

Cheers,
Paul
0
I have a customer that was hit with the ACCDFISA v2.0 ransomware. They had the backup drive mounted, so it seems like it deleted the files rather than encrypting them.  Is there any solution to this? They are asking for $4000 in Bitcoin.

Thanks.
0
We have a new 2nd building on property we own.  Someone got Verizon FiOS at the 2nd building (it was already in the 1st building).  They are about 1,200 feet apart with line of sight.

We need the 2nd building to be able to access the network in the first building (and minimize costs).   The 2nd building will have 1-2 users and MAYBE some file transfers between the 2 buildings, but mostly email and web surfing.

I'm trying to see the costs for connecting the 2nd building to our existing network / whether we need FiOS at that 2nd building.

Some options I thought of:

1) Set up a VPN. We have a WatchGuard at building 1 already and that has a VPN to another office in another state.  So add a WatchGuard unit for $500? at building 2 and some config time / costs, and still have the FiOS ongoing costs.  Anyone know the throughput of a VPN using Verizon FiOS at both ends?  It's lower than the speed you are paying for from Verizon, right?

2) Wireless? Maybe Ubiquiti NanoBeam 5AC Gen 2

https://www.amazon.com/Ubiquiti-NanoBeam-High-Performance-airMAX-NBE-5AC-Gen2-US/dp/B0713XMHH9 

$113 each and we need 2 of them, plus time / money for hardware, mounting poles, etc. That would get 400 Mbit, which is fine (mostly email / web surfing etc. at the far end).  But what if we want gigabit on wireless?  Is that doable at a reasonable cost? And can we cancel the FiOS?

3)  Fiber? I called Lanshack.com and they are saying the fiber cable would need to be outdoor rated (regardless of being …
0
I am creating a Windows 10 image to deploy.   Before I do so, I want to run the Windows 10 Decrapifier (available on Spiceworks).

Is the following the correct order of events to image the laptop?

1) Log in as a local admin, run the Decrapifier
2) Run Sysprep
3) Create the TIB file using the Acronis boot CD, and a USB stick to store the image on.
1
Hi,

We use Mitel 5212 IP phones. We are trying to get them to work on a custom VLAN set up on a WatchGuard M500 firewall. We have created the custom VLAN and the IP scope, which works fine. I have mimicked the DHCP options from our Windows-based DHCP server; however, this didn't work. On the Windows-based DHCP server the options are:

128 Mitel TFTP xxxx.xxxx.xxxx.xxxx
129 Mitel RTC xxxx.xxxx.xxxx.xxxx
130 Mitel IP Phone Identifier MITEL IP PHONE
132 VLAN for Mitel IP Phone 0x3
133 priority for Mitel IP Phone 0x6

On the firewall DHCP scope options (all custom):
Code    Name                          Type    Value
128     Mitel TFTP                    IP      xxxxxx
129     Mitel RTC                     IP      xxxxxx
130     Mitel IP Phone Identifier     Text    MITEL IP PHONE
132     VLAN for Mitel IP Phone       Hex     3
133     Priority for Mitel IP Phone   Hex     6

When the phone eventually boots it gets a crazy VLAN ID. Any clues as to what I am missing, or a how-to guide on getting the IP phones to work?

Cheers,
Paul
0
Hi.  I am trying to map ports to an internal IP from any outside IP on a WatchGuard firewall, version 11.9 Fireware XTM Web UI.  No matter what I do, these ports will not open.  Unfortunately, I am not as familiar with WatchGuard as I should be.
Any idea why they will not go through, from the attached file?
Watchguard-pdf.pdf
0
Acronis:  I have a server and I want to make a copy of it using Acronis Backup Advanced WS 11.7. Now I want to make this server virtual and put it in Hyper-V. Can I do that with Acronis, or is there any other tool that you know of?

Thank you everyone.
1
I have a domain with an '03 server and a 2012 (R2 I think) server.  The 2012 box is the GC and has all the roles, but the 2k3 server is still a member of the domain etc.; the domain functional level is obviously 2003.  Glad the '03 box wasn't decommissioned yet, as the 2012 box got hit with ransomware.  Unfortunately their USB backup drive was also encrypted and they had no offsite setup.  I need to reload the OS as I can't get SQL running again: can't uninstall it, can't install it, can't repair... it's all kind of jacked.  What's the best process to get it reloaded and back as the GC of the domain? Do I need to assign the roles to the '03 box first, then dcpromo, then reinstall the OS, probably with a different name than before for good measure?
Thanks
1
I have a T70 device I'd like to connect up via BOVPN with an XTM2 device (with wireless) at a home office location.  In front of the XTM2 I will have an AT&T U-verse router in bridged mode.

I'd like all of the data from one port on the XTM2 to go back and forth over the BOVPN.  I'd like all of the wireless traffic to travel out to the internet.  

Can someone please tell me if this is possible and point me in the right direction for accomplishing this?   I've set up BOVPNs between two devices before, but that was moving all traffic between both devices, and I need to keep the wireless (home users) traffic off the VPN.
0
Has anyone had any luck with removing/recovering from Nozelesn ransomware?
0
