
Ransomware

268

Solutions

584

Contributors

Ransomware is malicious software, designed to block data access in order to extort money. As a form of malware, ransomware is most often used to infiltrate devices through infected emails or links that, in turn, recognize and take advantage of vulnerabilities in the operating system and installed third-party software.

I used Acronis Clone Disk utility to clone a disk, but the cloned disk is not bootable.
0
I had a friend of mine with a very small company and a Windows SBS 2011 server that got hit with ransomware. Her backup drive was also taken out by the attack. I was able to help her get a new server up with Windows 2019; however, it would be helpful if we could get her old files back. I see utilities from McAfee and others that may decrypt, but I know nothing about them. We also have the backup drive and thought about sending that off to be recovered. Any ideas would be appreciated. The suffix on all the files is U8E598.
0
Hi experts,

Currently I am running Windows Server 2016 Standard with Hyper-V and two VMs. One VM is for RDS and one is for Windows Essentials for databases and the domain controller. The client computers remote to the remote desktop server.

The two VMs are backed up by Veeam and the Hyper-V server as well as the two VMs have Windows Defender for A/V. I also use O365 with Advanced Threat Protection. But, I think I would be better off with a more robust anti-malware program to protect for 0-day malware, ransomware and other security functions. Trusting users with email and website drive-bys seems like an invitation to ransomware. The only protection I have currently is Windows Defender and backups including the cloud and air-gapped storage. For completeness, I am using pfSense for my router/firewall.

My question relates to choosing the best anti-malware program. I have looked at quite a few including ESET, Malwarebytes, Sophos, etc., but the number of choices and technologies and how they are presented on their websites is confusing at best. I have tried to look at reviews of many of the programs, but many of the review sites look more at home versions.

I was wondering if a) anyone has ideas as to best set up security for my network, specifically the two VMs and if there are any sites you would recommend to gain information about the anti-malware programs. This network setup -- similar to the old-style thin clients except with full workstations is completely …
1
Can SharePoint files get encrypted by ransomware?

Can Azure file backups that were created using the Azure Backup agent running on in-house servers be encrypted by ransomware?
0
Hi All,

We have a Branch Office VPN established to one of our third-party suppliers for support purposes (we use a WatchGuard at our end). They would like a secondary tunnel established with different settings that will run side by side with the existing one. Am I OK to use the existing external IP (ours) as the external IP of the new tunnel? Will this work if both tunnels are required to be active at the same time, or does each tunnel have to have its own external IP assigned?

Cheers,
Paul
0
We use Azure cloud backup to back up our in-house servers. If we were hit by ransomware and server files were encrypted, would it affect our backups that are stored in Azure? I'm thinking the backups are protected and we should be able to restore from them. Any ideas on this?

Thanks,
cja
0
Dear Experts,

I would like to speed up the process of upgrading my workstations from Win 7 to Win 10.
For this reason I have purchased Acronis True Image 2020 in order to clone a pre-configured SSD drive (GPT, Basic).

All Workstations are hardware identical (motherboard, ram, cpu, ssd model and size, even the case is the same).

The cloning result seems successful but I am facing the below issue:

I used Computer A to clone the Win 10 installation and then turned off Computer A.
On Computer B, I installed the first cloned SSD and powered on the computer.
Computer B booted successfully to Win 10, but I noticed that after powering on Computer B, Computer A was also powered on automatically.
(This has happened more than once, so it is not a random occurrence.)

Of course Computer A and Computer B are on the same network, and imagine what will happen if the rest of the cloned computers behave the same way.
Finally, if I remove the network cable from Computer A, it will not boot up once Computer B is powered on.

Awaiting your comments,

Best Regards,
Mamelas
0
Hi all.  Just wanted to reach out and see what people are doing out there to prevent ransomware from encrypting data.  More of a proactive role.   Anyone?

Thanks!
0
Hi all! I figured I would just throw this out there. For small environments where they are not ready to invest in a server, or even a RAID controller with mirrored drives for a dedicated Win10 computer "acting" as a server, what do you guys like for the best backup software? It has to be super intuitive for people. Acronis is great, but I think it totally throws people off, even though you can do an image backup and restore individual files. Has anyone seen anything that is a bit more intuitive that can do both file-level and image backups? So if you have a catastrophic drive failure you can boot from a flash drive, replace the drive and put the image back, schedule image backups say monthly, but do a daily file-level backup?
Thanks guys!
0
Just got a second residential computer whose drive is locked with MS BitLocker due to a scammer and ransom. This person was searching the internet and got the usual "call this Microsoft phone # for support". The person was from India, and started to tell him the usual, and once he had BitLocker set up, he switched to demanding $2,800 to save his computer. This computer has no valuable information on it, and will just be wiped and a clean OS installed. But I have been given time to see if I can unlock the system, for future knowledge against this type of scammer. Any information is greatly appreciated.
0
I want to back up my machine using Acronis. But it says it can't back it up until I turn off BitLocker.
When I go to Control Panel --> System and Security --> BitLocker Drive Encryption, it says "BitLocker waiting for activation". There is an icon to "Turn on BitLocker".

Do I have to turn it on before I turn it off?
0
I have a large Windows 10 workgroup with one of the machines sharing files. The user accounts on the local workstations are replicated on the "server", but with different passwords. There are shares set up on the Win 10 "server" and Everyone is given Full Control. The user accounts local to the server are given permissions to the shared folders' ACLs using NTFS. Shares on the "server" are mapped to the local machines using different credentials.
All has been well for a very long time.
Recently, an individual has started getting logon failures that seem to have begun when her password was changed both on her workstation and on the server (this has been done successfully for a couple of others so far); then the mapped drives were disconnected and re-created using the new, different credentials.
The first time the errors started occurring, I verified settings on the server, went to the workstation, and repeated the process carefully: drives mapped correctly, restarted the machine, logged on to see drive mappings still there, opened a few folders on each drive, and then checked the security logs on the "server" again. SUCCESS all around. TGIF!
Then comes Monday, and the Security log is inundated again.
I've gone through this scenario twice. The user involved is able to access files on the share, but at very slow speeds.
The Event ID is 4625, and the logon is incrementing the source port by one in each successive attempt.
I have Webroot monitoring the machines, so I …
0
I've been using the Windows 7 "system imaging" in both Windows 7 and Windows 10. I've been successful restoring images, but I don't feel it's 100% reliable. I recall that I've used it about 25 times and it failed miserably two or three times.

The other day I had to replace a failed drive with a new SSD and then restore a system image that I created about three months earlier. The restore failed. The restore process saw the image and started the preparation to image the replacement drive, and it failed with a number of errors that I did not document. I tried this three different ways. First, I booted from a system repair disk; the second time with the actual Windows 7 media; and the third time, I actually installed a base Windows 7 operating system and attempted to restore the image, to no avail. I ended up having to totally rebuild the PC and restore the data from backup.

- I believe that the Windows 7 system image is a "byte by byte" image and not a "sector by sector" image which means, if I'm installing a new SSD to replace the hard drive, the SSD needs to be equal or larger in size

I'm not a big fan of Acronis, mainly because of the many different versions to purchase, and the install is quite large. Maybe down the road I'll practice more with it to become more familiar with it.

So my question is
- is the Macrium Reflect 7 free version more reliable than the Windows 7 system imaging version?
Read good things about this product. I know that it performs sector by …
0
Hi Experts!

Being overly cautious here and wanted your opinion. I received the following (ransom) email below and thought it was suspicious. From what I can find on the web this looks like a phishing attempt (somehow they have gotten hold of my email and an old password from somewhere). On my desktops and laptops we have the paid versions of Avast Premium Security and Malwarebytes. Both are scheduled to run daily, and Windows Update is always on. We primarily use Google, which self-updates. My email account has had MFA enabled for a while, so I know this person cannot access my email?

After getting the email I manually scanned the desktops and laptops with Avast and Malwarebytes. Nothing found. Downloaded and ran Spybot Search & Destroy and nothing bad found.

My thought that this is a phishing attempt is because, if you have control over my computer, why don't you lock it and demand payment instead of sending this email?

Here's the email:

Recorded You <recordedyouXXXX@XXXXX.com>
To:
myEmail@yahoo.com

Nov 18 at 1:30 AM

Hey, I know your password is: HeknowsMyPassword

Your computer was infected with my malware, RAT (Remote Administration Tool), your browser wasn't updated / patched, in such case it's enough to just visit some website where my iframe is placed to get automatically infected, if you want to find out more - Google: "Drive-by exploit".

My malware gave me
0
Hi All,

We use a WatchGuard Firebox as our firewall. In the last couple of days it has detected and blocked a relatively high (for us, 100 hits) amount of activity it labels as MASSCAN Activity. I have traced this back to a handful of IP addresses. These tried to attack a couple of our web servers that we have to publish on the internet. Only ports 80 and 443 are open on these connections.

Is there anything I can or need to do to help stop this activity, or is it one of those things I have to live with as long as WatchGuard is blocking it?

Cheers,
Paul
0
I want to create an image from a laptop hard drive that contains Windows 10.
I encountered a situation where, when I start WinPE and want to use Acronis backup, for some reason I can't see any HDD...
Tried changing BIOS legacy/UEFI and Secure Boot; nothing helped.

Any ideas?
0
Greetings,

We have software called IQware that is installed in a classroom of our school. It uses a local database configured in SQL Management Studio 2008.

All the machines in that classroom use an image created by Acronis, and the machines are also by default in a frozen state using Deep Freeze.

That being said, the issue we have is that on one of the computers IQware was not launching at all, so I restarted the machine hoping Deep Freeze would fix the problem, but no luck.

The support team of IQware couldn't help because they don't support SQL, so I decided to reimage the machine, and once done IQware worked.

After updating the machine and a couple of reboots, IQware was still working. So I renamed the machine and restarted again to apply the change.

After the reboot, I get the message "Your database version number UKnown.UKnown.UKnown.UKnown is older than you application version number" and IQware doesn't work anymore.

So I renamed the machine with the name it had after reimaging it and IQware works!!

I am not an SQL expert so I am wondering why changing a name of a machine can give this issue?

I am attaching 3 files:

2 showing that the database is accessible and one with the error message.

Cheers,

Richard
0
We are having loads of trouble configuring a site-to-site VPN with a pair of WatchGuard T35 firewalls.
Neither is configured much beyond the initial setup wizard.
The current site-to-site VPN is stock from the VPN configuration guide from WatchGuard.

We tried a number of different configs, but have currently deleted them to restart fresh.
Also, we are trying to set the connection to initiate from SiteB to SiteA just to limit randomness, but can set bidirectional or SiteA to SiteB as initiator. Doesn't really matter to us.

My theories may be off, so I'll just throw out the logs from each to see what you may think is happening.

Thank you in advance.


Site A
*** WG Diagnostic Report for Gateway "AA-to-TC-Gateway" ***
Created On: Tue Oct 29 09:22:49 2019

[Conclusion]
	Error Messages for Gateway Endpoint #1(name "AA-to-TC-Gateway")
		        Oct 29 09:22:35 2019 ERROR  0x02030015 Message retry timeout. Check the connection between local and remote gateway endpoints.


[Gateway Summary]
	Gateway "AA-to-TC-Gateway" contains "1" gateway endpoint(s). IKE Version is IKEv1.
	  Gateway Endpoint #1 (name "AA-to-TC-Gateway") Enabled
		Mode: Main
		PFS: Disabled 	AlwaysUp: Disabled
		DPD: Enabled 	Keepalive: Disabled
		Local ID<->Remote ID: {IP_ADDR(A.A.A.A) <-> IP_ADDR(B.B.B.B)}
		Local GW_IP<->Remote GW_IP: {A.A.A.A <-> B.B.B.B}
		Outgoing Interface: eth0 (ifIndex=4)
			ifMark=0x10000
			linkStatus=0 (0:unknown, 1:down, 2:up)
		Stored user messages:
		        


0
Hi, I'm using the Quarantine feature from WatchGuard, and this creates a Quarantine website users can log onto. But the problem is that it's an intranet server and as such doesn't have an 'official' SSL certificate. I tried to create a self-signed one etc., but I keep on failing... Could someone please give me step-by-step instructions on how to create a self-signed certificate and attach it to that website so that the browsers won't throw their security warnings anymore? Thanks!
0
We have an old laptop that has Windows 7 and some very specific software that our finance dept uses. We no longer have access to this software, which was created by a company that is no longer in business. Users typically remote into this machine to run this software, which requires SOAP UI Utilities and Office 2003 to work. We would like to clone this PC onto another similar PC so more than one person can access this software and perform the same function. All that being said, can we clone the hard drive of that laptop onto another laptop (does it have to be the same make and model?) so we can have an exact duplicate of that system? I was thinking about using Clonezilla.
0
I have a question about ransomware. If my computer's C: drive is already encrypted, is it still possible for ransomware to hold my computer hostage by encrypting files? If we have Office 365 and all the files are also backed up to the cloud through OneDrive, doesn't that also create a level of protection?
0
Hi All,

We use WatchGuard as our firewall and have Dimension set up for reporting. What is the easiest way to find out, and possibly monitor, all users that have some form of file transfer, either FTP or web/app based such as Dropbox etc.?

Can this be done / how best to view this info or set this up?

Cheers,
Paul
0
We install Acronis for customers, and we have recently begun to set it up where they have two external hard drives, swapping them out each week so one of the drives cannot possibly be exposed to ransomware.

But last week an IT guy told me that is a bad plan, and that instead I need to switch over to Backup Exec because it creates image files that have no filename and thus cannot be viewed in Windows explorer--and thus can't be corrupted by a ransomware virus either--and that only the Backup Exec software can access them.

Is this correct?  If so, is this a feature exclusive to Backup Exec that I cannot get using Acronis on local hard drives?  I can't make any sense of the volumes of info on the Veritas website, so I'm hoping someone here has experience with all this so you can elaborate on the details and options.  TIA
0
I have two WatchGuard M270s configured in a FireCluster.

Interface 0 is the External interface configured with a /28 block.
Interface 1 is the LAN

We have consumed all of our IPs, so I ordered another /28 block from our datacenter today. As soon as I configure Interface 2 for our new IP block, outbound traffic for the most part ceases to work on our network; however, some things do work, so we'll call it intermittent. As an example, I can ping out to 4.2.2.2 but can't ping 8.8.8.8. As soon as I disable Interface 2, which is configured for the new IP block, I am able to ping 8.8.8.8 again.

I'm assuming this is because we now have 2 WAN interfaces configured and outbound traffic doesn't know which interface it should be sending traffic out on but I couldn't be sure. I've made 4 calls to Watchguard support and nobody can identify the problem. I even had our datacenter issue us a different IP block just to rule out any kind of odd conflict but the problem persists with a new IP block.

Am I going about this all wrong trying to have two IP blocks configured on our WatchGuard? Is the better solution to just order a bigger block of IPs and re-IP everything? I was trying to avoid that hassle by just adding an additional block of IP addresses, but it seems that what I'm trying to do here isn't working.

I would appreciate any advice or input that someone could give on this. Thank you!!
0
Hello,


I have a server infected by ransomware, and SYSVOL, including scripts, was encrypted, with file names like:

gpt.ini.id-96EA6CAA.[backdata@qq.com].qwex

I don't have good system state backup at all.

My question: is it possible to create new policies for:

Default Domain Controllers Policy
Default Domain Policy

Is it OK for me to set the policies as long as users and security on AD are still there, because our AD syncs to Azure AD?

Thank You Very Much
0