Ransomware (Sponsored by Webroot)
70 Solutions
192 Contributors

Ransomware is malicious software, designed to block data access in order to extort money. As a form of malware, ransomware is most often used to infiltrate devices through infected emails or links that, in turn, recognize and take advantage of vulnerabilities in the operating system and installed third-party software.

This question may not make sense at all, but I would like to still give it a go:

What are the risks to our EMC VMAX SAN from ransomware, and how are the attacks/infections likely to occur?

Our MS Exchange's huge partitions are on the SAN, as well as our servers' database & application partitions. Our PCs/laptops don't use the SAN.

I can see that the largest amount of malware & ransomware being blocked is via our emails (in thousands or tens of thousands monthly), compared to only a hundred or less being blocked by endpoint AV & proxy: so how does this translate to our SAN?

A very unique question from our management.

So how do we mitigate ransomware risks to the SAN? Just by endpoint AV & our email filtering (we use Proofpoint, which reported tons of ransomware & ransomware downloaders being blocked monthly)?
0

Hi guys,

I am setting up an Excel password sheet that is protected, with information regarding our domain passwords and switches etc. With the issue of ransomware etc. becoming a grander problem by the day, I am now being asked to not only create these protected password sheets on the network, but also in the cloud with providers like 'LastPass'.

Would you or have you done this and feel safe to put your passwords in a vault in the cloud?

Thanks for helping
Yashy
1
Hello all,
I have many workstations that are similar, and all are on the domain.
They are all infected with a virus, except one.
I would like to clone the good one and overwrite the infected ones, and then run sysprep on that machine. Any ideas what the best software is to do that, or the best advice you can give?
We can worry about the activation later. How long will they work before the activation pops up and blocks users from working?
We are expecting SCCM to get back up and reimage the machines properly in two weeks, so this is just a quick way to get workstations back up and running.
0
I am looking at disabling SMB on all our servers and workstations through a GPO.
Servers are Windows 2012 R2, workstations are Windows 10.

A few questions:
- If you remove this, by design in Windows Features, does it cause authentication issues?
- Referring to the TechNet document, attached: when the registry changes take effect through GPO, what actually happens?

The idea is to eliminate the risk of ransomware attacks on our domain.
0
I am trying to decide whether to disable SMB1 in a few of the domains I manage to protect against WannaCry / Petya copycats.

I have a Windows Server 2012 domain with Windows 7 clients, and I also have an SBS 2011 domain with Windows 10 clients.

I have patched all the clients and servers, so I know my machines are protected against the current outbreaks. Yet most of the advice I am reading still encourages us to disable SMB1 even with the patches installed, perhaps for copycat viruses that may find a way to expose the exploit.

I don't have legacy systems accessing shares, so I don't believe I will have problems there.

What is the view of other people? Should I disable SMB1?

Below is the link I was following to disable it. Is it sufficient to set up the GPOs to disable the SMB client and server on all domain clients and servers?
https://support.microsoft.com/en-gb/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows
0
I've been researching these recent ransomware attacks, but have not found what I'm looking for, maybe because there's so much out there I just haven't gotten to it all. Cutting to the chase ...

I've found that Petya encrypts files with certain file types (of course). Does it retain or change the modification time of the encrypted file?

Does either Petya or WannaCry create ransom message files like CryptoWall's HELP_DECRYPT?

Are there any additional indicator files this malware will create on e.g. a shared NAS storage device (versus simply on the infected computer itself)?

According to what I've read, this variant uses the Windows Management Instrumentation Command-line (WMIC) interface for lateral movement over SMB (Server Message Block) and uses the EternalBlue (MS17-010) exploit. Questions:

Is it possible for a pure Linux system which does use CIFS?

Is it possible for Windows workstation peers to infect each other in a system that does use Samba for file sharing on Linux-hosted Samba mounts?

Is it possible for this malware to infect Linux workstations?

Can anyone provide some references with more details on WannaCry and Petya?

-- more information ...

I found this at https://blog.barracuda.com/2017/06/29/notpetya-both-more-and-less-than-it-seems

A typical NotPetya attack we observed starts its life as an RTF file with a .doc extension attached to an email ... In the RTF attack vector, using a .doc file extension helps ensure that Microsoft …
1
Hi experts,

I've been asked to design it, and present it as to why it needs to be done and implemented. Can someone with experience in this subject advise on how to proceed, what information I need to gather, and what steps/actions need to be taken to secure and protect users/network/workstations from ransomware?
0
Q1:
Is MS Windows AV Defender bundled free with Win 10? Any specific version of Win 10 that it comes free with?

Q2:
Win AV Defender was touted as blocking the execution of Java, VB scripts etc.: does McAfee or Trend Micro do this as well? How does Win AV Defender compare in terms of ransomware protection against other major AV vendors'?

Q3:
Can Win AV Defender coexist, say, with McAfee AV & McAfee HIPS agent?

Q4:
Do we need a separate ePO (just like McAfee) to update Win AV Defender signatures on users' PCs/laptops, or will WSUS do? A few hundred PCs/laptops in our corporate network don't have Internet access.
0
I have a new project which involves demonstrating exactly how ransomware works. I need to set up a virtual machine with some sample data and some variant of ransomware. I need to run a live demonstration which shows what happens on a PC from the initial point of infection all the way to the point where the ransom notice is displayed. Obviously I know this is dangerous and the correct precautions will be in place to ensure that the VM is completely network isolated. Does anyone know how I can do something like this?
0
Just wondering what is the best way to check windows servers to make sure the WannaCry updates are installed?
2

Here's a list of patches I need to install. They're listed as important patches.
What would be the ideal sequence to install them?
patches
0
Hi! I want to ask: where can I get a crypto-ransomware sample for my final year project, and how do I use it? My project is about analyzing the ransomware attack using digital forensic tools. Can you help me?
1
Hi guys,

We've been patching our servers for the WannaCry ransomware issue that occurred. However, I wanted to ask whether SMB also needs to be disabled across VPN links?

The following article from Microsoft mentioned disabling SMB v1. Is this only if you have not installed the patch?

And if you have installed the patch on all servers, let's say you need to access file shares from one site to another. Does disabling SMB prevent you from being able to access network shares?

Thanks
Yashy
0
Experts,

In regards to the WannaCrypt lateral movement, how does it jump from subnet "x" that the victim is on to subnet "y" and subnet "z"?
I read that it enumerates SMB connections from the victim's local subnet, but no mention about how it jumps to other subnets.
Assuming victims on subnets X, Y, Z do not have ANY mapped drives, can it be assumed that there is no way for this malware to propagate out of the subnet that the initial victim is on?
0
I don't want to load enhancements or improvements, just security patches to avoid any malware, etc.
I was told that https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
is the one that's currently most important.
How can I selectively install these and not the other stuff?
0
Does anyone know where I can obtain samples of the wannacry ransomware? I want to test in my lab.
2
What are the best practices to protect a Veeam Cloud Backup Repository from ransomware?
Ransomware infects not only the server, but also the local Veeam backup repository AS WELL AS the offsite replicated backup repository.

The whole point of an offsite backup is that the data is recoverable in the event the local backups have been compromised.
Please advise.
0
Hi experts,
I am planning to purchase Malwarebytes for my company; I will purchase licenses for all PCs and servers.
My question is:
Some servers are running Windows Server 2003.
1- Can I use Malwarebytes on these servers?
2- Any advice to protect these old servers from ransomware?
0
Hi to all of you,
During the last days, while we were all concentrated on the WannaCry ransomware, WikiLeaks released more information/files on the Vault7 arsenal.

I've been asked to check and find samples and/or MD5 hashes of the following CIA tools and frameworks in order to see if our network and clients have been compromised or not.
The tools are:
Archimedes
Assassin
AfterMidnight

To be honest, I'm not sure these tools are already available, but asking doesn't cost.
Thank you
Carlettus
0

Hello Experts, is there any software
or procedure to prevent or reduce attacks by ransomware?
1
So with this new ransomware, I want to see if the appropriate hotfixes are installed, so I have this script to check that, which I found for PA Server Monitor... it takes too long to set up for just one use.

# KB4012598 KB4018466 - Windows Server 2008
# KB4012217 KB4015551 KB4019216 - Windows Server 2012
# KB4012216 KB4015550 KB4019215 - Windows Server 2012 R2
# KB4013429 KB4019472 KB4015217 KB4015438 KB4016635 - Windows Server 2016

# List of all HotFixes containing the patch
$hotfixes = "KB4012598", "KB4018466", "KB4012217", "KB4015551", "KB4019216", "KB4012216", "KB4015550", "KB4019215", "KB4013429", "KB4019472", "KB4015217", "KB4015438", "KB4016635"

# Search for the HotFixes on the monitored computer.
# $mon is the script context object that PA Server Monitor passes in;
# it is not defined outside that product.
$hotfix = Get-HotFix -ComputerName $mon.ComputerName | Where-Object {$hotfixes -contains $_.HotfixID} | Select-Object -Property "HotFixID"

# See if any of the HotFixes was found
if ($hotfix) {
    $mon.FireActions = $false
    $mon.Details = "Found HotFix: " + $hotfix.HotFixID
    # a blank value removes the property
    $mon.SetComputerCustomPropByID(0, "NEEDS-MS17-010-FIX", "")
} else {
    $mon.FireActions = $true
    $mon.Details = "Didn't Find HotFix"
    $mon.SetComputerCustomPropByID(0, "NEEDS-MS17-010-FIX", "YES")
}

I was wondering how I can run it on every machine recursively from the root OU and report back the ones that don't have it. Can someone help me tidy this up so that it works as such?

Thanks in advance
0
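One way to run the same hotfix check across every computer under an OU and report the ones that lack any of the listed KBs, as an added example that is not from the post above or from PA Server Monitor. It assumes the ActiveDirectory module (RSAT) is installed and that Get-HotFix can reach each host remotely; the OU distinguished name and the output path are placeholders.

```powershell
# Added example: audit every enabled computer under an OU for the MS17-010
# hotfixes listed in the post and report hosts where none of them is installed.
# Assumes the ActiveDirectory module and remote reachability for Get-HotFix.

Import-Module ActiveDirectory

$searchBase = "OU=Servers,DC=example,DC=local"   # placeholder OU to adjust
$reportPath = "C:\Temp\ms17-010-missing.csv"     # placeholder output path

# KB list taken from the post; any one of these on a host means MS17-010 is applied
$hotfixes = "KB4012598", "KB4018466", "KB4012217", "KB4015551", "KB4019216",
            "KB4012216", "KB4015550", "KB4019215", "KB4013429", "KB4019472",
            "KB4015217", "KB4015438", "KB4016635"

# -SearchScope Subtree walks the OU recursively; disabled accounts are skipped
$computers = Get-ADComputer -SearchBase $searchBase -SearchScope Subtree `
    -Filter 'Enabled -eq $true' -Properties OperatingSystem

$results = foreach ($c in $computers) {
    $name = if ($c.DNSHostName) { $c.DNSHostName } else { $c.Name }

    # An unreachable host is reported as such, never silently counted as patched
    if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
        [pscustomobject]@{ Computer = $name; OS = $c.OperatingSystem; Status = 'Unreachable'; HotFix = '' }
        continue
    }

    try {
        $found = Get-HotFix -ComputerName $name -ErrorAction Stop |
                 Where-Object { $hotfixes -contains $_.HotFixID }
        if ($found) {
            [pscustomobject]@{ Computer = $name; OS = $c.OperatingSystem; Status = 'Patched'; HotFix = ($found.HotFixID -join ',') }
        } else {
            [pscustomobject]@{ Computer = $name; OS = $c.OperatingSystem; Status = 'MISSING'; HotFix = '' }
        }
    } catch {
        # RPC/WinRM failures land here; keep the message so the host can be retried
        [pscustomobject]@{ Computer = $name; OS = $c.OperatingSystem; Status = "Error: $($_.Exception.Message)"; HotFix = '' }
    }
}

# Full report to CSV, and everything that is not confirmed patched to the console
$results | Export-Csv -Path $reportPath -NoTypeInformation
$results | Where-Object { $_.Status -ne 'Patched' } | Format-Table -AutoSize
```

The KB list is the post's own and dates from 2017; later monthly rollups supersede these packages, so a 'MISSING' result on a host patched after that should be confirmed against the installed rollup rather than read as unpatched. Get-HotFix also only reports updates recorded in Win32_QuickFixEngineering, which is why errors and unreachable hosts are kept as separate statuses instead of being folded into either outcome.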
Does anyone know where I can find the MS patch for SBS 2011 to patch against the WannaCry ransomware?

I know SBS 2011 is based on Server 2008 R2; I tried those, but it tells me it's not for this system.

Many Thanks
1
Yesterday I ran Windows Updates on a Server 2008 R2 SP2 64-bit system. I then wanted to verify that the necessary KB was installed to protect against WannaCry. Here's where I need help! My steps are as follows:

1. Install updates & reboot.
2. From here I checked which KB had the fix for MS17-010 - https://technet.microsoft.com/en-us/library/security/ms17-010.aspx - and it looks like it's KB4012598 (for Server 2008 SP2 64-bit).
3. Next I checked the Microsoft Update Catalog for KB4012598 for Server 2008 64-bit, and under packages it shows that this update was replaced by KB4018466 - https://www.catalog.update.microsoft.com/Search.aspx?q=4012598
4. Back on the server I browsed through the updates but couldn't see either KB. I even ran "systeminfo" from CMD and saved it to a text file, then searched for both KB4018466 and KB4012598, but it's not finding any results.

Where am I going wrong here? Is the update in another KB?
0
Dear Experts,

According to your personal experience would you suggest Malwarebytes Endpoint Protection or Panda Adaptive Defense 360 in order to add an extra layer of protection for such attacks?
0
What is the impact on the business if we fail to install the latest patch?
0