Ransomware

Ransomware is malicious software, designed to block data access in order to extort money. As a form of malware, ransomware is most often used to infiltrate devices through infected emails or links that, in turn, recognize and take advantage of vulnerabilities in the operating system and installed third-party software.

I work as a programmer for a systems integrator for municipal water and wastewater organizations in the Midwest. Lately, we have been faced with multiple instances of ransomware infecting our client computers that are exposed to the internet. The majority of our client computers operate within closed networks that are not accessible from the outside internet, but some of our smaller customers rely on us for day-to-day support. We have been using TeamViewer for this for the last two years. My question is, since these computers are exposed to the internet, what security measures can we take to allow us to connect to the client remotely while securing them against malware, ransomware, etc.? Note: We do not have a dedicated security engineer.
0
My PC recently got infected with ransomware. All of my files were encrypted. Fortunately, I had been planning on wiping the computer and starting over, so there is nothing on the PC that I can't easily replicate. My plan is to run a scan with Malwarebytes, quarantine and delete any infected files, and then reset the computer to factory settings and clean the drives. Is this sufficient, or are there other steps that I need to take to make sure that everything is wiped clean on the PC?
2
Windows 10 Pro, infected with Phobos ransomware.  Files encrypted and probably lost.

BUT, I have the potential of restoring ".ibd" files without, currently, any .frm or ibdata1 files. I currently ONLY have individual .ibd files that are 1 GB each. I have/know the table structure of the original database.

Is there a way I can extract data (customer names, addresses, information, anything) from these .ibd files in any manner that might allow me to recover something?

And, on the off chance, anyone know of any decryption workaround for Phobos - so far it seems too new for anyone to have found a workaround.

Thanks.
0
I'm trying to switch my T480 laptop from a Samsung 2TB 2.5" SSD to a Samsung 2TB PCIe NVMe drive. It supports either, and there's a cassette adapter that I've bought that goes in the 2.5" slot, plus a separate cable. In theory the laptop supports 2 channels of data, which would be a nice little bump.

I'm stuck on step one though of cloning my drive.  I've got several external NVMe adapters and they're recognized fine, but I've been trying to clone with both Acronis and Paragon without luck.  I know they're 2 entirely different types of drives, but I thought it might work.  I really don't want to start from raw Windows and work my way up.

Is there anyone that's done something like this?  Is there a different product that will clone cross drives like this?  Are these products fine, but I have to use some entirely different technique?
0
Hi, I have installed Skype on our network for a select few users to communicate with a partner company.

Users can login and communicate but are unable to share their screens.

We do run the WatchGuard web blocking system, and I wonder if Skype is being blocked just for sharing of the screen.

Has anyone got experience of this issue and could possibly offer some advice?

thanks
0
Anyone have experience with Phobos ransomware? According to the time stamps, Phobos took control of a client PC last night around 8:15 PM and finished encrypting the entire system and backups by 8:46 PM. The backups are 58 GB each x 7 copies (the drives alternate daily). Restored from the other drive without issue, but wondering if I could decrypt the files that are lost from yesterday? I have tried the Dharma decryption tool so far.
0
Hello

I have been tasked with trying to recover data from a legacy server, win2003/mysql5.4. The server file system has been damaged by ransomware, specifically Dragon4444, possibly MBR and/or individual file damage.

So I am guessing it's more of a data recovery job. If it proves possible to recover files from the mysql directory, does anyone know of a way to attempt to restore even the text contents? Structure if possible. Or try to reconstruct on a spare machine?

All passwords available.

thanks in advance
0
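Both the Phobos post above (intact .ibd files, no .frm or ibdata1, table structure known) and the Dragon4444 post (MySQL directory on a ransomware-damaged file system) come down to the same question: can anything be read out of raw InnoDB tablespace files? The script below is an added example, not code from either poster; it walks a tablespace page by page, checks each FIL page header (page number, page type 0x45BF = B-tree node, PAGE_LEVEL 0 = leaf), and carves printable strings from the user-record area of pages that pass the check. Pages that fail the check, which is what an encrypted or overwritten page looks like, are reported as skipped instead of being mined for garbage. Assumptions: the default 16 KiB innodb_page_size, and COMPACT/DYNAMIC row format (user records start after the 26-byte infimum/supremum block at offset 120). The sample tablespace built by build_sample_ibd() is constructed inline for the example, with invented customer rows.

```python
"""Carve readable strings out of InnoDB .ibd pages that survived a ransomware hit.

Assumptions (example code, not from the original posts):
  * default 16 KiB page size (innodb_page_size=16k); pass page_size for others
  * COMPACT/DYNAMIC row format, so user records start after the 26-byte
    infimum/supremum block at offset 120
Pages whose FIL header does not check out (wrong page number, wrong type, or
not a leaf) are reported as skipped rather than parsed; that is what an
encrypted or zeroed page looks like.
"""
import re
import struct

FIL_PAGE_OFFSET = 4          # 4-byte page number, big-endian
FIL_PAGE_TYPE = 24           # 2-byte page type
FIL_PAGE_INDEX = 0x45BF      # 17855: B-tree node page
PAGE_LEVEL = 38 + 26         # PAGE_HEADER.PAGE_LEVEL; 0 means leaf page
USER_RECORDS_START = 120     # 38 FIL hdr + 36 page hdr + 20 fseg hdr + 26 infimum/supremum
FIL_TRAILER_SIZE = 8         # checksum + low 32 bits of LSN at the end of every page
MIN_RUN = 4                  # shortest printable run worth reporting

_PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_RUN)


def page_is_intact_leaf(page_no, page):
    """True if the page header says: B-tree leaf page, numbered as expected."""
    page_type, = struct.unpack_from(">H", page, FIL_PAGE_TYPE)
    stored_no, = struct.unpack_from(">I", page, FIL_PAGE_OFFSET)
    level, = struct.unpack_from(">H", page, PAGE_LEVEL)
    return page_type == FIL_PAGE_INDEX and stored_no == page_no and level == 0


def carve_strings(data, page_size=16384):
    """Return ([(page_no, text), ...], [skipped_page_no, ...])."""
    found, skipped = [], []
    for page_no in range(len(data) // page_size):
        page = data[page_no * page_size:(page_no + 1) * page_size]
        if not page_is_intact_leaf(page_no, page):
            skipped.append(page_no)
            continue
        # user records live between the system records and the page trailer
        body = page[USER_RECORDS_START:page_size - FIL_TRAILER_SIZE]
        found.extend((page_no, m.group().decode("ascii"))
                     for m in _PRINTABLE.finditer(body))
    return found, skipped


def carve_file(path, page_size=16384):
    """Convenience wrapper: carve a .ibd file from disk."""
    with open(path, "rb") as fh:
        return carve_strings(fh.read(), page_size)


def build_sample_ibd(page_size=16384):
    """Constructed 3-page tablespace: FSP header, one leaf page with two rows, one wrecked page."""
    p0 = bytearray(page_size)                      # page 0: FSP_HDR (type 8), no user data
    struct.pack_into(">I", p0, FIL_PAGE_OFFSET, 0)
    struct.pack_into(">H", p0, FIL_PAGE_TYPE, 8)

    p1 = bytearray(page_size)                      # page 1: leaf index page
    struct.pack_into(">I", p1, FIL_PAGE_OFFSET, 1)
    struct.pack_into(">H", p1, FIL_PAGE_TYPE, FIL_PAGE_INDEX)
    struct.pack_into(">H", p1, PAGE_LEVEL, 0)
    # infimum/supremum system records (5-byte record header + 8-byte name each)
    p1[94:120] = b"\x01\x00\x02\x00\x1cinfimum\x00" + b"\x03\x00\x0b\x00\x00supremum"
    # two invented customer rows: 4-byte id followed by NUL-separated varchar columns
    rows = (b"\x00\x00\x00\x01Alice Example\x001 Main St, Springfield\x00"
            b"\x00\x00\x00\x02Bob Example\x0042 Water Way, Riverton\x00")
    p1[USER_RECORDS_START:USER_RECORDS_START + len(rows)] = rows

    p2 = bytes(range(256)) * (page_size // 256)    # page 2: junk, stand-in for an encrypted page
    return bytes(p0 + p1) + p2


if __name__ == "__main__":
    strings, skipped = carve_strings(build_sample_ibd())
    print("skipped pages:", skipped)
    for page_no, text in strings:
        print(f"page {page_no}: {text}")
```

Carving only gets you the text columns, not the schema, so it is the fallback. If a .ibd file is actually intact and the table definition is known, the cleaner route on MySQL 5.6 or later is to create the table with the original definition, run ALTER TABLE ... DISCARD TABLESPACE, copy the surviving .ibd into place, and run ALTER TABLE ... IMPORT TABLESPACE; run the carver first on a copy to confirm the file still holds valid pages before spending time on that.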
My network was recently attacked by a ransomware virus, and it attacked my SQL server. I have backups of the data from last weekend, but I do not have a backup of the OS. I am trying to run a backup on the server to back up the data that has changed since the last backup last week, and I am getting the error below. How can I fix this error so I can back up my databases and migrate them to a new SQL server? I probably should have started this migration on Monday and built a new SQL server, then restored the data that was backed up over the weekend, but the server was still running and the data was accessible, so it was a business decision to continue to use the system while I attended to all the systems that were affected.

Here is the error I am getting.

Executed as user: SHAMROCK\sqlagent. Microsoft (R) SQL Server Execute Package Utility  Version 11.0.7462.6 for 64-bit  Copyright (C) Microsoft Corporation. All rights reserved.  
 Started:  11:00:00 PM  Error: 2019-04-25 23:00:00.76     Code: 0xC0024104     Source: {ED043815-3F10-491D-89BF-67B7B519040F}      Description: The Execute method on the task returned error code 0x80131621 (Mixed mode assembly is built against version 'v2.0.50727' of the runtime and cannot be loaded in the 4.0 runtime without additional configuration information.). The Execute method must succeed, and indicate the result using an "out" parameter.  End Error  Warning: 2019-04-25 23:00:00.76     Code: 0x80019002     Source: OnPreExecute      …
0
Well, my worst nightmare has come true and my network was hit with ransomware. I don't know where it started or what variant it is. I have Trend Micro on my network, which I thought would protect me, but alas it did not. I have reached out to Trend to help me with this issue, but they were no help at all. Looks like I am going to another AV solution. Suggestions?

Anyway, I am here asking if anyone has encountered this issue before and what steps they took to recover files and rebuild their network. Right now my SQL server and Exchange server are running, but for how long? I have connected to those servers and the desktop files all look encrypted, so my fear is that if I restart these servers they will get fully encrypted, but I can't let them sit in the state they are in now. I really don't know what to do or where to start. I have been going one by one to machines and correcting/reinstalling the applications, but to what end, if the ransomware is still on the network? Which it still is, because a user came in stating his desktop icons are turning into encrypted files. This seems to be only affecting Windows 7 and below as well as servers, but my system, a Windows 10 machine, is not having issues.

What to do and where to start?
0
OK, so, odd situation. Have right now 2 Exchange servers. One went down last week and I wasn't able to rebuild the CAS part; worked with Microsoft support to get a new Exchange server up and migrated mailboxes. Last night the new Exchange server and a couple of other servers got hit with ransomware. Encrypted everything with an ETH extension. Backup server repository is corrupted; basically the worst scenario ever. However, the old Exchange server is intact from the ransomware and still has the original DBs on it. I opened them with Kernel and can see everything. Is it possible to create a new Exchange server and copy those databases over? As in, connect in VMware the drives with the databases on them and mount them in the new Exchange server? Or would I be able to copy/paste all the files in the install directory of the old into the new, overwriting the corrupted ones?
0
I tried to use Acronis Universal Restore to restore a backup to a different computer. I keep getting the request to provide the following file:

PCI\VEN_8086&DEV_1C26&SUBSYS_04EE1028&REV_05 for Windows 7

I have the original Dell device drivers and utilities resource media, but it does not appear to be there. Restore does not proceed without this file. Where do I find it?
0
Hi
I have an HP Stream 11 Pro G4 EE and I have installed our volume license copy of Windows 10 on the laptop.
I would like to take an image of the laptop and push the same image to other HP Stream 11 Pro G4 EE laptops. I have taken the image of the laptop and now I want to create bootable recovery media using a USB stick.
I installed "Paragon Backup and Recovery 16 Free" on the laptop. When I click Home - Recovery Media Builder - Welcome to Recovery Media Builder Wizard, it gives 2 options:
1) Advanced mode
2) Use ADK/WAIK
I choose the second option, click Next, and for the recovery media format I choose USB flash drive.
It took the default location of the WAIK:
C:\Program Files (x86)\Windows Kits\10\ and when I click Next it says "WAIK/ADK path does not seem to be valid. Please specify a valid WAIK/ADK path."
The WAIK for this particular Windows 10 build has already been installed on the laptop, and I am not sure why it is saying "WAIK/ADK path does not seem to be valid".
Please help with what the problem could be, and suggest if there is any other way of taking an image and installing it on other similar laptops.

Thanks in advance
0
I was planning to create Windows PE boot media and add Windows OS, Ubuntu, Android and Acronis ISOs for installation from USB.

Which is the best USB multiboot tool to do that? And I also want to load PC technician utilities on the Win PE USB boot disk.

Also, what about the Microsoft Windows PE boot builder? Is it easy to create a PE boot disk using their AIK kit?
0
Hi All,

We are looking at a way to control and monitor our internet usage. What we require is a way to block certain sites, such as porn, but also to notify when other site categories are accessed. We use a WatchGuard firewall with WebBlocker, which is applied to an HTTP proxy. We can set up an HTTPS proxy and apply WebBlocker; however, this will require a certificate to be installed at the client to work. No real biggie for our domain users. However, we have a number of third-party users that bring their own devices at a different physical location, so it will be very difficult to install the certificate / manage these devices, as there is a high turnover of people / devices.

What is the best way to manage this? If via the firewall, how best to manage the third-party devices / certificate install? Internet proxy? If so, any recommendations? For the third-party devices, the access point is Meraki; can the above be achieved via the AP?

Thanks for your help
Paul
0
I am in the process of changing out a file server. It is the only server on the network.
Access to the internet is through a WatchGuard XTM 25 appliance.
The domain name is the same, but the DNS has changed. The WatchGuard provided an internet connection for a few minutes, and now there is no internet connection. I can remote into the network with the WatchGuard SSL VPN utility and access the computers.

Any thoughts on why I cannot access the internet from behind the WatchGuard appliance?

The old server was 2008 R2 and the new server is 2016 Standard.
0
Does anyone know of a tool that can successfully remove EMOTET?
0
In Win 7 & Win 2008 R2, I used to see/use the Bare Metal backup, with which I
can restore everything in the event the entire OS or file system got corrupted.

Where can I find it in Win10 (or Win2016)? I can't seem to locate it;
any screenshots will be appreciated.

If the feature is deprecated (I think I saw somewhere that starting with Win10 Ver 1709
it'll be deprecated??), I'd appreciate any portable freeware that
could do bare metal backups for Win10.
0
Greetings,

Unfortunately, I recently had to deal with a ransomware attack at a client. It was the W32 CoinMiner Trojan. The virus infected a new Windows 2016-based Parallels RAS server I was preparing for rollout, and it used that server as a launch point to attack and encrypt files in every non-hidden share across the network. A couple of servers were heavily infected beyond repair. Luckily I employ Veeam Backup & Replication for the client and was able to restore the infected servers to a clean state from the previous night. Bi-hourly replication jobs using Veeam of the main data file servers allowed me to recover data to within a 2-hour recovery period. The network is a VMware ESXi 5.5-based environment that uses 2 physical hosts: a primary host which contains the main operating servers, and a 2nd host which operates as the replication target. Veeam 9.x is used to regularly replicate the main data servers from the primary host to the replication host.

My question is how to best protect against this type of attack going forward. I had in place at the client an access control policy implemented via McAfee VirusScan Enterprise 8.8's Access Protection. I used McAfee's Access Protection options to create a number of custom access control rules, by which only legitimate applications, e.g. winword.exe, adobe.exe, iexplore.exe, excel.exe, are allowed to write to the most common types of data files on the network. This is in place on all PCs and …
1
My old PC, on which I have crucial apps and configuration: I want to image that drive and add it to a new desktop model. I used Acronis Disk Copy, and it boots, but once it reaches the Windows 7 flag it reboots and says Startup Repair. Any suggestions, please?
2
Hello, I am in the process of implementing Acronis Snap Deploy in my environment and am wondering what other experts have done for version control of their master/base images?
0
Hello,
is there any open source or free anti-ransomware for Windows Server and Windows 10, 8, 7?
Thanks.
0
1) How do I completely uninstall/delete Acronis True Image 2019 from macOS High Sierra, then reinstall Acronis True Image 2019 pointing to new drives?

2) My goal is to delete all backups from Acronis True Image and rebuild to backup to new attached/online drives.

I will settle for 1) if 2) is not feasible.
0
Here is a sample of the notifications Webroot sends:

Threat List:
MYINBOXHELPER-11554925[1].EXE, W32.Adware.Gen, %appdata%\microsoft\windows\inetcache\low\ie\r0wen413\, https://snup.webrootcloudav.com/SkyStoreFileUploader/upload.aspx?MD5=1A45B3AE41C8DDD1F82FFB1B46ED57B9 1A45B3AE41C8DDD1F82FFB1B46ED57B9,

Does anyone have any idea how to translate that to a name and a payload with a little more information about it? I gotta tell ya... Webroot support really sucks....
0
Hi All,

I am using an XTM 25/26 WatchGuard firewall in the company, and many of the remote users are connected through Mobile SSL VPN. Everything was working fine with no issues, and last after an internet connectivity breakdown and restoration, no one is able to log in using Mobile SSL VPN.

I have checked everything but couldn't understand the issue. Can anyone help me with this?

A few points:

1. Firewall OS is not upgraded.
2. No new rules are created.
3. Reinstalled SSL client software, created a new user with a new password. Can log in to the SSL web page (https://Firewall IP/sslvpn.html) and am able to download fresh software. Deactivated and reactivated Mobile SSL VPN.
4. Internal network 192.168.1.0/24, virtual address pool 192.168.111.0/24.

Here is the diagnosis report.

2019-01-23 10:43:32 sslvpn sslvpn_event, add entry, entry->virtual_ip=0.0.0.0, entry->real_ip=192.168.1.88, dropin_mode=0
2019-01-23 10:43:32 sslvpn Mobile VPN with SSL user Mitul logged in. Virtual IP address is 0.0.0.0. Real IP address is 192.168.1.88.
2019-01-23 10:43:35 sslvpn Entered in sslvpn_takeaddr
2019-01-23 10:43:35 sslvpn Arguments which needs to be sent:openvpn_add 0 1548200615 0
2019-01-23 10:43:35 sslvpn Going to open wgipc:
2019-01-23 10:43:35 sslvpn assign ip address, rip=c0a86f02, lip=0, common_name=0
2019-01-23 10:43:35 sslvpn Sending Data by wgipc to sslvpn_takeaddr is Success,Buffer:192.168.111.2:0.0.0.0:0
2019-01-23 10:43:35 sslvpn Success,Sending Data to …
0
I inherited a client that had a loose security environment, and that turned into a ransomware attack. Things have been weird ever since. One of the weird situations is us finding ports 443 and 80 open and forwarded to our jump box. We deleted those ports, or so we thought, because they popped up again. We chalked it up to maybe not applying the setting, so maybe it didn't get saved. However, the client reported internet issues that felt like someone did a loopback in the network. Then I looked at the router and found these ports open again with a loopback comment. We changed the password of the router last time. We are really at a loss as to why we are being haunted by this issue. Any thoughts? Two-factor authentication does not come out for SonicWall until later in the year. We are setting up LDAP tomorrow and VLAN segmentation on the 20th for some additional protection, but we are still unclear how this individual is lurking.
0