Ransomware

210

Solutions

506

Contributors

Ransomware is malicious software, designed to block data access in order to extort money. As a form of malware, ransomware is most often used to infiltrate devices through infected emails or links that, in turn, recognize and take advantage of vulnerabilities in the operating system and installed third-party software.


Good day-
I'm attempting to port forward inbound requests on port 80 to internal port 16000 for viewing of a DVR camera system. Can someone guide me through Policy Manager? I'm not understanding the KB from WatchGuard.

Best,
Craig
0
I was wondering where can I find a zoo/repository to download large number of ransomware samples, in order to statically analyse them?
0
I have files infected with .rapid extension... need a solution.
0
We have several locations. Each location has several DNS servers, all replicating to each other. In DNS we have several Conditional Forwarders. At all locations except one I can ping and RDP into any of the servers in the Conditional Forwarders list. However, in one of the locations I am unable to ping any of the Conditional Forwarder IPs. All locations are connected using a WatchGuard firewall using a VPN. When I do a tracert from the location that is unable to get to any of the Conditional Forwarder locations, it goes to the local DNS server, then out to the local ISP DNS server. I have been reading and searching for articles that might help; however, I am unable to find a solution.
0
https://belkasoft.com/baas/en/steps   :
"...until very recently, this additional evidence was often discarded. Approaching running computers with a “pull-the-plug” attitude used to be a standard practice,.."

Q1:
The link/line above seems to indicate that we should not unplug a compromised PC, or not power off a compromised PC?

Q2:
If we want to see the network IOCs using Sysinternals TCPView, I guess we should not disconnect the network at all?

Q3:
Or still disconnect the compromised PC from the network (to stop further re-infections, data being maliciously copied out, or call-backs) but don't power it off; just disconnect it from the network?

Q4:
In our environment, USB ports are all disabled using DLP products (not via the registry), except for a few rare exceptions for business purposes on isolated PCs. So if we disconnect a compromised PC from the LAN, the DLP consoles can't be used to re-enable USB for us to copy forensic tools to the compromised PC. However, speed is of the essence when disconnecting an infected PC (we have had a few ransomware cases) from the network, so there's no time to use the DLP consoles to enable USB. So how do we still copy the forensic tools onto the PCs? I assume that if we use DLP consoles to access the infected PCs, the DLP console may be at risk, or am I being paranoid?

Q5:
Someone suggested that the forensic tools should always be pre-deployed to all PCs & servers to overcome the issue in Q4 above, i.e. place a copy in …
0
Dear All,

A friend of mine's company server got hijacked by embassy@scryptmail.com using Disk-crypt. After much negotiation we got the codes (price reduced from £4000 to £300), so the laptops have all been decrypted. The Dell server, using a RAID 1 mirror on a PERC S300 controller, hasn't been straightforward; eventually I worked out that I had to boot from an alternate SSD with the driver and an SMB Server 2011 etc. I've now decrypted the drives, even though the server boot BSODs (will sort that later), but does anyone know how to remove the password demand at boot from the MBR, please?

Regards
D
0
What are some basic steps I could take to ensure our network is secure from outside intrusion? We have a SonicWall and Sophos antivirus, but what other things can I do to make our network less apt to be attacked? What holes can I test and plug?
0
Popped up on the PC & server of a new client this morning; looks like both are encrypted. I checked with a live Linux USB stick, but the HDD reports unformatted.

Any clues other than paying these crooks?

embassy@scryptmail.com

Regards,
Fixtec
0
We have Trend Micro in our network. After looking at several audit failure logs on the Windows domain server, we ran a scan and couldn't find anything.

After running scan by malwarebytes we found several issues and cleaned up. This appears to have helped with malwarebytes.

Can we do away with Trend Micro and just have Malwarebytes, or do we need both Malwarebytes and Trend Micro?
1
I am currently experiencing an annoying VPN issue.

I have a WatchGuard M300 cluster based in datacentre 2 which has an existing site-to-site VPN to datacentre 1.

The same customer has a satellite office with a WatchGuard XTM33 that has a site-to-site VPN to datacentre 1. The satellite office is double NATing, with an external IP in a 1-to-1 NAT direct through to a private IP range that is the external interface on this WatchGuard.

Datacentre 1 will be turned off soon, so I need to connect the satellite office to datacentre 2. However, when I set it up I get a timeout error on the datacentre 2 side (it's like it cannot even see the external interface, never mind start negotiating) and the satellite side doesn't even attempt to start the VPN. I have checked all of the settings; all traffic is definitely being passed through the satellite office's provider interface and other services are working. As there is a VPN in place and working on both sides I cannot understand why the issue exists, but it seems buggy. The firmware on the satellite WatchGuard is old; it's the only thing I can think to change. Or it's the 1-to-1 NAT; never had an issue before, but it's a question mark.
0
I need a decryptor for the *.rapid ransomware. This ransomware has manifested itself on administrative files for a school. I don't know if anyone has been able to find a solution for this at this time.
0
We had a user whose laptop was infected with ransomware, and that led me to look into the solution to it, and our backup system.
Fortunately, he was not connected to the company network, so the files were only locked in his laptop.
The free ransomware removal tools from Trend Micro and someone else did not work.

1. What is the best removal tool?

I am looking into Sophos. They have Enterprise Malware Removal Tool that can take care of Ransomware. We use their anti-virus software, so theirs caught my eye.

2. What is the best backup strategy?

I had an IT admin friend, and his system got infected. He spent $30K to get his files back from the servers, and what was interesting was that the ransomware did not manifest itself right away. It was like 2 or 3 days later.
Right now, my servers are backed up fully every night to a USB drive. I have only 3 servers. No incremental or differential. I'd like to know how people back up a couple of terabytes of data these days. Tape systems were used in the past, and each day, manually or automatically, different tapes were used. Do people do this even in 2018? I only used it 10 years ago.

https://www.amazon.com/EX4100-Expert-Network-Attached-Storage/dp/B00TB8XN2E
These can have multiple full backups, and each time are they totally offline from each other? I hear that ransomware can go into other resources on the same LAN. Then I need a backup system that can back up multiple generations (like daily), and they need to be completely …
0
We have a WatchGuard M400. The firewall is blocking EXE downloads. I want to allow only the help desk to be able to download EXEs, drivers, etc. How can I do this?

thanks
0
We have a DAG with 3 Exchange servers. This morning one server was affected by ransomware, and we shut down the server immediately and are not going to turn on the server again.

Now what do we need to do?

Case 1: Do we need to build the new server again and install Exchange on it? After that we will try to remove the old server? If this is the best approach, can you please let us know the best method to remove the server from the DAG and then from the Exchange environment?

Case 2: Can we restore the server from a snapshot or from backup software? Is it fine to restore the server from backup in a DAG environment? I have heard or read somewhere that restoring a server from a snapshot can be catastrophic. Please comment.
0
I inherited a Class B network years ago and am just now wanting to do a major overhaul. Currently the LAN network is 10.1.0.0/16. It is currently just a flat network with servers and clients dispersed throughout. I want to segment the network into the following categories: Servers (25 ea. now), Workstations (100 ea. now), Printers (30 ea. now), Utility devices (20 ea. now). All of our wireless clients are connected on the outside of the firewall and are outside the scope of this question. Our firewall is a WatchGuard device.

Should I rework the IP address scheme? If so, can someone lay out an example of what I should do?

thanks!
Lance
0
I am putting together some phone equipment and servers in a datacenter cabinet. The datacenter is providing us a redundant router connection using HSRP. The cabinet has two Ethernet cables: primary and secondary.

We need external routable addresses for each of the two border controllers for the phone system.  They have a WAN port and a LAN port so they can have an external (outside the firewall) connection and also have a local IP address in the same subnet as the servers in the cabinet.

We are trying not to purchase another $2000 Cisco switch for the setup to accept the 2 Ethernet connections.

We have a WatchGuard M370 firewall device with several ports that can be configured in many ways.

We have two layer 2 switches available in the cabinet for use outside and/or inside the firewall. It is a layer 3 device.

I need help in the configuration of this system.

One suggestion was to take the two datacenter network cables and plug them into a standard Layer 2 switch, then patch that switch into an external interface on the firewall. After so many attempts I am trying to remember, but I think the path to the internet was broken when BOTH router cables were plugged into that switch. I am going back to the datacenter tomorrow to try more things, but I wanted to get some input from you guys first. I have the datacenter IP sheet where they provide me the configuration info, but didn't want to post live addresses on this site. Basically they gave me a /29 subnet and …
0
Hello,

I have been infected by some ransomware I don't know.

The attached file is the readme file with the instructions to decrypt the files. Does anyone know the ransomware and how to decrypt it?

It seems to be an Xorist one, but the tool by Kaspersky doesn't work.

Any information will be welcomed.
README_9670338_05489.txt
0
This is in regards to an environment that contains multiple Microsoft Windows servers. The particular vulnerability is the shared folders on the servers. This is a general question about a large topic. I'd like to know opinions on what specific, important, useful steps to take, as well as reliable sources of information and guidance.
0
Lately, when I try to install new programs or run web-based programs, I get this popup: "This app has been blocked by your system administrator." It is a blue window and the only options are "Copy to Clipboard" or "Close".

This workstation (Win 10 Pro) was running on a Win Server 2012 R2 domain and may have had one or two tweaks done to the domain to prevent ransomware, and I suspect this is the culprit. I first checked AppLocker settings in Group Policy on the server. Nothing stood out, so I then removed AppLocker from the GPO. That did not help either, so I removed the workstation from the domain and made it part of a workgroup. It still has this problem.

Any suggestions as to where this setting is located on this workstation and how I can change it either by lowering the threshold or by whitelisting apps that I trust?
0
Hello. I am the unfortunate victim of a very clever APT that has led to me having to close down my charity law firm for the poor, and as no one would help me, I then spent all my equity and savings and even debt and borrowed so much it is impossible to recover, in my alone effort to learn about networks and use toolbox Kali and Tails and lots of Microsoft and any security tools I could find, and always with compromised devices, instantly, and so it has been a horrible education where I fight and discover with broken tools, and I have discovered and learned a lot these 13 months, but also have gone from wealthy to closing 3 of my 4 businesses, including all charity projects, and the last of my businesses is dying, and I cannot produce economically in this compromised state, and am victim of much financial fraud and it is too much to even try to catch up and audit and notice, and I have been hospitalized multiple times this year and probably because I have been sleeping only every other day and in constant stress over this and the fact I cannot get even one device to be exclusively mine and secure and I have root control. None. Even if I go and buy one. And I did that many times, many ways, every tactic I could think of, and exhausted my cleverness, and my ideas, and have copies and lots of digital evidence, and even probably most of the malicious code; none was easy to obtain or find, but I have, and I have I am sure plenty of logs, code, and so on, that someone who knew …
0
Hi All,

My company Scenario:

I have connected the branch office to the main office using a VPN.

The main office is running under a domain environment and using a WatchGuard as a firewall.
The branch office is running in a workgroup environment and using a Billion VPN Wi-Fi router.

The VPN has been set up between the WatchGuard firewall (XTM26) and the Billion Wi-Fi router (BiPAC 8920nz).

The VPN is working fine. I am able to remote into all the computers located in the branch office using "Microsoft Remote Desktop" from the main office.

Problem:

I am not able to ping any of the branch office computers. I can ping branch office wifi router and network printer only. What could be the reason?
0
My mother-in-law is having an issue with her laptop. When she is browsing the internet, various sites (Google, Kohl's, Target, Amazon, whatever it happens to be), she will see a popup message (enclosed attachment); along with the popup there is audio telling her to call a number, and it's saying that her computer is infected with malware. I have run several A/V scans and malware scans and I have found NOTHING! What is causing this?
possible_malware.jpg
0
A customer of mine with a Windows 2016 Server got a ransomware infection this Monday. It turned out to be Xorist. I got the Emsisoft decrypter tool and ran it with success, and then decrypted all the files on the server.

With that part done, I scanned the machine with Webroot (installed; don't know how it didn't detect this), Windows Defender, Sophos second opinion, TDSSKiller, SUPERAntiSpyware and Malwarebytes. A trojan was found in a zip file that was in a profile that was created by an external source.

I went through all my usual programs to look for anything further (Process Explorer, TCPView, netstat, etc.), but when it got to Process Monitor I noticed a lot of network traffic coming from the lsass.exe process, and it was going to random IPs (gamertalk.com.br).
snapshot of the process monitor
I could not get this traffic to subside, and it eventually crashed the server after 6-8 hours.

I took away the server's DNS settings as well as the gateway setting, and this continued to flow in Process Monitor.

Am I reading this program incorrectly?
How else can I go about trying to find what is making this traffic?

Thank you.
0
Server is Windows 2012 R2. Clients are Windows 10.

The VPN is a WatchGuard SSL VPN. Users are connected on fast VDSL connections.

When Offline Files is enabled, users connecting via the VPN can no longer see any folders other than those already synchronised. File explorer shows the computer working in offline mode.

I have checked the network location, and this shows 'domain' as expected.

It appears that when connected to the VPN, Windows is perfectly happy to authenticate against the network, browse network shares it's never seen before, etc., and there are no speed issues, but the minute Offline Files is enabled, Windows (File Explorer only) thinks the computer is offline.

There is no GPO set to describe the slow speed threshold, so the default of 500kbps should be true. The connection is operating nearer 80Mbps.

I've set a GPO "Computer Configuration > Policies > Administrative Templates > Network > Offline Files > Configure slow-link mode" to disabled, which seems to have resolved the issue.

However, I'm more concerned that Windows believes the computer to be offline when it isn't, and I wonder if there's a firewall issue I should be aware of?

Any pointers?
0
I am trying to create a policy to enable/block specific traffic that my T30-W is handling. I haven't been able to find a good answer as to what each column in the Traffic Monitor means.
0