Ransomware is malicious software, designed to block data access in order to extort money. As a form of malware, ransomware is most often used to infiltrate devices through infected emails or links that, in turn, recognize and take advantage of vulnerabilities in the operating system and installed third-party software.

Share tech news, updates, or what's on your mind.

Sign up to Post

I work at a small private school.  We use Windows Defender as our only protection inside our hardware firewall.  We are starting to see some breaches although not enough to justify a big expenditure for a enterprise anti-malware/ransomware budget item.  I understand the adage that "you get what you pay for" but I am wondering if there are recommendations for a free or low-cost solution for an institution such as ours that might filter out the malware and ransomware threats.

Thanks in advance for your recommendations!
Just had a VPC hit with Ransomware, need to recover one or two files. Can't find much on the web about this one.

Original        Parish Contacts Susan Only.rtf
Encrypted    Parish Contacts Susan Only.rtf.crypted_ishibashi@nuke_africa

Have found decrypter's in the pas that worked.
Any help much appreciated.
We are looking to set up a point to point vpn with sonicwall on our end and watchguard on the clients end. We'll be using that to set up crashplan backup on virtual machines. Two questions.
1. Is it pretty straightforward to set up the point-to-point between sonicwall and watchguard?
2. Once that is established, would we need a backup device for each VM (say we have 3) or would backing them up to one device with designated partitions work ok?
We have a Watchguard XTM 2 firewall device.

We have set it up successfully with a static IP address through our modem.  The modem works and plugged it directly into the computer with IPv4 manually set.

We have the WAN in X0 and the LAN is X2.

When we setup the device with the Trusted Interface of with DHCP range of it works but does not get Internet.   The DNS server is set and the computer has no problem getting a DHCP address.

The only thing that looks wrong is this picture with the gateway is showing up as but don't see a place to change it nor do I see any settings wrong.  Help!
Have a basic question for you MS SQL gurus. We recently have had a ransomware scare at our small business. We currently run a few applications that use MS SQL express and MS SQL full version. We are wondering if the directory(s) where the SQL data is stored is required to have a share on it. We are thinking that if we get nailed by ransomware that locks all of our files, would not making the SQL data itself unavailable to the network keep us from losing the data to the thief? Or would a SAN benefit us that is not connected to any internet connection? We do however back up our data to a Server across town through our Comcast business fiber which is stored at our sister company and vice versa.
I am having an issue accessing a secure ftp web site from a network.  The network uses a watchguard xtm 25 appliance and then runs Server 2008 R2 as the network server.  The workstations are all Windows 7 Pro.

The URL is https://oebsftp.ontarioenergyboard.ca.  This should bring me to a log in page, but instead the following message

The message from IE 11 is as follows:

This page can’t be displayed

Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://oebsftp.ontarioenergyboard.ca  again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator.

Fire fox give the following:
Secure Connection Failed

The connection to oebsftp.ontarioenergyboard.ca was interrupted while the page was loading.

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.
Often the Ontario energy board upload sites are designed for IE only.

I do not see anything in the Watchguard appliance but may be overlooking something.

The server uses SEP 14.0 for both anti-virus and Firewall

As a separate issue, email using Outlook 2013 cannot use ssl either
I am trying to see if there is any way to detect and stop encryption process on a windows server.

Basically one of the workstation opened a ransomware (SIGMA) and it has encrypted everything on her computer which is to be expected. However, it also encrypted everything on the mapped driver from the file server. The file-server has antivirus and even anti-ransom but it still encrypted the stuff on the mapped drives. All drives or folders that were not mapped to this particular workstation are fine.
So the question would be if there is anything to prohibit any type of encryption that is initiated from a workstation. If not, maybe someone knows a good solution to prevent this in another way.

By the way, I do have backups, however since I only have backups every 24 hours, I lots one days work. I do not really care about the files on the workstation because I simply restore a clean image but if it messes with my files on the domain server, it becomes a huge issue and I need to find some solution.

Any tip is very much appreciated. Thanks to all that are willing to assist me.
The server is Windows Server 2016
Our ISP has given us a block IP addresses, and a gateway on a different subnet. We must use PPPoE to connect. We want to use these addresses on a Watchguard XTM box using Fireware 12.1.1

We have set the PPPoE connection to use the gateway IP address, and added the 5 main IP addresses as secondary ones on the external interface. These can be thought of as follows (not the actual IP addresses):

Gateway :
Assigned IP Range

When trying to configure a BOVPN, we would like our IP address to show as but it always appears as

We've modified the other firewall policies such as HTTPS client to use one of the IP addresses in the block and this works fine, just not the BOVPN one. Can someone direct me to where I should specify the IP address for the BOVPN?

Hi, I have a really odd problem with a Watchguard XTM25-W Firewall.  It has the latest Fireware on it and I've reset it and run the setup wizard from scratch on it. I have a Draytek VDSL model plugged into Port0 and have set up PPPOE authentication on the watchguard and the watchguard connects to the internet.  I have successfully downloaded the Live Security feature key and it's valid for 2 more months.  

The problem I have is that if I plug a laptop directly into Port 1 on the Watchguard and set up a static IP the laptop can see the internet. However if I plug Port 1 into an established 48 port switch nobody on the switch can see the Watchguard, and in fact the Port1 light on the Watchguard doesn't even light up (it lights up if you plug the Laptop into it)

As far as I am aware when you reset a Watchguard and run the setup Wozard it sets up enough default settings to get you a basic internet connection but I'm wondering if there is now some additional configuration needed to allow the internet connection to be shared.

Bit of further background, the Watchguard is replacing an existing Draytek VDSL Router which was the original Default Gateway so I have set up the Watchguard with the same IP address as the Draytek Router (and of course unplugged the Draytek)

Would really appreciate some suggestions on this.

Many thanks
Good day-
I'm attemtping to forward port inbound requests on port 80 to internal port 16000 for viewing of a DVR camera system.  Can someone guide me over policy manager? I'm not understanding the kb from watchguard.

I was wondering where can I find a zoo/repository to download large number of ransomware samples, in order to statically analyse them?
I have files infected with .rapid extension... need a solution.
We have several locations. Each location has several DNS servers, all replicating to each other. In DNS we have several Conditional Forwarders. At all locations except one I can ping and RDP into any of the servers in the Conditional Forwarders list. However in one of the locations I am unable to ping to any of the Conditional Forwarder IPs. All locations are connected using a Watchguard firewall using a VPN. When I do a tracert from the location that is unable to get to any of the Conditional Forwarder locations, it goes to the local DNS server, then out to local ISP DNS server. I have been reading and searching for articles that might help however I am unable to find a solution.
https://belkasoft.com/baas/en/steps   :
"...until very recently, this additional evidence was often discarded. Approaching running computers with a “pull-the-plug” attitude used to be a standard practice,.."

Link/line above seems to indicate don't plug out a compromised PC or don't power off a compromised PC?

if we want to see using sysinternals Tcpview the Network IOCs, I guess we should not even disconnect the network at all??

Or still disconnect the compromised PC from network (to stop further re-infections or data being maliciously copied out
or stop call-backs) but don't power it off but just disconnect from network?

In our environment, USB ports are all (except a few rare exceptions for business purpose on isolated PCs) disabled using
DLP products (not using registry) : so if we disconnect a compromised PC from LAN, the consoles of the DLP can't be
used to enable back the USB anymore for us to copy forensic tools to the compromised PC.  However, speed is of essence
to disconnect an infected (we have a few ransomware cases) PC from network thus there's no time to use the DLP
consoles to enable the USB.  So how do we still copy the forensic tools into the PCs?  I assume if we use DLP consoles
to access the infected PCs, the DLP console may be at risk or I'm being paranoid?

Someone suggested that the forensic tools should always be readily deployed into all PCs & servers to overcome the
issue in Q4 above, ie place a copy in …
Dear All,

Friend of mines company server got hijacked by embassy@scryptmail.com using  Disk-crypt after much negotiation we got the codes (reduced prices £4000 to £300) so the laptops have all been decrypted; The sever dell using raid 1 mirror Perc S300 controller hasn’t been straight forward; eventually worked out how I had to boot from a alternate SSD with driver an SMB server 2011 etc, I’ve now decrypted the drives even though the server boot BSODS (sort later) but does anyone know how to remove the demand at boot from the MBR please for the password.

What are some basic steps I could take to ensure our network is secure from outside intrusion?  We have a SonicWall and Sophos Anti virus, but what other things can I do to make our network less apt to be attacked?  What holes can I test and plug?
Popped up on the PC & Server of a new client this morning looks like both encrypted I checked with a live linux USB stick but hdd reports unformatted.

Any clues other than pay these crooks.  


We have Trend Micro in our network. After looking at  sever audit failure logs on windows domain server, we ran scan and couldnt find anything.

After running scan by malwarebytes we found several issues and cleaned up. This appears to have helped with malwarebytes.

Can we do away with Trendmicro and just have malwarebytes or do we need both malwarebytes and trendmicro?
I am currently experiencing an annoying VPN issue

I have a WatchGuard M300 cluster based in datacentre 2 which has an existing site to site VPN to datacentre 1

The same customer has a satellite office with a Watchguard xtm33 that has a site to site VPN to datacentre 1.  The satellite office is double NAT'ing, with an external IP in a 1 to 1 NAT direct through to a private IP range that is the external interface on this Watchguard.

datacentre 1 will be turned off soon so I need to connect the satellite office to datacentre 2, however when I set it up I get a timeout error on the Datacentre 2 side (it's like it cannot even see the external interface nevermind start negotiating) and the satellite side doesn't even attempt to start the VPN.  I have checked all of the settings, all traffic is definitely being passed through the satellite offices provider interface and other services are working.  As there is a VPN in place and working on both sides I cannot understand why the issues exists, but seems buggy.  The firmware on the satellite WatchGuard is old, its the only thing I can think to change.  Or its the 1 to 1 NAT, never had an issue before but its a question mark.
I need a decryptor for ransomware *.rapid.  This ransomware has manifested itself on administrative files for a school.  I don't know if anyone has been able to find a solution for this at this time.
We had a user whose laptop was infected with ransomware, and that led me to look into the solution to it, and our backup system.
Fortunately, he was not connected to the company network, so the files were only locked in his laptop.
Free ransomware removal tool from TrendMicro, and someone else did not work.

1. What is the best removal tool?

I am looking into Sophos. They have Enterprise Malware Removal Tool that can take care of Ransomware. We use their anti-virus software, so theirs caught my eye.

2. What is the best backup strategy?

I had a IT admin friend, and his system got infected. He spent $30K to get his files back from the servers, and what was interesting was that the ransomware did not manifest itself right away. It was like 2 or 3 days later.
Right now, my servers are backed up fully every night to a USB drive. I have only 3 servers. No incremental or differential. I'd like to know how people backup a couple of terabyte data these days. Tape systems were used in the past, and each day manually or automatically different tapes were used. Do people do this even in 2018? I only used it 10 years ago.

These can have multiple full backups, and each time are they totally offline from each other? I hear that Ransomware can go into other resources in the same LAN. Then I need a backup system that can backup multiple generations (like daily), and they need to be completely …
We have Watchguard m400. The firewall is blocking EXE download. I want to allow only help desk to be able to download EXE, drive etc. How can i do this ?

We have DAG with 3 Exchange servers. Today morning one server has been affected by Ransomware and we have shutdown the server immeditialy and we are not going to on the server again.

Now what should we need to do?

Case1 :  Do we need to build the new server again and will install the Exchange on it. After it we will try to remove the server? If this is best approach then can you please let us know any best method to remove the server from the DAG and then from Exchange environment?

Case 2: Can we restore the server from snapshot or from backup software? Is it fine to restore the server from backup in DAG environment?  As I have heared or read somewhere that resote of server from snapshot can be catastrophic. Please comment.
I inherited a Class B network years ago and am just now wanting to do a major overhaul.  Currently the LAN network is  It is currently just a flat network with servers and clients dispersed throughout.  I want to segment the network into the following categories: Servers (25ea now), Workstations (100ea now), Printers (30ea now), Utility devices (20ea now).  All of our wireless clients are connected on the outside of the firewall and are outside the scope of this question.  Our firewall is a WatchGuard device.

Should I rework the ip address scheme?  If so, can someone layout an example of what I should do?

I am putting together some phone equipment and servers in a datacenter cabinet.  The datacenter is providing us a redundant router connection using HSRP.  The cabinet has two Ethernet cables: primary, secondary.

We need external routable addresses for each of the two border controllers for the phone system.  They have a WAN port and a LAN port so they can have an external (outside the firewall) connection and also have a local IP address in the same subnet as the servers in the cabinet.

We are trying not to purchase another $2000 Cisco switch for the setup to accept the 2 Ethernet connections.

We have a WatchGuard M370 firewall device with several ports that can be configured in many ways.

We have two layer 2 switches available in the cabinet for use outside and/or inside the firewall. It is a layer 3 device.

I need help in the configuration of this system.

One suggestion was to take the two datacenter network cables and plug them into a standard Layer 2 switch then patch that switch into an external interface on the firewall.  After so many attempts I am trying to remember but I think the path to the internet was broken when BOTH router cables were plugged into that switch.  I am going back to the datacenter tomorrow to try more things but I wanted to get some input from you guys first.  I have the datacenter IP sheet where they provide me the configuration info but didn't want to post live addresses on this site.  Basically they gave me a \29 subnet and …






Ransomware is malicious software, designed to block data access in order to extort money. As a form of malware, ransomware is most often used to infiltrate devices through infected emails or links that, in turn, recognize and take advantage of vulnerabilities in the operating system and installed third-party software.