Ransomware

210

Solutions

509

Contributors

Ransomware is malicious software, designed to block data access in order to extort money. As a form of malware, ransomware is most often used to infiltrate devices through infected emails or links that, in turn, recognize and take advantage of vulnerabilities in the operating system and installed third-party software.

Share tech news, updates, or what's on your mind.

Sign up to Post

Hey

All external mails shows as "X-MS-Exchange-Organization-AuthAs: internal"

How to change to anonymous?

(We have a WatchGuard XCS as spam)

Mike
0
Hi
Wanted to open this discussion - to prevent a ransomware attack or malware from spreading across a network

Seems most SMB networks have domain admins (most of which have separate accounts, so the domain admins don't log into a computer with the domain admin account unless performing some sort of work that requires domain admin access), but I've seen a lot of networks where the domain user that logs onto a particular machine is given local admin rights on that machine.  

Also have heard it's not a good idea for a domain admin account to ever log onto a user's workstation

Compromising of credentials stored in memory via LSASS seems pretty easy

As far as how many users have domain admin rights, this seems pretty straightforward; that the fewer domain admins the better, and instead of automatically creating a domain admin account any time a service account is required, it would be better for a service account to use a regular domain user account, but one that's local admin on the server it needs (rather than a full out domain admin account)

What are your thoughts on this?
0
In WatchGuard XTM SMTP Proxy definitions, it implies you can set up a rule for "masquerading".  However, how do you set up the replacement string?   For instance, if I want person@contoso.com to be redirected to person@contoso.org, it is easy enough to match the string and replace it.  But, if I want everyone @contoso.com to be redirected to their same name @contoso.org, how do you set up the replacement string?  You can use a wildcard on the string match but what syntax do they use for the replacement string to attach the portion before @contoso.com.   Seems that this should be a simple process for creating masquerading.
0
Hi guys,

I see the PCMatic commercials, along with ALL of my clients.. I am a computer consultant that goes into homes & small businesses...

I do NOT deal with servers, just home computers.

How can these guys say they are 100% solution to protect against all threats?  100% against ransomeware too...

Is this a good solution?  
If yes, why?         If not, why not?

Should I recommend to clients?

I know I have read they blacklist everything, so nothing gets through...

If they are sooo good as they say, why wouldn’t everyone be using??  

Thanks again, :-)
0
Hi there, Folks

I have a Windows 2003 server which we run for a customer. Someone, somehow has managed to get the server infected with the .libbywovas@dr.com.gr3g files ransomware and boy has it made a hash of the server.

I'm looking for help getting the server back to a state where I am able to login. I'm told I can manually remove the ransomware by logging in safe mode. However, logging in in safe mode requires F8 to be sent while in boot stage. I'm finding this impossible because the server is a VPS (VMWare) and it doesn't seem to let me send the F8.

Does anyone know how to get this server cleaned? I would sincerely appreciate the help.

Best wishes
Chris
0
One of our clients has a ransomware vires, in every folder there is a text document with the following info:

All your files have been encrypted. If you want to restore them, write us to the e-mail writefordecrypt@openmailbox.org
013CCCAC1509577167

I am guessing all is lost when there is no backup?
0
Greetings,

For all the programming and brainpower that goes into protecting systems today, anti-virus programs are always going to be desperately playing catch-up when it comes to zero-day attacks,   I would like to create an access policy through Windows that looks something like this:

Name:  Block access to *.doc except for winword and other allowed programs
Processes to include:  *  (all)
Exceptions:   winword.exe, chrome.exe, adobe.exe, explorer.exe (there are more to include, this is just an example)
File/folder name to bloc:  *.DOC
Actions to block"  Write access to files, New files being created

With the above policy in place, an illegitimate ransomware virus executable, e.g. deathstar.exe, would be unable to write to the data files because the access policy would block their efforts to write to and encrypt the protected data files.

I would want to do this for all main file types, e.g. *.doc/docx, *.xls/xlsx, *.pdf etc.

With what tools can I put these rules into place on a given Windows XP / 8 / 10  PC and/or on a Windows 2008 / 2012 / 2016 server?

Thanks.

jkirman
0
I was recently tasked with setting up a VPN for a client of ours for accessing files from home. We are able to successfully login however when we try to map drives or access resources we are unable to. Mapping drives errors as is we are not in that domain. Trying to access the drives through Explorer returns the same. Can anyone assist with this please?
0
Hi,

I am continuously getting event id: 4005 on RDS server.  

Server OS: Microsoft Windows Server 2012 R2 Standard.

The Winlogon process terminates unexpectedly and prevents new logins from processing.  However, the only way to get login process work after the power cycle the server.

Webroot antivirus agent is installed on the server.

==================================================================
Event Logs:
==================================================================
Log Name:      Application
Source:        Microsoft-Windows-Winlogon
Date:          10/9/2017 4:30:19 PM
Event ID:      4005
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      
Description:
The Windows logon process has unexpectedly terminated.

Below mentioned steps which I have performed on the server:

-- Ran SFC /Scannnow command and successfully repaired the Windows Resource Protection corruption.
-- Ran DISM ScanHealth command on the server and no component store corruption detected.
-- Installed latest Microsoft released updates on the server.

==================================================================
SFC /Scannnow command Result:
==================================================================
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32 sfc /scannow

Beginning system scan.  This process will take some time.

Beginning …
0
Hello all,
I will be migrating a Watchguard XTM505 to a Watchguard M370.  I understand the step by step portion of the policy manager.
My question is that before I import the configuration file from the policy manager to the new M370 do I need to activate the new M370 or do anything else to it?
Thanks,
Kelly W.
0
My client was got by this ransomware. How can I decrypt the files ?
0
Restored some data from NAS after ransomware on a server data drive.

Some folders are fine but others have restored but wont allow me now to edit files / write or delete in the folders.

Despite taking ownership etc still get above message with
"You need permission to perform this action - You require permission from domainname\administrator to make changes to this file"   - I am logged in as administrator - have tried different accounts - adding everyone to security aswell.

I appreciate its best to reinstall after ransomware but this is just short term.
0
My user cannot connect with Watchguard client or Shrewsoft client.  Switching users to myself I find that I cannot connect with Watchguard client but I can with Shrewsoft.  This is a Windows 7 Pro PC.  My windows 7 PC can use either client.  Why cant this user use the VPN?
0
I am trying to configure my Watchguard firewall [XTM 515 - Fireware 11.9.4] to allow certain machines access to the update site of a software provider. Unfortunately this software vendor does not hold the updates on systems that can be referenced via  fixed ip addresses but rely on referencing their infrastructure via a DNS name.  I don't seem to be able to setup a route using packet filters or proxies. Does anybody know of a way of doing this?
0
I'm trying to identify a ransomware virus that hit a network. I believe it is “FakeGlobe” virus. Aside from not knowing how it got on the network, there are other things I cannot figure out.  The more I know, the better I can protect this network. We did have backup replicated offsite so we are good. It just took a lot of work rebuilding servers and restoring data.

This virus uninstalled TrendMicro on servers and workstations. It then ran on those devices.  This created a unique encryption. If they were to have paid to get it unencrypted, they would have had to pay for each computer separately.  It appears it did not rely on shared drives to spread it.  

It also infected a server that was off the domain. The administrator account password was not the same as administrator password on the network. I have no idea how they could have gotten to that.

There are only three people with domain admin rights and there are service accounts with domain admin rights. None of the three users were on the network when it hit on a Saturday evening.  Passwords for the accounts with administrator rights were not changed. This means they had to find a way to read the passwords.

I did see information about  Pony Botnet that may have been used https://thehackernews.com/2014/02/pony-botnet-steals-220000-from-multiple.html 

I’m just looking for thoughts and ideas on how this could have happened so I can prevent it from happening again.  I’d like to know if it was done manually by …
0
There are a few questions I have about a connection I want to make to a shared folder that's on an NTFS volume.  What I wanted to achieve was to have a single, non-admin user account on that target machine to which I only know the password.  The shared folder would give that user account full control while denying full control to all other accounts including administrators.  In other words, if you forget the password, you cannot access the data unless you remove the hard drive itself from the machine.  I would think that this would make it difficult for the likes of Ransomware to encrypt the contents and my backups would be relatively safe.

Next would be to program a backup software to perform nightly backups to this folder.  In this example, I'm using Veeam Endpoint Protection.  The software is programmed with said user account and performs backups nightly.  I'm assuming that while Veeam uses the username and password to open a connection, other programs and users on that originating computer cannot.  In other words, Veeam has a private connection using said credentials.

Is this correct?  Please let me know what you think.
0
Dear All,

please advise the best solution to decrypt .nm4 extension   ...we have to decrypt Excel files...which are in a VM on Hyper-v.

thanks
0
Good day,

Is there a device or any technology that prevents users from opening emails with ransomware and infecting the network shares?

I believe tiers of protection to help minimize but nothing concrete to stop.

regards,
1
Hi,
I'm in the process of setting up SSO for users so we can control our internet access. We only want domain users to access internet and none domain users such (visitors) need to be blocked.

I have read a couple of articles but am still a little unsure which method to use, so here I am asking experts for guidance. I would also appreciate if someone can write step-by-step setup guide or an article that I can follow with some screen prints?

Please also point out any "gotcha"

This article says that "Event Log Monitor” has to be installed on all domain controllers, but later its talks about pushing out SSO client to machines which is also used for authentication, so am a bit confused if this is needed or not? Please clarify
http://www.skype4badmin.com/watchguard-sso-part-1/


and then this video also talks about "Exchange Monitor" for authentication.. do I need all of these options or will one suffice?
https://www.youtube.com/watch?v=qw8e85hXVcg

much appreciated!

Thanks
0
Hi,

Can anyone please tell me step by step how to stop a Watchguard XTM25 from blocking downloads of EXE files from a server hosted website (so need to add an exception as an IP address) .

Many thanks

Adam
0
I know very little about watchguards (or really most complex firewalls).  I have 2 watchguards in location A and location B.  looking at the policies on the main office's watchguard, I have 16 rules.  wonder which are needed?  

This is an XTM21 (old unit, right?)

it takes a few seconds to go from screen to screen / get the list of firewall policies, etc. 'retrieving data' on screen for 9 seconds... there's 16 policies in the list.  Is that a long time for pages to load?

a) do you just replace watchguards after x years because they are old?
b) do you reboot them on a schedule? How often? every week? month? year?

This watchguard is set up for:Exchange on the SBS server on the LAN, General surfing from inside the office, VPN to the other location and phones being able to connect to the exchange server from outside.

How many rules should those take?

Looking at the policies, I think this is what are set up. I inherited this network so may be unneeded / defaults that came with the box?
FTP OUTboundSMTP (192.168.2.3 to Any external)
GeneralProxy (From HTTP-proxy to ANY  Trusted)
SMTPtoMailSrv (From ANY to 75.127.x.x->192.168.2.3)
HTTPtoMAILSrv (From ANY to 75.127.x.x->192.168.2.3)
POP3toMailsrv (From ANY to 75.127.x.x->192.168.2.3)
IMAPtoMailsrv (From ANY to 75.127.x.x->192.168.2.3)
HTTPStoMailsrv (From ANY to 75.127.x.x->192.168.2.3)
RDPtoMAILsrv (From ANY to 75.127.x.x->192.168.2.3)
Voicecom mail system (From ANY to 75.127.x.x->192.168.2.3)
Watchguard …
0
Hi
I have to enable TLS 1.0, 1.1 and 1.2 in Internet Explorer on my laptop before a VPN can connect? how can I change this settings so I don't have to enable these in IE?

Thanks
0
Hello Everybody:

I saw with a company which was affected with some files with a ransomware Gryphon on their Synology NAS, but we need to know the files or user where affected the NAS, in order to avoid more infection on the NAS.

Is there any kind of command in synology using with ssh conection on the Synology or by web in order to investigate where was infection?

Note: We disconect the NAS from the network, to avoid more infection, but we need to find where or which user started the infection.
0
I had this question after viewing SYSVOL corrupted.

I have a server that was fully corrupted by ransomware without a good restore option available.

I now know I need to rebuild the NETLOGON and SYSVOL shares from scratch and plan to do that per this article:
https://support.microsoft.com/en-us/help/290762/using-the-burflags-registry-key-to-reinitialize-file-replication-servi

I also know I need manually seize the roles and remove the old DC:
https://community.spiceworks.com/how_to/9942-complete-force-removal-of-a-domain-controller-from-active-directory-guide

The question I have is:

Which to do first?   I imagine I need to fix the shares first as they are required for proper AD operation, though I fear that will fail due to the lingering DC.  

Perhaps someone here has done this before?

Thanks in Advance,
Fred
0
I had this question after viewing anti virus software protecting against ransom ware.

Is this for a single computer or network of them?  

The best and cheapest protection is a solid regular backup of your system. Windows 10 has built in backup utilities.

I am looking for a product I can put on 4 personal computers windows 10,8,7 so I can defend my new and old computers
Not for business use
0

Ransomware

210

Solutions

509

Contributors

Ransomware is malicious software, designed to block data access in order to extort money. As a form of malware, ransomware is most often used to infiltrate devices through infected emails or links that, in turn, recognize and take advantage of vulnerabilities in the operating system and installed third-party software.