Ransomware

246

Solutions

554

Contributors

Ransomware is malicious software, designed to block data access in order to extort money. As a form of malware, ransomware is most often used to infiltrate devices through infected emails or links that, in turn, recognize and take advantage of vulnerabilities in the operating system and installed third-party software.

Share tech news, updates, or what's on your mind.

Sign up to Post

Hello,

I have been infected by some ransonware i don`t know.

In the attached file is the readme file with the instructions to decrypt the files. Anyone knows the ransomware and how to decrypt it?

It seems a xorist one, but the tool by kaspersky doesn`t work.

Any information will be welcomed.
README_9670338_05489.txt
0
This is in regards to an environment that contains multiple Microsoft Windows severs. The particular vulnerability is the shared folders on the servers. This is a general question about a large topic. I'd like to know opinions of what are specific, important, useful steps to take, as well as reliable sources of information and guidance.
0
Lately, when I try to install new programs run web based programs, I get this popup "This app has been blocked by your system administrator." It is a blue window and the only options are "Copy to Clipboard" or "Close".

This workstation (Win 10 Pro) was running on a Win Server 2012 R2 domain and may have had one or two tweaks done to the domain to prevent ransomware and I suspect this is the culprit. I first check AppLocker settings in Group Policy on the server. Nothing stood out, so I then removed AppLocker from the GPO. That did not help either, so I removed the workstation from the domain and made it part of a workgroup. It still has this problem.

Any suggestions as to where this setting is located on this workstation and how I can change it either by lowering the threshold or by whitelisting apps that I trust?
0
Hello. I am the unfortunate victim of a very clever APT that has led to me having to close down my charity law firm for the poor, and as no one would help me, I then spent all my equity and savings and even debt and borrowed so much it is impossible to recover, in my alone effort to learn about networks and use toolbox Kali and Tails and lots of microsoft and any secureity tools I could find, and always with compromised devices, instantly, and so it has been a horrible education where I fight and discover with broken tools, and I have discovered and learned a lot these 13 months, but also have gone from wealthy to closing 3 of my 4 businesses, including all charity projects, and the last of my businesses is dying, and I cannot produce economically in this compromised state, and am victim of much financial fraud and it is too much to even try to catch up and audit and notice, and I have been hospitalized multiple times this year and probably because I have been sleeping only every other day and in constant stress over this and the fact I cannot get even one device to be exclusively mine and secure and I have root control. None. Even if I go and buy one. And I did that many times, many ways, every tactic I could think of, and exhausted my cleverness, and my ideas, and have copies and lots of digital evidence, and even probably most of the malicious code---none was easy to obtain or find, but I have, and I have I am sure plenty of logs, code, and so on, that someone who knew …
0
Hi All,

My company Scenario:

I have connected the branch office to main office using VPN.

Main office is running under domain environment and using a Watch guard as a firewall.
Branch office is running in a work group environment and using a Billion VPN Wi Fi router.

VPN has been set up between Watchguard Firewall (XTM26) and Billion Wifi Router (Bi Pac 8920nz)

VPN is working fine. I am able to take remote of all the computers located in to the branch office using "Microsoft Remote Desktop" from the main office.  

Problem:

I am not able to ping any of the branch office computers. I can ping branch office wifi router and network printer only. What could be the reason?
0
My mother in law is having an issue with her laptop. When she is browsing the internet, various sites, google, kohls, target, amazon, whatever it happens to be, she will see a popup message (enclosed attachment), along with the popup there is audio telling her to call a number, and it's saying that her computer is infected with malware. I have run several A/V scans and malware scans and I have found NOTHING! What is causing this?
possible_malware.jpg
0
A customer of mine with a Windows 2016 Server got a ransomware infection this Monday.  Turned out to be the Xorist.  I got the Emsisoft decrypter tool and ran it with success and then decrypted all the files on the server.  

With that part done, scanned the machine with Webroot (installed, don't know how it didn't detect this) windows defender, sophos second opinion, TDDSKiller,  superantispyware  and malwarebytes.  a trojan was found in a zip file that was in a profile that was created by an external source.

I went through all my usual programs to look for anything further (process explorer, tcpview, netstat etc but when it got to process monitor i narrowed a lot of network traffic coming from the lsass.exe process, and it was going to random IP's (gamertalk.com.br)
snapshot of the process monitor
I could not get this traffic to subside, and it eventually crashed the server after 6-8 hours.

I took away the servers DNS settings as well as the gateway setting and this continued to flow in process monitor.

Am I reading this program incorrectly?
How else can I go about trying to find what is making this traffic?

Thank you.
0
Server is Windows 2012 R2. Clients are Windows 10.

VPN is a Watchguard SSL VPN. Users are connected on fast VDSL connections.

When Offline Files is enabled, users connecting via the VPN can no longer see any folders other than those already synchronised. File explorer shows the computer working in offline mode.

I have checked the network location, and this shows 'domain' as expected.

It appears that when connected to the VPN, Windows is perfectly happy to authenticate against the network, browse network shares it's never seen before, there are no speed issues, etc, but the minute offline files is enabled, Windows (file explorer only) thinks the computer is offline.

There is no GPO set to describe the slow speed threshold, so the default of 500kbps should be true. The connection is operating nearer 80Mbps.

I've set a GPO "Computer Configuration > Policies > Administrative Templates > Network > Offline Files > Configure slow-link mode" to disabled, which seems to have resolved the issue.

However, I'm more concerned that Windows believes the computer to be offline when it isn't, and I wonder if there's a firewall issue I should be aware of?

Any pointers?
0
I am trying to create a policy to enable/block specific traffic that my T30-W is handling. I haven't been able to find a good answer as to what each column in the Traffic Monitor means.
0
Hey

All external mails shows as "X-MS-Exchange-Organization-AuthAs: internal"

How to change to anonymous?

(We have a WatchGuard XCS as spam)

Mike
0
Hi
Wanted to open this discussion - to prevent a ransomware attack or malware from spreading across a network

Seems most SMB networks have domain admins (most of which have separate accounts, so the domain admins don't log into a computer with the domain admin account unless performing some sort of work that requires domain admin access), but I've seen a lot of networks where the domain user that logs onto a particular machine is given local admin rights on that machine.  

Also have heard it's not a good idea for a domain admin account to ever log onto a user's workstation

Compromising of credentials stored in memory via LSASS seems pretty easy

As far as how many users have domain admin rights, this seems pretty straightforward; that the fewer domain admins the better, and instead of automatically creating a domain admin account any time a service account is required, it would be better for a service account to use a regular domain user account, but one that's local admin on the server it needs (rather than a full out domain admin account)

What are your thoughts on this?
0
In WatchGuard XTM SMTP Proxy definitions, it implies you can set up a rule for "masquerading".  However, how do you set up the replacement string?   For instance, if I want person@contoso.com to be redirected to person@contoso.org, it is easy enough to match the string and replace it.  But, if I want everyone @contoso.com to be redirected to their same name @contoso.org, how do you set up the replacement string?  You can use a wildcard on the string match but what syntax do they use for the replacement string to attach the portion before @contoso.com.   Seems that this should be a simple process for creating masquerading.
0
Hi guys,

I see the PCMatic commercials, along with ALL of my clients.. I am a computer consultant that goes into homes & small businesses...

I do NOT deal with servers, just home computers.

How can these guys say they are 100% solution to protect against all threats?  100% against ransomeware too...

Is this a good solution?  
If yes, why?         If not, why not?

Should I recommend to clients?

I know I have read they blacklist everything, so nothing gets through...

If they are sooo good as they say, why wouldn’t everyone be using??  

Thanks again, :-)
0
Hi there, Folks

I have a Windows 2003 server which we run for a customer. Someone, somehow has managed to get the server infected with the .libbywovas@dr.com.gr3g files ransomware and boy has it made a hash of the server.

I'm looking for help getting the server back to a state where I am able to login. I'm told I can manually remove the ransomware by logging in safe mode. However, logging in in safe mode requires F8 to be sent while in boot stage. I'm finding this impossible because the server is a VPS (VMWare) and it doesn't seem to let me send the F8.

Does anyone know how to get this server cleaned? I would sincerely appreciate the help.

Best wishes
Chris
0
One of our clients has a ransomware vires, in every folder there is a text document with the following info:

All your files have been encrypted. If you want to restore them, write us to the e-mail writefordecrypt@openmailbox.org
013CCCAC1509577167

I am guessing all is lost when there is no backup?
0
Greetings,

For all the programming and brainpower that goes into protecting systems today, anti-virus programs are always going to be desperately playing catch-up when it comes to zero-day attacks,   I would like to create an access policy through Windows that looks something like this:

Name:  Block access to *.doc except for winword and other allowed programs
Processes to include:  *  (all)
Exceptions:   winword.exe, chrome.exe, adobe.exe, explorer.exe (there are more to include, this is just an example)
File/folder name to bloc:  *.DOC
Actions to block"  Write access to files, New files being created

With the above policy in place, an illegitimate ransomware virus executable, e.g. deathstar.exe, would be unable to write to the data files because the access policy would block their efforts to write to and encrypt the protected data files.

I would want to do this for all main file types, e.g. *.doc/docx, *.xls/xlsx, *.pdf etc.

With what tools can I put these rules into place on a given Windows XP / 8 / 10  PC and/or on a Windows 2008 / 2012 / 2016 server?

Thanks.

jkirman
0
I was recently tasked with setting up a VPN for a client of ours for accessing files from home. We are able to successfully login however when we try to map drives or access resources we are unable to. Mapping drives errors as is we are not in that domain. Trying to access the drives through Explorer returns the same. Can anyone assist with this please?
0
Hi,

I am continuously getting event id: 4005 on RDS server.  

Server OS: Microsoft Windows Server 2012 R2 Standard.

The Winlogon process terminates unexpectedly and prevents new logins from processing.  However, the only way to get login process work after the power cycle the server.

Webroot antivirus agent is installed on the server.

==================================================================
Event Logs:
==================================================================
Log Name:      Application
Source:        Microsoft-Windows-Winlogon
Date:          10/9/2017 4:30:19 PM
Event ID:      4005
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      
Description:
The Windows logon process has unexpectedly terminated.

Below mentioned steps which I have performed on the server:

-- Ran SFC /Scannnow command and successfully repaired the Windows Resource Protection corruption.
-- Ran DISM ScanHealth command on the server and no component store corruption detected.
-- Installed latest Microsoft released updates on the server.

==================================================================
SFC /Scannnow command Result:
==================================================================
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32 sfc /scannow

Beginning system scan.  This process will take some time.

Beginning …
0
Hello all,
I will be migrating a Watchguard XTM505 to a Watchguard M370.  I understand the step by step portion of the policy manager.
My question is that before I import the configuration file from the policy manager to the new M370 do I need to activate the new M370 or do anything else to it?
Thanks,
Kelly W.
0
My client was got by this ransomware. How can I decrypt the files ?
0
Restored some data from NAS after ransomware on a server data drive.

Some folders are fine but others have restored but wont allow me now to edit files / write or delete in the folders.

Despite taking ownership etc still get above message with
"You need permission to perform this action - You require permission from domainname\administrator to make changes to this file"   - I am logged in as administrator - have tried different accounts - adding everyone to security aswell.

I appreciate its best to reinstall after ransomware but this is just short term.
0
My user cannot connect with Watchguard client or Shrewsoft client.  Switching users to myself I find that I cannot connect with Watchguard client but I can with Shrewsoft.  This is a Windows 7 Pro PC.  My windows 7 PC can use either client.  Why cant this user use the VPN?
0
I am trying to configure my Watchguard firewall [XTM 515 - Fireware 11.9.4] to allow certain machines access to the update site of a software provider. Unfortunately this software vendor does not hold the updates on systems that can be referenced via  fixed ip addresses but rely on referencing their infrastructure via a DNS name.  I don't seem to be able to setup a route using packet filters or proxies. Does anybody know of a way of doing this?
0
I'm trying to identify a ransomware virus that hit a network. I believe it is “FakeGlobe” virus. Aside from not knowing how it got on the network, there are other things I cannot figure out.  The more I know, the better I can protect this network. We did have backup replicated offsite so we are good. It just took a lot of work rebuilding servers and restoring data.

This virus uninstalled TrendMicro on servers and workstations. It then ran on those devices.  This created a unique encryption. If they were to have paid to get it unencrypted, they would have had to pay for each computer separately.  It appears it did not rely on shared drives to spread it.  

It also infected a server that was off the domain. The administrator account password was not the same as administrator password on the network. I have no idea how they could have gotten to that.

There are only three people with domain admin rights and there are service accounts with domain admin rights. None of the three users were on the network when it hit on a Saturday evening.  Passwords for the accounts with administrator rights were not changed. This means they had to find a way to read the passwords.

I did see information about  Pony Botnet that may have been used https://thehackernews.com/2014/02/pony-botnet-steals-220000-from-multiple.html 

I’m just looking for thoughts and ideas on how this could have happened so I can prevent it from happening again.  I’d like to know if it was done manually by …
0
There are a few questions I have about a connection I want to make to a shared folder that's on an NTFS volume.  What I wanted to achieve was to have a single, non-admin user account on that target machine to which I only know the password.  The shared folder would give that user account full control while denying full control to all other accounts including administrators.  In other words, if you forget the password, you cannot access the data unless you remove the hard drive itself from the machine.  I would think that this would make it difficult for the likes of Ransomware to encrypt the contents and my backups would be relatively safe.

Next would be to program a backup software to perform nightly backups to this folder.  In this example, I'm using Veeam Endpoint Protection.  The software is programmed with said user account and performs backups nightly.  I'm assuming that while Veeam uses the username and password to open a connection, other programs and users on that originating computer cannot.  In other words, Veeam has a private connection using said credentials.

Is this correct?  Please let me know what you think.
0

Ransomware

246

Solutions

554

Contributors

Ransomware is malicious software, designed to block data access in order to extort money. As a form of malware, ransomware is most often used to infiltrate devices through infected emails or links that, in turn, recognize and take advantage of vulnerabilities in the operating system and installed third-party software.