Ransomware is malicious software, designed to block data access in order to extort money. As a form of malware, ransomware is most often used to infiltrate devices through infected emails or links that, in turn, recognize and take advantage of vulnerabilities in the operating system and installed third-party software.


Dear All,

Please advise the best solution to decrypt the .nm4 extension... We have to decrypt Excel files, which are in a VM on Hyper-V.

Good day,

Is there a device or any technology that prevents users from opening emails with ransomware and infecting the network shares?

I believe tiers of protection help to minimize it, but nothing concrete stops it.

I'm in the process of setting up SSO for users so we can control our internet access. We only want domain users to access the internet, and non-domain users (such as visitors) need to be blocked.

I have read a couple of articles but am still a little unsure which method to use, so here I am asking experts for guidance. I would also appreciate it if someone could write a step-by-step setup guide or an article that I can follow with some screen prints.

Please also point out any "gotchas".

This article says that "Event Log Monitor" has to be installed on all domain controllers, but later it talks about pushing out the SSO client to machines, which is also used for authentication, so I am a bit confused about whether this is needed or not. Please clarify.

And then this video also talks about "Exchange Monitor" for authentication. Do I need all of these options, or will one suffice?

Much appreciated!


Can anyone please tell me step by step how to stop a WatchGuard XTM25 from blocking downloads of EXE files from a server-hosted website (so I need to add an exception as an IP address)?

Many thanks

I know very little about WatchGuards (or really most complex firewalls). I have 2 WatchGuards in location A and location B. Looking at the policies on the main office's WatchGuard, I have 16 rules. I wonder which are needed?

This is an XTM21 (old unit, right?)

It takes a few seconds to go from screen to screen / get the list of firewall policies, etc. 'Retrieving data' is on screen for 9 seconds... There are 16 policies in the list. Is that a long time for pages to load?

a) Do you just replace WatchGuards after x years because they are old?
b) Do you reboot them on a schedule? How often? Every week? Month? Year?

This WatchGuard is set up for: Exchange on the SBS server on the LAN, general surfing from inside the office, VPN to the other location, and phones being able to connect to the Exchange server from outside.

How many rules should those take?

Looking at the policies, I think this is what is set up. I inherited this network, so some may be unneeded / defaults that came with the box?
FTP OUTbound
SMTP (to Any external)
GeneralProxy (From HTTP-proxy to ANY  Trusted)
SMTPtoMailSrv (From ANY to 75.127.x.x->
HTTPtoMAILSrv (From ANY to 75.127.x.x->
POP3toMailsrv (From ANY to 75.127.x.x->
IMAPtoMailsrv (From ANY to 75.127.x.x->
HTTPStoMailsrv (From ANY to 75.127.x.x->
RDPtoMAILsrv (From ANY to 75.127.x.x->
Voicecom mail system (From ANY to 75.127.x.x->
Watchguard …
I have to enable TLS 1.0, 1.1 and 1.2 in Internet Explorer on my laptop before a VPN can connect? How can I change these settings so I don't have to enable them in IE?

Hello Everybody:

I saw a company whose files were affected by the Gryphon ransomware on their Synology NAS, but we need to know which files or user infected the NAS, in order to avoid more infection on the NAS.

Is there any kind of command on the Synology, using an SSH connection or the web interface, to investigate where the infection came from?

Note: We disconnected the NAS from the network to avoid more infection, but we need to find where or which user started the infection.

I had this question after viewing SYSVOL corrupted.

I have a server that was fully corrupted by ransomware without a good restore option available.

I now know I need to rebuild the NETLOGON and SYSVOL shares from scratch and plan to do that per this article:

I also know I need to manually seize the roles and remove the old DC:

The question I have is:

Which to do first? I imagine I need to fix the shares first, as they are required for proper AD operation, though I fear that will fail due to the lingering DC.

Perhaps someone here has done this before?

Thanks in advance,

I had this question after viewing anti virus software protecting against ransom ware.

Is this for a single computer or a network of them?

The best and cheapest protection is a solid regular backup of your system. Windows 10 has built in backup utilities.

I am looking for a product I can put on 4 personal computers (Windows 10, 8, 7) so I can defend my new and old computers.
Not for business use.
What's a good option?

If we get hit with ransomware, I want to have a cloud option in place.

Something not too expensive.

Is there any tool available to decrypt n1n1n1 ransomware?

What is a good antivirus software?

Something that may combat ransomware
on Windows 10.

I have a small network of 5 PCs and a server that is mainly used for sharing data between the users.

I am thinking of a "way" of backing up the data and "be safe" from malware and ransomware.

If I get 2 NAS (the data I am to back up is around 1 TB) and both NAS are configured to back up the data at night,
then in theory I have 3 copies of the data (the original + 2 NAS).
My problem is that in order to be 99.99% safe, once I do a backup (which is at night) I need to disconnect the NAS from the LAN, so that if I get hit in the meantime, my backup is safe.

I need a mechanism whereby once my backup is done, my NAS disconnects from the LAN.

How can I achieve this?
The NAS I have are QNAP (4 bays).


Can someone recommend a safe BitTorrent downloader for Mac OS X Sierra? Previously the user had uTorrent, but Malwarebytes Mac 3 and Trend Micro quarantined it.

I told the user that the 'torrents' are where all the ransomware for Mac seems to originate from, so they have been warned.

We have a few small clients where we have a Netgear FVS 336v3 in place, which is a simple firewall at best. Using Worry-Free 9.0 and moving to Worry-Free 9.5, which (although Trend is not being specific) is "supposed to not allow encryption of 3 files within a 30 second period". I can't get proof of this. Under behavior monitoring in 9.x there are settings to prevent encrypting files; a site of ours, although configured correctly to prevent encryption, was just compromised. Lost about 2000 files (.aes extension). All systems are patched pretty much up to date, with generally a two-week lag (unless there is a serious security vulnerability). We NEED to prevent any future ransomware attacks.
Based on experience, what would be the best practices/enhancements that you guys are using?
Are Trend products not reliable? Do I really need to beef up the firewall to something like a low-end SonicWall for all of them?
They also require IPsec or other means of VPNing in, which is a built-in feature of the FVS336G.
Any suggestions/ideas would be appreciated!
Thanks guys so much!

Hi Experts,

I have a domain server (Windows Server 2012) and two Hyper-V virtual machines running inside the domain server. The other day ransomware attacked my server and most of the files were encrypted. Now I need to reinstall the domain, but there are two virtual machines running inside the domain server. So please advise me how to take a complete Hyper-V virtual machine backup (VHD) and restore it in the DC after reinstallation.

I've been hit with a ransomware attack.
I can still use the computer, but all Word docs have been encrypted.
I can open docs, but they are blank.
Is my only option paying, or can I get these back?
They are requesting over £800.

This question may not make sense at all but would like to still give it a go:

What are the risks to our EMC VMAX SAN from ransomware, and how are the attacks/infections likely to occur?

Our MS Exchange's huge partitions are on the SAN, as well as our servers' database & application partitions. Our PCs/laptops don't use the SAN.

I can see that the largest amount of malware & ransomware being blocked is via our email (in the thousands or tens of thousands monthly), compared to only a hundred or less being blocked by endpoint AV & proxy: so how does this translate to our SAN?

A very unique question from our management.

So how do we mitigate ransomware risks to the SAN? Just by endpoint AV & our email filtering (we use Proofpoint, which reports tons of ransomware & ransomware downloaders being blocked monthly)?

Hi guys

I am setting up a protected Excel password sheet with information regarding our domain passwords, switches, etc. With the issue of ransomware etc. becoming a grander problem by the day, I am now being asked to not only create these protected password sheets on the network, but also in the cloud with providers like LastPass.

Would you or have you done this and feel safe to put your passwords in a vault in the cloud?

Thanks for helping
Hello all
I have many workstations that are similar. And all are on domain.
They are all infected with a virus. Except one.
I would like to clone the good one and overwrite the infected ones, and then run Sysprep on that machine. Any ideas what the best software to do that is, or the best advice you can give?
We can worry about the activation later. How long will they work before the activation pops up and blocks users from working?
We are expecting SCCM to get back up and reimage the machines properly in two weeks. So this is just a quick way to get workstations back up and running.

I am looking at disabling SMB on all our Servers and workstations through a GPO.
Servers being Windows 2012r2, Workstations being Windows 10.

A few questions.
- If you remove this, by design in Windows features, does it cause authentication issues?
- Referring to the TechNet document (attached): when the registry changes take effect through GPO, what actually happens?

The idea is to eliminate risk of Ransomware attacks on our domain.
I am trying to decide whether to disable SMB1 in a few of the domains I manage to protect against WannaCry / Petya copycats.

I have a windows Server 2012 domain with Windows 7 Clients and I also have a SBS2011 domain with windows 10 clients.

I have patched all the clients and servers, so I know my machines are protected against the current outbreaks. Yet most of the advice I am reading still encourages us to disable SMB1 even with the patches installed, perhaps for copycat viruses that may find a way to expose the exploit.

I don't have legacy systems accessing shares, so I don't believe I will have problems there.

What is the view of other people? Should I disable SMB1?

Below is the link I was following to disable it... Is it sufficient to set up the GPOs to disable the SMB client and server on all domain clients and servers?

I've been researching these recent ransomware attacks, but have not found what I'm looking for, maybe because there's so much out there I just haven't gotten to it all. Cutting to the chase ...

I've found that petya encrypts files with certain file types (of course). Does it retain or change the modification time of the encrypted file?

Does either Petya or WannaCry create ransom message files like CryptoWall's HELP_DECRYPT?

Are there any additional indicator files these malware will create on e.g. a shared NAS storage device (versus simply on the infected computer itself).

According to what I've read, this variant uses the Windows Management Instrumentation Command-line (WMIC) interface for lateral movement over SMB (Server Message Block), using the EternalBlue (MS17-010) exploit. Questions:

Is it possible for a pure Linux system which does use CIFS?

Is it possible for Windows workstations peers to infect each other in a system that does use Samba for file sharing on Linux hosted Samba mounts?

Is it possible for this malware to infect Linux workstations?

Can anyone provide some references on more details on Wannacry and Petya?

--more information ...

I found this at https://blog.barracuda.com/2017/06/29/notpetya-both-more-and-less-than-it-seems

A typical NotPetya attack we observed starts its life as an RTF file with a .doc extension attached to an email ... In the RTF attack vector, using a .doc file extension helps ensure that Microsoft …
Hi experts,

I've been asked to design it and present it as to why it needs to be done and implemented. Can someone with experience in this subject advise on how to proceed, what information I need to gather, and what steps/actions need to be taken to secure and protect users/network/workstations from ransomware?

Is MS Windows AV Defender bundled free with Win 10? Any specific version of Win 10 that it comes free with?

Win AV Defender was touted as blocking the execution of Java, VB scripts etc.: does McAfee or Trend Micro do this as well? How does Win AV Defender compare in terms of ransomware protection against other major AV vendors'?

Can Win AV Defender coexist, say, with McAfee AV & the McAfee HIPS agent?

Do we need a separate EPO (just like McAfee) to update Win AV Defender signatures on users' PCs/laptops, or will WSUS do? A few hundred PCs/laptops in our corporate environment don't have Internet access.