Ransomware is malicious software, designed to block data access in order to extort money. As a form of malware, ransomware is most often used to infiltrate devices through infected emails or links that, in turn, recognize and take advantage of vulnerabilities in the operating system and installed third-party software.

Hi guys

Could you help me with a few settings please? How to set them up, etc.

- Only computers with the latest updates can log in to our network, via remote access and VPN?
- Should we disable SMBv1 on all computers?
- How to block ports 139 and 445 on the SonicWall?
- How can I block .HTA files from being downloaded?

Thank you
Is there a website / organisation where we can join a newsletter or similar to be notified of the latest Internet risks, like the recent WannaCrypt etc.?

Some kind of a virus / malware / risk alert system. Free or commercial, whatever is best.

The WannaCrypt ransomware: I had to read it in the newspaper, that is not good enough. I want to know, before our clients do.
How do I check a Windows 7 machine to see if it is patched for WannaCry related vulnerabilities?

Is it possible to disable SMBv1 protocol with a group policy?
Hi, the client has Windows Server 2003 running on one server, it's the only server left on this old version. Everything else is 2012 R2. I am unable to do anything about it because the garbage ADP payroll software HandPunch will not run on anything newer.

Given the WannaCry malware issue this weekend, any way to disable SMBv1 on Server 2003? Can't find any guidance on this. It is not a DC, it's a virtualized server that exists solely for running the ADP software, so I'm hoping I can just disable SMBv1 and then go back to the client to talk about how crappy ADP software is.
How to recover files from ransomware?
Hi Experts
After I lost all data to a ransomware attack, I need to know:

1. How can I protect my files from this type of virus?
2. How can I protect my Shadow Volume Copies from being deleted or encrypted?
3. What are the best security policies I need to apply for servers and clients?

Does ransomware lock only the C: drive?

A lot of this course is about backing up,

including the Windows 10 built-in backup.

So if I get ransomware on Windows 10,
all I need to do is click on 'backup program'?
Typically, when ransomware connects out to a C2 server to obtain the private key to begin encryption, does that private key get downloaded onto the victim's computer?

My thoughts are, if it does reside on the victim's computer, wouldn't someone be able to use that to also decrypt the files?
Ransomware seems to go after shadow copies. Is there a way to protect shadow copies from infection?

Today my Exchange server rebooted on its own and on my desktop was a _decrypt_my_files text file:

**all your work and personal files have been encrypted**
buy special software <nemesis decryptor>
https://*.onion.to to get details.

I am hoping this is a hoax, does anyone know of this?
I have a question about .zepto, which I think is a ransomware virus that changes a bunch of pictures on someone's computer to .ZEPTO and gives them an IE icon. I was a bit surprised because I run Deep Freeze on this person's system, locking the OS C: drive partition and having all data on the 2nd partition, which is the F: drive. I installed and ran Kaspersky but it came up 100% clean. Any ideas?
Recently one of our sites suffered a ransomware attack. Luckily we had good image backups and were able to roll back to the previous healthy backup so downtime was only a few hours.

We now want to determine the point of the attack.

The site setup is as follows:

Office with 60 users
2 x host servers in a Hyper-V cluster with 4 VMs
One of the VMs is a 2012 Terminal server
Fortinet Firewall in place
10 users work from outside the office
They have laptops with software VPN on each
They firstly connect to the VPN and then RDP to the TS
ESET AV installed on all machines

Following the attack we checked all internal machines for ransomware - we used Malwarebytes - all machines appear to be clean

We examined the infected terminal server and discovered the following:
A high number of failed login attempts using various different accounts before the attack
Successful login via an AD user called "accounts" that is currently not in use
Within a minute an executable file was downloaded to the downloads folder of this user profile
The following day the wallet ransomware signature was found under this user’s profile

We have kept the terminal server off since the attack.

My question is where is the likely source of the attack? Only VPN traffic is allowed through the firewall. Was the terminal server itself compromised or would it be more likely one of the laptops and in turn the TS?

Any help would be appreciated - thanks

Hi everyone,
I have got a task to do a complete study on ransomware. Can anyone help me get complete details like:
1. What exactly is ransomware?
2. How is it attached?
3. How to prevent it?
4. What exactly does it do?
5. How effective is it?
6. What are the different ways it will attack?
Ransomware is a concern for everyone, and Sophos has come out with this Intercept X product that they claim stops modern exploits, including zero-day and ransomware.

Has anyone had any experience with this product? Can anyone confirm this product's protection from ransomware?

Is it possible to decrypt .wallet ransomware?
We have file extensions of BOXING DAY.xls.id-FCB9A156.[dropped@india.com].wallet
and a ransom note of: If you want to restore your files, write us to dropped@india.com


Hello Experts

I have a DC that was attacked by ransomware, and now all my shortcuts to the administrative tools are files with a .wallet extension. Is there any way to reconstruct the shortcuts?
I have a client with AES-256 ransomware on an SBS 2011 server. What is the best removal procedure/product? I have recovered the data but need to be sure the server is clean. I'm finding very little on this bug.
Hi Experts,

The file extension of all the Office-related files present in one folder has changed to .CFR.
Also the names of the files have been changed. Now they include the original name.original extension_some random number.
Now we are not able to open these files.

What is this .CFR extension?
How should I proceed now?

No ransomware-related mail was received asking for a ransom. Not sure exactly what has happened.

I am looking for someone who has used https://www.eventsentry.com/blog/2016/03/defeating-ransomware-with-eventsentry-auditing.html to protect against ransomware and their experience with it - pros and cons.

Please note that we are not looking for the 'ultimate' protection and we are well aware and practice good backups, complex passwords, AV, etc.  We want to focus very specifically on the merits of the Event Sentry approach to the Ransomware issue as per the link I provided - period.  I write this not to chill free flow of thoughts/feedback but to avoid the often generic responses -  'Your best defense is a good backup', etc. -  that questions like this can end up getting.  Or alternatively - "I have never used the product but I use ...." I am not asking for general anti-Ransomware advice - I am focused in this question on one approach.  Again experience with the product is preferred.  Thanks in advance.
Hey guys,
What's the best defence against ransomware on a remote desktop server? I have a sufficient backup solution in place which will help when we get hit, but I'm thinking more about prevention. What's the best thing to do, or combination?

Currently using Malwarebytes Premium due to its inbuilt ransomware feature.

I have a Windows 10 laptop that has been infected with Osiris Ransomware that identifies the files it encrypts with the extension '.Osiris'

Seems my existing protections didn't detect it before it spread.

I'm very suspicious of the offers to download removal tools, only to find that they detect but do not remove until a payment is made.
I have 5 servers infected with the .wallet virus, which encrypted all system files and files on these servers as per attached. How can I remove this? These servers are using Kaspersky Endpoint Security 10.
Please let me know your experience with ESET AV's effectiveness against ransomware. I used the KnowBe4 RanSim vulnerability test against my Vipre AV and it scored a perfect 10 on the protection.


I ran the same test on ESET AV for Business and it failed all 10 tests. ESET support told us the simulation isn't "fair" since the RanSim application both creates the temporary test folders and files and then performs the simulated crypto attack on them. I don't think that is a "fair" answer. Even MS Windows Defender and an old version of AVG 2013 stopped at least one of the 10 attack methods.

Maybe there are some settings in ESET I'm missing.

Troy Taylor
We just got hit by ransomware.

We are trying to narrow down the time our system was infected.
How long does it take from the time the ransomware gets on the system to the time it makes itself known (when it starts to encrypt files)?
Besides knowb4.com, kindly suggest 2 more good ransomware simulators for Windows?
The RanSim I got from KnowBe4 gives different results when run multiple times against a product, enSilo, on Win 7.

Does company below provide one such good product?

KnowBe4 has a ransomware simulator, but when our enSilo vendor ran it several times against enSilo, it gave a range of ratings from 2 to 10 (out of a perfect 10). enSilo says the simulator is 'inconsistent', or is it the behavioral aspects of enSilo that are inconsistent?

When we test against our McAfee AV, we need to get McAfee to block creation of 80+ extensions/files that ransomware is known to create to get a score of 10/10.

Against a Malwarebytes trial copy (with the realtime/on-access feature on), the score is consistently 4/10.

So based on the above, is it the simulator issue or enSilo?

Does the RanSim simulator truly give a good simulation of ALL current and potential future ransomware attacks?