  1. #1
    Untangler
    Join Date
    Mar 2011
    Posts
    49

    I was hit with Ransomware!

    Well, after 12 yrs as admin/network guy I have been hit with a ransomware derivative. The files encrypted were on a NAS rack appliance. Users first noticed that when they tried to open a file its type was not recognized. When I was notified I found a text message requesting payment for the decryption key. I am a paid subscriber to the antivirus module but it slipped through, probably as an email attachment.

    Servers were updated with the newest Windows updates on Friday, as well as all user machines. The NAS was the only file system that did not have an update. My fault? Not sure on that; will need to look at the NAS OS, I was under the impression that it was Linux based.

    I'm lucky as my backups are done nightly off site so I am in the process of replacing the encrypted files.

    Here's my process for cleaning it up.
    1) Run Malwarebytes on all servers and user PCs.
    2) Delete all encrypted files from NAS.
    3) Run Windows AV on all systems.
    4) Replace all deleted files from last good backup.

    Recovery is still happening; in retrospect I should have gone to the offsite with a large external drive, pulled the files I needed, then recovered from the external drive. Over VPN is a slow process. Oh well, live and learn.

    Hopefully this helps somebody else.

    What client AV is everybody using? I have always used the Windows Security without issue, perhaps I've just been lucky.

    Thanks.
    Rob

  3. #3
    Master Untangler
    Join Date
    Mar 2009
    Posts
    126


    I have a non-Untangle school that has been caught out on 4 occasions in the past 9 months... They have 2 full time IT staff that have recovered from ransomware by restoring from offsite RSYNC backups on each occasion; one being a 2+TB affair. On each occasion I have put it down to an inevitable combination of staff denial, Outlook MAPI email client and a poor choice of AV vendor... On Tuesday I was reviewing the school's response to last Friday's WannaCrypt outbreak (which they thankfully avoided) and found that despite one member of the team having patched servers, almost all Windows clients had not been patched in months. Further, just over a third of their Windows machines were in one error state or another and so not running or without up to date AV definitions. On enquiring why these essential maintenance tasks are not being done I was told that they need to set up a calendar with events to remind them. Arrgghh - how wrong could I have been!

    Sent from my Nexus 5X using Tapatalk

  4. #4
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    21,804


    I've only ever been hit by one crypto, and the fault was with the VPS host that hosted the two platforms in question.

    They didn't rotate their management account password for three years, it was broken and both machines dropped at the same time. Afterward they tried to tell me they had different passwords on each platform. Now, both platforms have Duo, and the provider doesn't have admin access to my VPSs.

    One desktop was hit once, but the user ran a bad attachment with an AV client that was only 24 hours out of date. Normally not a big deal, but the zero day got him and he didn't report what happened right away because... well... he had brain cancer that was turning off his vision. He literally didn't see the popup, actually died a month later... ugly affair.

    Then when wcrypt launched I did a full audit on everything I support and I found two Hyper-V hosts that hadn't been updating in an extremely long time. So I'm trying to figure out how I missed these events. So I guess if there's a point in here, it's that even the best of us can miss things in routine checkups. I'm not sure what to do about it beyond attempting to be more vigilant in the future.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #5
    Untangler
    Join Date
    Mar 2017
    Posts
    64


    Quote Originally Posted by rhrob
    The files encrypted were on a NAS rack appliance. Users first noticed that when they tried to open a file its type was not recognized. When I was notified I found a text message requesting payment for the decryption key. I am a paid subscriber to the antivirus module but it slipped through, probably as an email attachment.

    Servers were updated with the newest Windows updates on Friday, as well as all user machines. The NAS was the only file system that did not have an update. My fault? Not sure on that; will need to look at the NAS OS, I was under the impression that it was Linux based.
    Just one consideration that usually is not entirely grasped (I'm not saying this is the case): if the NAS had authenticated shares accessible from the users' workstations, then the malware probably ran on one of the PCs that mount those shares; it did not directly hit the NAS. In many instances I saw single-user shares encrypted along with the same users' PC disks.

    doc
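
    The two points above (step 2 of Rob's cleanup, "delete all encrypted files from NAS", and doc's observation that the encrypting process ran on a workstation that mounted the share) both come down to the same triage question: which files on the share are actually encrypted, and which account wrote them? The script below is an added example written for this thread, not code from the thread or from Untangle. It walks a share, flags files whose extension is not on an allowlist and whose content is near-random (Shannon entropy close to 8 bits/byte), and groups the hits by owning account, because on an SMB/NFS share the owner of a newly written file is the session that wrote it, which points at the workstation doc is talking about. The extension allowlist, the entropy threshold, the `.locked` suffix and the whole sample share are constructed for the demo.

```python
"""Post-incident triage of a file share: find likely-encrypted files and
group them by the account that wrote them.

Added example, not from the forum thread. Assumptions (all constructed):
the extension allowlist, the entropy threshold, and the sample share."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: the file types this office normally keeps on the share.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".jpg", ".png"}
# Shannon entropy in bits per byte; ciphertext sits near 8.0, prose near 4-5.
ENTROPY_THRESHOLD = 7.2
SAMPLE_BYTES = 65536  # only the head of each file is read


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path) -> bool:
    """Flag a file whose extension is unfamiliar AND whose content is near-random.

    Caveats: ransomware that keeps the original extension is missed, and a
    compressed archive with an odd extension can be a false positive, so treat
    hits as a review list, not as proof.
    """
    if path.suffix.lower() in KNOWN_EXTENSIONS:
        return False
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def default_owner(path: Path) -> str:
    """Owning account of a file. On an SMB/NFS share this is normally the user
    whose session wrote the file, i.e. the workstation that ran the malware."""
    try:
        return path.owner()
    except (KeyError, NotImplementedError, OSError):
        return "unknown"


def triage_share(root, owner_of=default_owner):
    """Walk `root`; return ([(relative_path, owner), ...], Counter(owner -> hits))."""
    root = Path(root)
    suspects = []
    per_owner = Counter()
    for path in sorted(root.rglob("*")):
        if path.is_file() and looks_encrypted(path):
            owner = owner_of(path)
            suspects.append((path.relative_to(root).as_posix(), owner))
            per_owner[owner] += 1
    return suspects, per_owner


def build_sample_share(base) -> Path:
    """Construct a small share: clean documents, two 'encrypted' files
    (random bytes standing in for ciphertext, with a constructed '.locked'
    suffix) and one plain-text file with an odd extension that must not be flagged."""
    root = Path(base) / "share"
    (root / "finance").mkdir(parents=True)
    (root / "hr").mkdir()
    (root / "finance" / "budget.txt").write_text("Q2 budget line item\n" * 200)
    (root / "finance" / "budget.xlsx.locked").write_bytes(os.urandom(4096))
    (root / "hr" / "handbook.txt").write_text("Welcome to the company.\n" * 100)
    (root / "hr" / "contracts.pdf.locked").write_bytes(os.urandom(4096))
    (root / "hr" / "notes.bak").write_text("plain notes, unusual extension\n" * 50)
    return root


def demo():
    """Build the constructed share in a temp dir and triage it with a constructed
    owner map (finance/ written by alice, hr/ written by bob)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_share(tmp)
        owner_of = lambda p: {"finance": "alice", "hr": "bob"}.get(p.parent.name, "unknown")
        return triage_share(root, owner_of)


if __name__ == "__main__":
    suspects, per_owner = demo()
    for rel, owner in suspects:
        print(f"{owner:<8} {rel}")
    print("hits per owner:", dict(per_owner))
```

    Run against a real mount, `triage_share("/mnt/share")` uses the file owner reported by the filesystem; the per-owner counts tell you whose credentials did the writing, so that workstation is the one to pull off the network and rebuild before restoring from backup. The hit list is what you review before deleting and restoring, not something to act on blindly, since an unusual-but-legitimate archive will score like ciphertext.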

  6. #6
    Untangler
    Join Date
    Mar 2011
    Posts
    49


    Got it. I didn't realize that. It was a fast and furious few hours. I think it's a good time to take a step back and see what went wrong and how to do better, and by the same token what went right. I have been very diligent over the years but this was an eye-opener. If it wasn't picked up by my scan of the email on the UT box, and Windows Security failed on the client machine, how best to approach and purchase an enterprise grade AV? Not sure of the consensus on whether or not any of the well known AVs would have caught it.

    Great input guys. It really is an ongoing learning process.

    R

  7. #7
    Untangler
    Join Date
    Mar 2017
    Posts
    64


    Quote Originally Posted by rhrob
    how best to approach and purchase an enterprise grade AV? Not sure of the consensus on whether or not any of the well known AVs would have caught it.
    IMHO, there's no enterprise grade AV, if you are referring to detection efficacy. The point is that it is extremely easy to code something that eludes AV fingerprints, and almost all AV products do not offer real heuristics or sandbox/VM analysis. If they do, this happens on the host, not during network transfers.

    So the point here is that the first execution should be stopped by the users themselves (awareness). Lateral propagation can be mitigated by configurations, policies and firewalls/appliances.

    The point of AV is to protect from that 9x% of malicious code, known or slightly modified from the known one. The engine Untangle uses is good. You should also have another different engine on the mail/ftp/whatever public servers, and another different one on the private workstations and servers. The key point is redundancy and layered defenses.

    But keep in mind you won't reach 100% detection. Ever.

  8. #8
    Untangle Ninja jcoehoorn's Avatar
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,411


    Thank God you have backups. Here's my philosophy on how to handle an infected system:

    https://superuser.com/a/512901/1304

    As for AV, that's so last gen. You still want it, but even the best AV isn't all that great these days. The Malware Distribution category (and related categories) in the Untangle Web Filter is generally far more effective.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 13.1 to protect 700Mbits for ~400 residential college students and associated staff and faculty

  9. #9
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    21,804


    I disagree with the fundamental premise... that 1% of malware you're worried about can be there whether you know you're infected or not. We're always one drive-by download away from being key-logged. That's why I just fix the machine, because there is no way to be sure whether the box is clean or not. As soon as the thing sees MSN.com, it's suspect.

    Of course the best answer is a snapshotting system pulling the entire station every hour, as a server backup usually does. Get sick? Go back in time to before the infection. But getting customers to fork over money for such a solution is always difficult.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  10. #10
    Master Untangler Kyawa's Avatar
    Join Date
    Dec 2016
    Location
    Maryland
    Posts
    288


    Do these things extend to backup drives if they are connected to your PC?
