Ransomware attacks reported on Windows machines internationally


  1. Posts : 520
    Windows 10
       #10

    Like I said technically it can be easy to block, but office politics and such is always the painful part.


  2. Posts : 34,900
    Win 10 Pro (1903) (2nd PC is 21H2)
       #11

    What are your thoughts on:

    a. a whitelisting program (only 'approved' programs are allowed to run; suitable for systems such as the NHS runs day to day, which always run the same programs)

    b. Cryptoprevent
    CryptoPrevent Malware Prevention Foolish IT

    c. RansomFree by Cybereason
    Ransomware Protection - RansomFree by Cybereason

    (I have these last two installed)


  3. Posts : 7,086
    Windows 10 Pro 64 bit
       #12

    dalchina said:
    What are your thoughts on:

    a. a whitelisting program (only 'approved' programs are allowed to run; suitable for systems such as the NHS runs day to day, which always run the same programs)

    b. Cryptoprevent
    CryptoPrevent Malware Prevention Foolish IT

    c. RansomFree by Cybereason
    Ransomware Protection - RansomFree by Cybereason

    (I have these last two installed)
    How do these programs interact with antivirus software - any problems? RansomFree must be quite uncommon since it is not recognised by Kaspersky Application Advisor.
    Last edited by Steve C; 13 May 2017 at 02:49.


  4. Posts : 3,446
       #13

    What I'd like to know is how they get files encrypted...

    Is UAC the weak link here?
    Let's say one adds a block of random bytes at certain offsets (including the header), not encryption as such, but that altered file needs to be saved in its corrupt state - can that be done as a standard user?

    Edit...
    Yep, of course... I was focusing on system files... which is not the case... need some coffee to wakey, wakey


  5. Posts : 34,900
    Win 10 Pro (1903) (2nd PC is 21H2)
       #14

    Steve C said:
    How do these programs interact with antivirus software - any problems? RansomFree must be quite uncommon since it's not recognised by Kaspersky Application Advisor.
    Hi, no issues with Avast... and I can't speak at all for their effectiveness other than what's on their site... just thought I'd give them a whirl. CryptoPrevent is updated periodically - the commercial version auto-updates. I've had that on my PC for months. The other one I came across recently.

    CryptoPrevent: Does it work? - Anti-Virus, Anti-Malware, and Privacy Software
    Another nice tool is HitmanPro.Alert with CryptoGuard. There is an entire topic devoted to it with questions and answers by an Authorized SurfRight Rep.

    * CryptoGuard prevents your files from being taken hostage

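Superfly's question two posts up (can a standard user save a file back in a corrupted state?) has the answer his edit gives: the user owns the documents, so no elevation is involved, which is why the tools listed in this post watch what gets written rather than who writes it. As an added example, not code from CryptoPrevent, RansomFree or HitmanPro.Alert, the Python below shows the simplest form of that behavioural check: flag a file whose recognisable header has gone and whose bytes are near random. File names, the entropy threshold, the header table and the sample files are constructed for the example.

```python
"""Added example (not code from CryptoPrevent, RansomFree or HitmanPro.Alert):
the simplest form of the behavioural check those tools describe.  A standard
user owns their documents, so nothing stops a process running as that user
from writing them back scrambled; what a monitor can see is the *result*.
File names, thresholds and the sample files are constructed for the example."""
import math
import os
import shutil
import tempfile
from collections import Counter

# Magic bytes of a few formats a monitor would recognise (assumption: a
# real product carries a far larger table and also watches write patterns).
KNOWN_MAGIC = (b"%PDF-", b"PK\x03\x04", b"\xd0\xcf\x11\xe0", b"\x89PNG", b"\xff\xd8\xff")
ENTROPY_THRESHOLD = 7.2   # bits per byte; assumed, tune per environment

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(data: bytes) -> bool:
    """No recognisable header *and* near-random bytes.  Compressed formats
    (zip/docx, png, jpeg) are high-entropy too, hence the header check first."""
    if data.startswith(KNOWN_MAGIC):
        return False
    return shannon_entropy(data) >= ENTROPY_THRESHOLD

def scan_tree(root: str) -> dict:
    """Return {path: 'ok' | 'suspect'} for every regular file under root."""
    verdicts = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                sample = fh.read(64 * 1024)   # header plus first 64 KiB is enough
            verdicts[path] = "suspect" if looks_encrypted(sample) else "ok"
    return verdicts

def demo() -> dict:
    """Constructed tree: a plain-text note, a PDF-like file whose body is
    random (as compressed streams are), and a document overwritten in place
    with random bytes, which any process running as the user can do."""
    root = tempfile.mkdtemp(prefix="rw-demo-")
    try:
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"Minutes of the Monday meeting.\n" * 200)
        with open(os.path.join(root, "report.pdf"), "wb") as fh:
            fh.write(b"%PDF-1.4\n" + os.urandom(4000))
        with open(os.path.join(root, "invoice.docx"), "wb") as fh:
            fh.write(os.urandom(4096))          # "encrypted": header gone
        return {os.path.basename(p): v for p, v in scan_tree(root).items()}
    finally:
        shutil.rmtree(root, ignore_errors=True)

if __name__ == "__main__":
    print(demo())   # invoice.docx -> 'suspect', notes.txt and report.pdf -> 'ok'
```

The header check runs first because a zipped docx or a JPEG is as high-entropy as ciphertext; without it the scanner would flag every photo on the machine. The real products do this on write events in real time and, in RansomFree's case, plant decoy files to catch the first write; a scan after the fact only tells you how much is already gone.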

  6. Posts : 1,983
    Windows 10 x86 14383 Insider Pro and Core 10240
       #15

    This may give some idea how it works, Craig:

    From: The Rise of Locky: Dridex Crew Bets on Ransomware | Invincea
    Anatomy of a Locky Infection


    In Figure 3 below, we show the event timeline from Invincea’s Threat Management console for an attempted Locky infection. In this example, a Microsoft Word document attached to an email with a file name beginning with “invoice” was opened by a user protected by Invincea.

    The weaponized Word document – likely using malicious macro scripts – launched a program to drop and run Locky ransomware. Next, back-up versions of the OS were deleted, and the data was encrypted. Finally, the ransomware instructions were presented to the user and the original Trojan was deleted from the machine to defeat forensic analysis. Of course, none of these actions actually damaged the user’s computer or data because Invincea’s spear-phishing protection was in place.

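The timeline quoted above is also a detection recipe: an Office process spawning something from a user-writable directory, vssadmin deleting the shadow copies, then a cmd.exe self-delete. As an added example, not Invincea's code or anything posted in the thread, here is that chain written as rules over process-creation records. The pipe-separated format, host names and file names are constructed for the example; a Sysmon Event ID 1 export carries the same fields.

```python
"""Added example (not Invincea's code or anything from the thread):
rules for the Locky-style chain in the write-up, run over constructed
process-creation records.  Record format, host names and file names are
the example's own assumptions; Sysmon event 1 carries the same fields."""
from dataclasses import dataclass
from typing import Optional

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

@dataclass
class ProcEvent:
    ts: str
    host: str
    parent: str     # full path of the parent image, lower-cased
    image: str      # full path of the new process image, lower-cased
    cmdline: str

def parse_line(line: str) -> ProcEvent:
    """Constructed format: ts|host|parent_image|image|command_line."""
    ts, host, parent, image, cmdline = line.split("|", 4)
    return ProcEvent(ts, host, parent.lower(), image.lower(), cmdline)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]

def classify(ev: ProcEvent) -> Optional[str]:
    """Map one event to a stage of the described chain, or None."""
    parent, image, cmd = basename(ev.parent), basename(ev.image), ev.cmdline.lower()
    if parent in OFFICE_APPS and (image in SCRIPT_HOSTS
                                  or any(d in ev.image for d in USER_WRITABLE)):
        return "office_spawn"      # the macro launched its dropper
    if image == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
        return "shadow_delete"     # "back-up versions of the OS were deleted"
    if image == "wmic.exe" and "shadowcopy" in cmd and "delete" in cmd:
        return "shadow_delete"
    if image == "cmd.exe" and " del " in cmd and any(sw in cmd for sw in ("/q", "/f")):
        return "self_delete"       # dropper removed "to defeat forensic analysis"
    return None

def detect(lines) -> dict:
    """Per host: 'high' when all three stages are seen, 'medium' for
    Office spawn plus shadow deletion, 'low' for shadow deletion alone."""
    stages = {}
    for line in lines:
        ev = parse_line(line)
        stage = classify(ev)
        if stage:
            stages.setdefault(ev.host, {})[stage] = ev.ts
    alerts = {}
    for host, seen in stages.items():
        if "office_spawn" in seen and "shadow_delete" in seen:
            alerts[host] = "high" if "self_delete" in seen else "medium"
        elif "shadow_delete" in seen:
            alerts[host] = "low"
    return alerts

# Constructed sample: one infected workstation, one doing normal work.
SAMPLE_LOG = [
    r"2017-05-12T09:14:02|WS-017|C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|C:\Users\alice\AppData\Local\Temp\dropped.exe|dropped.exe",
    r"2017-05-12T09:14:05|WS-017|C:\Users\alice\AppData\Local\Temp\dropped.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet",
    r'2017-05-12T09:21:40|WS-017|C:\Users\alice\AppData\Local\Temp\dropped.exe|C:\Windows\System32\cmd.exe|cmd.exe /C del /Q /F "C:\Users\alice\AppData\Local\Temp\dropped.exe"',
    r"2017-05-12T09:30:11|WS-022|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|WINWORD.EXE /n report.docx",
    r"2017-05-12T09:31:00|WS-022|C:\Windows\System32\services.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe list shadows",
]

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))   # {'WS-017': 'high'}
```

Shadow-copy deletion on its own is rare enough on a workstation to be worth a ticket, which is why it scores even without the Office parent. The weak spot of any such rule set is the first stage: a dropper written to a directory not in USER_WRITABLE, or a macro that injects into an existing process instead of spawning one, leaves only the later stages to catch.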

  7. Posts : 3,446
       #16

    Fafhrd said:
    This may give some idea how it works, Craig:

    From: The Rise of Locky: Dridex Crew Bets on Ransomware | Invincea
    Anatomy of a Locky Infection


    In Figure 3 below, we show the event timeline from Invincea’s Threat Management console for an attempted Locky infection. In this example, a Microsoft Word document attached to an email with a file name beginning with “invoice” was opened by a user protected by Invincea.

    The weaponized Word document – likely using malicious macro scripts – launched a program to drop and run Locky ransomware. Next, back-up versions of the OS were deleted, and the data was encrypted. Finally, the ransomware instructions were presented to the user and the original Trojan was deleted from the machine to defeat forensic analysis. Of course, none of these actions actually damaged the user’s computer or data because Invincea’s spear-phishing protection was in place.
    Thanx Faf

    This thing is becoming a real concern.. we need to get to the bottom of it.


  8. Posts : 11,172
    Windows / Linux : Arch Linux
       #17

    Hi there

    @Superfly and @Fafhrd

    Scrambled ASCII text based stuff doesn't need anything like Word Macros etc etc.

    The usual way is to scan / check email attachments -- but that is no good against a LOW TECH attack that doesn't use attachments, macros or anything else in Ms Office or equivalent.

    You can very easily code a binary file into a bog standard ASCII TEXT message so the email server won't recognize say an illegal inbound .exe file or Ms word macros etc.

    Now on the workstation the email message does its nasty business -- it's really a program -- and won't be detected by any virus scanning stuff, and there you are -- it's only a matter of time before the backend database is corrupted to such an extent it becomes inoperable without a restore etc.

    Old XMODEM / YMODEM / ZMODEM protocols for example. Since ASCII compresses down very much, a trick was to convert the file to ASCII and compress it before transmission -- this made for shorter transmission times -- very important back in the days where baud rates were still being used -- 2400 baud (old Hayes modem) was regarded as a state of the art bit of kit!

    It's almost impossible these days to ban emails in a workplace and confidential emails are often transmitted in scrambled form as people don't want this in plain text all over the Internet.

    Unfortunately there is always a fundamental weakness in CLIENT / SERVER systems -- it doesn't matter HOW SECURE the server is because an authorised user will always be allowed to update the real data base from some sort of front end terminal. Most countries have fairly stringent "Data Protection Acts" so if confidential data is being updated on to the backend it's almost impossible to verify the "compliance" of the data without breaking the various laws governing the storage of confidential data.

    In large organisations where you could have several thousands of terminals with all sorts of levels of staff it is virtually impossible to ensure these machines won't get hacked.


    It's not easy solving this stuff -- but a better solution is to use distributed systems rather than central client / server systems -- in fact even the "Dreaded Cloud" would be more effective.

    It will require expense and initiative to bind this all together so people can get data from various sources to get a complete record -- that's where I believe the guys who want to make money in IT will be involved next -- not a trivial problem at all.

    Cheers
    jimbo

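The trick jimbo describes, a binary carried as printable text in the message body so there is no attachment for the gateway to inspect, is exactly what uuencode (the tool of the XMODEM era he mentions) and base64 do. As an added example, not from the thread, the Python below shows what a content filter has to do to see through it: find the candidate blobs in the text, decode them, and check whether a Windows executable falls out. The message, the stand-in executable and the minimum blob size are constructed for the example.

```python
"""Added example (not from the thread): scan the *text* of an email for a
Windows executable carried as printable ASCII, the trick jimbo describes.
Handles base64 and uuencode.  The message and the stand-in executable are
constructed; MIN_BLOB is an assumed threshold."""
import base64
import binascii
import re

# A run of long base64 lines, or a single base64 token, with optional padding.
B64_RUN = re.compile(r"(?:[A-Za-z0-9+/]{20,}\r?\n)*[A-Za-z0-9+/]{4,}={0,2}")
UU_BEGIN = re.compile(r"^begin [0-7]{3,4} (\S+)$", re.M)
MIN_BLOB = 64   # bytes; anything shorter is just a word that happened to decode

def decoded_blobs(text: str):
    """Yield (encoding, filename_or_None, bytes) for each candidate blob."""
    for m in B64_RUN.finditer(text):
        raw = re.sub(r"\s+", "", m.group(0))
        try:
            data = base64.b64decode(raw + "=" * (-len(raw) % 4))
        except binascii.Error:
            continue                     # ordinary words mostly fail here
        if len(data) >= MIN_BLOB:
            yield "base64", None, data
    for m in UU_BEGIN.finditer(text):    # begin <mode> <name> ... end
        chunks = []
        for line in text[m.end():].splitlines()[1:]:
            if line.strip() == "end":
                break
            try:
                chunks.append(binascii.a2b_uu(line))
            except binascii.Error:
                break
        data = b"".join(chunks)
        if len(data) >= MIN_BLOB:
            yield "uuencode", m.group(1), data

def is_pe(data: bytes) -> bool:
    """Windows executable: 'MZ' stub and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def scan_message(text: str):
    """Return (encoding, name, size) for every executable hidden in text."""
    return [(enc, name, len(d)) for enc, name, d in decoded_blobs(text) if is_pe(d)]

def fake_pe() -> bytes:
    """Constructed stand-in: valid MZ/PE signatures and nothing else (256 bytes)."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 0x7C

def sample_message() -> str:
    """Constructed message carrying the same binary twice, once per encoding."""
    body = fake_pe()
    b64 = base64.encodebytes(body).decode()           # 76-column lines
    uu = "begin 644 update.exe\n" + "".join(
        binascii.b2a_uu(body[i:i + 45], backtick=True).decode()
        for i in range(0, len(body), 45)
    ) + "`\nend\n"
    return ("From: accounts@example.invalid\nSubject: invoice\n\n"
            "Hi, the figures are below, just save the block as a file.\n\n"
            + b64 + "\nThe old-style copy as well:\n\n" + uu)

if __name__ == "__main__":
    print(scan_message(sample_message()))
    # [('base64', None, 256), ('uuencode', 'update.exe', 256)]
```

Noise is expected and cheap: every word of four letters or more is tried as base64, nearly all of them fail to decode or produce a few bytes under MIN_BLOB, and only a blob with a real MZ/PE layout is reported. The same decode-then-inspect step is what a mail gateway already does for MIME parts; the gap jimbo points at exists only when the gateway stops at attachment metadata instead of decoding what is in the body.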

  9. Posts : 10,523
    Windows 10 Workstation x64
       #18

    The thing with this hack is it looks like it's being spread by the NSA's EternalBlue hack, which doesn't require a user to run a compromised file on their system; it just hits systems that haven't had the MSFT patch against it that was released a few months back.


  10. Posts : 1,983
    Windows 10 x86 14383 Insider Pro and Core 10240
       #19

    It all depends on what your email client opens the ASCII file with.

    Notepad would just try to send it to the screen and fail to show the binary characters properly.

    If it's your browser, or an email client like Outlook, then anything may happen.

