New
#10
Like I said technically it can be easy to block, but office politics and such is always the painful part.
Ransomware attacks reported on Windows machines internationally
-
-
New #11
What are your thoughts on:
a. a white listing program (only 'approved' programs are allowed to be run- suitable for systems such as the NHS runs day to day that always run the same programs
b. Cryptoprevent
CryptoPrevent Malware Prevention Foolish IT
c. RansomFree by Cybereason
Ransomware Protection - RansomFree by Cybereason
(I have these last two installed)
-
-
New #13
What I'd like to know is how they get files encrypted...
Is UAC the weak link here?
Lets say one adds a block of random bytes at certain offsets (including the header), not encryption as such, but that altered file needs to be saved in it's corrupt state - can that be done as standard user?
Edit..
Yep, of course... was focusing on system files... which is not the case... need some coffee to wakey, wakey
-
New #14
Hi, no issues with Avast... and I can't speak at all for their effectiveness other than what's on their site... just thought I'd give them a whirl. Cryptoprevent is updated periodically- the commercial version auto-updates. I've had that on my PC for months. The other one I came across recently.
CryptoPrevent: Does it work? - Anti-Virus, Anti-Malware, and Privacy Software
Another nice tool is HitmanPro.Alert with CryptoGuard. There is an entire topic devoted to it with questions any answers by an Authorized SurfRight Rep.
* CryptoGuard prevents your files from being taken hostage
-
New #15
This may give some idea how it works, Craig:
From: The Rise of Locky: Dridex Crew Bets on Ransomware | Invincea
Anatomy of a Locky Infection
In Figure 3 below, we show the event timeline from Invincea’s Threat Management console for an attempted Locky infection. In this example, a Microsoft Word document attached to an email with a file name beginning with “invoice” was opened by a user protected by Invincea.
The weaponized Word document – likely using malicious macro scripts – launched a program to drop and run Locky ransomware. Next, back-up versions of the OS were deleted, and the data was encrypted. Finally, the ransomware instructions were presented to the user and the original Trojan was deleted from the machine to defeat forensic analysis. Of course, none of these actions actually damaged the user’s computer or data because Invincea’s spear-phishing protection was in place.
-
New #16
Thanx FafThis may give some idea how it works, Craig:
From: The Rise of Locky: Dridex Crew Bets on Ransomware | Invincea
Anatomy of a Locky Infection
In Figure 3 below, we show the event timeline from Invincea’s Threat Management console for an attempted Locky infection. In this example, a Microsoft Word document attached to an email with a file name beginning with “invoice” was opened by a user protected by Invincea.
The weaponized Word document – likely using malicious macro scripts – launched a program to drop and run Locky ransomware. Next, back-up versions of the OS were deleted, and the data was encrypted. Finally, the ransomware instructions were presented to the user and the original Trojan was deleted from the machine to defeat forensic analysis. Of course, none of these actions actually damaged the user’s computer or data because Invincea’s spear-phishing protection was in place.
This thing is becoming a real concern.. we need to get to the bottom of it.
-
New #17
Hi there
@Superfly and @Fafhrd
Scrambled ASCII text based stuff doesn't need anything like Word Macros etc etc.
The usual way is to scan / check email attachments -- but that is no good against a LOW TECH attack that doesn't use attachments, macros or anything else in Ms Office or equivalent.
You can very easily code a binary file into a bog standard ASCII TEXT message so the email server won't recognize say an illegal inbound .exe file or Ms word macros etc.
Now on the workstation the email message does it's nasty business -- it's really a program - and won't be detected by any Virus scanning stuff and there you are --it's only a matter of time before the backend database is corrupted to such an extent it becomes inoperable without a restore etc.
Old XMODEM / YMODEM / ZMODEM protocols for example. Since ASCII compresses down very much a trick was to convert the file to ascii and compress it before transmission -- this made for shorter transmission times -- very important back in the days where BAUD rates were still being used -- 2400 BAUD (old Hayes Modem) was regarded as a state of the art bit of kit !!!!!.
It's almost impossible these days to ban emails in a workplace and confidential emails are often transmitted in scrambled form as people don't want this in plain text all over the Internet.
Unfortunately there is always a fundamental weakness in CLIENT / SERVER systems -- it doesn't matter HOW SECURE the server is because an authorised user will always be allowed to update the real data base from some sort of front end terminal. Most countries have fairly stringent "Data Protection Acts" so if confidential data is being updated on to the backend it's almost impossible to verify the "compliance" of the data without breaking the various laws governing the storage of confidential data.
In large organisations where you could have serveral 1000's of terminals with all sorts of levels of staff it is virtually impossible to ensure these machines won't get hacked.
It's not easy solving this stuff -- but a better solution is to use distributed systems rather than central Client / Server systems --in fact even the "Dreaded Cloud" would be more effective.
It will require expense and initiative to bind this all together so people can get data from various sources to get a complete record -- that's where I believe the guys who want to make money in I.T will be involved in next -- not a trivial problem at all.
Cheers
jimbo
-
New #18
The thing with this hack is looks like it's being spread by the NSA's eternal blue hack which doesn't require a user to run a compromised file on their system, it just hits systems that haven't had the MSFT patch against it that was released a few months back.
-
-
New #19
It all depends on what your email client opens the ascii file with.
Notepad would just try to send it to the screen and fail to show the binary characters properly.
If it's your browser, or an email client like outlook, then anything may happen.
Quote
Related Discussions
