How does ransomware get onto a PC?

This sounds like the only reasonable explanation.

It's possible it downloaded an infected file via the updates. If the AV is expired and not updating, then it is also as good as useless.

Are the encrypted files only on dropbox or on the local drive as well?

Hope you have already done all the standard things like running a full AV scan (make sure it's updated), making sure all the OS and applications are fully patched, and changing passwords. Also make sure the firmware on routers and other network devices is up to date.

Though if it was infected with ransomware I would format and re-install. Also check that nothing has spread to any other devices (if there are any).
The entire machine is encrypted.

The software in question needs full admin access.

I have done full virus scans as well as Malwarebytes scans on all other PCs connected to the network and that shared a folder with that PC on Dropbox. Everything else came up clean.

Is there anything else we should do?
Have you enabled remote desktop and allowed access to it from the internet?
Yes, but only one user has access and that had a strong password. Further, I used a totally random external port when setting up port forwarding.
 
Yes, but only one user has access and that had a strong password. Further, I used a totally random external port when setting up port forwarding.
That may well be it then. The random port, and the fact that a vulnerable Windows 7 machine was behind it, would be easily discovered and exploited. Hackers automate that sort of thing, so there's no security through obscurity there.
 
I have done full virus scans as well as Malwarebytes scans on all other PCs connected to the network and that shared a folder with that PC on Dropbox. Everything else came up clean.

Is there anything else we should do?
Is the machine accessible from the internet? Does it have any ports forwarded to it?

I'd double check your router config just in case anyone has gotten remote access to it and set up port forwarding. Also change the password on it. (And make sure it's up to date with firmware.)
 
I did check my router, nothing strange going on there. There was one port forwarded to the machine for remote desktop.

I have recently updated the firmware on it so I'm comfortable with the security there.


So we are sitting with two possible scenarios:

Either the machine was compromised by a Remote Desktop attack, or the software update contained the ransomware.


The timing makes me lean toward the software update, but it's impossible to rule out the other.

Thanks for the info. I'm comfortable now.

The company in question has been employing some dirty tricks on us as a business since we stopped doing business with them, like trying to claim or close our Google page, trying to claim our Facebook page, spamming community edits that we are permanently closed, some bad reviews (that I thankfully managed to have removed). I have no concrete proof it's them, but I know it is.
 
There was one port forwarded to the machine for remote desktop.
This is a very bad idea. Remote Desktop open to the world is asking for trouble. It's possible they managed to get remote access to the desktop by brute forcing the password, or maybe they got it via phishing. (Or there is a Windows RDP exploit that gives privileged access.)

I'd remove Remote Desktop ASAP. If absolutely needed, then set up a site-to-site VPN and use Remote Desktop over the VPN.
Failing that, if no VPN is available, then lock down the Remote Desktop IP to the source IP of the company that needs to connect to it. Hopefully your router can do basic firewall rules; if not, get another router.
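One concrete way to apply the lock-down advised above on a Windows 10/11 host (the OP later says the Windows 7 box is gone and the remaining machines are Win10/11). This is an added example, not code from any poster in this thread. The trusted address and the rule name are placeholders: replace the IP with the static public address of the office that needs to connect, or with the VPN/overlay subnet once one is in place.

```powershell
# Added example, not from the thread: restrict inbound RDP on a Windows 10/11 host to one
# trusted source address and enforce NLA, instead of leaving 3389 open to the whole internet.
# Run in an elevated PowerShell. The address below is a placeholder (ASSUMPTION): replace it
# with the static public IP, or the VPN/overlay subnet, of the site that needs to connect.
$TrustedSource = '203.0.113.10'
$RuleName      = 'RDP - trusted source only'

# 1. Keep RDP enabled (it is part of the OP's workflow) but require Network Level
#    Authentication and TLS, so an unauthenticated client never reaches the logon screen.
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name fDenyTSConnections -Value 0
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty $rdpTcp -Name UserAuthentication -Value 1   # NLA on
Set-ItemProperty $rdpTcp -Name SecurityLayer       -Value 2   # TLS, not legacy RDP security

# 2. Disable the built-in "Remote Desktop" rule group, which allows 3389 from any address
#    (TCP and UDP). RDP falls back to TCP when UDP is blocked, so only TCP is re-opened below.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule

# 3. Add a single allow rule scoped to the trusted source. With the inbound default set to
#    Block, anything not matching this rule (i.e. the rest of the internet) is dropped.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow -Profile Any `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $TrustedSource | Out-Null
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 4. Slow down password guessing in case the source restriction is ever loosened again.
net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30 | Out-Null

# 5. Verify: the only enabled rule that opens 3389 should be ours, scoped to $TrustedSource.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule | Where-Object Enabled -eq 'True' |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        '{0,-30} remote={1}' -f $_.DisplayName, ($addr -join ',')
    }

# 6. Review who is allowed to log on over RDP at all; remove anyone who does not need it.
Get-LocalGroupMember -Group 'Remote Desktop Users'
```

The host firewall is the second line of defence here: the router's port forward should still be restricted to the same source address (or removed once a VPN or overlay network is in place), because step 3 only protects this one machine, not the rest of the LAN.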
 
To the OP, did you have RDP exposed to the internet?
 
Have you enabled remote desktop and allowed access to it from the internet?

Like I asked: was Remote Desktop enabled? As you confirmed, yes. That's how it happened. I hope you switched it off.
 
This is a very bad idea. Remote Desktop open to the world is asking for trouble. It's possible they managed to get remote access to the desktop by brute forcing the password, or maybe they got it via phishing. (Or there is a Windows RDP exploit that gives privileged access.)

I'd remove Remote Desktop ASAP. If absolutely needed, then set up a site-to-site VPN and use Remote Desktop over the VPN.
Failing that, if no VPN is available, then lock down the Remote Desktop IP to the source IP of the company that needs to connect to it. Hopefully your router can do basic firewall rules; if not, get another router.
The password was a randomly generated 10-character password from Bitwarden, so I doubt it was brute forced. I would expect an exploit rather than that.

I'll have a look at the security of RDP and other options; RD is part of our workflow. I didn't realise it was such a security risk. I still doubt it was the method though.
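Whether an exposed RDP service was being brute forced is something the Security event log can answer directly, rather than being argued from the password length. The following is an added example, not from any poster in this thread, for the Windows 10/11 machines that are still running (the encrypted machine has been wiped, so its log is gone). It assumes the local Security log has not been cleared; the function and variable names are the example's own.

```powershell
# Added example, not from the thread: count failed RDP logons in the Security log so a
# "was it brute forced?" question is answered from evidence rather than a gut feeling.
# Run elevated on the host that had RDP exposed. Event 4625 = "An account failed to log on".
# ASSUMPTION: the local Security log is intact and covers the period of interest.
function Get-RdpLogonFailures {
    param([int]$MaxEvents = 20000, [datetime]$Since = (Get-Date).AddDays(-7))

    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The interesting fields live in EventData; pull them out of the XML by name.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            # LogonType 10 = RemoteInteractive (classic RDP logon screen). With NLA enabled the
            # failure happens inside CredSSP and is logged as LogonType 3 (network), often with
            # IpAddress '-', so both types are kept. Type 3 also covers SMB and other network
            # logons, so treat it as "includes RDP", not "is RDP".
            if ($data.LogonType -in '10', '3') {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    LogonType = $data.LogonType
                    User      = $data.TargetUserName
                    SourceIP  = $data.IpAddress
                    SubStatus = $data.SubStatus   # 0xC0000064 = no such user, 0xC000006A = bad password
                }
            }
        }
}

$failures = Get-RdpLogonFailures

# Attempts per source address: a few IPs with hundreds of tries each is a brute-force or
# password-spray pattern; many distinct usernames from one IP is the same thing seen by account.
$failures | Group-Object SourceIP | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name

# Distinct usernames tried from the busiest source (0xC0000064 sub-status = guessed names).
$top = ($failures | Group-Object SourceIP | Sort-Object Count -Descending |
        Select-Object -First 1).Name
$failures | Where-Object SourceIP -eq $top | Group-Object User | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name, @{ n = 'SubStatus'; e = { ($_.Group.SubStatus | Select-Object -Unique) -join ',' } }
```

A random 10-character password makes a successful online guess unlikely, but the log shows whether guessing was even happening, and a flood of 4625 events from a handful of addresses against an internet-facing 3389 is the normal picture for a forwarded RDP port, random external port or not.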
 
Have a look at the BlueKeep vulnerability for Windows 7 RDP. Perhaps change the standard RDP port to something else if it is a necessity. Windows 7 is long done, friend; time to upgrade or shut down.
 
The password was a randomly generated 10-character password from Bitwarden, so I doubt it was brute forced. I would expect an exploit rather than that.

I'll have a look at the security of RDP and other options; RD is part of our workflow. I didn't realise it was such a security risk. I still doubt it was the method though.

99% it was due to RDP being exposed to the internet. I've seen this exact thing happen before. As mentioned by others, best to use a VPN. If not, then change the RDP port from 3389 to another port, but "hackers" will pick this up eventually and you will get "penetrated again" :sneaky:
 
Have a look at the BlueKeep vulnerability for Windows 7 RDP. Perhaps change the standard RDP port to something else if it is a necessity. Windows 7 is long done, friend; time to upgrade or shut down.
This one comes to mind as well - very possible it was a BlueKeep exploit.

As the poster above said, you can change the port, but that's pointless at the end of the day. Their scanner will eventually pick up the new port.
Bottom line... don't expose an EOL system to the internet.
 
Thanks for the input guys, I'll go with that.

RDP is a huge part of our workflow simply because it logs the user out of the target PC, making sure that there is no one watching what you do on the other side. I think AnyDesk can do the same but I don't really want to pay for it.
The other option is to set up a VPN between locations and connect directly to the DB, but I don't know jacksht about doing that.
 
If this POS system is on Windows 7 and reachable by other machines on the same network, getting ransomwared, or worse, is only a matter of time TBH.

You could harden the POS Windows 7 instance by shutting down all non-essential services and stopping their ports from being available over the LAN. Only enable the ports required by the POS system.
 
This is a very bad idea. Remote Desktop open to the world is asking for trouble. It's possible they managed to get remote access to the desktop by brute forcing the password, or maybe they got it via phishing. (Or there is a Windows RDP exploit that gives privileged access.)

I'd remove Remote Desktop ASAP. If absolutely needed, then set up a site-to-site VPN and use Remote Desktop over the VPN.
Failing that, if no VPN is available, then lock down the Remote Desktop IP to the source IP of the company that needs to connect to it. Hopefully your router can do basic firewall rules; if not, get another router.

Or you can use ZeroTier or Tailscale when using RDP rather than exposing the PC to the internet.

Been using this for a year now, works perfectly, and it's set up so that only authenticated users can log in.
 
If this POS system is on Windows 7 and reachable by other machines on the same network, getting ransomwared, or worse, is only a matter of time TBH.

You could harden the POS Windows 7 instance by shutting down all non-essential services and stopping their ports from being available over the LAN. Only enable the ports required by the POS system.

Eh, it's gone now and it's not that important. I think it's more important to secure the current PCs (Win10/11).
 
Thanks for the input guys, I'll go with that.

RDP is a huge part of our workflow simply because it logs the user out of the target PC, making sure that there is no one watching what you do on the other side. I think AnyDesk can do the same but I don't really want to pay for it.
The other option is to set up a VPN between locations and connect directly to the DB, but I don't know jacksht about doing that.

Use ZeroTier, add all PCs to that account and log in using RDP the usual way. Make sure that it is set as a private account on ZeroTier.

Edit: ZeroTier is like a VPN but P2P, with no need to port forward or expose anything to the internet.
 
Ok, so the only things I have exposed to the internet are the RD clients (not for long) and my CCTV DVR.

Is the DVR a potential security risk? I need to be able to access that from my phone.
 