Ransomware

japster79

Active Member
Joined
Apr 3, 2010
Messages
31
One of my mates' company has been hit with ransomware, and I understand that the mode of infection can come from various methods. I'm curious, is it in any way possible to trace back how the infection happened? Like, was it via email, USB, someone running some illegal copy of software, etc.? Can a person determine from which desktop the breach happened?
 

rustypup

Expert Member
Joined
Jan 28, 2016
Messages
1,035
Not a simple task, especially given the SOP of deleting syslogs once infection is done.

Answer depends on the environment, (single/multi site), perimeter controls, etc.

Do you know which variant is in play here?
 

japster79

Active Member
Joined
Apr 3, 2010
Messages
31
Not a simple task, especially given the SOP of deleting syslogs once infection is done.

Answer depends on the environment, (single/multi site), perimeter controls, etc.

Do you know which variant is in play here?
I do not know which it is. I was just told all the files on the system are grayed out and not accessible, with a text note giving instructions for the decryption, payment, etc.
 

rustypup

Expert Member
Joined
Jan 28, 2016
Messages
1,035
all the files on the system are grayed out
the file extension is unknown

Depending on variant it is possible the decryption key is still memory resident but this is balanced risk as leaving infected boxes online also exposes the rest of the environment.

Here's hoping they have proper DR in place
 

MightyQuin

Honorary Master
Joined
Oct 6, 2010
Messages
17,278
I do not know which it is. I was just told all the files on the system are grayed out and not accessible, with a text note giving instructions for the decryption, payment, etc.
I hope they have proper backups. New crypto version hit over the weekend. NCOV variation I think...
 

Hemps

Honorary Master
Joined
Jan 19, 2009
Messages
10,258
We had ransomware hit a couple of years back. It came in via email as a .pdf but was an .exe; ESET didn't pick it up either.
All firewalls were up and it spread like COVID-19, even got into our backup images, which were not shared openly on the network.

How safe is Linux from these ransomware threats?
 

Mystic Twilight

Expert Member
Joined
Dec 23, 2010
Messages
2,067
We had ransomware hit a couple of years back. It came in via email as a .pdf but was an .exe; ESET didn't pick it up either.
All firewalls were up and it spread like COVID-19, even got into our backup images, which were not shared openly on the network.

How safe is Linux from these ransomware threats?
Fairly safe if the security has been set up properly on access control and executables on the sudo list. What more typically happens is that an infected Windows PC has write access to a Linux-hosted drive (file server, Samba, etc.) and the encryption happens from the Windows client.
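Tracing which desktop did the encrypting in the scenario just described (a Windows client writing to a Samba share) usually comes down to the file server's audit log. The following is an added example, not code from anyone in this thread: it parses constructed Samba vfs_full_audit syslog lines and ranks client machines by extension-changing renames, which is what bulk encryption looks like from the server side. The log field order (user|ip|machine|share|op|ok|args), hostnames and threshold are assumptions.

```python
import os
import re
from collections import defaultdict

# Constructed sample in the shape vfs_full_audit emits with its default
# prefix (user|ip|machine|share) followed by op|ok|args. Assumed format.
SAMPLE_LOG = """\
Mar 2 09:14:01 fs1 smbd_audit: bob|10.0.0.22|DESK-BOB|finance|renameat|ok|report.docx|report_final.docx
Mar 2 09:14:03 fs1 smbd_audit: alice|10.0.0.21|DESK-ALICE|finance|renameat|ok|Q1.xlsx|Q1.xlsx.locked
Mar 2 09:14:03 fs1 smbd_audit: alice|10.0.0.21|DESK-ALICE|finance|renameat|ok|Q2.xlsx|Q2.xlsx.locked
Mar 2 09:14:04 fs1 smbd_audit: alice|10.0.0.21|DESK-ALICE|finance|renameat|ok|budget.pdf|budget.pdf.locked
Mar 2 09:14:04 fs1 smbd_audit: alice|10.0.0.21|DESK-ALICE|finance|renameat|fail|locked.db|locked.db.locked
Mar 2 09:14:05 fs1 smbd_audit: alice|10.0.0.21|DESK-ALICE|finance|renameat|ok|notes.txt|notes.txt.locked
"""

LINE_RE = re.compile(
    r"smbd_audit: (?P<user>[^|]*)\|(?P<ip>[^|]*)\|(?P<machine>[^|]*)\|"
    r"(?P<share>[^|]*)\|(?P<op>[^|]*)\|(?P<ok>[^|]*)\|(?P<args>.*)$"
)

def parse_renames(log_text):
    """Yield (machine, ip, user, share, src, dst) for successful renames only."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["op"] != "renameat" or m["ok"] != "ok":
            continue
        parts = m["args"].split("|")
        if len(parts) < 2:
            continue
        yield m["machine"], m["ip"], m["user"], m["share"], parts[0], parts[1]

def suspicious_clients(log_text, min_renames=3):
    """Return {machine: stats} for clients whose renames changed a file's
    extension at least min_renames times. Ordinary renames that keep the
    extension (report.docx -> report_final.docx) are ignored."""
    stats = defaultdict(lambda: {"ip": None, "users": set(), "shares": set(),
                                 "renames": 0, "new_exts": set()})
    for machine, ip, user, share, src, dst in parse_renames(log_text):
        old_ext = os.path.splitext(src)[1].lower()
        new_ext = os.path.splitext(dst)[1].lower()
        if old_ext == new_ext:
            continue
        s = stats[machine]
        s["ip"] = ip
        s["users"].add(user)
        s["shares"].add(share)
        s["renames"] += 1
        s["new_exts"].add(new_ext)
    return {m: s for m, s in stats.items() if s["renames"] >= min_renames}

if __name__ == "__main__":
    for machine, s in suspicious_clients(SAMPLE_LOG).items():
        print(f"{machine} ({s['ip']}) as {sorted(s['users'])}: "
              f"{s['renames']} renames to {sorted(s['new_exts'])} on {sorted(s['shares'])}")
```

The new extension set is also the quickest way to identify the variant for the decryption-tool search mentioned later in the thread.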
 

Hemps

Honorary Master
Joined
Jan 19, 2009
Messages
10,258
FreeNAS has snapshots, which look interesting.

Need ideas for an offsite backup of our data, stored to a desktop PC at my house.
Work has 20/20Mb fibre, I have 20/5Mb VDSL.
Something like a Debian base, Proxmox 6 running VMs of FreeNAS storing data, ZFS snapshots, and Server 2019 for Active Directory system state restore if needed.
 

|tera|

Master of Messengers
Joined
Mar 31, 2006
Messages
22,550
If you can identify the type of ransomware used, you can look for the decryption tool for it.

 

rog163

Well-Known Member
Joined
Jun 25, 2015
Messages
187
Did he have RDP enabled to his server from the net?
 

Hemps

Honorary Master
Joined
Jan 19, 2009
Messages
10,258
Anyone have FSRM with a blocking list enabled on their servers?

Have you had any issues?
 