SIGforum.com    Main Page  Hop To Forum Categories  The Lounge    How to deal with ransomware
eh-TEE-oh-clez
Aeteocles
posted
quote:
Originally posted by mjlennon:

Currently I'm retrieving those audio and video files to an external drive. I'll reinstall Windows 10 Pro tomorrow. I doubt it's possible to reuse licenses for programs such as Adobe Acrobat, Acronis True Image and MS Office. I may simply have to repurchase.


Your software licenses should still work. Older software usually isn't sophisticated enough to phone the license key back to home base and mark it as used; instead it's algorithm-based, and the software just checks if the passkey is the right combination of variable characters.

Newer software, like Windows and Office, is either tied to a user account or tied to the hardware with a digital entitlement. In my 25 years of using computers, and reformatting or building new computers every couple of years, I've never had to repurchase software. I never restore applications from backup; I always install fresh copies.
 
Posts: 13067 | Location: Orange County, California | Registered: May 19, 2002
Member
fvyellowbird
posted
Snip

quote:
Originally posted by ensigmatic:


Or, worse, they run their computers with the Administrator login.


For those of us running as an Admin, what should we be doing? Set up another account without admin rights I'm assuming, anything else? Thanks!



Hell, is other people! J-P S
 
Posts: 1143 | Location: St Simons Island, Georgia USA! | Registered: October 22, 2010
Member
posted
quote:
Originally posted by fvyellowbird:
Snip

quote:
Originally posted by ensigmatic:


Or, worse, they run their computers with the Administrator login.


For those of us running as an Admin, what should we be doing? Set up another account without admin rights I'm assuming, anything else? Thanks!


YES!
 
Posts: 1095 | Location: Fort Worth, Texas | Registered: August 11, 2010
Oh stewardess,
I speak jive.
46and2
posted
quote:
Originally posted by Ronin1069:
quote:
Originally posted by creslin:
Personally if I came home and found my computer in that state.. I'd simply wipe and reload the OS.
Any files that I'm concerned about keeping I have staged on multiple machines and/or in the cloud.

It would merely be an annoyance of a couple of hours while I re-install.

This. 100% this.

Exactly this.

Disconnect computer from internet, clone drive/save data as needed, wipe and reinstall.

I'd be done in an hour or three, and not even one minute would be spent dorking around otherwise. Nothing they can do can stop or thwart this sort of brute-force solution.
 
Posts: 25613 | Registered: March 12, 2004
Nullus Anxietas
ensigmatic
posted
quote:
Originally posted by fvyellowbird:
Snip

quote:
Originally posted by ensigmatic:
Or, worse, they run their computers with the Administrator login.

For those of us running as an Admin, what should we be doing? Set up another account without admin rights I'm assuming, anything else? Thanks!

If you've already been running with Admin rights you must save your files, scrub the machine, reinstall from scratch, then scan the living bejesus out of your saved data before putting it back on the machine.

Then create non-Admin-rights user accounts and restore your data.

Why? Because a machine that's been run by end-users, using it for everyday tasks, including reading email and browsing the web, has a very high probability of being compromised without the user being any the wiser.

The only way to be sure is "nuke and pave."



"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
 
Posts: 26032 | Location: S.E. Michigan | Registered: January 06, 2008
Member
posted
Hard drives today are cheap, as in 1 TB for under 60 dollars cheap. Software to clone hard drives is also inexpensive. BTW, I prefer Acronis and have been using it since 2010 or perhaps a bit earlier.

So, what is a cloned hard drive? It is a 100% EXACT copy of the hard drive in your computer, and it only takes about 45 minutes to clone a hard drive with about 400 GB of data. Once you have the clone safely stored away, if you get hit with ransomware all you do is replace the hard drive in your computer with that clone. If it's a 6-month-old clone you'll have to wait around for 6 months of updates to your software, but once that is done you are back in business with only 6 months of files lost. BTW, that is a hint to clone your primary hard drive at least once a month. If you have come back from a big vacation with a bunch of pictures, then clone your hard drive once you have archived all your pictures.

Now for the hardware needed to clone a hard drive conveniently. I use a Vantec IDE/SATA to USB 3.0 adapter. BTW, it comes with a power supply to provide the 12V needed to operate an internal 3.5 inch HD as a USB drive. Cost for this adapter was something like 30 bucks at Microcenter.

BTW, portable USB drives have also become rather inexpensive. Currently I have a 1TB portable I keep in my camera bag, and that little drive has every single one of my pictures going back to the late 1980s. While I haven't even tried to turn on my Nikon Coolscan in over 10 years, there was a time when I spent every free evening scanning slides and negatives.

Summing it all up, there is no reason today to ever put yourself in a position where you have to pay these criminals one thin dime. So I would advise you not to pay them anything at all. For one, you will be supporting these criminals and encouraging them to continue blackmailing people. In addition, if you do a bit of reading on the net you'll find that in a lot of cases people who do pay up never get their files back.


I've stopped counting.
 
Posts: 5783 | Location: Michigan | Registered: November 07, 2008
Baroque Bloke
Pipe Smoker
posted
quote:
Originally posted by rduckwor:
quote:
For the past year I have used Malwarebytes, to scan for malware once a day (takes about 20 seconds). It's never reported any malware.



I have never seen MalwareBytes report anything either. How in hell do you get it to scan in 20 seconds? Mine takes at least an hour.

RMD

I just click the “Scan” button on the left side of the Malwarebytes control panel. I’m currently running Malwarebytes 3.0.3.433 on my old MacBook Air.



Serious about crackers
 
Posts: 9699 | Location: San Diego | Registered: July 26, 2014
Baroque Bloke
Pipe Smoker
posted
rduckwor - I’ve been trying to figure out why we see such different scan times for Malwarebytes. I run on a MacBook Air. Perhaps you run on a PC? Can’t think of anything else, except software version number. I reported my version in the post immediately above this one.



Serious about crackers
 
Posts: 9699 | Location: San Diego | Registered: July 26, 2014
Member
logrusmaster
posted
RansomWare is truly evil.

Backups, air gap your backups, and keep a copy in one drive. Storage is cheap.

You can have all the AV and all the patches in the world, but if someone comes up with something 'new' it's over before it begins.

The only 'secure' method is, as others have suggested, to create air-gapped backups. In theory a backup in the cloud would probably be 'OK' as well, as long as the infected machine couldn't write to the files in the cloud.

For me there isn't much of anything 'important' on my PC. The photos I care about are on facebook or elsewhere. I might lose a couple of documents but they are probably in my Gmail e-mail archive anyways.

FDisk, format re-install doo dah dooh dah.


-------------------------
If not me then who? If not now then when?
 
Posts: 618 | Location: Earth | Registered: August 15, 2005
I'd rather have luck
than skill any day
mjlennon
posted
I'm back. As it turns out, I had MS OneDrive synchronizing library files, including photos. All is well. Thanks all for your suggestions. I learned a valuable lesson; I hope my experience has illustrated how serious a problem this is. The key is "air gap."
 
Posts: 1859 | Location: Fayetteville, Georgia | Registered: December 08, 2005
Big Stack
posted
This would be something a company in the security business could do, but not likely an individual (unless they have significant skill in the area, and a lot of time.)

Someone should be sniffing for the virus files in the environment and capture them. They must contain both the encryption software and key. If a programmer with enough skill took apart the program, they'd have the key, and be able to sell the service to decrypt the files encrypted by the virus. The mooks who put these things together might use RSA, but I'd be a little surprised (it might be too slow for them.)
 
Posts: 21240 | Registered: November 05, 2003
Truth Seeker
StorminNormin
posted
It sucks what you went through, but I am glad you are able to recover your files on your own. In hindsight, is there anything you opened from an email or download you feel might have installed the ransomware?

I appreciate you posting, as I am changing how I back up after reading this and the suggestions. I have several hard drives in my system, with one for the operating system and then separate drives for documents, media, and an internal backup drive. I have an external 6TB drive everything backs up to, and I also use CrashPlan to back up to the cloud. I keep the external drive plugged in and it backs up new file changes every hour. I now realize I do not have the "air gap," so I have now unplugged the external drive. I will plug it in weekly to do a backup and then unplug it when it is finished and store it in my gun safe.




NRA Benefactor Life Member
 
Posts: 8901 | Location: The Lone Star State | Registered: July 07, 2008
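Added example, not from logrusmaster, StorminNormin or anyone else in this thread: a PowerShell routine for the "plug in, back up, unplug" habit the two posts above describe. `D:\Documents` as the source and `E:` as the external drive are assumptions; adjust them to your layout. It mirrors the folder with robocopy, spot-checks a sample of file hashes on both sides, and then ejects the drive, so the only moment the backup is writable is while the script runs.

```powershell
# Added example (not from any poster in this thread). Assumed paths:
#   $Source = folder to protect, $Drive = the removable backup drive.
$Source = 'D:\Documents'           # assumption
$Drive  = 'E:'                     # assumption
$Dest   = Join-Path $Drive 'Backup\Documents'

if (-not (Test-Path $Drive)) { throw "$Drive is not plugged in; nothing to do." }
New-Item -ItemType Directory -Force -Path (Split-Path $Dest) | Out-Null

# 1. Mirror the folder. /MIR also deletes files on E: that are gone from D:,
#    so if this ever ran on an already-infected machine the encrypted tree
#    would be mirrored too. That is why the drive stays unplugged between
#    runs and why an older copy (or a versioned cloud backup) is kept as well.
robocopy $Source $Dest /MIR /R:2 /W:5 /XJ /NP /LOG+:"$Drive\Backup\robocopy.log" | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit $LASTEXITCODE); check the log." }

# 2. Spot-check: hash a random sample of files on both sides and compare.
$all = @(Get-ChildItem $Source -Recurse -File)
if ($all.Count -eq 0) { throw "No files found under $Source" }
$sample = $all | Get-Random -Count ([Math]::Min(20, $all.Count))
$bad = foreach ($f in $sample) {
    $rel  = $f.FullName.Substring($Source.Length).TrimStart('\')
    $copy = Join-Path $Dest $rel
    if ((Get-FileHash $f.FullName).Hash -ne (Get-FileHash $copy).Hash) { $f.FullName }
}
if ($bad) { throw "Hash mismatch on: $($bad -join ', ')" }

# 3. Eject the volume so nothing can write to it, then pull the cable.
(New-Object -ComObject Shell.Application).NameSpace(17).ParseName($Drive).InvokeVerb('Eject')
Write-Host "Backup verified; $Drive ejected. Unplug it and put it in the safe."
```

Run it once a week from a normal (non-elevated) prompt; robocopy exit codes of 8 or higher mean at least one file failed to copy, which is why the script stops rather than ejecting a drive that only looks complete.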
I'd rather have luck
than skill any day
mjlennon
posted
No, I have no idea how or even when the malware infected the machine. I was not using it at the time it executed.

I typically leave the machine on 24/7. There are times I like to remote access it from my office. My office was not affected, but we are evaluating our procedures there also. For the time being, we're going to do as some others here have recommended and back up to an external drive and disconnect it for safe keeping. Cloud backup for mission-critical files daily. OneDrive, Dropbox, Google, it doesn't matter. It would be best if the process synced automatically. Ensigmatic listed out a rather elaborate backup process at the top of page 2.

1967Goat, who is more knowledgeable than I, noted it's not safe practice to log in with admin privileges or to disable or reduce User Account Control settings below default settings. Yes, it may be an inconvenience sometimes, but it wouldn't allow wholesale encryption.
 
Posts: 1859 | Location: Fayetteville, Georgia | Registered: December 08, 2005
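Added example, not from ensigmatic, mjlennon or anyone else in this thread: a PowerShell script for Windows 10 that does the two things recommended in ensigmatic's "nuke and pave" post and in the post just above, namely creating a separate everyday account that is not an administrator, and confirming that User Account Control has not been turned off or dialled below its default. The account name `daily` is an assumption; the registry values it reads (`EnableLUA`, `ConsentPromptBehaviorAdmin`) are the documented UAC settings. Run it once from an elevated PowerShell, then log in with the new account for mail and browsing.

```powershell
# Added example (not from any poster in this thread).
$Name = 'daily'   # assumed account name; use whatever you like

# 1. Create the account. The password is prompted for and never echoed.
$Password = Read-Host -AsSecureString -Prompt "Password for $Name"
New-LocalUser -Name $Name -Password $Password -FullName 'Everyday use' `
    -Description 'Standard (non-admin) account for mail and browsing' | Out-Null

# 2. Put it in Users only. A member of Users cannot install services or
#    drivers or touch other profiles, which is what limits the blast radius
#    of anything opened from an email or download.
Add-LocalGroupMember -Group 'Users' -Member $Name

# 3. Prove it is NOT an administrator (names come back as COMPUTER\user).
$admins = (Get-LocalGroupMember -Group 'Administrators').Name
if ($admins -like "*\$Name") {
    Write-Warning "$Name is in Administrators; remove it with: Remove-LocalGroupMember -Group Administrators -Member $Name"
} else {
    Write-Host "$Name is a standard user (not in Administrators)."
}

# 4. Check UAC is still on and still prompting.
$uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ($uac.EnableLUA -ne 1) {
    Write-Warning 'UAC is disabled (EnableLUA=0): every process an admin runs gets the full admin token.'
} elseif ($uac.ConsentPromptBehaviorAdmin -eq 0) {
    Write-Warning 'UAC elevates silently for admins (ConsentPromptBehaviorAdmin=0).'
} else {
    Write-Host "UAC on; admin prompt behaviour = $($uac.ConsentPromptBehaviorAdmin) (Windows default is 5)."
}
```

Keep the original administrator account for installs and updates only; the point of the everyday account is that a wholesale encryption run launched from it cannot reach the other profiles or the system volume without a UAC prompt you would have to click through.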
© SIGforum 2024