  Reply # 1954155 9-Feb-2018 11:16

clinty: Is RDP to the server open to the internet? If so we have had cases of actual people (not bots) getting creds, logging in, disabling the AV, and manually running the ransomware.

Client got hit twice before I figured it out - please, no commenting on why RDP was open, was subject of many conversations with the client.

Clint

This.

I also got hit but fortunately the external drive was so big and the CPU so slow that it only got 25% through the HDD before I noticed it and shut it down. I did every virus scan under the sun and found nothing at all. Confused, I talked to IT guys that do this for a living and they reckoned the same as Clint above. No anti virus is going to stop that.

A recent backup saved my bacon.
  Reply # 1954254 9-Feb-2018 12:48

Hi

So by the sounds of it, it doesn't matter how good the IT department is. Anything has the potential to put ransomware on a server, and all one can do is restore from a backup.

For the moment all workstations are OK. I will look at setting up VPNs, perhaps better than RDP.
  Reply # 1954292 9-Feb-2018 13:00

Ford:

Hi

So by the sounds of it, it doesn't matter how good the IT department is. Anything has the potential to put ransomware on a server, and all one can do is restore from a backup.

For the moment all workstations are OK. I will look at setting up VPNs, perhaps better than RDP.

Kind of, but things can be done to greatly reduce the chances of being impacted, so I wouldn't interpret that as there being no point in trying to protect yourself.
  Reply # 1954358 9-Feb-2018 13:58

For our setups, if customers need RDP access to a server, it's never the main server (we set up a dedicated RDP server), it's almost always a virtual, and recently we have recommended modern anti-ransomware AV tools like Sophos Intercept X and Webroot which can remediate issues once detected.

The biggest threat to RDP we have seen is old users with poor quality passwords. Most of our users change their passwords regularly (6 monthly) and have reasonably secure passwords. We usually set those for them.

FSRM has been effective, but recently we saw FSRM triggered only after most of the files had been encrypted, because instead of going in alphabetical order or such, it went newest files first.
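Added example, not from any poster in the thread: an FSRM file screen of the kind the post above relies on, built with the FileServerResourceManager cmdlets on a Windows file server. The share path and the file-name patterns are placeholders, not values from the page.

```powershell
# Added example (not from the thread): FSRM file screen that raises a Warning
# event when a file matching a ransomware-style name is written under the share.
# Requires the FSRM role: Install-WindowsFeature FS-Resource-Manager
$sharePath = 'D:\Shares'                                    # path to screen (assumption)
$patterns  = @('*.locked', '*.encrypted', '*_readme*.txt')  # constructed sample patterns

# File group listing the names/extensions to watch for.
if (-not (Get-FsrmFileGroup -Name 'Ransomware indicators' -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name 'Ransomware indicators' -IncludePattern $patterns | Out-Null
}

# Notification action: write a Warning to the Application log naming writer and file.
# [Source Io Owner], [Source File Path] and [Server] are FSRM's own substitution variables.
$logAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Ransomware file screen hit: [Source Io Owner] wrote [Source File Path] on [Server]'

# Active screen: the write is refused and the event is raised. Omit -Active for a
# passive, log-only screen. Either way the screen only fires when a *screened* name
# is written into the path, so if the malware renames files only after encrypting
# them, and works newest-first, the first event arrives after the newest data is
# already gone, which is the failure mode the post above describes.
New-FsrmFileScreen -Path $sharePath -IncludeGroup 'Ransomware indicators' `
    -Notification $logAction -Active -Description 'Ransomware indicator screen'
```

The event is what your monitoring should alert on; the screen itself does not stop encryption of files that keep their original names.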
  Reply # 1954621 10-Feb-2018 03:48

Thanks for those.
I'll try some suggestions.
So far the issue still hasn't appeared on the workstations.
But we have backups.
  Reply # 1954646 10-Feb-2018 08:43

Encrypt your backups as well and put them in a hidden share with only admin access.
  Reply # 1954733 10-Feb-2018 11:59

Ford:

Hi

So by the sounds of it, it doesn't matter how good the IT department is. Anything has the potential to put ransomware on a server, and all one can do is restore from a backup.

For the moment all workstations are OK. I will look at setting up VPNs, perhaps better than RDP.

The likely cause is a user has fallen for a phishing scam, or plugged something they shouldn't have into a desktop or server. IT security isn't just an issue for the IT department; it's up to users to be vigilant also. Recommend end users have some cyber security training of some sort so they know what to look for, if they haven't already. Especially Exec and Finance: usually the ones who don't want to do it are the largest target.
  Reply # 1954747 10-Feb-2018 12:05

lNomNoml:

Encrypt your backups as well and put them in a hidden share with only admin access.

I personally wouldn't count on that. Use a proper backup solution rather than hackery. Plenty of cloud offerings or even good old LTO.
  Reply # 1955507 12-Feb-2018 09:14

lxsw20: The likely cause is a user has fallen for a phishing scam, or plugged something they shouldn't have into a desktop or server. IT security isn't just an issue for the IT department; it's up to users to be vigilant also. Recommend end users have some cyber security training of some sort so they know what to look for, if they haven't already. Especially Exec and Finance: usually the ones who don't want to do it are the largest target.

My brother's work got hit twice in a row (saved by backups) - turned out to be the office girl clicking on attachments with gay abandon.
  Reply # 1955563 12-Feb-2018 10:25

tripper1000:

My brother's work got hit twice in a row (saved by backups) - turned out to be the office girl clicking on attachments with gay abandon.

And that's the real issue.
Staffers who are just stupid, or really don't care. That's why it's often the same person getting their workstation infected multiple times.

Even management who know better do get caught: waiting for a DHL/Fedex package & by coincidence get a bogus DHL/Fedex email that they of course click on (that actually happens).
  Reply # 1955582 12-Feb-2018 10:55

We have found that Shadowprotect > NAS unit > offsite NAS unit is very effective.

Key things:

Set up a folder called backups.

Create a user called backup (or similar).

Put those credentials into SP.

Don't connect to the NAS from local workstations using those credentials. If you need to manage the backup files directly, remove the credentials from Windows using net use /delete so there are no ongoing connections from workstations to that share, so an encryptor can't get access to the backup share under any circumstances.

Get decent AV/anti-malware/ransomware remediation software.

Test your backups regularly (restore).
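Added example, not from the thread: a PowerShell check for the "don't connect from workstations" step in the post above. It finds and removes any lingering SMB mapping or cached credential to the backup NAS on a workstation, the scripted form of the net use /delete advice. The host name nas01 and share name backups are assumptions.

```powershell
# Added example (not from the thread): make sure this workstation holds no live
# connection and no saved credential to the backup share, so nothing running as
# the logged-on user can reach the backups. Placeholders: nas01, backups.
$nasHost   = 'nas01'
$backupUnc = "\\$nasHost\backups"

# 1. Drive mappings and UNC connections (what 'net use' would list).
$mappings = Get-SmbMapping -ErrorAction SilentlyContinue |
    Where-Object { $_.RemotePath -like "$backupUnc*" }
foreach ($m in $mappings) {
    Write-Warning "Removing mapping $($m.LocalPath) -> $($m.RemotePath)"
    # Same effect as: net use <drive or UNC> /delete
    if ($m.LocalPath) { Remove-SmbMapping -LocalPath  $m.LocalPath  -Force -UpdateProfile }
    else              { Remove-SmbMapping -RemotePath $m.RemotePath -Force -UpdateProfile }
}

# 2. Credentials cached in Credential Manager, which would let a reconnect to the
#    NAS succeed silently with the backup account even after the mapping is gone.
$cached = cmdkey /list | Where-Object { $_ -match ('^\s*Target:.*' + [regex]::Escape($nasHost)) }
foreach ($line in $cached) {
    # Lines look like "Target: Domain:target=nas01" or "Target: nas01";
    # the target name is the last token after ':' or '='.
    $target = ($line -split '[:=]')[-1].Trim()
    Write-Warning "Deleting stored credential for $target"
    cmdkey "/delete:$target" | Out-Null
}

# 3. Verify: anything still connected means the backup account is exposed here.
$stillOpen = Get-SmbMapping -ErrorAction SilentlyContinue |
    Where-Object { $_.RemotePath -like "$backupUnc*" }
if ($stillOpen) { Write-Warning "Backup share $backupUnc is still connected from this workstation" }
else            { Write-Host "No connections or cached credentials to $backupUnc remain" }
```

Run it as the interactive user whose profile you are checking; mappings and Credential Manager entries are per-user.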
  Reply # 1955822 12-Feb-2018 16:07

One of the big things I don't understand is why organisations are not patching. Very few malware campaigns in general, and that includes ransomware, use fresh 0-days. Most of the vulnerabilities utilised are for things that were patched months or sometimes years ago.
  Reply # 1955884 12-Feb-2018 16:33

Lias:

One of the big things I don't understand is why organisations are not patching. Very few malware campaigns in general, and that includes ransomware, use fresh 0-days. Most of the vulnerabilities utilised are for things that were patched months or sometimes years ago.

Apparently my case was fairly typical of a bunch of schools and businesses in the Auckland area - malware wasn't the cause at all, so patching wouldn't help. It was a rubbish Remote Desktop password that most probably a human used to get in and run a script that they copy/pasted. Anything I could remotely do to my computer, they could do.

It underscored 2 things for me:

1) Use a much stronger Remote Desktop password.

2) I was glad I hadn't saved any passwords in my browser, otherwise they theoretically could have made a bunch of online purchases from ebay/aliX etc.
  Reply # 1955885 12-Feb-2018 16:33

Lias:

One of the big things I don't understand is why organisations are not patching. Very few malware campaigns in general, and that includes ransomware, use fresh 0-days. Most of the vulnerabilities utilised are for things that were patched months or sometimes years ago.

That's a big assumption.
Patched PCs & servers. Pfft, doesn't help.

I've seen plenty of zero day malware, and it gets past fully patched systems.
Plenty of times I've had to wait up to 24 hours for AV to come up with a new sig to detect the zero day malware I'm trying to clean up.

Then there is the malware not detected by anything. Only found via a Mk1 eyeball. Send samples to AV companies & they confirm it's a new, until then unknown, malware.

Click that popup, open that email :-)
  Reply # 1955888 12-Feb-2018 16:41

Lias:

One of the big things I don't understand is why organisations are not patching. Very few malware campaigns in general, and that includes ransomware, use fresh 0-days. Most of the vulnerabilities utilised are for things that were patched months or sometimes years ago.

Most of the time I see this it is because management wants gold-plate testing before putting patches in, but has cut IT staff down to less than the number of people needed to do this, and the remaining staff are too busy fighting other fires to get patching done. For servers it's always after hours too, with gold-plate testing that everything is working again after the patching; normally it's most of a weekend every month if it's a medium-size firm.

Problem is, when the staffing level is right nothing much happens, because the staff have time to put fixes in/patch/upgrade protection/monitor etc. before a bad thing happens, so management thinks they can cut back IT staff during restructuring because nothing bad happens.