Geekzone: technology news, blogs, forums

  Reply # 1954155 9-Feb-2018 11:16

clinty: Is RDP to the server open to the internet? If so, we have had cases of actual people (not bots) getting creds, logging in, disabling the AV, and manually running the ransomware.

Client got hit twice before I figured it out - please, no commenting on why RDP was open; it was the subject of many conversations with the client.

Clint

This.

I also got hit, but fortunately the external drive was so big and the CPU so slow that it only got 25% through the HDD before I noticed it and shut it down. I did every virus scan under the sun and found nothing at all. Confused, I talked to IT guys that do this for a living and they reckoned the same as Clint above. No antivirus is going to stop that.

A recent backup saved my bacon.





  Reply # 1954254 9-Feb-2018 12:48

Hi

So by the sounds of it, it doesn't matter how good the IT department is. Anything has the potential to put ransomware on a server, and all one can do is restore from a backup.

For the moment all workstations are OK. I will look at setting up VPNs; perhaps that's better than RDP.


  Reply # 1954292 9-Feb-2018 13:00

Ford: So by the sounds of it, it doesn't matter how good the IT department is. Anything has the potential to put ransomware on a server, and all one can do is restore from a backup. For the moment all workstations are OK. I will look at setting up VPNs; perhaps that's better than RDP.

Kind of, but things can be done to greatly reduce the chances of being impacted, so I wouldn't interpret that as there being no point in trying to protect yourself.



  Reply # 1954358 9-Feb-2018 13:58

For our setups, if customers need RDP access to a server, it's never the main server (we set up a dedicated RDP server), it's almost always a virtual machine, and recently we have recommended modern anti-ransomware AV tools like Sophos Intercept X and Webroot, which can remediate issues once detected.

The biggest threat to RDP we have seen is old users with poor-quality passwords. Most of our users change their passwords regularly (6 monthly) and have reasonably secure passwords. We usually set those for them.

FSRM has been effective, but recently we saw FSRM triggered only after most of the files had been encrypted, because instead of going alphabetically or such, it went through the newest files first.


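The FSRM approach mentioned in the post above, written out as an added example (this is not the poster's configuration, nor code from the thread). It builds a file group of ransomware artefacts, an active file screen over a data share, and two notification actions: an event-log entry for monitoring and a command action that hands the offending account name to a response script. It also addresses the "newest files first" failure mode the poster describes by keeping a set of canary files that sort first and stay newest, so a screen hit happens early in the walk rather than after the bulk of the share is gone. The share path, group name, extension list, the response script path `C:\FSRM\Respond.ps1` and the canary folder are assumptions; the FSRM cmdlets and the `[Source Io Owner]`/`[Source File Path]` notification variables are standard on a Windows file server with the File Server Resource Manager role.

```powershell
# Added example, not from the thread: FSRM ransomware file screen with an
# early-warning canary folder. Paths, names and the pattern list are assumed.
#Requires -RunAsAdministrator
#Requires -Modules FileServerResourceManager

$SharePath = 'D:\Shares\Company'      # assumed data share to protect
$GroupName = 'Ransomware artefacts'   # assumed FSRM file group name

# 1. File group: extensions and ransom-note names commonly dropped by
#    encryptors. Illustrative only; keep it current from your own intel.
$Patterns = @('*.locky', '*.crypt', '*.encrypted', '*.wncry', '*.cerber',
              '*HELP_DECRYPT*', '*DECRYPT_INSTRUCTION*', '*_README_*.txt')
if (-not (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns | Out-Null
}

# 2. Actions. The event entry gives the SIEM something to alert on; the command
#    action passes the writing account to a response script (assumed path) so the
#    account can be disabled instead of waiting for the next file to be hit.
#    RunLimitInterval throttles the command to once per minute.
$EventAction = New-FsrmAction -Type Event -EventType Warning -Body `
    'Ransomware screen hit: [Source Io Owner] wrote [Source File Path] on [Server]'
$CmdAction = New-FsrmAction -Type Command `
    -Command 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
    -CommandParameters ('-NonInteractive -ExecutionPolicy Bypass -File C:\FSRM\Respond.ps1 ' +
                        '-User "[Source Io Owner]" -File "[Source File Path]"') `
    -SecurityLevel LocalSystem -RunLimitInterval 1

# 3. Active screen: blocks the matching write and fires both actions.
if (-not (Get-FsrmFileScreen -Path $SharePath -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $SharePath -IncludeGroup $GroupName -Active:$true `
        -Notification @($EventAction, $CmdAction) | Out-Null
}

# 4. Canary files for the newest-first traversal the post describes. '!' sorts
#    before letters, so the folder is first alphabetically; touching the files'
#    LastWriteTime on a schedule keeps them first by age too. When an encryptor
#    renames one of them to a screened extension the screen fires before the
#    real data is reached.
$Canary = Join-Path $SharePath '!Canary'
New-Item -ItemType Directory -Path $Canary -Force | Out-Null
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
1..5 | ForEach-Object {
    $f = Join-Path $Canary ('!canary-{0:d2}.docx' -f $_)
    if (-not (Test-Path $f)) {
        $buf = [byte[]]::new(4096)      # random content so it looks worth encrypting
        $rng.GetBytes($buf)
        [IO.File]::WriteAllBytes($f, $buf)
    }
    (Get-Item $f).LastWriteTime = Get-Date   # re-run from a scheduled task
}

Get-FsrmFileScreen -Path $SharePath | Format-List Path, IncludeGroup, Active, Notification
```

Two caveats a practitioner should keep in mind. A file screen matches on the name being written, so a strain that encrypts in place and keeps the original filename, or uses an extension not in the group, produces no hit at all; the canary files are only useful against name-changing strains, and the behavioural AV the poster recommends covers the rest. Run the canary refresh from a scheduled task as an account that is not otherwise used on the share, and make the response script do something that actually stops the writer (disable the account, close its SMB sessions) rather than just email someone.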


  Reply # 1954621 10-Feb-2018 03:48

Thanks for those. I'll try some suggestions. So far the issue still hasn't appeared on the workstations, but we have backups.


  Reply # 1954646 10-Feb-2018 08:43

Encrypt your backups as well and put them in a hidden share with only admin access.



  Reply # 1954733 10-Feb-2018 11:59

Ford: So by the sounds of it, it doesn't matter how good the IT department is. Anything has the potential to put ransomware on a server, and all one can do is restore from a backup. For the moment all workstations are OK. I will look at setting up VPNs; perhaps that's better than RDP.

The likely cause is a user has fallen for a phishing scam, or plugged something they shouldn't have into a desktop or server. IT security isn't just an issue for the IT department; it's up to users to be vigilant also. I recommend end users have some cyber security training of some sort so they know what to look for, if they haven't already. Especially Exec and Finance; usually the ones who don't want to do it are the largest targets.



  Reply # 1954747 10-Feb-2018 12:05

lNomNoml: Encrypt your backups as well and put them in a hidden share with only admin access.

I personally wouldn't count on that. Use a proper backup solution rather than hackery. Plenty of cloud offerings or even good old LTO.



  Reply # 1955507 12-Feb-2018 09:14

lxsw20: The likely cause is a user has fallen for a phishing scam, or plugged something they shouldn't have into a desktop or server. IT security isn't just an issue for the IT department; it's up to users to be vigilant also. I recommend end users have some cyber security training of some sort so they know what to look for, if they haven't already. Especially Exec and Finance; usually the ones who don't want to do it are the largest targets.

My brother's work got hit twice in a row (saved by backups) - turned out to be the office girl clicking on attachments with gay abandon.



  Reply # 1955563 12-Feb-2018 10:25

tripper1000: My brother's work got hit twice in a row (saved by backups) - turned out to be the office girl clicking on attachments with gay abandon.

And that's the real issue. Staffers who are just stupid, or really don't care. That's why it's often the same person getting their workstation infected multiple times.

Even management who know better do get caught: waiting for a DHL/Fedex package and, by coincidence, getting a bogus DHL/Fedex email that they of course click on (that actually happens).


  Reply # 1955582 12-Feb-2018 10:55

We have found that ShadowProtect > NAS unit > offsite NAS unit is very effective.

Key things:

Set up a folder called backups.

Create a user called backup (or similar).

Put those credentials into SP.

Don't connect to the NAS from local workstations using those credentials. If you need to manage the backup files directly, remove the credentials from Windows afterwards using net use /delete, so there are no ongoing connections from workstations to that share and an encryptor can't get access to the backup share under any circumstances.

Get decent AV/anti-malware/ransomware remediation software.

Test your backups regularly (restore).
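The fourth point in the list above is the one that gets undone in practice: someone maps the backup share to fix something, ticks "remember my credentials", and from then on any process running as that user (including an encryptor) can reach the backups. Below is an added example, not the poster's script, of a workstation-side check that finds and optionally removes that standing access: persistent SMB mappings to the NAS (what `net use` would list) and credentials saved in Credential Manager (what `cmdkey /list` shows). The NAS hostname `NAS01` and share name `backups` are assumptions; `Get-SmbMapping`, `Remove-SmbMapping` and `cmdkey` are standard on Windows 8 / Server 2012 and later.

```powershell
# Added example, not from the thread: find and remove standing access from a
# workstation to the backup share. Hostname and share name are assumed.
# Run without -Fix to report, with -Fix to clean up.
#Requires -RunAsAdministrator
param(
    [string]$BackupHost  = 'NAS01',     # assumed backup NAS hostname
    [string]$BackupShare = 'backups',   # assumed share name
    [switch]$Fix
)
$Target = "\\$BackupHost\$BackupShare"

function Get-BackupShareExposure {
    # Persistent drive mappings and UNC connections held by this profile.
    $maps = @(Get-SmbMapping -ErrorAction SilentlyContinue |
              Where-Object { $_.RemotePath -like "\\$BackupHost\*" })

    # Saved credentials: cmdkey prints one "Target: ..." line per entry, e.g.
    # "Target: Domain:target=NAS01". Keep the ones that name the NAS.
    $creds = @(foreach ($line in (cmdkey /list 2>$null)) {
        if ($line -match '^\s*Target:\s*(.+)$') {
            $t = $Matches[1].Trim()
            if ($t -like "*$BackupHost*") { $t }
        }
    })
    [pscustomobject]@{ Mappings = $maps; CachedCredentials = $creds }
}

function Remove-BackupShareExposure {
    param([Parameter(Mandatory)]$Exposure)
    foreach ($m in $Exposure.Mappings) {
        # Equivalent of: net use <path> /delete /y  (-UpdateProfile drops the persistence)
        Remove-SmbMapping -RemotePath $m.RemotePath -Force -UpdateProfile
    }
    foreach ($c in $Exposure.CachedCredentials) {
        # cmdkey lists "Domain:target=NAME"; delete by the bare target name.
        $name = $c -replace '^\w+:target=', ''
        cmdkey /delete:$name | Out-Null
    }
}

$exposure = Get-BackupShareExposure
foreach ($m in $exposure.Mappings) {
    Write-Warning ("Standing connection to backup share: {0} -> {1} ({2})" -f $m.LocalPath, $m.RemotePath, $m.Status)
}
foreach ($c in $exposure.CachedCredentials) {
    Write-Warning "Cached credential for backup host: $c"
}
if ($exposure.Mappings.Count -eq 0 -and $exposure.CachedCredentials.Count -eq 0) {
    Write-Output "No standing access to $Target from this workstation."
} elseif ($Fix) {
    Remove-BackupShareExposure -Exposure $exposure
    Write-Output "Removed standing access to $Target."
}
```

Run it per user profile (mappings and cached credentials are per user), for example as a logon script or scheduled task. Note what it does not cover: the backup server itself still holds the credentials inside the backup product, so if that host is compromised the share is reachable from there. That is why the poster's offsite copy matters, and why the NAS side should limit the share to the backup account and keep its own snapshots that the backup account cannot delete.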


  Reply # 1955822 12-Feb-2018 16:07

One of the big things I don't understand is why organisations are not patching. Very few malware campaigns in general, and that includes ransomware, use fresh 0-days. Most of the vulnerabilities utilised are for things that were patched months or sometimes years ago.




  Reply # 1955884 12-Feb-2018 16:33

Lias: One of the big things I don't understand is why organisations are not patching. Very few malware campaigns in general, and that includes ransomware, use fresh 0-days. Most of the vulnerabilities utilised are for things that were patched months or sometimes years ago.

Apparently my case was fairly typical of a bunch of schools and businesses in the Auckland area - malware wasn't the cause at all, so patching wouldn't have helped. It was a rubbish Remote Desktop password that most probably a human used to get in and run a script that they copy/pasted. Anything I could remotely do to my computer, they could do.

It underscored 2 things for me:

1) Use a much stronger Remote Desktop password.

2) I was glad I hadn't saved any passwords in my browser, otherwise they theoretically could have made a bunch of online purchases from eBay/aliX etc.
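Both this post and clinty's account earlier in the thread describe the same thing: RDP reachable from the internet, a guessable password, and a human at the other end. The following is an added example, not code from either poster, of an audit you can run on the exposed host. It reports the settings that decide whether a weak password alone buys a session (RDP enabled, Network Level Authentication required, account lockout threshold, who is in Remote Desktop Users) and then summarises failed logons from the Security log by source address, which is where a brute-force or password-spray shows up. Event ID 4625, the logon types and the registry paths are standard Windows; the 24-hour window and the 20-failure alert threshold are assumptions.

```powershell
# Added example, not from the thread: audit RDP exposure on a Windows host and
# summarise failed RDP logons by source IP. Thresholds are assumed.
#Requires -RunAsAdministrator

function Get-RdpExposure {
    $ts   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp  = Get-ItemProperty "$ts\WinStations\RDP-Tcp"
    $acct = net accounts                                   # local lockout policy as text
    $m    = $acct | Select-String 'Lockout threshold:\s*(\S+)'
    $lockout = if ($m) { $m.Matches[0].Groups[1].Value } else { 'unknown' }
    $rdpUsers = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name
    [pscustomobject]@{
        RdpEnabled         = ((Get-ItemProperty $ts).fDenyTSConnections -eq 0)
        NlaRequired        = ($tcp.UserAuthentication -eq 1)
        ListeningPort      = $tcp.PortNumber
        LockoutThreshold   = $lockout          # "Never" = unlimited guessing
        RemoteDesktopUsers = @($rdpUsers)
    }
}

function Get-FailedRdpLogons {
    param([int]$Hours = 24, [int]$AlertAt = 20)
    # 4625 = failed logon. LogonType 10 is RemoteInteractive (classic RDP);
    # with NLA the credential check fails before a session exists and commonly
    # appears as LogonType 3 with LogonProcessName NtLmSsp. Other type-3
    # failures (SMB etc.) are excluded by that process-name check.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $isRdp = ($d.LogonType -eq '10') -or
                 ($d.LogonType -eq '3' -and $d.LogonProcessName -eq 'NtLmSsp')
        if ($isRdp) {
            [pscustomobject]@{ Source = $d.IpAddress; User = $d.TargetUserName }
        }
    }
    $rows | Group-Object Source | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            Source     = $_.Name
            Failures   = $_.Count
            Usernames  = (($_.Group.User | Sort-Object -Unique) -join ',')
            Suspicious = ($_.Count -ge $AlertAt)   # many failures from one address
        }
    }
}

$exp = Get-RdpExposure
$exp | Format-List
if ($exp.RdpEnabled -and -not $exp.NlaRequired) {
    Write-Warning 'RDP is enabled without Network Level Authentication.'
}
if ($exp.LockoutThreshold -eq 'Never') {
    Write-Warning 'No account lockout configured: passwords can be guessed indefinitely.'
}
Get-FailedRdpLogons -Hours 24 | Format-Table -AutoSize
```

A long list of distinct usernames from one source is a spray; a long list of failures against one account is a brute force; a single success (4624, LogonType 10) from an address that was failing minutes earlier is the case clinty describes, and is the event to alert on. None of this substitutes for not exposing 3389 at all: put RDP behind the VPN the second poster mentions, or at least restrict the firewall rule to known source addresses.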


  Reply # 1955885 12-Feb-2018 16:33

Lias: One of the big things I don't understand is why organisations are not patching. Very few malware campaigns in general, and that includes ransomware, use fresh 0-days. Most of the vulnerabilities utilised are for things that were patched months or sometimes years ago.

That's a big assumption. Patched PCs and servers? Pfft, doesn't help.

I've seen plenty of zero-day malware, and it gets past fully patched systems. Plenty of times I've had to wait up to 24 hours for AV to come up with a new sig to detect the zero-day malware I'm trying to clean up.

Then there is the malware not detected by anything, only found via a Mk1 eyeball. Send samples to AV companies and they confirm it's new, until then unknown, malware.

Click that popup, open that email :-)



  Reply # 1955888 12-Feb-2018 16:41

Lias: One of the big things I don't understand is why organisations are not patching. Very few malware campaigns in general, and that includes ransomware, use fresh 0-days. Most of the vulnerabilities utilised are for things that were patched months or sometimes years ago.

Most of the time I see this, it's because management wants gold-plated testing before putting patches in but has cut IT staff down to fewer than the number of people needed to do it, so the staff remaining are too busy fighting other fires to get patching done. For servers it's always after hours too, with gold-plated testing that everything is working again after the patching; normally it's most of a weekend every month if it's a medium-sized firm.

Problem is, when the staffing level is right, nothing much happens, because the staff have time to put fixes in, patch, upgrade protection, monitor etc. before bad things happen, so management thinks they can cut back on IT staff during restructuring because nothing bad happens.

