Ransomware
- David Root
- Posts: 3540
- Joined: Fri Aug 04, 2006 3:00 pm
- Location: Chilliwack BC
Ransomware
I have run into this twice in the last few weeks, both from the same source. (It displays the same contact phone #). In both cases an immediate manual power down was effective, but I am wondering how this stuff gets past my malware protection, and what else I might do to prevent it.
I have Malwarebytes Premium and Malwarebytes Anti-Exploit, and am using the Windows 10 antivirus. I've found both Malwarebytes software to be generally very effective otherwise.
You computer gurus out there have any tips?
When I was a boy I was told that anyone could become President. I`m beginning to believe it--Clarence Darrow
Re: Ransomware
Take a look at AVIRA ;^)
Re: Ransomware
I don't know if it will help, but I don't think it will hurt anything. Get the free ccleaner. Get it directly from the Piriform site and not anywhere else http://www.piriform.com/ccleaner/download?upgrade
Allow it to do a general cleaning. Before you do it, make sure you know web addresses, logins, and passwords, as these may get wiped in the process. When it's done, allow it to clean the registry. In my experience, the tool is harmless, but sometimes helpful. This could take a while or not depending on the amount of clutter.
After updating Windows Defender, you might unplug from the internet (physically unplug the cable or power down the wifi or both), disable MalwareBytes, and allow Defender to scan your machine, probably overnight, for a full scan. It might find something.
I am thinking you have a cookie, something cached, and/or possibly a registry entry that is allowing the problem past your blockade. Ccleaner should get rid of it/them. Those ransomware people are smart. Once they get a foothold, they won't let up until they get you, so you might be wise to do more than use one brand of defense.
All of this stuff is free.
Re: Ransomware
and what else I might do to prevent it.
Turn off javascript and cookies in your browser.
Re: Ransomware
It appears that you may have run into a fake ransomware infestation if an immediate power down avoided the problem. The serious ransomwares will go and encrypt your files *first* then lock the machine and tell you that you're toast.
That doesn't help much, though. If you have even that, something has slipped through your shields, which means that the shields are not good enough. 68 is right - turn off javascript and cookies in your browser and only selectively allow javascript. "Noscript" is good for this.
And Phil is right - get a good antivirus. I stopped trusting the Windows provided safety net about 15 years ago. Go get an "internet security suite" that is updated often, even daily, and live with the interference it causes. It's much less interference than having 100% of your machine's files gone, instantly.
And finally, implement the only really good protection for ransomware: backups. You need to be backing up your machine regularly, and must do it to a backup store that is NOT writeable from the machine as an attached drive. New ransomware looks for and encrypts attached drives. I use a backup server in the closet that does incremental backups as write-once, read-only after that, so only the current incremental can be overwritten, not the history. They can only affect the current overwrite.
Expensive? Yes. But IMHO, not as expensive as instantly losing all your files, and probably not more expensive than paying even one ransom, which may or may not get your files back.
Re: Ransomware
No one should live without backups. There's no excuse. People are getting free cloud space and USB 3.0 large hard drives are now well under $100. You don't need a server in the closet ;-} but it's a great idea if you've got what you need lying around doing nothing. Heck, buy 2 USB drives and swap them every day. The ransomware can't get to the unplugged drive. Just make sure the USB drive has an image. While not hassle free, the image is the shortest route to a full restore.
Here...$60 US, comes in your choice of 6 colors! http://www.tigerdirect.com/applications ... &CatId=136
or this, same price, 4 colors available. http://www.tigerdirect.com/applications ... &CatId=136
Re: Ransomware
Well, if you know me, you know that anything worth doing is worth over-doing.
I have a number of computers here at El Rancho, and being able to back them all up automatically, in the background is the only way I can get it done. I'm also paranoi... er, very cautious about security because of some early experiences in my day job. So for me, the server in the closet made sense.
For more normal people, you're dead right - go get a pluggable disk drive and do backups.
There are some issues with ransomware and pluggable drives, as the steady improvement of ransomware has led to versions that look for network drives, whether named drives, or just network connected, and encrypt those drives first, before they start on the local computer. This is obviously to give the malware a chance to lock you out of backups, too.
The trick with defeating ransomware is to have a backup that the ransomware can't get to and encrypt. In my case, the backups are network connected, but are themselves automatically backed up to a second tier of incremental backups that are held as read only by a non-windows, non-apple, non-linux operating system. Once made, an incremental backup is both small, and not encryptable by outside network connected software.
I did mention that I'm not entirely normal about this, right?
But back at backups, you really need at least two backups to get around ransomware. You need your normal, day to day backup that saves you from dying power supplies, lightning, and the vagaries of the power line. Then you need a backup that is older - before the ransomware started encrypting things, and not network or USB, eSATA, etc. connected where the ransomware can get at it. That obviously means that you have to not connect the ransomware-proof older backup at a bad time, when the ransomware is in the middle of corrupting your files.
So some care is needed, and some thought. Ransomware has the potential to suddenly destroy all your computer history, and it is intensely profitable to the malware world, as well as being a small-victim crime, so that the larger resources of the enforcement world can't be effectively focused on it. Ransomware will get better and better at finding your files and holding you hostage. I'm in a situation where I would think of that as a personal disaster, perhaps on a par with a house fire. So I'm not entirely sane about this - to the point of using hardened backups off-site where even fires can't get at them.
... wha? Oh. Sorry. I feel better now. I'll shut up.
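The "write-once, read-only after that" backup tier described in the two posts above, and the point that the day-to-day backup can itself get encrypted, can be modelled in a few dozen lines. The script below is an added illustration, not code from anyone in this thread: a content-addressed store where existing objects are never rewritten, so a client that "overwrites" a file only adds a new object and a new snapshot manifest, and history before the infection stays restorable. It also flags a snapshot in which most of the changed files suddenly look like random bytes, which is what a run of freshly encrypted files looks like. The file names, contents, the attacker key and the `simulate_ransomware` stand-in are all constructed for the example.

```python
"""Append-only snapshot store with an entropy check on incoming changes.
Added example for the thread; names, file contents and thresholds are
assumptions made up for the demonstration, not anyone's real setup."""
import hashlib
import math
from collections import Counter


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Encrypted or random data approaches 8.0; text sits
    around 4-5, and the constructed WAV-like stand-in below is far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def simulate_ransomware(data: bytes, key: bytes) -> bytes:
    """Stand-in for an attacker's file encryption: XOR with a SHA-256 derived
    keystream. Deterministic so the example is reproducible; not a real cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


class AppendOnlyStore:
    """Objects are keyed by their hash and never replaced; snapshots are
    immutable manifests mapping path -> object hash. Nothing a client sends
    can modify an object or a manifest that already exists."""

    def __init__(self):
        self.objects: dict[str, bytes] = {}
        self.snapshots: list[dict[str, str]] = []

    def put_object(self, data: bytes) -> str:
        key = sha256(data)
        if key not in self.objects:      # write-once: existing keys are left alone
            self.objects[key] = data
        return key

    def commit(self, files: dict[str, bytes],
               entropy_threshold: float = 7.0, flag_ratio: float = 0.5) -> tuple[int, bool]:
        """Store a snapshot. Returns (snapshot_id, suspicious), where suspicious
        means at least flag_ratio of the files that changed since the previous
        snapshot have near-random content (assumed heuristic thresholds)."""
        prev = self.snapshots[-1] if self.snapshots else {}
        manifest, changed, high_entropy = {}, 0, 0
        for path, data in files.items():
            key = self.put_object(data)
            manifest[path] = key
            if prev.get(path) != key:
                changed += 1
                if shannon_entropy(data) > entropy_threshold:
                    high_entropy += 1
        self.snapshots.append(manifest)
        suspicious = changed > 0 and high_entropy / changed >= flag_ratio
        return len(self.snapshots) - 1, suspicious

    def restore(self, snapshot_id: int) -> dict[str, bytes]:
        return {p: self.objects[k] for p, k in self.snapshots[snapshot_id].items()}


# Constructed sample "disk": a text file and a low-entropy audio-like file.
CLEAN = {
    "docs/notes.txt": b"Quarterly notes: backups verified, drive swapped.\n" * 80,
    "music/take1.wav": b"RIFF" + b"\x00\x01" * 2048,
}


def demo() -> dict:
    """Day 1: clean backup. Day 2: a normal edit. Day 3: ransomware has
    encrypted everything and the backup job dutifully uploads it."""
    store = AppendOnlyStore()
    day1, flag1 = store.commit(CLEAN)
    edited = dict(CLEAN)
    edited["docs/notes.txt"] += b"Added a line on Tuesday.\n"
    day2, flag2 = store.commit(edited)
    encrypted = {p: simulate_ransomware(d, b"attacker-key") for p, d in edited.items()}
    day3, flag3 = store.commit(encrypted)
    return {
        "flags": (flag1, flag2, flag3),               # only day 3 is flagged
        "restored_matches_day2": store.restore(day2) == edited,
        "day3_is_encrypted": store.restore(day3) == encrypted,
        "objects": len(store.objects),                # 2 + 1 + 2: nothing overwritten
    }


if __name__ == "__main__":
    print(demo())
```

The property that matters is in `put_object` and `commit`: the machine being backed up can only append, so the snapshot taken before the infection survives no matter what the client sends afterwards, and the restore comes from that older snapshot rather than from "the current overwrite". Real setups get the same guarantee from a pull-based backup server, filesystem snapshots the client cannot delete, or object storage with retention locks. The entropy flag is a heuristic only: compressed media, archives and already-encrypted files also score near 8.0, so use it to alert a human and pause retention, not to silently drop the snapshot.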
Re: Ransomware
A must have PC accessory is a USB stick with windows 10 bootable on it.
You can download the creation program free from Microsoft.
John
Do not limit yourself to what others think is reasonable or possible.
www.johnchristou.com
Re: Ransomware
R.G. might have the safest plan. That said, I have WD 4TB Cloud Drive that connects via wifi. I keep it turned off 99% of the time but typically turn it on once a month to update stored parts of my various HDs. This would be my entire C Drive, Music, Photos, and DAW software programs. This works for me and the WD Cloud was on sale at Best Buy for $60. It connects via an ethernet port from the device to the router and I have a wi-fi interface on my computer.
I also have an external WD 1T Passport that I typically keep turned off but turn on to externally update my DAW recordings and whatever else when necessary.
I hate dealing with these precautions but I visited a friend who had been hit by a ransom virus a few years (maybe 2?) back and it was not pretty. The only fix was to reinstall Windows and clear all the encrypted files after he ran a malware program. He wasn't going to pay a ransom and I get that. He now has a simultaneous cloning setup going (Mirror Folder) but he does not use his PC for a DAW. I just can't have the background services running while I record and typically shutdown my wi-fi connection when recording, too, just to make sure nothing is running.
BTW, I heard of a hospital that got ransomed and they had no choice but to pay a $2500 ransom a few years back, I think this was in Chicago. These are some f'ed up ppl doing this stuff.
Last edited by rooster on Tue Feb 07, 2017 6:05 pm, edited 1 time in total.
Most people stall out when fixing a mistake that they've made. Why?
Re: Ransomware
rooster wrote:BTW, I heard of a hospital that got ransomed and they had no choice but to pay a $2500 ransom a few years back, I think this was in Chicago. These are some f'ed up ppl doing this stuff.
There is one here in Baltimore that got hit this past fall and it is rumored they paid. I expect it was considerably more than $2500. Hospitals are reputed to be very secure because of HIPAA liability. Frankly, I was surprised, yet I wasn't. It only takes one person who isn't paying attention.
- David Root
- Posts: 3540
- Joined: Fri Aug 04, 2006 3:00 pm
- Location: Chilliwack BC
Re: Ransomware
Thanx guys, what you said is mostly way over my head, but I did buy a copy of Bitdefender. It was a bitch to install, never seen anything so clunky and user unfriendly, but I'm running it in conjunction with MalwareBytes Premium and Malwarebytes Anti-Exploit.
Don't know how that will help but I've not seen a recurrence of ransomware yet.
When I was a boy I was told that anyone could become President. I`m beginning to believe it--Clarence Darrow