About MobuisNZ
One of my clients has been hit with what appears to be a variant of BTC (according to Spywarehunters Ransomware ID). It has encrypted files and postfixed the following extension(s): .[[email protected]].master, e.g. FILENAME.DOC.[[email protected]].master. The instructions are all in a txt file called !#_RESTORE_FILES_#!.inf. I'll attach the note.

They got in through Remote Desktop. One PC on the network has remote access with RDP on a non-standard port, and they used the credentials of an account called "staff", which made their life a little easier; probably a dictionary attack. They very conveniently sent the note to the printer, so we got 3 copies printed out.

Strangely, this one didn't attack network drives or attempt to hop machines via shares, as being workstations on a domain it had both available to it. Perhaps it crashed??

I have an encrypted and unencrypted version of a Word document, but I don't want to submit it here as it has the company involved in the headers. Happy to submit it to Emsi developers to look at. I'll attach the "ransom note".

Because it didn't get the network drives (which were backed up anyway) it's more of a massive inconvenience and time waster. Mainly, the staff member had stuff saved to his desktop, and one document in particular he'd done a few hours' work on, and the only backup is an old copy sent via email. It would still make his day if an unencryption tool could be made, and obviously it would benefit others who might be less lucky in what they lose.

I've told them at this point: bye bye RDP. We usually now at least have them make a PPTP VPN connection with different credentials and then RDP over that (I know PPTP is not "secure", but it's fit for purpose unless someone can inform me why not? My belief is that its encryption standard is dated, so a session could be captured and unencrypted). For this client they were doing RDP from an iPad after hours, and iPad won't do PPTP any more, so we'll have to look at other VPN options.

Thanks, Matt

Attachment: !#_RESTORE_FILES_#!.inf
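As an added example, not part of Matt's post: a small detector, run over constructed Windows logon records, for the pattern he describes (password guessing against the "staff" account over RDP, followed by a successful logon from the same address). Event IDs 4625/4624 and logon type 10 are real Windows Security log values; the timestamps, account names and addresses below are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, shaped like the fields of Windows Security
# events 4625 (failed logon) and 4624 (successful logon) with logon type 10
# (RemoteInteractive, i.e. RDP). Addresses are documentation-range placeholders.
# Fields: (timestamp, event_id, account, logon_type, source_ip)
EVENTS = [
    ("2019-03-01T02:10:00", 4625, "staff", 10, "203.0.113.7"),
    ("2019-03-01T02:10:20", 4625, "staff", 10, "203.0.113.7"),
    ("2019-03-01T02:10:40", 4625, "staff", 10, "203.0.113.7"),
    ("2019-03-01T02:11:00", 4625, "staff", 10, "203.0.113.7"),
    ("2019-03-01T02:11:20", 4625, "staff", 10, "203.0.113.7"),
    ("2019-03-01T02:11:40", 4625, "staff", 10, "203.0.113.7"),
    ("2019-03-01T02:12:00", 4624, "staff", 10, "203.0.113.7"),
    ("2019-03-01T08:30:00", 4625, "matt", 10, "198.51.100.5"),  # one typo, not an attack
    ("2019-03-01T08:30:15", 4624, "matt", 10, "198.51.100.5"),
]


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {(account, source_ip): peak_count} for every account/IP pair
    with at least `threshold` failed RDP logons inside any `window`."""
    failures = defaultdict(list)
    for ts, event_id, account, logon_type, ip in events:
        if event_id == 4625 and logon_type == 10:
            failures[(account, ip)].append(datetime.fromisoformat(ts))
    hits = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[key] = max(hits.get(key, 0), count)
    return hits


def accounts_opened_after_guessing(events, hits):
    """Accounts with a successful RDP logon (4624, type 10) from an address
    flagged by detect_bruteforce: the guess-then-log-in pattern in the post."""
    flagged_ips = {ip for _, ip in hits}
    return sorted({account for _, event_id, account, logon_type, ip in events
                   if event_id == 4624 and logon_type == 10 and ip in flagged_ips})
```

With the sample above, detect_bruteforce flags the "staff" account with six failures from one address, and accounts_opened_after_guessing reports that the same address then logged in as "staff"; the single failed "matt" logon stays below the threshold.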