ALIVCC

Server hit by Amnesia Ransomware


Amnesia2
This ransomware is decryptable!
Identified by 

custom_rule: Encrypted size marker [0x00 - 0x08] 0x0454000000000000

Click here for more information about Amnesia2 
Scarab
This ransomware is still under analysis.

Please refer to the appropriate topic for more information. Samples of encrypted files and suspicious files may be needed for continued investigation.
Identified by 

custom_rule: Encrypted size marker [0x00 - 0x08] 0x0454000000000000

Click here for more information about Scarab 
Ransomware Got Past Your Antivirus


Would it be possible to attach a copy of an encrypted file to a reply for us to take a look at? Or send one in a private message?

On 11/17/2017 at 3:34 PM, ALIVCC said:

Ransomware Got Past Your Antivirus

Amnesia and Amnesia2 ransomware are installed directly on the affected computer by an attacker who has compromised the system through some sort of remote access software (usually they brute force the administrator account password to gain access via RDP/Remote Desktop), and the attacker simply turns off any anti-virus protection (or uninstalls it) before manually copying the ransomware to the computer and executing it. There is no way for an anti-virus to protect against this sort of attack, since as far as the anti-virus is concerned the administrator of the computer is shutting the protection down.

What you need to do, before doing anything else, is disable RDP access to all workstations and servers, close the RDP port and all Windows Networking ports in the firewall (I'd disable all port rules so that all ports are closed until you have a chance to audit them and make sure that only ports that are absolutely necessary are open), change the administrator passwords on the domain and all workstations, have all users change their passwords, and remove/reconfigure any other remote access software that you use to prevent it from being abused again.

If there are people who need access to RDP from remote locations (home or other sites), then I recommend having them connect using a VPN to access local services rather than opening ports in the firewall for services like RDP that may be exploitable. I also recommend never opening ports globally, but rather only opening them for specific IP addresses that require access. If someone has a dynamic IP address, then many firewalls these days support something like Single Packet Authorization or Port Knocking to dynamically open ports for unknown IP addresses.

Keep in mind that these days automated scripts are almost constantly probing all Internet-connected devices/computers for exploitable services. It's relatively trivial to have a tool like nmap scan an entire IP range and log every open port it finds, and this is easy enough to script using bash on a Linux machine (or even other scripting languages on Linux, Windows, etc).

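As an added illustration of the hardening advice in the reply above (this script is not from the thread or from any Emsisoft tool), the following PowerShell audits a Windows host for the conditions that make the described RDP brute-force entry possible: RDP enabled without Network Level Authentication, inbound firewall rules that allow TCP 3389 from any address, and a burst of failed logons. It assumes Windows 8 / Server 2012 or later, an elevated session, and an allow list ($AllowedRemoteIPs, a constructed value) that you replace with your VPN or LAN range; without -Enforce it only reports.

```powershell
# Added example, not from the original post. Audit (and optionally tighten) RDP exposure.
param(
    [string[]]$AllowedRemoteIPs = @('10.0.0.0/8'),  # constructed example: VPN/LAN range only
    [switch]$Enforce                                 # omit to report only, no changes made
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# 1. Is RDP enabled at all, and is Network Level Authentication required?
$rdpDenied   = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections
$nlaRequired = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
Write-Host ("RDP enabled: {0}; NLA required: {1}" -f ($rdpDenied -eq 0), ($nlaRequired -eq 1))

# 2. Find every enabled inbound allow rule that opens TCP 3389 to any remote address,
#    i.e. the "port opened globally" case the reply warns about.
$exposed = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        ($port.Protocol -eq 'TCP') -and ($port.LocalPort -contains '3389') -and
        ($addr.RemoteAddress -contains 'Any')
    }
foreach ($rule in $exposed) {
    Write-Warning ("Rule '{0}' allows RDP from any remote address" -f $rule.DisplayName)
}

# 3. Count failed logons (event 4625) in the last 24 hours; password guessing against
#    an exposed RDP service shows up here as a large number. (With NLA enabled the
#    failures are typically recorded as logon type 3 rather than type 10.)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625;
                                          StartTime = (Get-Date).AddDays(-1) } `
          -ErrorAction SilentlyContinue
Write-Host ("Failed logons in the last 24h: {0}" -f @($failed).Count)

# 4. With -Enforce: scope the exposed rules to the allow list and require NLA,
#    mirroring "only open ports for specific IP addresses that require access".
if ($Enforce) {
    foreach ($rule in $exposed) {
        Set-NetFirewallRule -Name $rule.Name -RemoteAddress $AllowedRemoteIPs
    }
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1
}
```

Disabling RDP entirely, as the reply recommends while the environment is audited, is the stronger step: set fDenyTSConnections to 1 and disable the 'Remote Desktop' firewall rule group.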
