engineer92

My Manager will kick me out - RansomWare - MS-DOS Application (.com) - [email protected]

Recommended Posts

See my reply to your PM.  That is not a .COM MS-DOS executable the ransomware appended the file name with an email address.

This appears to be a new ransomware variant and currently is unknown what ransomware family it belongs to or is something entirely new.  Either way, the encrypted data is not recoverable without paying the ransom, which is something we do not recommend under normal circumstances.  Whether your company chooses to pay the ransom depends on how critical the data is to your company that has been encrypted.  Be aware that you are taking a risk of never recovering the data even if you pay the ransom.   Some of these cybercrime gangs will take your money and leave you with encrypted files, some will send you a decrypter with a private encryption key that may or may not work.

The best defense against ransomware is having a backup and recovery plan in place. If your company does not have a backup and recovery plan in place it is paramount that they implement one.  You should always have three backup copies of your data.  One copy on write-once (read-only) media, one local copy, and one off-site copy.

Secure RDP.  RDP is the most common entry point with regards to compromised servers.  Change all RDP passwords, using strong, not easily guessed passwords.  Yes, it is a PITA but necessary to secure your server.  Disable RDP if it is not needed.

Share this post


Link to post
Share on other sites
1 hour ago, Kevin Zoll said:

Secure RDP.  RDP is the most common entry point with regards to compromised servers.  Change all RDP passwords, using strong, not easily guessed passwords.  Yes, it is a PITA but necessary to secure your server.  Disable RDP if it is not needed.

To follow up on what Kevin posted, here are some recommendations for getting started securing RDP:

First I recommend temporarily disabling all port rules in your firewall (closing all open ports) until you can do a full audit of your firewall configuration and determine which ports need to remain open. There are some basic recommendations below to help get you started with the port audit. Obviously if this is a remote server and RDP is your only access, then you may want to leave the RDP port open for now, as you'll lock yourself out of your server if you disable the port rule to allow RDP.

If you are managing a company network, then some form of IPS/IDS is highly recommended to monitor the network for intrusions. If you already have such a system in place, then I recommend a full audit of any rules you have configured to make sure that the device is providing adequate monitoring. It is also recommended to have someone with penetration testing experience verify that the IPS/IDS is properly alerting when there are intrusion attempts.

Also, quickly change all passwords on any workstations and/or servers that are connected to the same network as the compromised system. Also be sure to change passwords on any online accounts, as well as any routers or switches (or other devices that have network-accessible administration functions).

I recommend that every account have a different password, that passwords be no shorter than 25 characters and be made up of a random combination of uppercase letters, lowercase letters, numbers, and symbols. Obviously passwords like that are difficult (if not impossible) to remember, so a password manager may be required in order to aid in managing passwords. KeePass is probably the simplest password manager, and stores password databases locally instead of on some "cloud" server. If something capable of automatically filling in passwords (or sharing passwords between multiple devices/users) is necessary then there are reasonable passwords managers from LastPass, bitwarden, 1Password, Dashlane, etc. Note that unlike KeePass, these password managers work as extensions added to web browsers (or apps on mobile phones), and they store password databases online.

When auditing your firewall configuration and preparing to reopen ports, I recommend never opening ports globally unless absolutely necessary. I also recommend requiring anyone who needs access to sensitive services (RDP, Windows Networking, etc) to connect to the network via a VPN so that you don't have to open ports for those services in the firewall, and then only open the VPN port in the firewall for IP addresses that need access to it. If someone who needs access has a dynamic IP, then many firewalls these days support something like Single Packet Authorization or Port Knocking to dynamically open ports for unknown IP addresses.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.