
Ransomware infections reported worldwide


posted on May, 13 2017 @ 10:43 AM
link   

originally posted by: Vroomfondel
It's great that you got system restore to work. My experience has been the exact opposite.

In this case it looks like the malware only deactivates system restore, as I was able to see the restore points (but I didn't use them) after reactivating system restore with:



BCDEDIT.EXE /SET {DEFAULT} RECOVERYENABLED YES



The only issue I have with external drives as back-ups is that they are really no different than internal drives. They are always on when the computer is running.

That depends, some have an on/off switch.



These viruses usually take some time to trigger. Either on a specific date, after a certain number of keystrokes, whatever. That is why I think off-line back ups are best. The hot swap drive bay is the easiest and least expensive way to accomplish that and makes the back ups quick and easy to do.

And that's also why I do backups of the backups every week, into a different external disk that is located in a different place. Besides that I also copy the backup to an online storage service from time to time.


You are definitely right when you said that people won't do their back-ups or any other maintenance if it's not fast and easy. It's not fun sitting there listening to a hard drive click watching the little light flash, even if it can save all your data. Make it as painless as possible and people still have a hard time doing it but at least some of them try.

I use Areca Backup. It's easy to install and configure, and you can tell it to do only incremental backups, in which it only copies files that were changed in some way, reducing the time and disk space it takes to back up the files. It even has an option to create a .bat file that you can schedule to be activated whenever you want to make automated backups. When you need to recover the files then the interface is easy to use and takes only a little time for it to recover the files. In case you don't even have the program installed you can still get the backed-up files, as they are stored as zip files, but then you have more work to get all the files, as the incremental backup makes it harder to get all the files manually.



posted on May, 13 2017 @ 11:42 AM
link   
This is over....for now....according to this report:


The “accidental hero” who halted the global spread of an unprecedented ransomware attack by registering a garbled domain name hidden in the malware has warned the attack could be rebooted.

The ransomware used in Friday’s attack wreaked havoc on organisations including FedEx and Telefónica, as well as the UK’s National Health Service (NHS), where operations were cancelled, X-rays, test results and patient records became unavailable and phones did not work.

But the spread of the attack was brought to a sudden halt when one UK cybersecurity researcher tweeting as @malwaretechblog, with the help of Darien Huss from security firm Proofpoint, found and inadvertently activated a “kill switch” in the malicious software.

.......

The kill switch was hardcoded into the malware in case the creator wanted to stop it spreading. This involved a very long nonsensical domain name that the malware makes a request to – just as if it was looking up any website – and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading. The domain cost $10.69 and was immediately registering thousands of connections every second.


Source


edit on Sat May 13 2017 by DontTreadOnMe because: trimmed overly long quote
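
An added example, not part of the posts or the quoted report: a small triage script for the kill-switch behaviour described above. It scans resolver logs for clients that looked up the kill-switch domain and separates those whose lookups succeeded from those whose lookups never did. The domain is a placeholder (the thread does not give it), and the log format and sample lines are constructed for illustration.

```python
from collections import defaultdict

# Placeholder: the thread does not give the real kill-switch domain.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed resolver log; the key=value format is an assumption.
SAMPLE_LOG = """\
2017-05-13T15:02:11Z client=10.0.4.17 qname=killswitch-placeholder.example. rcode=NOERROR
2017-05-13T15:02:12Z client=10.0.4.22 qname=www.example.org. rcode=NOERROR
2017-05-13T15:02:15Z client=10.0.4.31 qname=KillSwitch-Placeholder.example rcode=NXDOMAIN
2017-05-13T15:03:40Z client=10.0.4.17 qname=killswitch-placeholder.example. rcode=NOERROR
2017-05-13T15:04:02Z client=10.0.4.31 qname=killswitch-placeholder.example rcode=SERVFAIL
malformed line without fields
"""

def parse_line(line):
    """Return (client, qname, rcode), or None if the line does not parse."""
    fields = dict(p.split("=", 1) for p in line.split()[1:] if "=" in p)
    if not {"client", "qname", "rcode"} <= fields.keys():
        return None
    # DNS names are case-insensitive and may carry a trailing root dot.
    qname = fields["qname"].rstrip(".").lower()
    return fields["client"], qname, fields["rcode"].upper()

def triage(log_text, domain=KILL_SWITCH_DOMAIN):
    """Count, per client, kill-switch lookups that resolved vs. failed."""
    domain = domain.rstrip(".").lower()
    seen = defaultdict(lambda: {"resolved": 0, "failed": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[1] != domain:
            continue
        client, _, rcode = rec
        # Simplification: any NOERROR response is treated as "domain is live".
        seen[client]["resolved" if rcode == "NOERROR" else "failed"] += 1
    return dict(seen)

def unprotected_clients(report):
    """Clients that asked for the domain but never got a successful answer."""
    return sorted(c for c, n in report.items() if n["resolved"] == 0)

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for client, counts in sorted(report.items()):
        print(client, counts)
    print("lookups never succeeded:", unprotected_clients(report))
```

Every client in the report made the lookup and is worth examining; the ones returned by `unprotected_clients` are those for which, by the description in the quoted report, the kill switch would not have taken effect.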



posted on May, 13 2017 @ 01:00 PM
link   

originally posted by: fleabit
Also I guess you must mean level 1 and perhaps 2 helpdesk? Sometimes you get those types, but usually once someone has the smarts to learn something else beyond that, they are usually your normal perhaps somewhat more-geeky person, same as anyone else. I've rarely met a sysadmin, SharePoint administrator, DBA, programmer, whatever.. that were as you describe above. And some of those guys really -are- very smart. I've met some pretty brilliant people in the IT industry over the years. Sometimes a bit of ego accompanies their role.. but not usually, I don't see it very often.


Not just help desk, but I do mean the general "computer guy" stuff, especially if it's hardware based. DBA's are technically IT but I hold a better opinion of them. Programmers I consider CS rather than IT.

Anyways, I'm not trying to insult IT workers or anything, I hold a few IT certs myself and a degree in it, plus I've done a bit of that work. It's honest work, but I think a lot of it only exists because business people don't want to learn how to do anything, and they don't want to pay engineers to maintain the things they build. So we have a field populated by people who only know how to use parts of tools. Then again, I'm more of a programmer so I'm pretty sure hardware engineers have the same view of me.
edit on 13-5-2017 by Aazadan because: (no reason given)



posted on May, 13 2017 @ 01:00 PM
link   
My CT alarm is going off on this one.

So, some random guy looks at the virus code and registers a domain from it which ends the spread of the virus (claiming he didn't know it would do that) and nobody thinks this is suspicious?

I'm not buying it.

I don't think the people responsible thought that others could actually die because of their actions and they shut it down.

So... where's the investigation into the start of this mess? Are we just going to forget that it happened now?

Something stinks about all this.
edit on 13-5-2017 by Noncents because: Expanded



posted on May, 13 2017 @ 02:34 PM
link   

originally posted by: Noncents
My CT alarm is going off on this one.

So, some random guy looks at the virus code and registers a domain from it which ends the spread of the virus (claiming he didn't know it would do that) and nobody thinks this is suspicious?

I'm not buying it.

I don't think the people responsible thought that others could actually die because of their actions and they shut it down.

So... where's the investigation into the start of this mess? Are we just going to forget that it happened now?

Something stinks about all this.


You raised a good point. This seems to be an abrupt end to a major hacking incident. But if that guy is legit, then whoever is responsible will most likely strike back, and worse than before out of anger.

Note to mod: Sorry about the long quote from that report. I tried to keep it short. Tx!



posted on May, 13 2017 @ 02:55 PM
link   

originally posted by: dianajune
You raised a good point. This seems to be an abrupt end to a major hacking incident.

It's a good point but this wasn't a hacking incident.



posted on May, 13 2017 @ 03:06 PM
link   

edit on 13-5-2017 by ZIPMATT because: (no reason given)



edit on 13-5-2017 by ZIPMATT because: (no reason given)



posted on May, 13 2017 @ 03:08 PM
link   
Already posted. leaving a link

Link

edit on 5/13/2017 by roadgravel because: (no reason given)



posted on May, 13 2017 @ 03:16 PM
link   

it's bad because even newer (up to Windows 10) can be targeted also.



Not by this attack, this was targeting older systems.

Sadly the company I recently took over as IT manager was using an external company to patch their systems, and now that I have moved away from them to another company for some NOC support, I am finding the servers are all terribly out of date. So my weekend is now being spent patching servers, blocking ports on firewalls, etc. One of the dangers of fully relying on an external contractor for all your IT needs. They often suck, because no one in the company knows enough about IT to have any idea if they are actually doing their job. Always pays to have an inside guy looking out for your company.



posted on May, 13 2017 @ 03:27 PM
link   

originally posted by: dianajune
Here's a scary thought:

This could be the start of a much worse scenario than a demand for money. The WW3 forum here at ATS has been very busy. Imho it's only a matter of time before all-out war breaks out, short of a miracle from the Lord Jesus Himself.

What would be a good way of defeating an enemy and make it harder for them to retaliate in war? Cyber attacks. Get them in such a way they can't use their defense systems, all of which are computerized.

This is one reason an EMP attack can be deadly. Take out a country's ability to defend itself and it's a sitting duck.

I think this could be where we're headed, but hopefully I am wrong. Just speculating at this point.


I sort of doubt this is in any way something to disable systems, etc. due to war efforts. Also personally don't think WW3 is coming any time soon, as most people have the weird survival instinct kick in to not die a horrible death in a nuclear holocaust.

The most important systems will be protected against this sort of attack. If the Pentagon is running XP, we are all in much deeper trouble than I thought. : )



posted on May, 13 2017 @ 03:43 PM
link   
a reply to: fleabit

It does, but all too often business managers fall prey to survivorship bias. If something will cost $200,000 to prevent, and if it happens the company goes under, but there's only a 0.5% chance of that event happening (each year), most businesses will see that as a $4,000,000. So by taking the risk and not paying, they can claim they saved the company $4 million dollars. As long as the company remains in business, that's true because said event hasn't happened. If it does happen, the business isn't there to make it an issue any longer anyways.

And anything contracted out, hardware or software is a pain. I've mostly been in academics, only some limited self employment. But I have a real job now. What I've quickly been learning in it, isn't that corporate cogs don't take the path of least resistance, or as capitalism should suggest the path of the most profit, they take the path that guarantees the most future employment. In your case, that's setting up hardware, such that some hours can be logged setting it up again at a later date.
edit on 13-5-2017 by Aazadan because: (no reason given)



posted on May, 13 2017 @ 03:47 PM
link   

originally posted by: fleabit
I sort of doubt this is in any way something to disable systems, etc. due to war efforts.

I haven't ruled this out as being war related but in a different way. I think within the next few years we're going to see the US taking the initiative and codifying cyber-war laws. I've been saying this for a while. So anything like this and the big internet black out last year get tossed into a 'potentially used to create the demand to create the cyber-war laws' pile.

When people start demanding cyber-war laws they're essentially demanding more strict internet regulation and monitoring.

Funny, I don't remember anyone actually getting busted for causing that big black out last year either...



posted on May, 13 2017 @ 03:58 PM
link   
I work for a company that was hit by this ransomware; 400 hundred plus computers are hit. I'd say every four mins the computer would do a memory dump (lovely blue screen) then restart itself. I tried quickly to see what the hell was going on in the logs; the only thing I was getting was critical errors "kernel Power", not much info (not IT so no access to real info). Lastly, the computers are running Windows 7 Service Pack 1.
edit on 13-5-2017 by DiamondA because: added info

edit on 13-5-2017 by DiamondA because: (no reason given)



posted on May, 13 2017 @ 05:04 PM
link   

When people start demanding cyber-war laws they're essentially demanding more strict internet regulation and monitoring.


To be fair, people want their cake and want to eat it.. they want safe browsing, laws that protect them from ads and data collection, from tracking what they do online.. but they also want complete freedom. You can't have both. If you want the wild west online, where you can do anything, go anywhere, at any time, and not have -your- Internet rights infringed upon, you can't expect anyone to intercede and regulate those that are spying / tracking / collecting info on you.

I personally would choose freedom because you know.. freedom, and would accept the consequences, but many want protection yet freedom.. they are not going to get both.



posted on May, 13 2017 @ 05:33 PM
link   
a reply to: fleabit

maybe I'll go protection then , as a contributor to freedom overall : but

what do they want anyway, those watchers on ? logs are just logs


edit on 13-5-2017 by ZIPMATT because: (no reason given)



posted on May, 13 2017 @ 07:03 PM
link   

originally posted by: ZIPMATT
a reply to: fleabit

maybe I'll go protection then , as a contributor to freedom overall : but

what do they want anyway, those watchers on ? logs are just logs



Most of it is money - your buying history, especially in this day and age of electronic shopping, is quite valuable. The NSA continues to store information for.. who knows why. I was at the site where the NSA was building their 1 mile long data center. Any computer I sent up to the construction site never came back (I gave them crap computers as a result : P ). There must be a purpose.. and while it could possibly be for their supposed fight against terrorism, I sort of doubt it. Terrorists usually don't traipse around the normal web to do their business. Maybe they only catch the really stupid terrorists.

There are a ton of companies that sell data now.. portfolios on anyone they can get data from. Companies that are hiring are more often using those companies to check on possible candidates. Info is big business in many ways. They may be just logs, but people can do quite a bit with them.



posted on May, 13 2017 @ 07:13 PM
link   

originally posted by: fleabit

originally posted by: dianajune
Here's a scary thought:

This could be the start of a much worse scenario than a demand for money. The WW3 forum here at ATS has been very busy. Imho it's only a matter of time before all-out war breaks out, short of a miracle from the Lord Jesus Himself.

What would be a good way of defeating an enemy and make it harder for them to retaliate in war? Cyber attacks. Get them in such a way they can't use their defense systems, all of which are computerized.

This is one reason an EMP attack can be deadly. Take out a country's ability to defend itself and it's a sitting duck.

I think this could be where we're headed, but hopefully I am wrong. Just speculating at this point.


I sort of doubt this is in any way something to disable systems, etc. due to war efforts. Also personally don't think WW3 is coming any time soon, as most people have the weird survival instinct kick in to not die a horrible death in a nuclear holocaust.

The most important systems will be protected against this sort of attack. If the Pentagon is running XP, we are all in much deeper trouble than I thought. : )


I would be interested to know what OS the Pentagon is running. And what about the rest of the Federal gov't? The Feds aren't known for being on top of such things. I know, because when I started work as a Federal employee in the late 90's my office was still using Windows 3.1.

Unbelievable.



posted on May, 13 2017 @ 08:09 PM
link   
Their critical systems would not be running XP, and many would not be online at all. Many probably are not running Windows.



posted on May, 13 2017 @ 08:15 PM
link   
a reply to: dianajune

Even Windows can be made more secure, and good security goes beyond the OS; if anyone has physical access to a computer then the OS means very little.

That reminds me of what I saw once in the IT department of a ministry here in Portugal, a computer with a post-it on the monitor with the password for one of the servers.


PS: NIST has several security guides, like this one for Windows XP.



posted on May, 13 2017 @ 08:27 PM
link   
It's interesting that the registration data for the kill domain and the domain of the guy who set it up are incomplete, which is against ICANN rules.


