Unofficial empeg BBS

#366501 - 13/04/2016 00:49 Re: Malware/sSpyware "build.exe" [Re: Taym]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31594
Loc: Seattle, WA
Though maybe not the same malware as the one discussed in this thread, there is good news on the ransomware front:

http://news.softpedia.com/news/petya-ran...on-502798.shtml
_________________________
Tony Fabris

#366506 - 13/04/2016 15:22 Re: Malware/sSpyware "build.exe" [Re: Taym]
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12338
Loc: Sterling, VA
Excellent! I don't know if I've come across that exact variant before, but I've had customers hit by other ransomware infections, so hopefully those will get unlocked too.

Every time I get a call about one of those, I just have to hope that they have a backup of their files. I'm continually surprised by how many of my clients actively choose not to back up their files.
_________________________
Matt

#366509 - 13/04/2016 18:35 Re: Malware/sSpyware "build.exe" [Re: Dignan]
jmwking
old hand

Registered: 27/02/2003
Posts: 775
Loc: Washington, DC metro
Originally Posted By: Dignan
Excellent! I don't know if I've come across that exact variant before, but I've had customers hit by other ransomware infections, so hopefully those will get unlocked too.

Every time I get a call about one of those, I just have to hope that they have a backup of their files. I'm continually surprised by how many of my clients actively choose not to back up their files.


And a backup on a drive not usually connected to the machine! Won't help if your external drive with your backup files gets encrypted, too.

-jk

#366510 - 13/04/2016 20:47 Re: Malware/sSpyware "build.exe" [Re: Taym]
Taym
carpal tunnel

Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
Cloud-based backup services will help greatly precisely because of that.

Also, running your backup script under different dedicated credentials, so that an external backup unit won't be accessible by a standard user. This adds some complexity and has a number of shortcomings, but can help.
_________________________
= Taym =
MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg
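
The dedicated-credentials idea in the post above can be checked mechanically; the following is an added example, not part of the original post or any poster's own script. It assumes a POSIX system where the backup job runs under its own account (the name `audit_backup_target` and the sample file names are hypothetical), and reports anything under the backup target that another account could overwrite; on Windows the equivalent check would be against the volume's ACLs.

```python
import os
import stat
import tempfile


def audit_backup_target(root, backup_uid):
    """List (path, problem) for entries that an account other than the
    dedicated backup account could modify under the backup target."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # Every directory shows up as dirpath once, so this covers the whole tree.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if stat.S_ISLNK(st.st_mode):
                continue  # a link's own mode bits carry no access meaning
            if st.st_uid != backup_uid:
                findings.append((path, "not owned by backup account"))
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((path, "writable by group or other"))
    return findings


def demo():
    """Constructed sample tree: one locked-down archive, one left writable."""
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o700)
        good = os.path.join(root, "monday.tar")
        bad = os.path.join(root, "tuesday.tar")
        for p in (good, bad):
            open(p, "w").close()
        os.chmod(good, 0o600)  # only the owning (backup) account can write
        os.chmod(bad, 0o666)   # any local account, including an infected one, can write
        # The current user stands in for the dedicated backup account here.
        found = audit_backup_target(root, os.getuid())
        return [(os.path.basename(p), why) for p, why in found]


if __name__ == "__main__":
    for name, why in demo():
        print(f"{name}: {why}")
```
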

#366511 - 13/04/2016 21:19 Re: Malware/sSpyware "build.exe" [Re: jmwking]
tanstaafl.
carpal tunnel

Registered: 08/07/1999
Posts: 5546
Loc: Ajijic, Mexico
Originally Posted By: jmwking
And a backup on a drive not usually connected to the machine! Won't help if your external drive with your backup files gets encrypted, too.

I have two external drives used only for backups that are always physically connected, but are only powered up during actual backups and the [very] occasional retrieval of a file.

Am I right in thinking that this gives me at least some additional measure of protection? I also have two external drives that are only backed up a few times a year that are kept off-premises in a closet at my neighbor's house for ultimate emergencies. I have no "mission critical" information on my computer, but I do have a lot of data (~4 TB, photos, correspondence, tax info, etc.) that I would be pretty unhappy to lose. Nothing that would change my life if I lost it, but there would be inconveniences...

tanstaafl.
_________________________
"There Ain't No Such Thing As A Free Lunch"

#366512 - 13/04/2016 23:40 Re: Malware/sSpyware "build.exe" [Re: tanstaafl.]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31594
Loc: Seattle, WA
Quote:
I have two external drives used only for backups that are always physically connected, but are only powered up during actual backups and the [very] occasional retrieval of a file. Am I right in thinking that this gives me at least some additional measure of protection?


Yes, but with the following caveats:

- Only works if you're sure the drive requires external power to operate. For instance some USB drives will get their power from the USB cable. If your drive definitely needs the external power, then, powering it off is the same as disconnecting the cable in terms of infection risk.

- If you get infected with malware, in order to prevent the malware from spreading to the backup drive, you have to know that you've been infected so that you don't unwittingly power on the drive (or worse, begin a full disk backup) while you're infected. Some pieces of malware are very stealthy and don't announce their presence right away (or at all).

- Mustn't reconnect the backup disk until you're certain that the computer has been purged of the malware/ransomware.

I don't know if any ransomware is clever enough to deliberately keep itself quiet for a while, waiting long enough for you to have completed a backup or two before triggering the ransom demand. I have heard of situations where people say that their backups also got held for ransom. I don't know the mechanism in that case, but I can imagine that there might be a couple of scenarios under which that could happen even if the ransomware didn't have a pre-programmed wait. For example, perhaps the ransomware keeps quiet while it's taking the time to encrypt every file on the hard disk, only announcing its presence and "locking" the files at the last instant after the long encryption procedure is done. If one were to make a backup (or even merely connect/power up the external backup drive) during that phase, then they'd be SOL.
_________________________
Tony Fabris

#366518 - 14/04/2016 07:31 Re: Malware/sSpyware "build.exe" [Re: tanstaafl.]
Roger
carpal tunnel

Registered: 18/01/2000
Posts: 5683
Loc: London, UK
Originally Posted By: tanstaafl.
I have two external drives used only for backups that are always physically connected, but are only powered up during actual backups and the [very] occasional retrieval of a file.


You should rotate those drives away from the computer periodically, so that they're not connected, and -- if possible -- in a completely different location.

I have a 4 disk rotation for my server: "Daily 1", "Daily 2", "Weekly 1" and "Weekly 2". "Daily 1" and "Daily 2" generally stay connected to the server. "Weekly 1" and "Weekly 2" rotate offsite regularly (though not weekly, as it happens -- because I don't actually visit our Cambridge office as frequently as Hugo would like...). This means that I always have a backup that's (reasonably) recent, that's stored somewhere completely different.

Then, every 6-12 months (I'm not rigorous about it), I "retire" one of the disks, so that -- in effect -- "Weekly 1" becomes "2015-07", "2016-02", etc., and I replace it with a new "Weekly 1". This also allows me to smoothly upgrade to larger backup disks as needed.

This is made much easier by the fact that I use BackupAssist (it's not free), which manages the rotation for me.
_________________________
-- roger

#366621 - 27/04/2016 19:05 Re: Malware/sSpyware "build.exe" [Re: tfabris]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31594
Loc: Seattle, WA
Yet another piece of ransomware cracked:

http://www.theregister.co.uk/2016/04/27/cryptxxx_cracked/
_________________________
Tony Fabris

#366708 - 18/05/2016 16:51 Re: Malware/sSpyware "build.exe" [Re: Taym]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31594
Loc: Seattle, WA
And another escalation in the ransomware war:

http://www.networkworld.com/article/3070...ransomware.html
_________________________
Tony Fabris

#367231 - 22/07/2016 00:11 Re: Malware/sSpyware "build.exe" [Re: Taym]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31594
Loc: Seattle, WA
_________________________
Tony Fabris
