Ransomware recovery

Posted by: tahir

Ransomware recovery - 05/01/2018 18:22

We've had a ransomware attack on our Windows 2012 Server which is fine as we have backups of everything (I thought), unfortunately there's one folder which we don't have backups of and it contains the data files for our payroll data. They've all been encrypted with the following extension:

.id-E40940C2.[[email protected]].java

Data restore on everything else is going well, but is there any way of decrypting these files?
Posted by: mlord

Re: Ransomware recovery - 05/01/2018 18:46

No data-recovery info here, but this link does discuss other things that need to be tidied up when getting rid of that flavour of ransomware:

http://www.virusresearch.org/black-mirrorqq-com-ransomware-virus-removal/
Posted by: mlord

Re: Ransomware recovery - 05/01/2018 18:48

And this link appears to have the same kind of info, plus some hints/pointers to ways that might get the data back:

https://howtoremove.guide/how-to-decrypt-ransomware/
Posted by: tahir

Re: Ransomware recovery - 05/01/2018 18:56

Thanks
Posted by: tahir

Re: Ransomware recovery - 09/01/2018 12:59

Almost recovered everything now, it was a hacker that had logged into our system via rdp.
Posted by: andy

Re: Ransomware recovery - 09/01/2018 14:12

Did you have an insecure password or was it some sort of rdp vulnerability?
Posted by: tahir

Re: Ransomware recovery - 09/01/2018 15:38

Insecure password, will be looking at all our options now
Posted by: tanstaafl.

Re: Ransomware recovery - 09/01/2018 17:43

Originally Posted By: tahir
Insecure password, will be looking at all our options now
In your world, what constitutes an insecure password?

I know of two schools of thought about password security. I use LastPass generated passwords like 95Gd33#tWzM6 that are supposedly secure. Others say that a password like "This is my new password for my bank account and nobody will ever figure it out!" is actually more secure against a brute-force attack, with (counting upper/lower case, numbers, and special characters) something like 72 to the 79th power possible solutions. (79 characters, each with 72 possibilities).

I imagine you have been giving considerable thought to password security lately, what are your thoughts on this?

tanstaafl.
Posted by: andy

Re: Ransomware recovery - 09/01/2018 18:00

The word one would be potentially more secure, if it actually used random words and the exclamation point was at a random location.

When word based passwords are recommended as being secure, they don’t mean English sentences. Google diceware
Posted by: tfabris

Re: Ransomware recovery - 09/01/2018 18:01

You've seen this, right?
Posted by: andy

Re: Ransomware recovery - 09/01/2018 18:01

But the random gibberish password manager ones are very secure, if they are long. You really want 20 characters or so to plan for the future.
Posted by: andy

Re: Ransomware recovery - 09/01/2018 18:14

If you are going for word based passwords your passwords need to look more like:

rhode-newsman!compel-pulse-facedown-Burnout

I use passwords like that for my Apple ID, 1Password and Dropbox passwords. Then everything else is 20 random characters stored on DropBox and accessed via 1Password.
Posted by: tahir

Re: Ransomware recovery - 09/01/2018 18:16

Originally Posted By: tfabris
You've seen this, right?


Thanks Tony
Posted by: tahir

Re: Ransomware recovery - 09/01/2018 18:19

Originally Posted By: andy
If you are going for word based passwords your passwords need to look more like:

rhode-newsman!compel-pulse-facedown-Burnout

I use passwords like that for my Apple ID, 1Password and Dropbox passwords. Then everything else is 20 random characters stored on DropBox and accessed via 1Password.


Yes, trouble is getting users to remember them without emailing themselves an email with subject "Password".

We've stopped all external access to the server for now and when we reinstate it'll probably be through a VPN.

Passwords are tricky, will have to think of a sensible way. Maybe two random words with a random character in between?
Posted by: Faolan

Re: Ransomware recovery - 09/01/2018 18:48

Originally Posted By: tanstaafl.
Originally Posted By: tahir
Insecure password, will be looking at all our options now
In your world, what constitutes an insecure password?

The existence of a password constitutes an insecure one. Brute force methods have been pretty easy for a while now if one has the hashed/secured copy, and continue to grow in power as GPUs and other tech continues to advance. And with flaws like Meltdown and Spectre leaking the clear text password possibly via Javascript, and, yeah...

The world needs to really move on beyond passwords as any form of security. The one work environment that was all X.509 certificate based, even for SSH, was pretty nice. I'm just glad I wasn't the security person setting it up though
Posted by: tanstaafl.

Re: Ransomware recovery - 09/01/2018 23:03

Originally Posted By: tfabris
You've seen this, right?
That is exactly where I originally got the idea that a secure password doesn't have to be un-memorizable gibberish.

tanstaafl.
Posted by: Dignan

Re: Ransomware recovery - 10/01/2018 03:28

Originally Posted By: tanstaafl.
Originally Posted By: tfabris
You've seen this, right?
That is exactly where I originally got the idea that a secure password doesn't have to be un-memorizable gibberish.

But it also shouldn't be a totally normal phrase or sentence.

Originally Posted By: andy
But the random gibberish password manager ones are very secure, if they are long. You really want 20 characters or so to plan for the future.

It always pisses me off when I generate a password that length via Lastpass, and the site comes back and says something like "passwords can only be 6-12 characters long."

SERIOUSLY?
Posted by: tahir

Re: Ransomware recovery - 10/01/2018 10:17

Originally Posted By: Faolan
The existence of a password constitutes an insecure one. Brute force methods have been pretty easy for a while now if one has the hashed/secured copy, and continue to grow in power as GPUs and other tech continues to advance. And with flaws like Meltdown and Spectre leaking the clear text password possibly via Javascript, and, yeah...

The world needs to really move on beyond passwords as any form of security. The one work environment that was all X.509 certificate based, even for SSH, was pretty nice. I'm just glad I wasn't the security person setting it up though


I agree with what you're saying, but how do you change?

I have my personal bank account, mortgage account, credit card account, plus 6 business accounts that I need to remember creds for, plus of course apple, amazon, ebay and my network login.

It's overload, and how secure is it really?

Is there a USB card/dongle based login solution?
Posted by: andy

Re: Ransomware recovery - 10/01/2018 11:57

Using a dongle isn't really any more secure than using a pure software based password manager. Even with something with some hardware involved, with the current system of usernames and passwords, the plain text password needs to exist and be entered in the browser at some point in the process.

Just use Lastpass or 1Password. Until the world as a whole adopts* a non password based authentication system, we are stuck with storing away big random passwords.

* people have suggested such systems in the past and people are working on some now ( https://www.grc.com/sqrl/sqrl.htm ), but it doesn't seem likely that any such system will be widely used in the near future
Posted by: K447

Re: Ransomware recovery - 10/01/2018 14:05

Originally Posted By: andy
Using a dongle isn't really any more secure than using a pure software based password manager. Even with something with some hardware involved, with the current system of usernames and passwords, the plain text password needs to exist and be entered in the browser at some point in the process.
...
Are you including the algorithmic devices that compute a response to a server’s challenge prompt? Such as an online banking ‘calculator’ that renders a numeric response to a numeric challenge, and is time coded, one time use?

Posted by: mlord

Re: Ransomware recovery - 10/01/2018 14:29

How quaint. I thought that smart cards had replaced those things years ago -- getting rid of the need for display and keypad (and human errors)?
Posted by: andy

Re: Ransomware recovery - 10/01/2018 14:30

They can only really be a second factor in the login process. The problem is they can be stolen/lost.

The general rule for secure 2 factor authentication is "something you have, something you know". That HSBC device (and the devices that you insert your debit/credit card into) serves as the "something you have", you still need a password for the "something you know" side.

Devices like that protect your account (in theory*) if someone has got your password, but they can't be the only authentication factor.

* there have been plenty of cases where accounts have been protected by two factor authentication, but the account has still been hijacked because the service protected by the password provides a "call a human in a call centre and beg" fallback mechanism which can then fall victim to social engineering
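K447's description of a banking "calculator" (a numeric response computed from a numeric challenge, time coded, one time use) and andy's point that such a device is only the "something you have" factor can both be shown in one short exchange. The following is an added example and not code from any poster or any bank's actual scheme: a server issues a random numeric challenge, the token computes an HMAC-based numeric response from a per-device secret, and the server accepts each challenge exactly once. The secret, the 8-digit response length, the challenge size and the `SERVER`/`Token` names are all assumptions for illustration; a real deployment would also require the PIN ("something you know") that this sketch deliberately leaves out.

```python
import hashlib
import hmac
import secrets
import struct


class Token:
    """The 'something you have'. Holds a per-device secret and turns a numeric
    challenge into a short numeric response (HMAC-SHA256, dynamically
    truncated in the style of HOTP/RFC 4226, then reduced to `digits`)."""

    def __init__(self, secret: bytes):
        self._secret = secret  # never leaves the device

    def respond(self, challenge: int, digits: int = 8) -> str:
        mac = hmac.new(self._secret, struct.pack(">Q", challenge), hashlib.sha256).digest()
        offset = mac[-1] & 0x0F                       # dynamic truncation
        code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
        return f"{code % 10 ** digits:0{digits}d}"     # zero-padded decimal


class Server:
    """The relying party. Knows each enrolled device's secret, remembers the
    single outstanding challenge per user, and discards it once used so a
    captured response cannot be replayed."""

    def __init__(self):
        self._secrets: dict[str, bytes] = {}
        self._pending: dict[str, int] = {}

    def enroll(self, user: str, device_secret: bytes) -> None:
        self._secrets[user] = device_secret

    def challenge(self, user: str) -> int:
        # Fresh random 8-digit challenge; issuing a new one invalidates any
        # earlier unanswered challenge for this user.
        c = secrets.randbelow(10 ** 8)
        self._pending[user] = c
        return c

    def verify(self, user: str, response: str) -> bool:
        # pop(): the challenge is consumed whether or not the answer is right,
        # which is what makes the response one-time use.
        c = self._pending.pop(user, None)
        if c is None or user not in self._secrets:
            return False  # no outstanding challenge: replay, or unknown user
        expected = Token(self._secrets[user]).respond(c)
        return hmac.compare_digest(expected, response)


# Constructed demo secret; real devices get a unique secret at manufacture or
# enrolment and it is never displayed or transmitted.
DEMO_SECRET = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def demo() -> tuple[bool, bool, bool]:
    """Runs one login exchange. Returns (first_try_ok, replay_ok, wrong_ok)."""
    server = Server()
    server.enroll("alice", DEMO_SECRET)
    device = Token(DEMO_SECRET)

    c = server.challenge("alice")            # server -> user: "enter 12345678"
    r = device.respond(c)                    # user types challenge into device
    first_try_ok = server.verify("alice", r) # user -> server: 8-digit response
    replay_ok = server.verify("alice", r)    # same response again: rejected
    server.challenge("alice")
    wrong_ok = server.verify("alice", "00000000")  # guessed response: rejected
    return first_try_ok, replay_ok, wrong_ok


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False)
```

Because the response depends on a secret that only the device holds, a phished password alone does not get an attacker through; because the server forgets each challenge after one use, an intercepted response is worthless a second time. Neither property helps if the device itself is stolen, which is exactly why it is paired with a PIN rather than used on its own.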
Posted by: andy

Re: Ransomware recovery - 10/01/2018 14:33

How does a smart card help you when you are sat in front of a computer trying to log into your internet banking site? There is no smart card slot on my computers.

I have a related device for logging into my bank, which you insert your smart card into. But that has a display, keypad and the related human error...
Posted by: mlord

Re: Ransomware recovery - 10/01/2018 14:34

Ah, okay. Several of the computers here have smartcard slots. And those that don't could use USB-connected slots.

Cheers
Posted by: mlord

Re: Ransomware recovery - 10/01/2018 14:39

Originally Posted By: mlord
Ah, okay. Several of the computers here have smartcard slots.

Mmm.. but none of the smartphones do, and I suppose that going forward those will become increasingly dominant. So any solution here probably needs to be efficient for use with such devices.

[EDIT]
BLE equipped smartcards, anyone?
Or is that pretty much the same functionality as NFC?
[/EDIT]
Posted by: andy

Re: Ransomware recovery - 10/01/2018 14:41

I suspect USB connected smart card reader would give the banks far more support headaches over and above just handing out these standalone readers that they currently use:

Posted by: andy

Re: Ransomware recovery - 10/01/2018 14:46

The UK banks seem to be slowly stepping away from all of these devices.

For example you don't need one to install the NatWest banking mobile app on a new device (they use the sadly exploitable route of SMS verification).

From the app I can now do pretty much everything I can do on their online banking site. The app is protected by just a 6 digit numeric PIN.
Posted by: Faolan

Re: Ransomware recovery - 10/01/2018 19:26

I wonder how many other US folks here are looking at the smartcard discussion in wonder. It's really a shame credit cards here stuck to magnetic stripes for so long. Seems like the usage of smartcards for payments also helped spur a lot more security advancement efforts in general. I think the only place I've seen widespread smartcard usage outside payments is the military and their chipped ID badges.

Still a shame we "upgraded" to Chip and Signature, and even though we have, my card has been swiped through a magnetic reader more than 10 times this year *sigh*. Banks have a lot of influence on the security field, for better or worse. Telecoms seem to be the other commercial part of the market pushing from time to time.

I've been hearing some interesting possibilities from newer markets that lack the legacy infrastructure and are starting fresh on mobile first solutions.

Originally Posted By: tahir
I agree with what you're saying, but how do you change?

Find ways to make changing things easier. Almost every environment I've worked in has tried something, only to see it fail later for some reason. The environments agile enough to change and try something new always had a leg up on the ones that had to throw the issue into the unpaid tech debt column.
Posted by: DWallach

Re: Ransomware recovery - 11/01/2018 13:36

Google has been pushing Fido U2F alongside their Advanced Protection scheme. I was a beta tester of this stuff years ago and I'm generally impressed. The ten-second summary is that the U2F gadget interacts with your browser and does some sort of public key crypto on a per-website basis, so there's no credential that one web site can get that's useful for attacking you on another website.

The banking world hasn't adopted it at all, so far as I can tell, but they really should.
Posted by: tahir

Re: Ransomware recovery - 11/01/2018 15:27

Originally Posted By: andy
The general rule for secure 2 factor authentication is "something you have, something you know". That HSBC device (and the devices that you insert your debit/credit card into) serves as the "something you have", you still need a password for the "something you know" side.

Devices like that protect your account (in theory*) if someone has got your password, but they can't be the only authentication factor.


Yes, we use 3 banks and all have a combo of pwd/device

Quote:
there have been plenty of cases where accounts have been protected by two factor authentication, but the account has still been hijacked because the service protected by the password provides a "call a human in a call centre and beg" fallback mechanism which can then fall victim to social engineering


Call centre and beg has never worked for me.