"silently encrypt and decrypt on the
fly for months" so the thieving scum have backdoored their product.
Ransomware has been detected infecting master file tables, rendering Windows PC useless unless payment is made. When first executed, the Petya malware will reboot the victim's machine, and run what appears to be a Windows check disk scan as a mask for the encryption process. A screen is then displayed that directs users to a …
"Vastly more prevalent on Windows of course, but lately some miscreants have been sharing the love - "
...who take the fun out of using computers.
OK, these assholes destroy lives, life, etc., but dammit - my PCs are not just my livelihood, but my recreation. My PCs are my ever-configurable toys. Each computer is "My Precious!"
If you mess with my tools or mess with my toys:- bad stuff will happen!!
A pox on you people! Just die and do the Human Race a huge favour!!
[I now return to my nuclear fallout shelter where my Precious(es) hide, switched off, safe inside their EMP-hardened welded-shut copper-walled boxes. At least, I think they are in there...]
Just discussing with my colleagues and no matter how clever it is, there is always someone who lets this malware in.
Education is amazingly effective in combating malware, yet the vast majority of companies I have performed consulting at completely ignore it in favour of tin that they haven't got the in-house skills to use/maintain.
Things are getting better and people are starting to wake up, but compared to the Threat Actors involved with the creation of malware, they are nowhere near.
"Education is amazingly effective in combating malware, yet the vast majority of companies I have performed consulting at completely ignore it in favour of tin that they haven't got the in-house skills to use/maintain."
Because education isn't as effective as you think. Guaranteed there's that someone in your group who isn't capable of learning. To quote the comedian, "You can't fix stupid." And before you can suggest firing him, more often than not the idiot's up top.
Our mail server is set to kill anything that I think might be a malicious attachment - the delivery of these always spikes during a holiday and this morning the logs showed our accounts being flooded over the last few days with .js attachments inside zip files containing "unpaid invoices"
What continually surprises me is the number of organizations that really SHOULD KNOW BETTER who keep trying to send me .HTML documents - yep, I kill those on site too (sic).
Not only do the miscreants hassle innocent people and destroy their data, but this scumware risks helping the US Government message on backdooring encryption. Of course, that is not the solution to the problem, but since when has that stopped a politician from pushing a point ?
Except possibly that people start to realize that backups are a must.
Nope. Some of these f*ckers leave time between crypto and activation so your backups are infected too. You'd have to go back weeks, which means that all work between the last clean backup and the trigger is effectively lost until you pay.
But that's not your only problem.
Once you give in to this blackmail, there is no guarantee you have not started another timebomb that you'll be made to pay for later so your best bet is then to back up your data ASAP and rebuild the system underneath from scratch, which means you're facing quite some downtime before you can truly have some confidence in your machine. Imagine this happening at any medical practice.
> Nope. Some of these f*ckers leave time ...
I actually watch which files are transferred with each backup (rsync being used). If I don't see why some particular files are transferred then I check. More afraid of corruption by hardware problems, though.
Surely more "professional" solutions are possible, but this is a home environment. All catastrophes I have seen (and that is quite a few) happened because no backup existed at all.
Ransomware has been detected infecting master file tables, rendering Windows PC useless unless payment is made.
We already knew that. Oh, wait, this isn't about Windows 10.
Joking aside, I hope the people who do this will die slowly and painfully of a horrible disease. There is apparently no limit to the lowness criminals will go to collect some coin. F*ckers.
... 3 position physical (key?) switch on drive (or array)
(1) looks to the BIOS/OS like a normal drive (or array) but keeps, inaccessibly and invisibly, all previous versions of files; perhaps also ignores destructive operations such as partitioning and formatting
(2) all versions above become visible but drive is read-only
(3) disk accessible as normal for partitioning, formatting or just maintenance (e.g. deleting of old versions of files).
I'm not sure that my drive usage is typical but it seems to me that ordinary file store disk usage would not be greatly increased by keeping all previous versions of files - by far the biggest chunk of my diskspace is taken up by files that are their initial version.
Even if this were not practical for operational disks or arrays, surely it's achievable for disk-based back-up solutions?
Yes, knacker the PC of the idiot who decided opening that strangely named attachment from the obviously spoofed email address was a good idea so that they can't infect the network. We can always re-image the PC.
It's the other stuff that encrypts the fileshares that's the proper PITA.
Also: String these fuckers up by their genitals and stone them to death with LTO tapes.
Problem is, what if that's your boss?
That's frequently the way. We've had malware brought on-site by people up to and including the Board. One clueless twerp brought three malicious payloads on to the network through his frequent surfing of "free" porn sites using Internet Explorer.
We now ban connection of anything "unapproved" on to the network on pain of instant dismissal. There is an "open" wi-fi for the (l)users if they're desperate to connect their personal gear to the interweb - this seems to satisfy them and has gone a long way to keeping our networks secure!
"We now ban connection of anything "unapproved" on to the network on pain of instant dismissal."
That still doesn't solve the problem of the unapproved stuff being brought in by the ones who write the rules. Try to dismiss them and they'll turn around and dismiss YOU first, AND they outrank you.
Isn't it great that Windows 8 and 10 include a full backup program that creates a system image? Oh wait, no they don't. That was one of my requests for Windows 10 that was ignored. I want to know why Microsoft thought removing a proper backup program and disabling F8 by default was a good idea. I want to find the persons who made that decision and I want to smack some sense into them.
It's now obvious to me why Backup functionality was removed starting with Windows 8. If backups were present and the implied restore worked, then this would effectively allow the Windows users' data-slaves to roll back changes. Microsoft wants to prevent this at all costs, so backup was eliminated, with Microsoft knowing that 99% of their users are too lazy to get a 3rd party package. Anytime you can reduce support costs (by eliminating a software package) and reduce the likelihood of users doing something undesirable is a win-win, so to speak.
Besides, everyone's data should be on azure anyways - right? (sic).
I wonder what it's going to be like once MS has their Walled Garden (UWP + Store) fully locked down. You know it's coming, slowly.. The heat is being applied very, very slowly.. and within about 5 years, or so, the goose will be cooked.
Presumably as you don't mention Windows 7 as missing it, you are aware of the backup system that allows system images to be created on schedule etc.
You appear to have missed that your request has not been ignored - the backup system from Windows 7 (which existed in Windows 8, but was removed in 8.1 - though you could still manually create a system image) was in fact returned to Windows 10, funnily enough titled "Back Up And Restore (Windows 7)" as it was in Windows 8.
Time to start monitoring how long an incremental backup takes to run; if it's an order of magnitude above 'normal', clearly a lot more files have been modified.
Similarly I think I might see if I can also monitor deduplication ratios; if they change, there are a lot of previously identical blocks of data that are now strangely not so identical.
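The heuristics in the two comments above (watching what each rsync run transfers, and flagging an incremental run whose duration or change count is an order of magnitude above normal, or whose dedup ratio collapses) as an added example that is not part of the thread; the backup records, the 10x factor and the 50% ratio-drop threshold are constructed assumptions.

```python
# Added example, not from the thread: flag a backup run that looks like mass modification.
# A ransomware run rewrites thousands of files with high-entropy data, so the incremental
# transfers far more files, takes far longer, and the new blocks no longer deduplicate.
from statistics import median

# Constructed sample: one record per nightly incremental run.
# Fields: (date, files_transferred, duration_seconds, dedup_ratio)
RUNS = [
    ("2016-03-21", 412, 95, 3.9),
    ("2016-03-22", 388, 90, 3.9),
    ("2016-03-23", 450, 102, 3.8),
    ("2016-03-24", 401, 93, 3.9),
    ("2016-03-25", 9870, 1740, 1.1),  # constructed anomaly: mass rewrite
]

def baseline(history, field):
    """Median of one field over the recent runs (robust to a single odd night)."""
    return median(r[field] for r in history)

def check_run(run, history, factor=10.0, ratio_drop=0.5):
    """Return the reasons this run deviates from the recent baseline (empty if normal)."""
    reasons = []
    if len(history) < 3:
        return reasons  # too little history to call anything abnormal
    date, files, secs, ratio = run
    files_base = baseline(history, 1)
    secs_base = baseline(history, 2)
    ratio_base = baseline(history, 3)
    if files > factor * files_base:
        reasons.append(f"files transferred {files} vs baseline {files_base:.0f}")
    if secs > factor * secs_base:
        reasons.append(f"duration {secs}s vs baseline {secs_base:.0f}s")
    # Encrypted output shares no blocks with anything, so the dedup ratio falls sharply.
    if ratio < ratio_drop * ratio_base:
        reasons.append(f"dedup ratio {ratio} vs baseline {ratio_base:.1f}")
    return reasons

def scan(runs, window=7):
    """Evaluate each run against the runs before it; return {date: reasons} for alerts."""
    alerts = {}
    for i, run in enumerate(runs):
        history = runs[max(0, i - window):i]
        reasons = check_run(run, history)
        if reasons:
            alerts[run[0]] = reasons
    return alerts

if __name__ == "__main__":
    for date, reasons in scan(RUNS).items():
        print(date, "->", "; ".join(reasons))
```

Feeding this from the real job is a matter of logging rsync's `--stats` totals and the dedup figure from the backup target after every run.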
Seems to me it's ransomware victims buying in and other criminal uses that are preventing the Bitcoin pyramid from collapsing, as victims buying in enables criminals to cash out. Does anyone know of any regular markets where goods and services are exchanged in the open using Bitcoin where there are not crooks involved or tax evasion ? Or have all or nearly all attempts at creating legitimate uses dried up ? I'd like to know, because if there are no genuine uses for Bitcoin, then it seems to me that the conventional currency for Bitcoin exchanges are in effect little more than money launderers.
"Uhh - Microsoft accept btc ... "
It seems they price in and accept $US, and will allow an account to be settled through a Bitcoin payment processor which they immediately convert to the required $US amount. That's not the same thing, as the BC price will change minute to minute while the $US price is more fixed. You could more easily pay a restaurant bill in Spain with a £ debit card using the Visa or Mastercard network - but that doesn't mean the restaurant accepts or trades in £Sterling. http://time.com/money/3658361/dell-microsoft-expedia-bitcoin/
ISTM that you could make a far better case that cash is unnecessary than Bitcoin.
I really hope that more and more regular transactions will start being made with Bitcoin so that control is taken away from banks and other financial institutions, and exchange of money ceases to incur any overheads. As it is, a percentage of what you pay for goods and services goes to the banks or card organisations (even if you pay by cash). When you add together all the payments made to the financial parasites in the chain between manufacturer and consumer, it adds up to a sizeable chunk of the price you are paying.
Bitcoin's no panacea. Bit by bit, various criticisms are emerging: from the ungainly size of the blockchain to elements of corruption to allegations of blockchain manipulation. The whole thing's getting closer to house of cards status where one big snafu (the Mt. Gox scandal came close and still put a serious dent in Bitcoin for a while) will break the trust of the system (and any financial or monetary system needs this to survive).
Or it could just show that where the focus is for the different firms. Businesses need to be able to regularly decrypt their encrypted stuff in order to function. What happens is that malware targets endpoints where data may necessarily have to be decrypted to function, like stuff before encryption or after decryption. The crooks are less caring about being able to decrypt their "clients'" stuff at the end, so they focus on the encryption end.
Yes this is ransomware that overwrites the MBR and then the rogue CHKDSK app overwrites the MFT.
UEFI has nothing to do with it; you're thinking of GPT (probably because they somewhat go hand in hand because Windows requires a UEFI enabled motherboard to boot a GPT formatted disk).
GPT is more secure, yes, but it's not bulletproof. Basically all GPT does (from this standpoint) is store several copies of itself across the disk, so if one of the GPTs gets corrupted, it has backups to recover from. Obviously though the issue there is if the ransomware gets smart enough and corrupts ALL the GPT records (which will surely be the next phase that ransomware progresses to).
Windows 8 and 10 having 'secure boot' capability helps as well but it doesn't really matter if the GPT (or MBR) is hosed because the OS is not going to boot either way.
Having a protected copy of the MBR and GPT on an external device which the second it detects large changes requires solving a CAPTCHA before it will commit those changes to the backups, would be useful.
Also having a "Kill Switch" that if the AV triggers detect signs of ransomware or someone presses the "Big Red SCRAM Button" physically isolates the affected machine using optomagnetic switches if something bad happens and hard powering down while notifying admins that it has been trashed and to restore from backups.
Having this built into the machine would help, I've always wondered why PC manufacturers don't simply keep compressed backup copies of the drivers and a failsafe OS on the motherboard in protected memory that can be used in the event of a severe system failure.
Acorn used to do this and IIRC the viruses on these were nowhere near as severe as their PC equivalents. Thanks to Winbond's new 2Gbit 8 pin SPI chips it's more than feasible to include this as a feature with an "only update from pressed disk" failsafe in the event updates are needed.
1. Users don't do them
2. The tiny percentage of users who do them expect us to restore it for them.
3. Users think that they have backed up and haven't
I always fail to understand that your average user gets a nice shiny new PC and has no idea how to use it correctly; it's like buying a car straight from the showroom without ever getting behind the wheel.
Biting the hand that feeds IT © 1998–2020