F-Secure

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

About TiZed

since ‎18-09-2018
‎28-09-2018
TiZed
TiZed
Aspirant

Re: Ranssomware .mammon

by TiZed in Business Security
‎28-09-2018 12:40 PM
‎28-09-2018 12:40 PM
Hello again,   Now I can summarize:  1. Attack came from rough open non standard RDP port forwarded to  a local mashine. Ransomware was stated thee for sure. It succeded to encrypt first all the local drives and mapped network drives. Unfortunatelly attacked user had administrative access to other machines defined by the group policy in local network.  2. Further attacker or Ransomware itself succesed to take control on several mashines from the same user group. On the each machine it succeded to take control on Ransomware was installed and run. 3. On some other mashines it succeeded only to inject the Ransomware executable in "c:\users\anyvaliduser\appdata\roaming\system.exe" and to modify registers of the user :"Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce"  to point to the executable above so as Ransomware to start on login. 4. I succeded to take a copy of the executable and sent it to the F-Secure support together with some encrypted files and the corresponding Ransom note. I did send a copy to "https://www.nomoreransom.org/bg/index.html" as well. 5. We took care with some improvements tgo avoid  further problems of this kind. We implemented some steps to get better protected /like change of all passwords; improvement of the group policy; disable direct RDP; implementation of network firewall; windows and AVP updates./    6. Recent versions of AVR and Windows Definer are able to detect and remove it. Windows defender is recognizing it as "Ransom:Win32/Pulobe.A" blocking and removing it as well. 7. "https://id-ransomware.malwarehunterteam.com/index.php" is recognizing it as aversion of Scarab and says that a decryptor may be found ... 8.We yet need /we are looking for/ a possible file decryption. We have some unique files encrypted.   ... View more

Re: Ranssomware .mammon

by TiZed in Business Security
‎20-09-2018 05:43 PM
1 Kudo
‎20-09-2018 05:43 PM
1 Kudo
it seems to be combined attack.   For sure I found ransomware executable detected from F-Secure log but somhow 2 minutes later system was rebooted and then  ransomware executable took control before F-Secure and sicceded to block it. Than later real encoding started after my login.   I saw something wrong and swithed the power off. Then I reboted is safe mode and sicceede to find ransomware executable agent. It succeded to ecode some 2/3 of the system disk but fortunately    On some other mashines encoding proces was finished without a human login.  They are 100% encoded excluding the  Windows folders which are not affected. On these mashines we did not find a copy of any ransomware executable agent.   May be attackers were enterer trouh RDP then injected a ransomware executable and did restarted  machines.    We revised our policy for remote access but we cannot avoid it completely. Firewall system is good enough but may be improved I hope.   For sure we should look for any internal network monitoring/blocking  solution. ... View more

Ranssomware .mammon

by TiZed in Business Security
‎19-09-2018 12:17 AM
‎19-09-2018 12:17 AM
we have been using F-secure for many years.   on 12.09.2018 we found some of our mashines encripted by unknown Ranssomware giving .mammon extensions.   our internal ivestigation found several mashines infected trouh the local network using administrative rights. Infected mashines have Ranssomware executable called "system.exe" at c:\users\XXXX\Appdata\roaming /where "XXXX" is username having adminitrative rights on network and local machines/. Ranssomware is encoding local files but any shared folders accesible trough the network.   yesterday we found basic description on   http://id-ransomware.blogspot.com/2018/06/scarab-diskdoctor-ransomware.html   our report got registered as ref:_00Db0JXpV._5000X1Z5Ar5:ref   we are wondering why  F-secure was not able to stop or reduce damages.   we are looking for 2 solutions:   1. how to get protected against any possible further attacs of that kind 2. how to recover / decrypt data that have not been backuped recently. ... View more
Latest Tags
No tags yet
Likes given to
View All
Likes from
View All
F-Secure

Other Links


Visit the Community

F-Secure Community

Check our Forums or How-to & FAQs for advice or answers

Help Forums

How-to & FAQs


View User Guides

F-Secure Help

Refer to our getting started guides and product manuals

F-Secure User Guides

Get Support

F-Secure Support

Talk to our Support agents and get answers to your questions

F-Secure Support

  • Facebook
  • Twitter
  • Youtube
  • LinkedIn