| Thread ID: 140154 | 2015-08-26 07:17:00 | Ransomware - Tips on id source/method of infection | CCF (6760) | Press F1 |
| Post ID | Timestamp | Content | User |
| 1407427 | 2015-08-26 07:17:00 | Hi all. A machine of ours at work has been infected by ransomware, safe to say that we will be reformatting the machine. However before doing so, we need to identify how this infection came about. At this stage I'm at a loss as to where I can check, thus looking for any tips or suggestions. Below are the areas/items that I have looked in for further info: -AV log -Outlook client -Browser history -Windows Event Viewer -msconfig -regedit -services.msc -User tmp folders -User download folders -Programs & Features. Unfortunately all the areas above provided very little detail on what started the infection. The best piece of info we have is from the AV log where it showed the time of first incident. The AV log showed a HTTP connection was blocked (an unusual URL). However this URL doesn't exist anywhere in the browser history. I have manually accessed all the sites that the machine visited just prior to the first-incident time (via a temp machine on a standalone network of course), however nothing out of the ordinary and nothing happened, AV logs looked clean. All emails within Outlook looked fine, trash, spam, sent, inbox etc. Any suggestions would be well appreciated. Cheers | CCF (6760) |
| 1407428 | 2015-08-26 08:04:00 | Good luck finding that out. The few times I've come across ransomware myself, people have been faked into installing it by website pop-ups claiming they had viruses and offering to fix it for them. The only way I know that though is because the culprit owned up. I've heard of it happening via e-mail or other means as well though. Others here probably have more experience than I do at this though; I honestly can't remember the last virus I personally ran into. The best defence is user education, people are just way too trusting of warning messages etc. | dugimodo (138) |
| 1407429 | 2015-08-26 08:21:00 | A very high percentage of the time the infections come in one of two ways. 1. By visiting sites that are infected, and people often click on things that automatically download and install whatever it is. Fake Adobe Flash upgrades for example: message pops up saying your Flash player is out of date - click here -- thanks, you just downloaded the infection. OR you need to install some player/codec to "play" this video. 2. By people installing/upgrading software; 99% of the time they use the default setting which can have god knows what sort of "extras" added in. They often install or upgrade by default because the software vendors push the default settings; if you install via the advanced or custom options it shows each and every step, and you can untick these extra programs etc. BUT then there's some that even if you do untick options it installs anyway. Even then people don't look at what they are doing. GOOD example -- update Malwarebytes: the very last window has two boxes pre-ticked. Top one is install the Trial Pro version, the other is Run Malwarebytes. People don't untick the top option, and a month later they get hounded to buy the Pro version. You need better protection and safeguards. One way is to use gpedit policies so programs can't be installed without admin permissions; of course you need professional versions of Windows as home editions don't have gpedit. Won't be by emails directly as these infections normally need some sort of exe to activate, and email programs by default block exes. BUT on that note there's always emails that come through as zip files saying they contain invoices, receipts etc; knowledgeable users KNOW not to open these. | wainuitech (129) |
| 1407430 | 2015-08-26 08:27:00 | Email is still the most popular vector, either inside actual attachments or just links to the payload. Also, many legit sites have been hosting malware in the syndicated ads they run, which they have no control over and which change all the time, so it may not be there when you go back. Also, some search engines often show fake results - a Google search on a virgin Win7 today showed me a very convincing fake Firefox download page as the first hit, above the real one. It can be a bit difficult to pinpoint these things, but file timestamps and a good nose are your best bet. | fred_fish (15241) |
| 1407431 | 2015-08-26 09:46:00 | Thanks guys. User-downloaded apps and attachments via emails were the first suspicion, however looking through all possible areas where files could be downloaded, none looked unusual; in fact very little was downloaded around the infection time. Same with emails: of all the emails received for that given day/period, all attachments were from official suppliers and associates, unless one of our vendors was infected, then again our AV log indicated nothing about Outlook. I think one of tomorrow's tasks is to go through all received attachments... Does anyone know how these ransomware spread these days? Have they been developed into self-propagating worms yet? For example, would they be rare or relatively common nowadays? | CCF (6760) |
| 1407432 | 2015-08-26 11:19:00 | They are common as. What seems to happen is once one gets in, it's like a magnet for others. Here's an example. There's a very well known file conversion program called Format Factory -- BUT how "clean" do you think it actually is ;) I'll give a hint, OK answer -- install it without a reasonably good AV and you will install malware :eek: which antimalware programs will detect and remove. What "apps" were downloaded? | wainuitech (129) |
| 1407433 | 2015-08-26 12:38:00 | Actually techniques have improved where no user interaction is needed; a lot of focus is directed at being able to remotely exploit your system, and these sell for quite a lot on the black market, so there's less chance of it being reported to the vendor these days. Sometimes just visiting a web site is all it takes, and it can happen without any trace of it ever occurring. The best preventative is keeping your system and all programs up to date, especially anything internet related; also you should get a program that intercepts a call to encrypt your file system, so you can deny its action. Not sure if some antivirus or security suites have this, but I am sure some would. I am not sure of the availability of a 2048-bit hash table that could help find the right hash, but this file would be extremely huge if it does exist, and probably better than brute forcing as this would take ages if you do take that route; you'd need a lot of luck though. It's quite unfortunate, but anyone can get the ransomware and the maker gets a cut from those who do pay to get their data back. Cheers, KK | Kame (312) |
| 1407434 | 2015-08-26 22:17:00 | Does anyone know how these ransomware spread these days? 90% are via user stupidity. It's really that simple. Lack of any basic staff training about safe internet use is another factor. This is why in some companies, the same people manage to get their PC infected by malware time and time again: opening suspicious emails, clicking links in emails, opening suspicious attachments in emails, going to bogus websites, clicking on popups, having blatantly stupid passwords, installing stupid programs that are bundled with malware. Up-to-date AV and up-to-date Windows Updates are not reliable protection in the real world. Malware can get in regardless, but needs some user input to open the door. Using Firefox with adblockers and scriptblockers (Ghostery) etc would help. The webpage adverts have been used to infect PCs, as sometimes (often) the website owner/admin doesn't even check what's in the adverts or where they point to. | 1101 (13337) |
| 1407435 | 2015-08-27 00:38:00 | Thanks guys. User-downloaded apps and attachments via emails were the first suspicion, however looking through all possible areas where files could be downloaded, none looked unusual; in fact very little was downloaded around the infection time. Same with emails: of all the emails received for that given day/period, all attachments were from official suppliers and associates, unless one of our vendors was infected, then again our AV log indicated nothing about Outlook. I think one of tomorrow's tasks is to go through all received attachments... Does anyone know how these ransomware spread these days? Have they been developed into self-propagating worms yet? For example, would they be rare or relatively common nowadays? You are really just wasting your time. Even if you find out how the infection came in, what then? It won't help you for next time as these things constantly evolve. Who's to say the malware didn't remove all traces of its entry point? Instead, spend your time on user education. Just assume it was via email or website, the more likely causes. Malware can also come in from infected USB sticks: alarmingly common, but AV usually detects that. Users accessing private webmail, Facebook etc: think seriously about blocking Gmail, FB, Hotmail, and disabling USB stick access. | 1101 (13337) |
| 1407436 | 2015-08-30 22:55:00 | A customer of ours got hit a few times with Cryptolocker in the last few weeks. The infection came from Flash-based ads on legitimate websites. If we look at the web logs, we can see a hit on a page, then the .swf file of the ad and a bunch more files for the malware. Basically, keep your Flash up to date (if you need it installed at all), keep Java up to date (again, if needed), use an AV with Web Reputation, lock down the %APPDATA% folder on the PCs and whitelist any executables that need to run from there. | autechre (266) |
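The web-log pattern autechre describes (a page hit, then the ad's .swf, then the payload files), combined with the first-incident-time check the original poster was trying to do from the AV log, can be turned into a small log-correlation script. This is an added example, not code from the thread or from any product mentioned in it; the proxy-log line format and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed proxy-log sample (not from the thread): "date time client url status".
# Mirrors the chain described above: a page, the ad's .swf, then the payload files.
SAMPLE_LOG = """\
2015-08-26 06:58:02 10.0.0.21 http://news.example/article/123 200
2015-08-26 06:58:03 10.0.0.21 http://ads.example/serve/banner.swf 200
2015-08-26 06:58:05 10.0.0.21 http://cdn.example/style.css 200
2015-08-26 06:58:06 10.0.0.21 http://drop.example/tmp/xh29.exe 200
2015-08-26 06:58:07 10.0.0.21 http://drop.example/tmp/lib.dll 200
2015-08-26 07:10:00 10.0.0.33 http://intranet.example/home 200
"""
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\d{3})$")
PAYLOAD_EXT = (".exe", ".dll", ".scr", ".zip")  # file types worth a second look

def parse_log(text):
    """Parse lines into (datetime, client, url, status); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return sorted(events)

def requests_before_incident(events, client, first_incident, minutes=15):
    """URLs the client fetched in the window before the AV's first-incident time."""
    end = datetime.strptime(first_incident, "%Y-%m-%d %H:%M:%S")
    start = end - timedelta(minutes=minutes)
    return [url for ts, c, url, _ in events if c == client and start <= ts <= end]

def find_swf_to_payload_chains(events, window_seconds=30):
    """Flag a .swf fetch followed, from the same client, by executable-type downloads."""
    by_client = {}
    for ev in events:
        by_client.setdefault(ev[1], []).append(ev)
    chains = []
    for client, evs in by_client.items():
        for i, (ts, _, url, _) in enumerate(evs):
            if not url.lower().endswith(".swf"):
                continue
            payloads = [u for t, _, u, _ in evs[i + 1:]
                        if (t - ts).total_seconds() <= window_seconds
                        and u.lower().endswith(PAYLOAD_EXT)]
            if payloads:
                chains.append((client, url, payloads))
    return chains
```

Run `requests_before_incident(parse_log(SAMPLE_LOG), "10.0.0.21", "2015-08-26 07:00:00")` with the infected machine's address and the AV log's first-incident time to list what it fetched just beforehand, and `find_swf_to_payload_chains` over the same events to pick out the ad-to-payload sequence.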