
Bleeping Computer's Ransom 32 article picked up by BBC & ComputerWorld


10 replies to this topic

#1 JohnC_21

  • Members
  • 24,832 posts
  • Gender:Male

Posted 05 January 2016 - 10:36 AM

Congrats to Bleeping Computer, Fabian Wosar of Emsisoft, and xXToffeeXx on the discovery of Ransom32.

 

http://www.bbc.com/news/technology-35224859?ref=yfp

 

http://www.computerworld.com/article/3018972/security/ransom32-first-of-its-kind-javascript-based-ransomware-spotted-in-the-wild.html




#2 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,697 posts
  • Gender:Male

Posted 05 January 2016 - 10:43 AM

It was also picked up by ThreatPost who messed up Emsisoft's name :P

https://threatpost.com/new-javascript-ransomware-sold-as-a-service/115755/

Also, Fabian is now known as Fabio Wosar!

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Sintharius

    Bleepin' Sniper

  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands

Posted 05 January 2016 - 11:16 AM

Emsisoft is probably one of the most commonly misspelled security companies, right there with Malwarebytes.

Back to the topic, Linux and Mac users aren't safe from ransomware anymore.

#4 JohnC_21
  • Topic Starter

  • Members
  • 24,832 posts
  • Gender:Male

Posted 05 January 2016 - 11:38 AM

I refuse to use a browser that cannot block Scripts. That goes a long way to avoiding an infection.



#5 rp88

  • Members
  • 3,082 posts
  • Gender:Not Telling

Posted 05 January 2016 - 01:34 PM

Post #4, very wise indeed. Although I would never suggest anyone do something like rely on NoScript ALONE (always have an antivirus as well, because NoScript only stops drive-bys; it doesn't do anything about files you've downloaded of your own will, nor does it do anything to fix or minimize the impact of infections), it has, as a layer of defence "in front of my antivirus", probably been my strongest layer of protection. In these days of drive-by downloads and malvertising, a computer using a browser which does not have script-blocking capabilities/extensions will become infected very quickly.
Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#6 cat1092

    Bleeping Cat

  • BC Advisor
  • 7,018 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 14 January 2016 - 01:34 AM

Emsisoft is probably one of the most commonly misspelled security companies, right there with Malwarebytes.

Back to the topic, Linux and Mac users aren't safe from ransomware anymore.

 

Thanks & that's what I pointed out in the Linux section, being that I'm a subscriber to the Emsisoft Blog & active user of EAM or EIS on my Windows systems. :)

 

http://www.bleepingcomputer.com/forums/t/602097/its-time-to-begin-taking-security-seriously-even-linux-users/#entry3907895

 

rp88 has it right in Post #5 above, while NoScript may indeed be one of the best browser security add-ons available, it cannot do it all alone, the system must have some type of security installed. :thumbup2:

 

This threat has to be taken seriously, with computer users not only running a quality security solution, full disk images must also be taken on a regular basis to prevent paying a ransom to decrypt, and user's data that's of importance must not be stored on the OS drive only. Rather to an external, USB drive (both of these are at all time lows in price per GB) or optical disks. 

 

Plus one should also, if an OEM computer, create their recovery disk sets & store these in a safe place. Any encryption would also get the Recovery partition needed to reinstall Windows. Or if self installed, know where their install media is, which may include a downloaded ISO. If so, move it to an external, after burning a copy to DVD. After using, be sure to detach external drives & USB sticks, otherwise the chance of being encrypted is as great as for the drive(s) & their partitions on the computer.

 

Good Luck & Stay Safe! :)

 

Cat


Performing full disc images weekly and keeping important data off of the 'C' drive as generated can be the best defence against Malware/Ransomware attacks, as well as a wide range of other issues. 


#7 JohnC_21
  • Topic Starter

  • Members
  • 24,832 posts
  • Gender:Male

Posted 14 January 2016 - 08:49 AM

This threat has to be taken seriously, with computer users not only running a quality security solution, full disk images must also be taken on a regular basis to prevent paying a ransom to decrypt, and user's data that's of importance must not be stored on the OS drive only. Rather to an external, USB drive (both of these are at all time lows in price per GB) or optical disks.

 

One of the best pieces of advice that most people do not follow because they do not know it exists. I think it is also best not to have the external drive you use for images always attached to the computer. Isn't it possible for the encryption malware to also encrypt external drives which are attached and mounted? Not sure if the malware encrypts image file extensions though.


Edited by JohnC_21, 14 January 2016 - 08:51 AM.


#8 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,697 posts
  • Gender:Male

Posted 14 January 2016 - 10:30 AM

Certain Cryptoware can also encrypt files on external devices (such as external hard drive and USB), NAS, network shares, etc. Some even force mount shares that are still saved in Windows to encrypt the files there.



#9 cat1092

    Bleeping Cat

  • BC Advisor
  • 7,018 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 15 January 2016 - 03:37 AM

 

This threat has to be taken seriously, with computer users not only running a quality security solution, full disk images must also be taken on a regular basis to prevent paying a ransom to decrypt, and user's data that's of importance must not be stored on the OS drive only. Rather to an external, USB drive (both of these are at all time lows in price per GB) or optical disks.

 

One of the best pieces of advice that most people do not follow because they do not know it exists. I think it is also best not to have the external drive you use for images always attached to the computer. Isn't it possible for the encryption malware to also encrypt external drives which are attached and mounted? Not sure if the malware encrypts image file extensions though.

 

 

That's what I mentioned in the post you quoted from. Directly below the quote. :)

 

 

 

Plus one should also, if OEM computer, create their recovery disk sets & store these in a safe place. Any encryption would also get the Recovery partition needed to reinstall Windows. Or if self installed, know where their install media is, which may include a downloaded ISO. If so, move to an external, after burning a copy to DVD. After using, be sure to detach external drives & USB sticks, otherwise the chance of being encrypted are as great as the drive(s) & their partitions on the computer. 

 

Before all of these various 'crypto' attacks were taking place, I had a dedicated backup drive within my PC & after backup was through, it would auto shut down. This can no longer be relied upon, unless the computer is never connected to the Internet (& what fun is that? :P). So I dusted off my enclosures that had a 1TB SATA-2 HDD in each, deleted backups of computers I no longer had, and started using these again, and added a USB 3.0 docking station for some loose HDDs on hand (have about 5.5TB total backup space). Later on, upgraded the two USB 2.0 enclosures to 3.0 models when on promo, and placed some smaller, older drives in the USB 2.0 ones for backups of computers that have that standard only. Plus added a couple of 2.5" USB 3.0 enclosures for less than $10 each & both were metal for good cooling (I don't mess with plastic models) & both are speedy.

 

So I wasn't caught off guard when these threats began, though I do create weekly images on an external of my most used installs, also run an internal one right before Windows Update, not so much to be relied upon as an image for months down the road. Rather so that if a funky update messes something up, have an image to quickly revert to w/out doing anything other than selecting the Macrium Reflect WinPE boot option & reload the image on the SSD. Since these occasions are very rare, I use this time to perform a secure erase of the SSD being imaged back to, the reflashing of the cells restores any lost performance. :thumbsup:

 

Normally, I only install security updates anyway; I have found most all of the non-security ones have to do with a 'Compatibility for upgrading Windows' or something to perform an action behind my back, and some Telemetry updates that were removed & hidden will resurface from time to time. That's why I have my updates set to notify, but not download. In the past, it was download & install when ready; the only thing with that is something urgent can come up, we shut down the computer w/out thinking & it's on. Which makes the backup taken prior to the update a good option to revert to, after we review what was installed.

 

Otherwise, my weekly or bi-weekly backups are performed on externals while Windows isn't actively running & they're shutdown afterwards & unplugged. Even on my Linux installs, I follow this rule. One cannot truly say that they have a security plan & not also have one for backup in place. This is because there's no such thing as a 'bulletproof' security software choice, if there were one, only the upper middle class & wealthy would have it, as the corporations could charge what they please for the software w/out question, probably more than their corporate clients/per computer. 

 

Finally, we need to examine our collection of software that may be vulnerable. Do we really need the CyberLink 6 LE that shipped with our new Windows 7 computers in 2009, even if running Windows 10 today? Once those of us who created our Recovery Media sets were done with it, this software was otherwise crapware & required one or two patches for security. They're not going to patch it more than twice at the most. Since Windows 7 & above has a baked-in media burner, along with a Verify option, we don't need this software any longer, nor any other 3rd party burning software. There's no need to have multiple media players either. VLC does fine for most & isn't bundled with garbage. Many also think that because the Java software client shipped with their computers, it's still needed. While that's true for a small minority of users, at least 90% don't need the Java software package for anything, and most all security experts agree on this.

 

HP & other OEMs ship Wild Tangent; while if never used (opened), it may pass any Malware scans, once opened, Malwarebytes & Emsisoft both will have a field day quarantining infected registry keys, folders & much more. Same with HP's printer software bundles: at least half a dozen spyware or borderline Malware apps are coming for the ride. I've found through experience to take that 200+MB download & use 7zip to extract the file to a folder bearing the same name; this way, only the printer drivers and only those will be installed. Plug it in, turn it on, and after it shows install was unsuccessful, install the drivers by opening the Device Manager & when updating the drivers, point it to the extracted folder; it'll find & install the drivers needed.

 

Revo Uninstaller can get rid of a lot of installed crapware, best to use the Advanced mode, and one can use a fully functional 30 day Pro Trial to remove any 64 bit software. Just make sure to complete any tasks within that time, this is a one time shot, without a reinstall, it's impossible to get another Trial version, a key will be needed. 

 

These are some things to consider when looking at one's security stance, it can't be confined to one area only, rather the computer as a whole. :)

 

Stay safe! :thumbup2:

 

Cat


Edited by cat1092, 16 January 2016 - 02:30 AM.



#10 rp88

  • Members
  • 3,082 posts
  • Gender:Not Telling

Posted 15 January 2016 - 01:09 PM

"...create weekly images on an external of my most used installs, also run an internal one right before Windows Update..." That's a wise move to make, but users don't generally need to make images THAT often; a few when the system is new are good enough, maybe a few more at later times if you can be sure the system is clean of viruses and you have installed loads of new programs you really like/need (or significantly altered system settings for the better in a long complicated way you can't remember the details of) since your earlier images were made. As backups go, the chief defence of files should be simple copies of files on USB/DVD/CD/cloud backups (non-synced); these can be made last thing before you turn the machine off each day, just back up the things you've created or edited in the last day's work. Images are for backing up the system state; you absolutely need them but you don't need many of them. An hour or two spent reapplying the updates you need after restoring from an image is worth the savings in the amount of external storage space you would need to buy if you wanted to make images every few weeks.

#11 cat1092

    Bleeping Cat

  • BC Advisor
  • 7,018 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 16 January 2016 - 03:41 AM

rp88, I agree with what you're saying & it's indeed a lot of work, yet there's more than just the Windows Updates, it's also the updated installed software to be concerned about. All of this is a lot of work, and though I have Secunia PSI installed that will catch Flash Player & browsers, it doesn't update every program on the computer. For example, it'll still give a 100% score if apps like CCleaner, Speccy & many other utilities are 4-5 versions behind, not counting the fact that nVidia provides updated graphic drivers at least once per month, more often twice. 

 

For me, it's easier to create images than perform all of this work, plus I am always finding tweaks (no matter how small) that make the PC perform better & I may otherwise forget these, even if bookmarked. The 15 minutes it takes to image a dual boot install (Windows 7 & 8.1 Pro), which requires no babysitting once begun, shuts down when through, and the same with restore (though a bit longer), is well worth the time to me to have as close as possible an image. Note that on some computers, this is bi-weekly, others monthly right before Windows Update, after any software is upgraded. I have the day for Windows Update on a wall calendar marked with a bold red 'WU', so that I don't forget to perform any software upgrades first. I know that some prefer to image right after the update & I prefer prior, to make an easy revert. Plus being that some computers are used less frequently, they can do a monthly & be OK, as most of the updated 3rd party software is on a USB stick.

 

Yes, I always keep the first 2-3 images of a computer when I get it, as well as the last 3, and have enough external backup drives to where I can use one for every computer that I have, so space isn't an issue. And make it a point to place the external drive to unplug where I can't miss removing after backup, usually on top of the computer, or to one side or the other of the trackpad on a notebook, depends on where the fastest port is. :)

 

As for my data, I save as generated to a Data partition, and then move to a USB stick & then copy to an external to have two copies. Depending on what the data is, may delete from the folder on the data partition. Mostly what I save there are software upgrades & any upgraded drivers, and on a couple of computers, the motion detection folder for when I'm away to keep an eye on anyone who comes over. That way, when I return home & there's been company, among the first things I do after getting settled is to review any snapshots taken, if one walks in the room. 

 

Though I'm going to get a dedicated device for this soon, and not a PC, rather a surveillance kit & purchase a 2TiB HDD on promo that's designed for 24/7 non-stop usage for this purpose, usually on promo for less than $100 & place the control device in a locked area on my PC desk to prevent tampering/unplugging. This will allow better coverage, higher quality images, and be able to auto zoom in on a person during movement. I won't call names, as some knows I participate here, from time to time items tends to sprout legs, and can't possibly capture everything with two Logitech PC cameras. Plus will get a discount on our insurance for having this installed. 

 

In regards to imaging the computers I use, I see this as frontline protection from Malware & have for some time, and it's the very best System Restore point one can have. I refuse to pay a ransom to a thief to regain what is no more than the OS & other partitions of my computers & since my data is stored securely elsewhere, there's no need to. I have the needed tools to perform total destruction (DOD approved) of what's on a HDD & secure erase SSD's to ensure any infection is gone. 

 

Plus being at home most all of the time, I have the time to perform these tasks for when needed, there's no inconvenience on my end to ensure my protection from criminals. :)

 

Cat


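The backup routine the thread settles on (cat1092 in #6 and #9: image to an external, then detach it; Aura in #8: anything still mounted, including shares, is fair game for the encryptor; rp88 in #10 and cat1092 in #11: keep a small number of images rather than every one) can be written down as a script. The following POSIX sh is an added example, not code from any poster or from BleepingComputer. It assumes the external drive is already mounted at a mount point you pass in, that snapshots live under `MOUNTPOINT/images`, that a verified directory copy stands in for a Macrium-style disk image, and that `umount` is permitted for the calling user; those are all assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread): attach, copy, verify, prune, detach.
# Assumptions: external drive already mounted at MOUNTPOINT; snapshots kept
# under MOUNTPOINT/images; a verified tree copy stands in for a disk image.
set -u

# is_mounted PATH: succeed only if PATH is itself a mount point, i.e. a
# volume that can actually be detached. df -P keeps one line per entry,
# so the last field of line 2 is the mount point PATH lives on.
is_mounted() {
    mp=$(df -P "$1" 2>/dev/null | awk 'NR == 2 { print $NF }')
    [ -n "$mp" ] && [ "$mp" = "$1" ]
}

# snapshot SRC DST: copy SRC into DST/snapshot-<UTC stamp>, then compare the
# two trees before trusting the copy. Prints the snapshot path on success.
snapshot() {
    src=$1
    target="$2/snapshot-$(date -u +%Y%m%dT%H%M%SZ)"
    mkdir -p "$target" || return 1
    cp -R "$src/." "$target/" || return 1
    # An unverified backup is a hope, not a backup: diff every file back.
    if ! diff -r "$src" "$target" >/dev/null 2>&1; then
        echo "verification failed: $target" >&2
        return 1
    fi
    printf '%s\n' "$target"
}

# prune_snapshots DST KEEP: delete all but the newest KEEP snapshots.
# The stamp sorts lexically, so plain sort order is age order.
prune_snapshots() {
    dst=$1
    keep=$2
    total=$(ls -1d "$dst"/snapshot-* 2>/dev/null | wc -l | tr -d ' ')
    excess=$((total - keep))
    [ "$excess" -gt 0 ] || return 0
    ls -1d "$dst"/snapshot-* | sort | head -n "$excess" | while read -r old; do
        rm -rf "$old"
    done
}

# detach MOUNTPOINT: flush pending writes, unmount, and confirm it is gone.
# A backup drive left mounted is reachable by the same malware as the OS drive.
detach() {
    sync
    umount "$1" || return 1
    if is_mounted "$1"; then
        echo "still mounted: $1" >&2
        return 1
    fi
}

# run_backup SRC MOUNTPOINT KEEP: the whole routine. Refuses to run when the
# destination is not a mounted volume, because a plain folder on the OS drive
# would be encrypted right along with the originals.
run_backup() {
    src=$1
    mp=$2
    keep=$3
    if ! is_mounted "$mp"; then
        echo "refusing: $mp is not a mounted volume, attach the drive first" >&2
        return 2
    fi
    snapshot "$src" "$mp/images" \
        && prune_snapshots "$mp/images" "$keep" \
        && detach "$mp"
}

# Usage (paths are placeholders): ./backup.sh /home/me /mnt/backup 3
if [ $# -eq 3 ]; then
    run_backup "$@"
fi
```

The order matters: the copy is verified with `diff -r` before anything older is pruned, so a failed copy never costs you a good one, and `detach` re-checks `is_mounted` after `umount` because a drive that only appears unmounted is exactly the exposure Aura describes in #8. Retention by count (`KEEP`) is the simple version of rp88's point that a few images, not every one, is enough; the first few images of a new machine that cat1092 keeps separately would simply live outside the `snapshot-*` naming and be left alone by `prune_snapshots`.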




