XYMer's Home away from Home

When http://bbs.xlr8yourmac.com is down (i.e. always)
 Post subject: Ransomware removal
PostPosted: Wed Aug 14, 2019 8:13 am 
Joined: Sat Apr 11, 2009 2:15 pm
Posts: 6648
Location: NYC
https://www.nytimes.com/2019/08/14/opin ... mware.html

Decryption tools (Almost certainly PC only. Haven't heard of anything successful targeting Macs.)

https://www.nomoreransom.org/en/decryption-tools.html

>> As a victim, of course, you may not be sure whether you’re infected with the Marlboro or the Pylocky or the Popcorn or the BigBobRoss strain, but if you upload any of the encrypted files created by the ransomware on your computer, or any email, website or Bitcoin address left behind by the attackers, No More Ransom will let you know if it has any tools that can help.

 Post subject: Re: Ransomware removal
PostPosted: Wed Aug 14, 2019 9:04 am 
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 16459
Thanks as always W. :coffee:

 Post subject: Re: Ransomware removal
PostPosted: Wed Aug 14, 2019 10:32 am 
Master

Joined: Sun Apr 20, 2008 5:24 am
Posts: 10075
Location: North of the State of Jefferson
It's good that these tools are being compiled in one place. Ransomware is a scourge that's not likely to improve anytime soon, and such attacks can be enormously destructive. There may be few ransomware packages for Macs at this time, but it's only a matter of time until they're more common.

That said, a cold backup will also do wonders to protect yourself from ransomware, with the added advantage that it will also protect you from power surges and equipment failures. Preferably you'll have rotating cold backups, so that if one gets infected you'll notice before the clean one is swapped in. A ransomed backup is as good as no backup. Another technique might be to write your backups to a conventional (not sparse bundle!) disk image, so that if your ransomer allows a free decryption out of the kindness of his tiny stone-like heart, it can be your 800 GB backup file. This only helps, of course, if the image wasn't mounted when the ransomware ran.

- Anonymous

 Post subject: Re: Ransomware removal
PostPosted: Wed Aug 14, 2019 5:14 pm 
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 16459
Quote:
Ransomware attacks are increasingly targeting cloud, datacentre and enterprise infrastructures to ensure more effective – and more lucrative – attacks against organizations.

https://www.zdnet.com/article/ransomwar ... red-files/

Can hardly wait for the whole country to be held ransom... was there a Twilight Zone or Star Trek episode like that???

 Post subject: Re: Ransomware removal
PostPosted: Thu Aug 15, 2019 7:42 am 

Joined: Thu May 15, 2008 8:13 pm
Posts: 10817
Location: Caught between the moon and NYC
Ransomware typically isn't sophisticated enough to encrypt files that are in use, so if you were to have said disk image mounted read-only, it would be intact because it can't overwrite the in-use disk image file.

 Post subject: Re: Ransomware removal
PostPosted: Thu Aug 15, 2019 10:09 am 
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 16459
Wow, never thought of that

 Post subject: Re: Ransomware removal
PostPosted: Thu Aug 15, 2019 3:09 pm 
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 16459
No end in sight for possibilities...

https://www.bbc.com/news/technology-49343774

 Post subject: Re: Ransomware removal
PostPosted: Fri Aug 16, 2019 5:46 am 

Joined: Thu May 15, 2008 8:13 pm
Posts: 10817
Location: Caught between the moon and NYC
Yeah, they got into a virtualization server and failed to encrypt any of the drives that were mounted because they were all in use by the hypervisor. Of course they also got into the virtualized servers so the contents of those disks were encrypted but the concept holds true. Files that are in use can't be changed except by the application with the lock. Hell, they had that virtualization server available but instead chose to run the encryption process on a 100Mb connected old Core2 Duo system. 50+ thread CPU available, 10Gb NICs, internal 10Gb switches, annnnnnd they encrypt on the slowest system in the building. Those guys were criminals for a reason.

Offline backups - especially multiple iterations of offline backups - are their worst enemy. Identify when the breach happened then just go back to a point before that and restore that backup. Then selectively restore data from newer backups.

It works. It's slow and painful but it works.
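The "find the breach time, restore the last backup before it, then pull newer data selectively" recovery described above, as an added example that is not from anyone in this thread. It assumes backup iterations named in Time Machine's YYYY-MM-DD-HHMMSS style (which sorts the same as chronological order, so plain string comparison is enough); the snapshot list is constructed sample data.

```shell
#!/bin/sh
# Choose a restore point from a set of offline backup iterations once the
# breach time is known. Added example; snapshot names below are constructed
# in Time Machine's YYYY-MM-DD-HHMMSS form.

# Constructed sample: one snapshot per night, the breach happens on the 14th.
SAMPLE_SNAPSHOTS='2019-08-11-030000
2019-08-12-030000
2019-08-13-030000
2019-08-14-030000
2019-08-15-030000'

# Latest snapshot strictly before the breach timestamp ($1): this is the one
# to restore in full. Snapshot names arrive on stdin, one per line.
last_clean_snapshot() {
  sort -r | awk -v b="$1" '$0 < b { print; exit }'
}

# Snapshots taken at or after the breach timestamp ($1): candidates for
# selective restore only, because each may already hold encrypted or
# attacker-modified files and must be inspected before anything is copied back.
tainted_snapshots() {
  sort | awk -v b="$1" '$0 >= b'
}

# Usage: sh restore_point.sh 2019-08-14-000000
if [ -n "${1:-}" ]; then
  echo "full restore from: $(printf '%s\n' "$SAMPLE_SNAPSHOTS" | last_clean_snapshot "$1")"
  echo "review before selective restore:"
  printf '%s\n' "$SAMPLE_SNAPSHOTS" | tainted_snapshots "$1"
fi
```

In real use, replace `SAMPLE_SNAPSHOTS` with the output of `tmutil listbackups` (on macOS) or a directory listing of the rotated backup media; the point of keeping several iterations is that an uncertain breach time can be answered by stepping back one more snapshot.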

 Post subject: Re: Ransomware removal
PostPosted: Fri Aug 16, 2019 7:29 am 

Joined: Thu May 15, 2008 8:16 pm
Posts: 1195
Location: Prescott, AZ
Does this qualify as an 'offline' backup?

I have a TM backup SSD that is not mounted until the middle of the night, right before TimeMachine Editor has a TM backup scheduled. 10 minutes later that drive gets ejected. I have a couple scripts that mount / unmount using Task Till Dawn. I guess that SSD is vulnerable 10 minutes out of the day.

My hope is that were someone to get into my system that backup wouldn't be visible without some poking around.

Here's the kicker- the external SSD backup took a poo recently and I replaced it while the iMac just purred along. Go figure. There goes another $100.

The way things are now, and assuming I could still get into my iCloud data, I could start from scratch with my iMac and restore pretty much everything via iCloud. Or so I think!

_________________
Richard
Drink more coffee!!
 Post subject: Re: Ransomware removal
PostPosted: Mon Aug 19, 2019 8:34 am 

Joined: Thu May 15, 2008 8:13 pm
Posts: 10817
Location: Caught between the moon and NYC
Technically if it can be automatically mounted via a script then it can be mounted by the ransomware.

Ransomware isn't just a normal virus that has a bunch of logic built into it and if you can exploit holes in that logic you're safe. It's an actual human being remotely connected to your system who then tries to figure out the best way to ruin your life. Offline is safest because it's literally not attached to the system so they can't get access to it. Multiple media gives you a greater chance of surviving that moment when you attach your backup drive while they're remotely connected and choose that moment to pounce.

The good news is that in most cases they're not all that clever. Unless you're a juicy enough target to sell to a big fish you're normally dealing with someone of very limited experience trying to make a quick buck. If you manage to outwit them they end up losing money because they had to pay hundreds to thousands to tens of thousands of dollars to get access to the tools they're using. You almost never deal with the clever SOBs who wrote the software, you're dealing with guys who bought it from them.

For the most part a volume that isn't mounted on the system is safe. However if it's a volume they could mount or access over the network using your logged in credentials (or installed software) then that data is at risk. It really hinges on how experienced the scumbag is who's looking at your system.
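Richard's mount, back up, eject cycle, written out as an added example script (not his actual scripts, and not from anyone else in the thread). It assumes macOS `diskutil` and `tmutil`, and the volume name `TMBackup` is a constructed placeholder. The reply's caveat applies unchanged: anything this script can mount, an intruder running as the same user can mount too, so the script only narrows the window; it does not replace media that is physically detached. It does add one check the scheduled version should have: it confirms the volume is really gone afterwards, since a backup that silently stays attached is the failure mode the thread warns about. `DRY_RUN=1` prints the steps instead of running them, which is how it can be reviewed on a machine with no such volume.

```shell
#!/bin/sh
# Mount a dedicated Time Machine volume, run one backup, then eject it again.
# Added example. Assumes macOS `diskutil` and `tmutil`; TMBackup is a
# constructed volume name. DRY_RUN=1 echoes each step instead of executing it.

TM_VOLUME="${TM_VOLUME:-TMBackup}"      # constructed placeholder volume name
MOUNT_POINT="/Volumes/$TM_VOLUME"
DRY_RUN="${DRY_RUN:-0}"

# Execute a step, or describe it when dry-running.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "would run: $*"
  else
    "$@"
  fi
}

# True if the volume currently appears in the mount table.
# In dry-run mode there is no volume, so report it as not mounted.
is_mounted() {
  [ "$DRY_RUN" = "1" ] && return 1
  mount | grep -q " $MOUNT_POINT "
}

# Mount, back up (blocking until Time Machine finishes), eject.
# Returns non-zero if any step fails or if the volume is still mounted at the
# end, so a scheduler can alert on a backup drive that stayed attached.
backup_cycle() {
  run diskutil mount "$TM_VOLUME" || return 1
  if ! run tmutil startbackup --block; then
    run diskutil eject "$TM_VOLUME"   # still detach on a failed backup
    return 1
  fi
  run diskutil eject "$TM_VOLUME" || return 1
  if is_mounted; then
    echo "ERROR: $MOUNT_POINT is still mounted" >&2
    return 1
  fi
  return 0
}

# Show the planned steps without touching any disk.
plan() { ( DRY_RUN=1; backup_cycle ); }

# Usage: sh tm_cycle.sh run   (from the scheduler)
#        sh tm_cycle.sh plan  (review the steps)
case "${1:-}" in
  run)  backup_cycle ;;
  plan) plan ;;
esac
```

Schedule it with whatever runs your existing scripts (launchd, or the Task Till Dawn setup mentioned above); the important part is treating a non-zero exit as "the drive is still plugged in" and checking it in the morning.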