

Be prepared against ransomware viruses..


wraith808:
However we are talking about ransomware and I fear ransomware can't be stopped by limited privileges. Encrypting data is not a system operation, so I think ransomware are allowed to do it even if privileges are low.
I think limited privileges are useful against other kinds of malware only.
-Giampy (July 03, 2015, 05:57 PM)
--- End quote ---

It can be stopped by limited privileges from accessing backups on the network and other machines.  Which was the most tragic part of the incident in the OP.
-wraith808 (July 04, 2015, 09:12 AM)
--- End quote ---

Not necessarily.

Mapped network drives can be created and accessed by users without administrative access unless a group policy exists saying otherwise.

And Windows also allows users to access removable devices regardless of administrative access. Including any remote network filesystem that it has read-write access to.

Messing with user privilege would not have any impact at all on the speed of ransomware encrypting files unless that user privilege change also had associated restrictions on CPU and IOPS resource consumption.


-SeraphimLabs (July 04, 2015, 05:45 PM)
--- End quote ---

It indeed has helped me before with the code red virus.  I'd given read only access to my backup directory, and was doing a lower tech version of removing privileges in order to access my network drives.  I was glad that I did.
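As an added example (not code from any of the posters above), here is what the "read-only backup directory, written only by a separate account" arrangement wraith808 describes looks like on a Windows file server, in PowerShell. The directory path, share name and the two account names are assumptions for illustration; the point is that an ordinary interactive user, and therefore any ransomware running as that user, even over a mapped drive, gets read access only, while the backup job runs under its own account that holds the only write permission.

```powershell
# Added example, not from the thread: a backup share that every user can read
# but only a dedicated backup service account can write to.
# Assumed names: D:\Backups, share 'Backups', local account 'svc-backup'.
# Run as an administrator on the file server.

$path    = 'D:\Backups'
$share   = 'Backups'
$writer  = "$env:COMPUTERNAME\svc-backup"   # account the backup job runs as (assumed)
$readers = 'Authenticated Users'            # everyone else, including mapped drives

New-Item -ItemType Directory -Path $path -Force | Out-Null

# Share-level permissions: the writer gets Change, all other users get Read.
# Share and NTFS permissions combine to the most restrictive, so both are set.
New-SmbShare -Name $share -Path $path -ChangeAccess $writer -ReadAccess $readers | Out-Null

# NTFS permissions: cut inheritance from the drive root, then grant explicitly
# so nothing inherited (e.g. Users:Modify on some volumes) reopens write access.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)   # protect ACL, drop inherited ACEs
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

$rules = @(
    @($writer,                  'Modify'),          # backup job: create/overwrite/delete
    @($readers,                 'ReadAndExecute'),  # everyone else: restore only
    @('BUILTIN\Administrators', 'FullControl')      # admins, for maintenance
)
foreach ($r in $rules) {
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $r[0], $r[1], $inherit, $prop, 'Allow')
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $path -AclObject $acl

# Review what was actually applied.
Get-SmbShareAccess -Name $share
(Get-Acl -Path $path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Check from an ordinary (non-admin) user session on a client, with the share
# mapped as a drive: the write must be denied, the read must succeed.
#   net use B: \\SERVER\Backups
#   Set-Content -Path 'B:\probe.txt' -Value 'x'      # expected: Access denied
#   Get-ChildItem -Path 'B:\'                         # expected: listing works
```

The backup job itself should run on the server (or under svc-backup via a scheduled task), never as the interactive user on the workstation, otherwise the workstation process that gets infected is the one holding write access. This is the same split wraith808 describes with a separate account for the administrative share, just expressed as explicit ACLs rather than relying on which account happens to be logged in.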

Stoic Joker:
Pardon the interruption, but...
It indeed has helped me before with the code red virus.  I'd given read only access to my backup directory, and was doing a lower tech version of removing privileges in order to access my network drives.  I was glad that I did.-wraith808 (July 04, 2015, 09:13 PM)
--- End quote ---

Wasn't Code Red a worm that attacked unsecured IIS servers that were running by default in Win2k? I don't recall share hopping being part of its MO.

wraith808:
Pardon the interruption, but...
It indeed has helped me before with the code red virus.  I'd given read only access to my backup directory, and was doing a lower tech version of removing privileges in order to access my network drives.  I was glad that I did.-wraith808 (July 04, 2015, 09:13 PM)
--- End quote ---

Wasn't Code Red a worm that attacked unsecured IIS servers that were running by default in Win2k? I don't recall share hopping being part of its MO.
-Stoic Joker (July 05, 2015, 08:52 AM)
--- End quote ---

Yeah... my fault.  It was something else during that time that basically propagated itself by re-writing parts of files.  I forget the name at this point- but it was some nifty name.  As I only accessed the shares in question by administrative share, and used another account (admittedly admin on my box) the infection was contained.

bit:
FWIW, found this vid on YT called Script Kiddie Logs into a Honey Pot.
Published on Oct 10, 2012
quote: "I'm running a honeypot using Kippo and someone managed to guess the password (hint: it was password) and played around a bit. As this video shows, he doesn't seem to know much of what he's doing - he misspells many commands, gets frustrated, and finally just deletes the entire filesystem. His IP placed him in southern China."

MerleOne:
Interesting to read that there is no real decryption, just the use of backups and other solutions to recover files!
