Massive ransomware attack just took out my work and ukraine, anyone else affected?

Soldato
Joined
5 Apr 2009
Posts
24,796
In terms of personal data security, would something like a Western Digital MyCloud be sufficiently detached to avoid encryption by ransomware as either a primary or backup storage location?

Manual backups whilst obviously more easily detached are more prone to 'forgot' and 'didn't have time this week' issues.

Though these all seem to be time-based sleeping viruses, so would auto backups likely just infect themselves anyway?
 
Man of Honour
Joined
13 Oct 2006
Posts
90,805
In terms of personal data security, would something like a Western Digital MyCloud be sufficiently detached to avoid encryption by ransomware as either a primary or backup storage location?

Manual backups whilst obviously more easily detached are more prone to 'forgot' and 'didn't have time this week' issues.

Though these all seem to be time-based sleeping viruses, so would auto backups likely just infect themselves anyway?

Even if a backup contained an infection it wouldn't be executed while the data was dormant in storage - worst case you'd need some advanced tools to recover the data to prevent subsequent infection from the backup if there were any executable files within it.

Personally I use a combination of approaches based around a QNAP NAS box for my backup needs including automatic replication and manual "weekly" snapshots to external USB drives I keep separately offline.
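The two points raised above, that a scheduled backup might happily copy already-encrypted data over good snapshots, and that malware sitting dormant in a backup only matters once an executable inside it is run, both suggest a sanity check a backup job can run before it rotates old snapshots. The script below is an added example and not code from the original post or from any NAS vendor: it flags a share as mass-encrypted when a large proportion of its files have near-random content or carry a suspect extension, and it inventories and hashes any executable files about to enter the backup so they can be reviewed. The sample files, the extension list and the thresholds are constructed assumptions for illustration.

```python
"""Pre-snapshot sanity check for a backup share (added example, not from the forum post)."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions some ransomware families append; an illustrative assumption, not a definitive list.
SUSPECT_EXTENSIONS = {".locked", ".crypt", ".encrypted"}
# Magic bytes of the executable formats we inventory before they are copied into the backup.
EXEC_MAGIC = {b"MZ": "pe", b"\x7fELF": "elf"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0..8); encrypted data sits very close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path, sample_size: int = 4096) -> dict:
    """Inspect one file: entropy of its first bytes, executable type, suspect extension."""
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    exec_kind = next((k for magic, k in EXEC_MAGIC.items() if head.startswith(magic)), None)
    digest = None
    if exec_kind:
        # Hash the whole executable so it can later be checked against a known-bad list.
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
    return {
        "path": str(path),
        "entropy": shannon_entropy(head),
        "executable": exec_kind,
        "sha256": digest,
        "suspect_ext": path.suffix.lower() in SUSPECT_EXTENSIONS,
    }


def assess_share(root: Path, entropy_threshold: float = 7.5, ratio_threshold: float = 0.5) -> dict:
    """Decide whether a share looks mass-encrypted and list the executables it contains.

    Compressed formats (zip, jpg, mp4) are high-entropy too, so one file never
    trips the check on its own; the proportion of flagged files is what matters.
    """
    reports = [classify_file(p) for p in sorted(root.rglob("*")) if p.is_file()]
    total = len(reports)
    flagged = sum(1 for r in reports if r["entropy"] >= entropy_threshold or r["suspect_ext"])
    ratio = flagged / total if total else 0.0
    return {
        "files": total,
        "flagged": flagged,
        "ratio": ratio,
        "looks_encrypted": total > 0 and ratio >= ratio_threshold,
        "executables": [r for r in reports if r["executable"]],
    }


def build_sample_share(root: Path, encrypted: bool) -> None:
    """Constructed sample data: four documents plus one Windows executable stub."""
    root.mkdir(parents=True, exist_ok=True)
    for i in range(4):
        if encrypted:
            # Simulate a ransomware-encrypted document: random bytes and a new extension.
            (root / f"report{i}.docx.locked").write_bytes(os.urandom(4096))
        else:
            (root / f"report{i}.docx").write_text("Quarterly figures, see table 3.\n" * 100)
    # A fake PE file: only the MZ header matters to this inventory check.
    (root / "tool.exe").write_bytes(b"MZ" + b"\x00" * 200)


def demo() -> tuple:
    """Assess a healthy share and an encrypted one; returns both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, hit = Path(tmp, "clean"), Path(tmp, "hit")
        build_sample_share(clean, encrypted=False)
        build_sample_share(hit, encrypted=True)
        return assess_share(clean), assess_share(hit)


if __name__ == "__main__":
    before, after = demo()
    for label, result in (("clean share", before), ("encrypted share", after)):
        names = [Path(e["path"]).name for e in result["executables"]]
        print(f"{label}: {result['files']} files, {result['flagged']} flagged, "
              f"looks_encrypted={result['looks_encrypted']}, executables={names}")
```

Wired into a backup job, a `looks_encrypted` result should abort the snapshot rotation and raise an alert rather than overwrite the last good copy; the executable inventory gives you the hashes to check before anything from a restored backup is ever run.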
 
Caporegime
Joined
29 Jan 2008
Posts
58,898
Surely nobody will be able to get hold of any money from this as the bitcoin accounts will be watched like hawks by government agencies?

True, though I guess there are laundering services out there, people can use multiple accounts etc...

The other issue is that if this is, say, a criminal group in Russia then maybe the money laundering etc. isn't even necessary - depending on who the group are and whether corrupt Russian officials are on their side etc. (yup, even if they've ripped off or damaged a Russian company in the process). I mean this is small fry compared to some of the rather blatant corruption and corporate theft present in Russia.
 
Man of Honour
Joined
13 Oct 2006
Posts
90,805
So just had a rather candid chat with a friend across the pond (at a rather large multinational). They got hit via one of their remote sites; they are still trying to work out the attack vector. Now I've known this guy for quite some time and technically he is on the ball. They have multiple Layer 7 firewalls, email filtering via Mimecast, Cylance on the infrastructure, AppLocker, relevant GPOs, etc. He suspects it came from somebody internal as opposed to from the outside. It hit fully patched Windows 2016 & 10 boxes.

Unfortunately IT security is evolving so quick it's difficult to try and keep up :(

I've been wondering with some of the recent attacks if there hasn't been a certain amount of "war driving" type attacks against personal/corporate devices around public hotspots and/or fake hotspots, etc. which have been the initial attack vector to get the infection inside corporate networks that way - it's hard to be sure with the approximation of IP geolocation, etc. but some of the recent attacks in the earliest hours of manifestation seemed to spread outwards from major cities in a way I've not seen previously, almost like there were teams operating on foot, so to speak, setting it in motion.
 
Soldato
Joined
6 Mar 2007
Posts
9,736
Location
Surrey
So just had a rather candid chat with a friend across the pond (at a rather large multinational). They got hit via one of their remote sites; they are still trying to work out the attack vector. Now I've known this guy for quite some time and technically he is on the ball. They have multiple Layer 7 firewalls, email filtering via Mimecast, Cylance on the infrastructure, AppLocker, relevant GPOs, etc. He suspects it came from somebody internal as opposed to from the outside. It hit fully patched Windows 2016 & 10 boxes.

Unfortunately IT security is evolving so quick it's difficult to try and keep up :(
We are running Mimecast and Cylance along with McAfee so that's slightly concerning!
 
Soldato
Joined
17 Jul 2008
Posts
7,367
Problem is the reality for many organisations is more complex - and going by Windows update history there is a higher chance of a patch breaking things than for most companies being infected by malware :s

We support 1000+ servers in 15 domains with 100+ apps; the only patches I have seen cause issues over 10 years were caused directly and knowingly by MS, I can assume just for a laugh..

1) repeatedly getting IE to refuse low encryption and superseding that patch 10x; why does IE not just tell you it does not like the cert? MS just get IE to show a generic "Web site not found" error
2) Windows Update using 100% CPU time for ever
 
Don
Joined
19 May 2012
Posts
17,050
Location
Spalding, Lincolnshire
Has the method of infection been found yet?

A little worried as a couple of our key servers are not fully patched, and our desktops are in various states of patch (although all have the recent WannaCry hotfixes installed).

Yes I know it's not really acceptable, but still trying to recover from 5 years of IT infrastructure neglect. The irony being we are actually currently testing our first WSUS server, but it is an "in-between time" project. On the plus side, since my taking over as Manager, at least we have on-site backups on a non-Windows platform, daily off-site backups of everything key, group policy including app white-listing, up to date antivirus everywhere, and user education with regards to email/web to help reduce risk.
 
Soldato
Joined
25 Sep 2006
Posts
14,349
We got hit last year and were let down by our outsourced 3rd party not having a successful recent backup and having to rebuild and reprocess everything from the last week. I think they accessed some warehouse terminals left on 24/7 (one of which has hideous amounts of malware & viruses on it) and/or our printer IP. It all goes over my head but was reasonably cunning.

Then about a month later a much lower level crypto virus, but that was small fry by comparison.

Safe to say we're well prepared now :o
 
Soldato
Joined
20 Jul 2004
Posts
3,614
Location
Dublin, Ireland
We support 1000+ servers in 15 domains with 100+ apps; the only patches I have seen cause issues over 10 years were caused directly and knowingly by MS, I can assume just for a laugh..

1) repeatedly getting IE to refuse low encryption and superseding that patch 10x; why does IE not just tell you it does not like the cert? MS just get IE to show a generic "Web site not found" error
2) Windows Update using 100% CPU time for ever

Like the gem of a Windows update from Monday last week - the sheer amount of support calls we had to deal with caused by that breaking Outlook. MS patch testing has gotten considerably worse over the last year or two.

Nate
 
Soldato
Joined
30 Nov 2007
Posts
2,989
Location
Bristol, UK
They need to start reversing this trend of sticking every single thing on the Internet. Accept users need access to the Inet for certain things, but why aren't some companies' core applications air gapped?
 
Soldato
Joined
19 Oct 2002
Posts
14,154
Location
Scotland
Might be coincidence, but I had a clear phishing email with a link to a website to "download attachment" this morning, and we have a very good spam/phishing filter (multinational power company) which catches 99.9% of 'em. Punted it on as a med priority incident to IT.
 