Crypto Locker

Sup Forums,

The company I work for is getting blasted with an RSA 4096 ransomware virus (pic related) and all I'm finding online is how to remove it and nothing to do with how it operates.

I'm to the point now where ethics are out the door and I can infect a retired computer to recreate the virus and figure out how it works that way.

Is there any other way to go about learning these things or should I just go ask spiceworks?

Restore a previous backup.

What kind of garbage company do you work for where this was even possible?

Hell, who the fuck was stupid enough to introduce this virus to a work PC in the first place?

>how does it work?
By encrypting your files, you fucking moron.

>running work pcs with admin privileges
HAHAHAHAHAHA

Install Gentoo and never worry about malware again.

It encrypts your files and stores the private key on their server. You can't do shit.

I don't think you tuff guys get the point of what I'm saying. We're trying to build a script to prevent it from installing to a specific root. We will push that through a Windows patch but only after we figure out how this works.

Do you feel big? Do you feel tough bc you can jump to conclusions and force your "superiority" on le n00b xDd? kys or help brainstorm faggots.

^^
especially you faggot

I don't think you know how computers or Google work desu.

>We're trying to build a script to prevent it from installing to a specific root
Don't give it permissions to install there.

IM TRYING TO FIGURE OUT WHERE THE FUCK IT INSTALLS YOU FUCKING RETARD

>BAWWWWWWW!!!!!!!!! why won't Sup Forums be my tech support?!!!!1111oneone

I'm an intern ;_;

>pls respond

You seem like you have never written anything in that sector. Even the smallest virus can escape all your plans by just using random folders and filenames.
>inb4 how does that even work out?
It is called permutation.
CryptoLocker can only be stopped by not being stupid and surfing on sites nobody knows, with Flash enabled (and possibly Java and other stuff).
Install Linux and just enable a few websites that you know. Disable all USBs, DVD drives and everything else too because your people are fucking stupid I guess.

also
>secure trip

are you like the 4chang god bc ur cool

Probably somewhere on the C:\ drive

I get the feeling the OP lied about his qualifications to get a job, and now, he is freaking out because he is going to get fired.

Yes.

In temp folder, usually.
What's more important, you should figure out what kind of file that is. We got hit by JS executed by WScript, so I denied WScript execution.

once again, kys edge-lordington le basement warlock

Don't be so mad OP

ok, but I'm having a hell of a time rn m8

That's the thing, I'll try my best to find it but it doesn't seem to be there.

What, so you manage to secure your computers from one instance of a CryptoLocker attack, but what happens when one of the hundreds of other variants finds its way in?

We keep getting hit with Locky and the most effective way of combating it is to just restore from the nightly backup.

You should only be getting a serious infection on one PC and encryption on any discoverable share drives.

If your share drives are not write protected based on AD credentials then get your shit together. If this malware has managed to get into other PCs and encrypt them as well then your permissions are a fucking joke.

The reason this is so effective is because there is no easy counter to something like this. You and your buddies can go write as many scripts as you want but your best bet is to stop your users from downloading the fucking things. Not playing Mr Robot and wasting time.

If I was your boss, and I learned that you were so underqualified that you had to go to a website made for weeaboos who like anime to learn how to stop one of the most common security threats facing PCs because of your incompetence, I'd have you fired on the spot.

>mfw Windowsfags can't force a policy that only allows executables that match a whitelisted SHA512 to run
lmaoing @ your company

>what is a group policy object

>>mfw Windowsfags can't force a policy that only allows executables that match a whitelisted SHA512 to run
literally lmaoing, show me in group policy where you can specify a whitelist with executable hashes.
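An added example, not from any poster in this thread: a hash-based executable allow-list built with the AppLocker PowerShell cmdlets (the same rules can be authored under Group Policy > Application Control Policies). It assumes a Windows edition with AppLocker, an elevated session, and that the folder and test file paths are placeholders you would replace.

```powershell
# Added example (not from the thread): build an AppLocker policy that only lets
# executables with a known file hash run, then test it before enforcing it.
# Assumptions: Windows Enterprise/Server with the Application Identity service
# running, an elevated session, and $ApprovedDir holding the vetted binaries.
# Paths are placeholders.

$ApprovedDir = 'C:\ApprovedApps'                      # placeholder
$PolicyFile  = "$env:TEMP\applocker-hash-policy.xml"

# 1. Collect file-hash information for every approved executable.
$approved = Get-AppLockerFileInformation -Directory $ApprovedDir -Recurse -FileType Exe

# 2. Build allow rules keyed on the hash, not on path or publisher, so a renamed
#    or relocated copy of an unknown binary is still blocked. Once the Exe rule
#    collection contains any rule, anything it does not match is denied when
#    enforcement is on, so the approved set must include what users need
#    (merge with the default Windows/Program Files rules, step 4).
$xml = New-AppLockerPolicy -FileInformation $approved -RuleType Hash -User Everyone -Xml

# 3. Start in audit mode: decisions are logged (AppLocker event log) but not
#    enforced, so gaps in the allow-list show up before anyone is locked out.
$xml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$xml | Out-File -FilePath $PolicyFile -Encoding utf8

# Dry-run: what would the policy decide for a file dropped in a user profile?
$sample = 'C:\Users\Public\Downloads\unknown.exe'   # placeholder test file
if (Test-Path $sample) {
    Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $sample -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# 4. Apply locally, merging with the existing policy rather than replacing it
#    (use -Ldap to target a GPO instead). Switch AuditOnly to Enabled once the
#    audit log shows no legitimate software being denied.
Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge
```

Audit events appear under Applications and Services Logs > Microsoft > Windows > AppLocker; review them for a week or so before flipping the collection to Enabled.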

How the fuck did you even get a job in IT? Did your certifications come in a cereal box? This is pathetic

I'm going to look this over after work, thanks for the input.

Is that AppArmor or SELinux?

Time to format your disk and install from backup.

Retard.

pls kys

do it for the kids

Unfortunately, the best way to get past these is actually paying the ransom. There isn't a lot of ransomware that you can crack within the time limit they give you to pay.

Either the ransomware authors fucked up and someone made a decryptor already, or you're fucked and have to pay. Have backups and be less incompetent next time.

We can't do that in our environment.

>We can't do that in our environment.
Well apparently you can fuck up all your files and install malware, so get formatting.

It doesn't matter what you think you can or can't do, you got fucked by ransomware. Restore a backup or accept your fuckup and pay some Russians.

I'm not kidding about How much are they asking?

I'm guessing you're looking to prevent it from happening again? Well, the ransomware virus is just the payload. The attack vector they used to infect the machine is what you're looking for, which differs case by case. You can easily mitigate the effects by standard security patches and a good backup policy.

Some of you guys are OK, don't go to work tomorrow.

If you're looking to recover your files you will not be able to. Because in order to do that you would have to break RSA-4096. Well, I guess you could... it would take about 10 years though.

Autism.

You back up all personal files to a sharepoint or cloud and combat the problem by being smarter than it. Good luck with your Linux meme in the real world where you have to provide service to normies, fucking idiot.

you would have to break RSA encryption*

see

? I think the problem is OP didn't back up his files before ransomware hit..... so yes, his only option is to pay the ransom.

see

Question. How do I use a guest account so that viruses and shit can't fucking install? Also, if I try installing a program will it let me? Or would I have to go into admin or enter a password?

Next time either don't use Windows or set appropriate security measures.

>Is there any other way to go about learning these things or should I just go ask spiceworks?

If you want to learn how it works, ask the people that created it or the people that created the way to remove it.

I can see through your writing 'skillz' why your office is fucked over.

>not understanding the problem

no one cares about the files, we need to stop it happening in the future, sperg

Reverse engineer it on your own kiddo.

Not all strains are the same and most will attempt to infect each account, not just one. Do it on a VM and monitor what it does. Some use known exploits. Others wait for the user to let them in.

I'm going to beat your grandma

And on that note, you're not going to be able to "jail" this file with permissions. Nor will it be easily found.
Anti-viruses do most of this for you and much better than probably any script you'll write.
Programs make changes to the disk all the time and not even in the directories they "promise to stay in".
You're looking at tedious sanitation or impossible chasing of "suspicious processes".

Just download the crypto preventer thing from FoolishIT, and set it to the 3rd or 4th setting.

>how do i use a guest account
control panel>user accounts>manage accounts
>will it let me install a program
Probably not. As a guest you will have to enter an admin password, or you can change the group policy, but then there would be no real point in using a guest account.

Look, guys. OP is not talking about how to save himself from this thing but actually to find out how this works.

He probably just wanted to get praised and raised by his boss for writing a script that could prevent this thing from working.

But you're forgetting something, OP. There are numerous kinds of variants of this thing out there. To stop it completely with just one sample is not going to do anything.

Just leave the job to actual security experts and start picking up the damn phone.

This, so much this. Biggest thing that helped my organisation was to disable macros by default in any MS Office document though.

This question is the same as "how do I avoid getting viruses". Remember, ransomware is just the payload; there are loads of ways it could have got in.

You ever think your company is susceptible to this shit because they have retards like you being responsible?

You guys are fucked.

okay, thanks for the input

Right-click the process in task explorer and navigate to the file? Install software to monitor your file system to see where new files are created?

What kind of answer do you expect, you ass? Someone to point you to "Ransomware executable finder pro edition 2016" or something? Learn what computers and processes are first, then you'll know what to do using that brain God gave you.

>God
O I'm laffin

I knew that would trigger some edgelord hahaha

PS: saged for going offtopic

delete system32

doing it now, wish me luck

>Someone to point you to "Ransomware executable finder pro edition 2016" or something?

That was the first time I've laughed today, thanks

Just use Process Monitor.

Get fired, pajeet

misread
>I'd have you hired on the spot

got confused

>mfw Windows has no equivalent of SELinux, grsecurity, AppArmor, TOMOYO, jails etc.
lmaoing at ur OS

SELinux doesn't use SHA512 hashes but you could still configure it to prevent users from running arbitrary executables

This proves, without any doubt, that this guy is pajeet.