Mister_Nobody
Honored Sweeper II

Part I. Nothing boded ill:

It was Friday the 13th, 13 hours and 13 minutes. Nothing boded ill. The accountant in charge of payroll received an e-mail with an attachment and a suggestion to launch an interactive greeting card.
She entered the password and unpacked the file, then launched the executable file and waited for the funny picture.
The result came quickly - all the company's payroll data disappeared in an instant!

Part II. Quick restore:

The situation concerned the user, and she filed a request with the IT HelpDesk.
Upon receipt of the request, we immediately disconnected the computer from the network. There were over 5,000 files encrypted on network shares.
We rolled the data back to the overnight backup, so users had to re-enter half a day's worth of data.

Part III. Avoiding the problem:

To avoid future problems, we configured Software Restriction Policy (SRP).

Example for zip (*we have a lot of exceptions):

%userprofile%\AppData\Local\Temp\*.zip\*.bat
%userprofile%\AppData\Local\Temp\*.zip\*.cmd
%userprofile%\AppData\Local\Temp\*.zip\*.com
%userprofile%\AppData\Local\Temp\*.zip\*.exe
%userprofile%\AppData\Local\Temp\*.zip\*.js
%userprofile%\AppData\Local\Temp\*.zip\*.jse
%userprofile%\AppData\Local\Temp\*.zip\*.pif
%userprofile%\AppData\Local\Temp\*.zip\*.scr
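
As an added example (not from the original post), a small Python simulation of the SRP path rules above: it expands %userprofile%, translates the SRP wildcards and reports which rule would fire for a given executable path, so the rule set can be sanity-checked before it is deployed. It assumes that `*` and `?` do not cross a backslash and that matching is case-insensitive; the sample paths and the `C:\Users\alice` profile are constructed.

```python
import re

# The SRP path rules from the post, one per line (same order as above).
SRP_RULES = [
    r"%userprofile%\AppData\Local\Temp\*.zip\*.bat",
    r"%userprofile%\AppData\Local\Temp\*.zip\*.cmd",
    r"%userprofile%\AppData\Local\Temp\*.zip\*.com",
    r"%userprofile%\AppData\Local\Temp\*.zip\*.exe",
    r"%userprofile%\AppData\Local\Temp\*.zip\*.js",
    r"%userprofile%\AppData\Local\Temp\*.zip\*.jse",
    r"%userprofile%\AppData\Local\Temp\*.zip\*.pif",
    r"%userprofile%\AppData\Local\Temp\*.zip\*.scr",
]

# Constructed profile directory used to expand %userprofile% offline.
DEFAULT_ENV = {"userprofile": r"C:\Users\alice"}


def rule_to_regex(rule, env):
    """Expand %VAR% placeholders from `env` and translate SRP wildcards.
    Assumed semantics: '*' matches any run of characters inside one path
    component, '?' matches exactly one; comparison is case-insensitive."""
    expanded = re.sub(r"%([^%]+)%", lambda m: env[m.group(1).lower()], rule)
    parts = []
    for ch in expanded:
        if ch == "*":
            parts.append(r"[^\\]*")
        elif ch == "?":
            parts.append(r"[^\\]")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def matching_rule(path, rules=SRP_RULES, env=None):
    """Return the first rule that would block `path`, or None if none fires."""
    env = env or DEFAULT_ENV
    for rule in rules:
        if rule_to_regex(rule, env).fullmatch(path):
            return rule
    return None


if __name__ == "__main__":
    # Constructed sample paths: Explorer extracts archives into Temp\<name>.zip\
    for p in [r"C:\Users\alice\AppData\Local\Temp\Temp1_card.zip\greeting.exe",
              r"C:\Users\alice\AppData\Local\Temp\Temp1_card.zip\readme.txt",
              r"C:\Users\alice\Downloads\tool.exe"]:
        print(p, "->", matching_rule(p) or "allowed by these rules")
```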

And we created a report in Lansweeper to track SRP triggers:

Select Top 10000000 tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.IPAddress,
  tblAssets.Username,
  tblADusers.OU,
  tblNtlogSource.Sourcename,
  tblNtlog.Eventcode,
  tblNtlog.TimeGenerated,
  tblNtlogMessage.Message
From tblAssets
  Inner Join tblNtlog On tblAssets.AssetID = tblNtlog.AssetID
  Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
  Inner Join tblNtlogSource On tblNtlogSource.SourcenameID =
      tblNtlog.SourcenameID And (tblNtlogSource.Sourcename =
        'Microsoft-Windows-SoftwareRestrictionPolicies' Or
        tblNtlogSource.Sourcename = 'Software Restriction Policies')
  Left Join tblADusers On tblADusers.Username = tblAssets.Username
Order By tblNtlog.TimeGenerated Desc

We didn't catch any more encryptors.
