Page 1 of 1
Ransomware
Posted: Mon Jul 30, 2018 2:50 pm
by Otto
Hello,
I am planning an easy protection of my WINHOTEL data against ransom ware.
As I know that in my data folder should only be dbf, ftp and cdx files I thought I could have a FW program running at startup and checking all the winhotel data folders.
If there is a file with a different filename we should shutdown the sever.
Do you think we can program such a software.
It would be good if this could be a service.
How do we start the program best?
How could we restart the server that we do not run in a loop after an attack.
Thank you for your help in advace
Otto
Code: Select all
#include "FiveWin.ch"
static oWnd, oTimer
//----------------------------------------------------------------------------//
function Main()
DEFINE DIALOG oWnd FROM 3, 3 TO 20, 50 ;
TITLE OemToAnsi( "Testing timers" )
ACTIVATE DIALOG oWnd ;
ON INIT StartTimer()
return nil
//----------------------------------------------------------------------------//
function StartTimer()
DEFINE TIMER oTimer OF oWnd ;
INTERVAL 300 ;
ACTION ( check() )
ACTIVATE TIMER oTimer
return nil
//----------------------------------------------------------------------------//
function check()
local aDir := directory( "x:\xwhdaten\DATAWIN\" + "*.*","DHS")
local I := 1
local cFilename := ""
local lFehler := .f.
local cFehler := ""
oTimer:Deactivate()
FOR I := 1 to len( aDir )
lFehler := .T.
if aDir[ I , 1 ] <> "."
if ALLTRIM ( UPPER( cFileExt( aDir[ I , 1 ] ) ) ) = "DBF"
lFehler := .f.
endif
if UPPER( cFileExt( aDir[ I , 1 ] ) ) = "FPT"
lFehler := .f.
endif
if UPPER( cFileExt( aDir[ I , 1 ] ) ) = "CDX"
lFehler := .f.
endif
if lFehler = .t.
cFehler += aDir [ I, 1 ] + CRLF
FWLOG cFehler
winexec( "abmelden.bat" )
endif
endif
next
oTimer:activate()
return nil
Re: Ransomware
Posted: Mon Jul 30, 2018 3:51 pm
by karinha
Re: Ransomware
Posted: Mon Jul 30, 2018 4:36 pm
by Otto
Hello João
we do have a defense quality product – a really professional one - installed.
But the attacker have uninstalled the software.
If you restart the PC the ransomware is active and starts immediately to encrypt.
At the moment it seems to me that a solution I plan is best for our data.
Maybe we should send an email with the filename which trigger the shutdown.
But you should not loose any time before shutdown.
Best we furnish a boot USB stick with the server. So you can start save and check the system.
Does someone know if you could start with a stick and then open for example TeamViewer?
Best regards
Ottio
Re: Ransomware
Posted: Mon Jul 30, 2018 7:31 pm
by Rick Lipkin
Otto
With the addition of Windows 10 Spring edition .. Defender now has a Ransom Ware Folder protection option :
And you can select any folder you like to be included in protected folder list:
The Protected folder is new and it comes free with Window 10 .. I just hate adding 2 or 3 additional protection programs to an OS .. I see machines come into the shop with Avast, McAfee, Symantec .. and people complain their machines are running slow ..
The only protection against ransom ware is regular backups that you insert the backup drive, run the backup and REMOVE the backup drive .. because most ransomware can jump and also encrypt any drives plugged into the computer ..
Its all about personal due-diligence .. and trying to heuristically use a program you create needs to look at behavior, files and changes in file ( sizes) ..etc .. Defender does all that .. not that I am a Microsoft sales person .. just an idea .. defender is not perfect and it detects heuristic changes in files .. and active .dbf's may sound a false alarm.
My 2 cents worth
Rick Lipkin
Re: Ransomware
Posted: Mon Jul 30, 2018 9:26 pm
by TimStone
I have my program set to do an automatic zip backup of all data files, and those are saved to another location. I recommend an external drive and an automatic copy of that to a cloud drive. Since each zip is uniquely named, multiple days are available to restore.
For my own system, I have regular backups across multiple devices, and they are offline when not being used. So a ransomware attack on my main computer yields them nothing. I simply wipe the system clean, and reinstall from my alternate computers.
The other important factor is to warn clients to avoid any communication that could trigger ransomware. If I have any doubt at all about something coming into my system, I do not allow it.
Re: Ransomware
Posted: Mon Jul 30, 2018 9:42 pm
by Otto
Hello Rick
do you know if we can get DEFENDER for WINDOWS SERVER 2012 R2 and WINDOW SERVER 2008.
Thank you in advance
Otto
Re: Ransomware
Posted: Mon Jul 30, 2018 9:47 pm
by Otto
Hello Tim
thank you.
We do have a similar system. We use WINDOWS SERVER BACKUP. Up to now these backup targets were save.
But who knows for how long.
Best regards
Otto
Re: Ransomware
Posted: Tue Jul 31, 2018 10:58 am
by dutch
Dear Otto,
I've faced with it and I change my backup procedure to zip to local drive (client) with different extension and including password.
BACKUP20180731.EZ4
It can avoid the ransomware, because it will scramble only database, document and picture. My customer have inflected but I can restore from it.
1. Zip with password and change extension to which ransomware will not looking for.
2. Backup via FTP to somewhere (I use Cobrian), like to NAS.
It may help.
Re: Ransomware
Posted: Tue Jul 31, 2018 12:47 pm
by Rick Lipkin
Otto
Windows defender comes standard with Server 2016 and appears not be be disabled easily .. from the brief searches I have made it is unclear if there is a Ransomware component to server 2016 ..
https://docs.microsoft.com/en-us/window ... erver-2016
Rick Lipkin
Re: Ransomware
Posted: Tue Jul 31, 2018 8:44 pm
by Otto
Hello Dutch,
I wouldn’t trust that zip is save.
I have seen encrypted ZIP files.
Here is a screen shot how EMGDBU ended.
Best regards
Otto
Re: Ransomware
Posted: Wed Aug 08, 2018 5:30 pm
by Otto
Hello,
I did some simulation of a ransomware attack. The program starts at start of the server in the system account.
When a encryption is detected the server shuts down.
Please see the video.
Maybe not the best solution but better than nothing.
Best regards,
Otto
https://www.youtube.com/watch?v=iyOOO2XjJgY
Re: Ransomware
Posted: Thu Apr 25, 2019 12:03 pm
by MOISES
Hello Otto,
I have a doubt: since the dbfs when opened are locked, can malware encrypt them?
Thank you. All the best
Re: Ransomware
Posted: Thu Apr 25, 2019 7:07 pm
by Otto
Hello,
I think if the file is open it should not be possible.
But are your files always open?
If a criminal has access to your computer, it's very hard to figure out what's possible.
Best regards
Otto
Re: Ransomware
Posted: Sat Apr 27, 2019 5:44 pm
by TimStone
Being a criminal has become a very profitable occupation so many pursue it.
I think the safest option is daily backups, with each one being unique. Thus when Ransomware strikes, the customer completely reformat the machine, installs the last clean backup, makes the subsequent entries, and continues on. Backups should be redundant ( multiple ) and some stored offsite each day.
My software does a daily backup to a zip file, and a copy of that automatically goes to my cloud server also. In addition, the hardware specialists do a full backup of all files to a cloud service.
For my own use, everything important is backed up every 4 hours to a USB drive, the whole machine ( iMac ) is backed up separately, and directories are also backed up to iCloud and One Drive. It may seem like a lot but we know how aggressive the criminals have become.
Re: Ransomware
Posted: Sat Apr 27, 2019 8:05 pm
by Otto
Hello Tim,
An average restaurant here has about 100 tables.
If the ransomware attack is done at lunch time and you have 100 open tables, then there is a real billing problem.
A daily backup is not sufficient.
Tim a real backup is not that easy as you write.
What software do you use for backup?
Which PCs do you include?
Email system?
Also if you have a backup e restore can take long.
Windows server backup sometimes is searching more than 2 hours before you can access the data.
Then if you restore maybe the latest backup is infected too.
Next try another 2 hours, etc.
I would be glad if you can share a rock solid concept.
>the customer completely reformat the machine, installs the last clean backup,
Do your costumers have a boot disk – if yes do they still have a CD ROM build in
>daily backups,
where do you keep the backup
>the hardware specialists do a full backup of all files to a cloud service.
how long takes a restore - mostly all the PCs plus the server are infected
> backed up every 4 hours to a USB drive
attached drives do not help anything they get infected too
Best regards
Otto