Ransomware

Post Reply
User avatar
Otto
Posts: 4470
Joined: Fri Oct 07, 2005 7:07 pm
Contact:

Ransomware

Post by Otto »

Hello,
I am planning an easy protection of my WINHOTEL data against ransom ware.
As I know that in my data folder should only be dbf, ftp and cdx files I thought I could have a FW program running at startup and checking all the winhotel data folders.
If there is a file with a different filename we should shutdown the sever.

Do you think we can program such a software.
It would be good if this could be a service.
How do we start the program best?

How could we restart the server that we do not run in a loop after an attack.

Thank you for your help in advace
Otto

Code: Select all

#include "FiveWin.ch"
static oWnd, oTimer
//----------------------------------------------------------------------------//

function Main()
   DEFINE DIALOG oWnd FROM 3, 3 TO 20, 50 ;
      TITLE OemToAnsi( "Testing timers" )

   ACTIVATE DIALOG oWnd ;
      ON INIT  StartTimer()

return nil

//----------------------------------------------------------------------------//
function StartTimer()
   DEFINE TIMER oTimer OF oWnd ;
      INTERVAL 300 ;
      ACTION ( check() )

   ACTIVATE TIMER oTimer
return nil
//----------------------------------------------------------------------------//


function check()
   local aDir   := directory( "x:\xwhdaten\DATAWIN\" + "*.*","DHS")
   local I := 1
   local cFilename := ""
   local lFehler := .f.
   local cFehler := ""

   oTimer:Deactivate()



   FOR I := 1 to len( aDir )
      lFehler := .T.

      if    aDir[ I , 1 ]  <>  "."
         if ALLTRIM ( UPPER( cFileExt( aDir[ I , 1 ] ) ) ) = "DBF"
            lFehler := .f.
         endif
         if UPPER( cFileExt( aDir[ I , 1 ] ) ) = "FPT"
            lFehler := .f.
         endif
         if UPPER( cFileExt( aDir[ I , 1 ] ) ) = "CDX"
            lFehler := .f.
         endif
         if lFehler = .t.
            cFehler += aDir [ I, 1 ] + CRLF
            FWLOG cFehler
            winexec( "abmelden.bat" )
         endif

      endif
   next

   oTimer:activate()
return nil
********************************************************************
mod harbour - Vamos a la conquista de la Web
modharbour.org

********************************************************************
User avatar
karinha
Posts: 4882
Joined: Tue Dec 20, 2005 7:36 pm
Location: São Paulo - Brasil

Re: Ransomware

Post by karinha »

João Santos - São Paulo - Brasil
User avatar
Otto
Posts: 4470
Joined: Fri Oct 07, 2005 7:07 pm
Contact:

Re: Ransomware

Post by Otto »

Hello João

we do have a defense quality product – a really professional one - installed.
But the attacker have uninstalled the software.
If you restart the PC the ransomware is active and starts immediately to encrypt.

At the moment it seems to me that a solution I plan is best for our data.

Maybe we should send an email with the filename which trigger the shutdown.
But you should not loose any time before shutdown.

Best we furnish a boot USB stick with the server. So you can start save and check the system.

Does someone know if you could start with a stick and then open for example TeamViewer?

Best regards
Ottio
********************************************************************
mod harbour - Vamos a la conquista de la Web
modharbour.org

********************************************************************
User avatar
Rick Lipkin
Posts: 2397
Joined: Fri Oct 07, 2005 1:50 pm
Location: Columbia, South Carolina USA

Re: Ransomware

Post by Rick Lipkin »

Otto

With the addition of Windows 10 Spring edition .. Defender now has a Ransom Ware Folder protection option :

Image

Image

And you can select any folder you like to be included in protected folder list:

Image

The Protected folder is new and it comes free with Window 10 .. I just hate adding 2 or 3 additional protection programs to an OS .. I see machines come into the shop with Avast, McAfee, Symantec .. and people complain their machines are running slow ..

The only protection against ransom ware is regular backups that you insert the backup drive, run the backup and REMOVE the backup drive .. because most ransomware can jump and also encrypt any drives plugged into the computer ..

Its all about personal due-diligence .. and trying to heuristically use a program you create needs to look at behavior, files and changes in file ( sizes) ..etc .. Defender does all that .. not that I am a Microsoft sales person .. just an idea .. defender is not perfect and it detects heuristic changes in files .. and active .dbf's may sound a false alarm. :idea:

My 2 cents worth
Rick Lipkin
User avatar
TimStone
Posts: 2536
Joined: Fri Oct 07, 2005 1:45 pm
Location: Trabuco Canyon, CA USA
Contact:

Re: Ransomware

Post by TimStone »

I have my program set to do an automatic zip backup of all data files, and those are saved to another location. I recommend an external drive and an automatic copy of that to a cloud drive. Since each zip is uniquely named, multiple days are available to restore.

For my own system, I have regular backups across multiple devices, and they are offline when not being used. So a ransomware attack on my main computer yields them nothing. I simply wipe the system clean, and reinstall from my alternate computers.

The other important factor is to warn clients to avoid any communication that could trigger ransomware. If I have any doubt at all about something coming into my system, I do not allow it.
Tim Stone
http://www.MasterLinkSoftware.com
timstone@masterlinksoftware.com
Using: FWH 19.06 with Harbour 3.2.0 / Microsoft Visual Studio Community 2019
User avatar
Otto
Posts: 4470
Joined: Fri Oct 07, 2005 7:07 pm
Contact:

Re: Ransomware

Post by Otto »

Hello Rick
do you know if we can get DEFENDER for WINDOWS SERVER 2012 R2 and WINDOW SERVER 2008.
Thank you in advance
Otto
********************************************************************
mod harbour - Vamos a la conquista de la Web
modharbour.org

********************************************************************
User avatar
Otto
Posts: 4470
Joined: Fri Oct 07, 2005 7:07 pm
Contact:

Re: Ransomware

Post by Otto »

Hello Tim
thank you.
We do have a similar system. We use WINDOWS SERVER BACKUP. Up to now these backup targets were save.
But who knows for how long.
Best regards
Otto
********************************************************************
mod harbour - Vamos a la conquista de la Web
modharbour.org

********************************************************************
User avatar
dutch
Posts: 1395
Joined: Fri Oct 07, 2005 5:56 pm
Location: Thailand

Re: Ransomware

Post by dutch »

Dear Otto,

I've faced with it and I change my backup procedure to zip to local drive (client) with different extension and including password.
BACKUP20180731.EZ4

It can avoid the ransomware, because it will scramble only database, document and picture. My customer have inflected but I can restore from it.

1. Zip with password and change extension to which ransomware will not looking for.

2. Backup via FTP to somewhere (I use Cobrian), like to NAS.

It may help.
Regards,
Dutch

FWH 19.01 / xHarbour Simplex 1.2.3 / BCC73 / Pelles C / UEStudio
FWPPC 10.02 / Harbour for PPC (FTDN)
ADS V.9 / MySql / MariaDB
R&R 12 Infinity / Crystal Report XI R2
(Thailand)
User avatar
Rick Lipkin
Posts: 2397
Joined: Fri Oct 07, 2005 1:50 pm
Location: Columbia, South Carolina USA

Re: Ransomware

Post by Rick Lipkin »

Otto

Windows defender comes standard with Server 2016 and appears not be be disabled easily .. from the brief searches I have made it is unclear if there is a Ransomware component to server 2016 ..

https://docs.microsoft.com/en-us/window ... erver-2016

Rick Lipkin
User avatar
Otto
Posts: 4470
Joined: Fri Oct 07, 2005 7:07 pm
Contact:

Re: Ransomware

Post by Otto »

Hello Dutch,
I wouldn’t trust that zip is save.
I have seen encrypted ZIP files.
Here is a screen shot how EMGDBU ended.

Best regards
Otto
Image
********************************************************************
mod harbour - Vamos a la conquista de la Web
modharbour.org

********************************************************************
User avatar
Otto
Posts: 4470
Joined: Fri Oct 07, 2005 7:07 pm
Contact:

Re: Ransomware

Post by Otto »

Hello,
I did some simulation of a ransomware attack. The program starts at start of the server in the system account.
When a encryption is detected the server shuts down.
Please see the video.
Maybe not the best solution but better than nothing.
Best regards,
Otto

https://www.youtube.com/watch?v=iyOOO2XjJgY

Image
********************************************************************
mod harbour - Vamos a la conquista de la Web
modharbour.org

********************************************************************
MOISES
Posts: 824
Joined: Wed Aug 22, 2007 10:09 am

Re: Ransomware

Post by MOISES »

Hello Otto,

I have a doubt: since the dbfs when opened are locked, can malware encrypt them?

Thank you. All the best
Saludos / Regards,

FWH 20.04, Harbour 3.2.0 dev (r1909261630) y BCC 7.40
User avatar
Otto
Posts: 4470
Joined: Fri Oct 07, 2005 7:07 pm
Contact:

Re: Ransomware

Post by Otto »

Hello,
I think if the file is open it should not be possible.
But are your files always open?
If a criminal has access to your computer, it's very hard to figure out what's possible.
Best regards
Otto
********************************************************************
mod harbour - Vamos a la conquista de la Web
modharbour.org

********************************************************************
User avatar
TimStone
Posts: 2536
Joined: Fri Oct 07, 2005 1:45 pm
Location: Trabuco Canyon, CA USA
Contact:

Re: Ransomware

Post by TimStone »

Being a criminal has become a very profitable occupation so many pursue it.

I think the safest option is daily backups, with each one being unique. Thus when Ransomware strikes, the customer completely reformat the machine, installs the last clean backup, makes the subsequent entries, and continues on. Backups should be redundant ( multiple ) and some stored offsite each day.

My software does a daily backup to a zip file, and a copy of that automatically goes to my cloud server also. In addition, the hardware specialists do a full backup of all files to a cloud service.

For my own use, everything important is backed up every 4 hours to a USB drive, the whole machine ( iMac ) is backed up separately, and directories are also backed up to iCloud and One Drive. It may seem like a lot but we know how aggressive the criminals have become.
Tim Stone
http://www.MasterLinkSoftware.com
timstone@masterlinksoftware.com
Using: FWH 19.06 with Harbour 3.2.0 / Microsoft Visual Studio Community 2019
User avatar
Otto
Posts: 4470
Joined: Fri Oct 07, 2005 7:07 pm
Contact:

Re: Ransomware

Post by Otto »

Hello Tim,

An average restaurant here has about 100 tables.
If the ransomware attack is done at lunch time and you have 100 open tables, then there is a real billing problem.
A daily backup is not sufficient.
Tim a real backup is not that easy as you write.
What software do you use for backup?
Which PCs do you include?
Email system?
Also if you have a backup e restore can take long.
Windows server backup sometimes is searching more than 2 hours before you can access the data.
Then if you restore maybe the latest backup is infected too.
Next try another 2 hours, etc.
I would be glad if you can share a rock solid concept.


>the customer completely reformat the machine, installs the last clean backup,
Do your costumers have a boot disk – if yes do they still have a CD ROM build in
>daily backups,
where do you keep the backup
>the hardware specialists do a full backup of all files to a cloud service.
how long takes a restore - mostly all the PCs plus the server are infected
> backed up every 4 hours to a USB drive
attached drives do not help anything they get infected too

Best regards
Otto
********************************************************************
mod harbour - Vamos a la conquista de la Web
modharbour.org

********************************************************************
Post Reply