Ransomware defense.

AndyPix

wingates wrote: »

<snip> Any advice?

Ditch Vista

psychic_teabag

Tarambor wrote: »

Unfortunately the kernel is the least of your worries. More of a problem is the graphical server and the desktop manager, other packages which your application may rely on which have been regressed and configuration file relocations in newer versions of Linux distros. Even some CLI bash commands commonly used a few years ago can no longer be found in some distros. An example would be ifconfig which is one I recently came across in Arch Linux that no longer exists because the distro dropped it as a default part of the distribution quite some time ago.

That was entirely my point : you can upgrade the kernel to fix security flaws at that level without touching the usermode stuff at all. Because of the backwards compatilbitly of the kernel interfaces, all the old user-mode software should (ideally) continue to run just fine.

yes, there can also be flaws in the user-mode stuff, but they *tend* not to be able to do systemic damage.

psychic_teabag

esuhl wrote: »

If the NHS were going to use GNU/Linux, they'd develop their own custom distro. So it would be up to them if they wanted to stick with one package or migrate to another.

Hmm - I had heard that one of the big problems is "the NHS" is now just a loose collection of independent trusts who do their own thing. Each was now responsible for making its own arrangements with MS for XP support, for example.

Is there still a central bit of NHS that could make their own linux distro. (With the trusts as clients all with different demands - some demanding that nothing change, others wanting the latest and greatest of everything.)

EDIT: this should probably be in the specific NHS security thread, rather generic thread about ransomware.

50Twuncle

Does this ENCRYPTION software, make your HDD a placemat (ie is it non-recoverable - by formatting and reinstalling Windows) ? Nope !!
THEN BACK UP REGULARLY !!
If you are hit - it should be a simple job to recover your data
Or try a VIRTUALBOX virtual disk - if that gets hit - your main partition is safe - you simply delete the Virtual Disk and start again !

Jivesinger

50Twuncle wrote: »

Or try a VIRTUALBOX virtual disk - if that gets hit - your main partition is safe - you simply delete the Virtual Disk and start again !

I wouldn't bank on it - you can access the IP address of the host computer from within a VirtualBox session, and the worm which caused the fuss this week uses IP addresses to spread itself to any networked computer without the patch.

Once a computer on the network is infected, any networked computer can be infected - no-one needs to click on an infected email or link or similar.

It's possible that VirtualBox has some technology to stop this sort of SMB1 traffic, but as I said, I wouldn't bank on it.

AndyPix

It is trivial to disable SMBv1 with a 2 line batch file

novirus

this is not for you home PC
In a company setting you need to get rid of everyone group, enable restore points, enable dfs and publish all your shares to DFS, never use the share name, but use the dfs name. Yes it may not catch everything

for you home PC
On a very separate PCs, one being virtual and one could be linux. no network connection between the two. every day do a snapshot on the vm

jshm2

The quickest way to stop 90% of ransomware/malware is to have group policy setup to stop programs running in your working app directories.

This way, nothing runs in "drive by" or in attachments until you actually save it elsewhere and load it. There are many people dumb enough to click attachments and links they don't know. At least this way no code runs with them doing so.

The NHS (like most multi site corporate networks) has the end users as "admins" by default on the machines and no group policies setup. Hence an infection on one is going to spread pretty quick. Rather ironic than it would happen to an organisation which should know a lot about infection vectors and containment.

AndyPix

jshm2 wrote: »

The NHS (like most multi site corporate networks) has the end users as "admins" by default on the machines and no group policies setup. Hence an infection on one is going to spread pretty quick.

No, no they dont . Not atall. Not one little bit.
Neither the NHS or ANY multisite corperate network !!


You may get the odd remote VPN worker set up as admin but thats it ..



No group policy ???? What networks have you been looking at ? that is crazy
Where on earth did you get that from ??


FYI this ransomware didnt need the user to be admin to spread, it exploited a flaw in SMBv1.
Sheesh

DoaM

JackBo wrote: »

:spam: ???

Would that be useful advice that promotes your own blog?