Ransomware

Postby Otto » Mon Jul 30, 2018 2:50 pm

Hello,
I am planning an easy protection of my WINHOTEL data against ransomware.
As I know that in my data folder there should only be dbf, fpt and cdx files, I thought I could have a FW program running at startup and checking all the winhotel data folders.
If there is a file with a different filename we should shut down the server.

Do you think we can program such software?
It would be good if this could be a service.
How do we start the program best?

How could we restart the server so that we do not run in a loop after an attack?

Thank you for your help in advance
Otto

Code:

#include "FiveWin.ch"

static oWnd, oTimer
//----------------------------------------------------------------------------//

function Main()

   DEFINE DIALOG oWnd FROM 3, 3 TO 20, 50 ;
      TITLE OemToAnsi( "Testing timers" )

   ACTIVATE DIALOG oWnd ;
      ON INIT StartTimer()

return nil

//----------------------------------------------------------------------------//

function StartTimer()

   DEFINE TIMER oTimer OF oWnd ;
      INTERVAL 300 ;
      ACTION check()

   ACTIVATE TIMER oTimer

return nil

//----------------------------------------------------------------------------//
// Scan the data folder: every regular file must be a DBF, FPT or CDX file.
// Anything else is treated as a sign of encryption, the names are logged
// and the logoff/shutdown batch file is started.

function check()

   local aDir    := Directory( "x:\xwhdaten\DATAWIN\" + "*.*", "DHS" )
   local i
   local cExt    := ""
   local lFehler := .F.
   local cFehler := ""

   oTimer:Deactivate()          // no re-entry while the scan is running

   FOR i := 1 to Len( aDir )
      // skip "." / ".." and subdirectory entries (attribute "D" in column 5)
      if aDir[ i, 1 ] == "." .or. aDir[ i, 1 ] == ".." .or. "D" $ aDir[ i, 5 ]
         loop
      endif

      cExt := AllTrim( Upper( cFileExt( aDir[ i, 1 ] ) ) )
      if !( cExt == "DBF" .or. cExt == "FPT" .or. cExt == "CDX" )
         lFehler := .T.
         cFehler += aDir[ i, 1 ] + CRLF
      endif
   next

   if lFehler
      FWLOG cFehler
      WinExec( "abmelden.bat" )  // shut the server down (batch file from the post)
      return nil                 // do not re-arm the timer once we have triggered
   endif

   oTimer:Activate()

return nil
********************************************************************
mod harbour - Vamos a la conquista de la Web
modharbour.org
https://www.facebook.com/groups/modharbour.club
********************************************************************
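The check described in the post, written out as an added example in Python (it is not Otto's FiveWin program and not part of WINHOTEL): the data folder may contain only DBF, FPT and CDX files, anything else is reported, and a latch file (my assumption, not from the post) records the first hit so that the watcher does not trigger again and again after a restart until an administrator removes the latch. The shutdown itself is left to the caller; the functions only return what they found. The data folder, file names and the "attack" are constructed inside the demo.

```python
"""Added example: extension whitelist check for a DBF data folder with a one-shot latch."""
from pathlib import Path
import tempfile

# Only these file types belong in the WINHOTEL data folder (per the post)
ALLOWED_EXTENSIONS = {".dbf", ".fpt", ".cdx"}


def find_unexpected_files(data_dir, allowed=ALLOWED_EXTENSIONS):
    """Return the sorted names of regular files in data_dir whose extension is not allowed.

    Subdirectories are skipped: they are not data files and would otherwise
    trip the check because they have no extension.
    """
    unexpected = []
    for entry in Path(data_dir).iterdir():
        if entry.is_dir():
            continue
        if entry.suffix.lower() not in allowed:
            unexpected.append(entry.name)
    return sorted(unexpected)


def check_and_latch(data_dir, latch_file, allowed=ALLOWED_EXTENSIONS):
    """Return (should_shutdown, offending_names).

    latch_file is an assumed marker (not from the post): once a hit has been
    recorded the check stays silent, so a server that comes back up does not
    shut itself down in a loop; an administrator deletes the latch after cleanup.
    """
    latch = Path(latch_file)
    if latch.exists():
        return False, []
    bad = find_unexpected_files(data_dir, allowed)
    if bad:
        latch.write_text("\n".join(bad) + "\n", encoding="utf-8")
        return True, bad
    return False, []


def run_demo():
    """Constructed data folder: clean scan, then a simulated encryption, then the latched re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        data = Path(tmp) / "DATAWIN"
        data.mkdir()
        latch = Path(tmp) / "ransomware.latch"
        # a few constructed DBF/FPT/CDX files, one with an upper-case extension
        for name in ("guests.dbf", "guests.fpt", "guests.cdx", "RATES.DBF"):
            (data / name).write_bytes(b"\x03" + b"\x00" * 31)
        (data / "archive").mkdir()                       # subdirectory: ignored
        (data / "archive" / "old.bak").write_bytes(b"")

        clean = check_and_latch(data, latch)             # (False, [])

        # simulated attack: encrypted copy with a new extension plus a note file
        (data / "guests.dbf.locked").write_bytes(b"\xff" * 32)
        (data / "how_to_decrypt.txt").write_text("constructed note", encoding="utf-8")

        first = check_and_latch(data, latch)             # (True, [two names])
        second = check_and_latch(data, latch)            # (False, []) because the latch exists
        return clean, first, second


if __name__ == "__main__":
    print(run_demo())
```

In a service the timer callback would call check_and_latch() and, on True, log the names and start the shutdown; a second file in the data folder with a suffix such as .locked is exactly the case the whitelist is meant to catch.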

Re: Ransomware

Postby karinha » Mon Jul 30, 2018 3:51 pm

João Santos - São Paulo - Brasil - Phone: +55(11)95150-7341

Re: Ransomware

Postby Otto » Mon Jul 30, 2018 4:36 pm

Hello João

We do have a defense-quality product, a really professional one, installed.
But the attacker has uninstalled the software.
If you restart the PC the ransomware is active and starts immediately to encrypt.

At the moment it seems to me that the solution I plan is best for our data.

Maybe we should send an email with the filename which triggered the shutdown.
But you should not lose any time before shutdown.

Best we furnish a boot USB stick with the server. So you can start safely and check the system.

Does someone know if you could start with a stick and then open for example TeamViewer?

Best regards
Otto

Re: Ransomware

Postby Rick Lipkin » Mon Jul 30, 2018 7:31 pm

Otto

With the addition of Windows 10 Spring edition .. Defender now has a Ransom Ware Folder protection option :

[image]

And you can select any folder you like to be included in protected folder list:

[image]

The Protected folder is new and it comes free with Windows 10 .. I just hate adding 2 or 3 additional protection programs to an OS .. I see machines come into the shop with Avast, McAfee, Symantec .. and people complain their machines are running slow ..

The only protection against ransomware is regular backups where you insert the backup drive, run the backup and REMOVE the backup drive .. because most ransomware can jump and also encrypt any drives plugged into the computer ..

It's all about personal due diligence .. and trying to heuristically use a program you create needs to look at behavior, files and changes in file (sizes) .. etc .. Defender does all that .. not that I am a Microsoft sales person .. just an idea .. Defender is not perfect and it detects heuristic changes in files .. and active .dbf's may sound a false alarm.

My 2 cents worth
Rick Lipkin

Re: Ransomware

Postby TimStone » Mon Jul 30, 2018 9:26 pm

I have my program set to do an automatic zip backup of all data files, and those are saved to another location. I recommend an external drive and an automatic copy of that to a cloud drive. Since each zip is uniquely named, multiple days are available to restore.

For my own system, I have regular backups across multiple devices, and they are offline when not being used. So a ransomware attack on my main computer yields them nothing. I simply wipe the system clean, and reinstall from my alternate computers.

The other important factor is to warn clients to avoid any communication that could trigger ransomware. If I have any doubt at all about something coming into my system, I do not allow it.
Tim Stone
http://www.MasterLinkSoftware.com
http://www.autoshopwriter.com
timstone@masterlinksoftware.com
Using: FWH 23.10 with Harbour 3.2.0 / Microsoft Visual Studio Community 2022-24 32/64 bit
Location: Trabuco Canyon, CA USA

Re: Ransomware

Postby Otto » Mon Jul 30, 2018 9:42 pm

Hello Rick
Do you know if we can get DEFENDER for WINDOWS SERVER 2012 R2 and WINDOWS SERVER 2008?
Thank you in advance
Otto

Re: Ransomware

Postby Otto » Mon Jul 30, 2018 9:47 pm

Hello Tim
thank you.
We do have a similar system. We use WINDOWS SERVER BACKUP. Up to now these backup targets were safe.
But who knows for how long.
Best regards
Otto

Re: Ransomware

Postby dutch » Tue Jul 31, 2018 10:58 am

Dear Otto,

I've faced it and I changed my backup procedure to zip to a local drive (client) with a different extension and including a password.
BACKUP20180731.EZ4

It can avoid the ransomware, because it will scramble only database, document and picture files. My customer has been infected but I could restore from it.

1. Zip with password and change the extension to one which ransomware will not look for.

2. Backup via FTP to somewhere (I use Cobrian), like to NAS.

It may help.
Regards,
Dutch

FWH 19.01 / xHarbour Simplex 1.2.3 / BCC73 / Pelles C / UEStudio
FWPPC 10.02 / Harbour for PPC (FTDN)
ADS V.9 / MySql / MariaDB
R&R 12 Infinity / Crystal Report XI R2
(Thailand)

Re: Ransomware

Postby Rick Lipkin » Tue Jul 31, 2018 12:47 pm

Otto

Windows Defender comes standard with Server 2016 and appears not to be disabled easily .. from the brief searches I have made it is unclear if there is a Ransomware component to Server 2016 ..

https://docs.microsoft.com/en-us/window ... erver-2016

Rick Lipkin

Re: Ransomware

Postby Otto » Tue Jul 31, 2018 8:44 pm

Hello Dutch,
I wouldn't trust that zip is safe.
I have seen encrypted ZIP files.
Here is a screen shot how EMGDBU ended.

Best regards
Otto
[image]

Re: Ransomware

Postby Otto » Wed Aug 08, 2018 5:30 pm

Hello,
I did some simulation of a ransomware attack. The program starts at the start of the server in the system account.
When an encryption is detected the server shuts down.
Please see the video.
Maybe not the best solution but better than nothing.
Best regards,
Otto

https://www.youtube.com/watch?v=iyOOO2XjJgY

[image]

Re: Ransomware

Postby MOISES » Thu Apr 25, 2019 12:03 pm

Hello Otto,

I have a doubt: since the dbfs when opened are locked, can malware encrypt them?

Thank you. All the best
Saludos / Regards,

FWH 20.04, Harbour 3.2.0 dev (r1909261630) y BCC 7.40

Re: Ransomware

Postby Otto » Thu Apr 25, 2019 7:07 pm

Hello,
I think if the file is open it should not be possible.
But are your files always open?
If a criminal has access to your computer, it's very hard to figure out what's possible.
Best regards
Otto

Re: Ransomware

Postby TimStone » Sat Apr 27, 2019 5:44 pm

Being a criminal has become a very profitable occupation so many pursue it.

I think the safest option is daily backups, with each one being unique. Thus when ransomware strikes, the customer completely reformats the machine, installs the last clean backup, makes the subsequent entries, and continues on. Backups should be redundant (multiple) and some stored offsite each day.

My software does a daily backup to a zip file, and a copy of that automatically goes to my cloud server also. In addition, the hardware specialists do a full backup of all files to a cloud service.

For my own use, everything important is backed up every 4 hours to a USB drive, the whole machine ( iMac ) is backed up separately, and directories are also backed up to iCloud and One Drive. It may seem like a lot but we know how aggressive the criminals have become.

Re: Ransomware

Postby Otto » Sat Apr 27, 2019 8:05 pm

Hello Tim,

An average restaurant here has about 100 tables.
If the ransomware attack is done at lunch time and you have 100 open tables, then there is a real billing problem.
A daily backup is not sufficient.
Tim, a real backup is not as easy as you write.
What software do you use for backup?
Which PCs do you include?
Email system?
Also, if you have a backup, a restore can take long.
Windows server backup sometimes is searching more than 2 hours before you can access the data.
Then if you restore, maybe the latest backup is infected too.
Next try, another 2 hours, etc.
I would be glad if you can share a rock solid concept.


>the customer completely reformat the machine, installs the last clean backup,
Do your customers have a boot disk – if yes, do they still have a CD ROM built in?
>daily backups,
Where do you keep the backup?
>the hardware specialists do a full backup of all files to a cloud service.
How long does a restore take? Mostly all the PCs plus the server are infected.
> backed up every 4 hours to a USB drive
Attached drives do not help anything; they get infected too.

Best regards
Otto