[ALUG] Ransomware: most dangerous cyber threat

James Julius jamesraph at habari.co.tz
Thu Nov 10 13:05:27 EAT 2016


Hi Andreas,

Thanks very much for your input; true, the backup should be on a separate
physical device and disconnected from the network.

Are you aware of a way to restore the encrypted files? The one I came across
was encrypted with the .thor extension.


Kind regards.

On Thu, Nov 10, 2016 at 12:53 PM, Andreas Tauscher <ta at geuka.net> wrote:

> On 10.11.2016 07:29, James Julius via Linux wrote:
> > Hi Haward,
> >
> > The threat is not on Linux machines but on Windows machines; as
> > most of us in one way or another are supporting someone with a
> > Windows machine, I think we should be aware of this.
>
> This is not correct. TeslaCrypt targets Wordpress and Joomla.
>
> > According to my research it seems there is no way to recover the
> > encrypted files or decrypt them without paying the attacker for
> > decryption keys, and there is also no guarantee they will give you
> > the key; the best way is to use the offline backup taken before the
> > virus hit, as the
>
> Offline backup? A "backup" on the same physical machine, or even
> worse on the same physical drive, is a copy but not a backup.
>
> > very bad thing is when the virus hits one machine it scans all the
> > connected drives, which means it can affect the server also, and this
> > means it can affect all machines connected to that server.
>
> A system of access rights is needed.
> No user must have administrative rights.
> A user has access only where he needs it. And write access really only
> where needed.
> No relevant files are saved on a workstation, or only as a shadow copy.
> A corporate network is split into subnets, e.g. per department, and these
> maybe again into subnetworks.
> Frequent backups.
> The backup system is best not running on the computer being backed up. It is
> an independent system.
> A revision control system is an advantage also. If ransom software
> encrypted your documents you still have the last unencrypted revision.
> Really critical systems holding sensitive or important documents don't
> have a direct internet or even LAN connection at all, and files and email
> are opened over a remote desktop solution and transferred through a proxy
> system.
>
> > It is very bad threat when you came across it, i think we should be
> > aware.
>
> Infection way No. 1 is e-mail attachments.
> Seeing if a mail is suspicious needs training.
> Most of these mails you really see already at first view, if you know
> what to look for.
> Often mails are coming from sender addresses you know.
>
> To prevent your company mail domain from being abused to spread ransomware,
> a few things are very helpful to mostly prevent this:
> DKIM/DMARC with a strict reject policy if DKIM fails.
> PGP and S/MIME signatures.
> A strict policy on how corporate email is used and what a corporate mail has
> to look like.
> Instead of this nonsense disclaimer in the footer about confidential
> content and blabla, better put there a link to a page on your website where
> you explain what an authentic mail from you looks like and how it can be
> verified. If your mail is confidential then send it encrypted.
> For example, invoices etc. always coming from the same sender address, and
> make your clients aware of this.
>
> Andreas
>
>


-- 

James Julius
Noc/Servers Department
Habari Node Ltd
www.habari.co.tz
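Added example, not from the list thread: a small Python checker for the DMARC TXT record Andreas recommends above (strict reject policy), which parses the tag=value record and flags settings that weaken it (p=none, partial pct, relaxed alignment, a weaker subdomain policy, no aggregate reports). The sample records and the example.invalid report addresses are constructed for illustration.

```python
# Added example (not from the list post): parse a DMARC TXT record and report
# whether it matches the "strict reject" posture recommended in the thread.
# Sample records below are constructed for illustration, not real domains.

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record (needs v=DMARC1 and p=)")
    return tags

def dmarc_findings(record: str) -> list:
    """Return a list of weaknesses; an empty list means strict reject posture."""
    t = parse_dmarc(record)
    findings = []
    if t["p"].lower() != "reject":
        findings.append(f"policy p={t['p']} does not reject failing mail")
    # pct defaults to 100; anything lower lets a share of failing mail through
    if int(t.get("pct", "100")) < 100:
        findings.append(f"pct={t['pct']} applies the policy only partially")
    # adkim/aspf default to relaxed ('r'); strict ('s') requires exact domain match
    for tag in ("adkim", "aspf"):
        if t.get(tag, "r").lower() != "s":
            findings.append(f"{tag} alignment is relaxed, not strict")
    # subdomain policy falls back to p; an explicit weaker sp= undermines it
    sp = t.get("sp")
    if sp is not None and sp.lower() != "reject":
        findings.append(f"subdomain policy sp={sp} weaker than reject")
    if "rua" not in t:
        findings.append("no rua= address: aggregate reports on spoofing attempts are not collected")
    return findings

# Constructed sample records
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"
STRICT_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                 "rua=mailto:dmarc@example.invalid")

if __name__ == "__main__":
    for name, rec in (("weak", WEAK_RECORD), ("strict", STRICT_RECORD)):
        print(name, dmarc_findings(rec) or ["OK: strict reject posture"])
```

Run it against the TXT record your own domain publishes at _dmarc.<domain> to see which of the settings above are still relaxed.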