"at long last"? Paid Microsoft shill!
17 posts • joined 23 Oct 2014
Just in case she had TeslaCrypt 3 to 4.2:
This makes me sick. Can we setup a gofundme site to raise money so that she can get her files back? I'd give something.
Perhaps the malware was able to delete her older backups somehow.
All ransomware is known to issue a vssadmin /delete command. 100% of our servers and PCs have vssadmin renamed to be inactive.
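Renaming vssadmin.exe is one control; the complementary one is watching process-creation telemetry for the shadow-copy deletion the post describes, since the binary can be restored by updates and some backup agents legitimately call it. The following is an added example, not code from the post or from any product it mentions: a small Python detector run over constructed process-creation events (the log format, hosts, users and command lines below are all invented for illustration). It normalises whitespace and case so padded or mixed-case variants of the same command line still match, and it keeps the parent process in the hit so an analyst can tell a backup job from an Office document spawning the command.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (not real telemetry). One event per
# line: timestamp, then key=value fields, with the command line in double quotes.
SAMPLE_EVENTS = r'''
2016-01-20T10:15:02Z host=PC1 user=alice parent=winword.exe image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet"
2016-01-20T10:15:40Z host=SRV2 user=SYSTEM parent=backupagent.exe image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin list shadows"
2016-01-20T10:16:11Z host=PC3 user=bob parent=explorer.exe image=C:\Windows\System32\notepad.exe cmdline="notepad.exe C:\Users\bob\notes.txt"
2016-01-20T10:17:55Z host=PC4 user=carol parent=cmd.exe image=C:\Windows\System32\vssadmin.exe cmdline="VSSADMIN.EXE  Delete   Shadows /For=C: /Oldest"
'''

# key=value pairs; a value is either a double-quoted string (backslashes allowed)
# or a run of non-whitespace characters.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# vssadmin (with or without .exe) followed somewhere later by "delete shadows".
# Case-insensitive; whitespace is collapsed by the caller before matching.
SHADOW_DELETE_RE = re.compile(
    r'\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b', re.IGNORECASE
)


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed event line into a field dictionary."""
    timestamp, _, rest = line.partition(" ")
    fields = {"timestamp": timestamp}
    for key, value in FIELD_RE.findall(rest):
        fields[key] = value.strip('"')
    return fields


def is_shadow_deletion(cmdline: str) -> bool:
    """True if the command line asks vssadmin to delete shadow copies."""
    # Collapse runs of whitespace so extra padding does not evade the pattern.
    normalised = " ".join(cmdline.split())
    return bool(SHADOW_DELETE_RE.search(normalised))


def find_shadow_deletions(log_text: str) -> List[Dict[str, str]]:
    """Return every event whose command line deletes shadow copies.

    Each hit keeps host, user and parent process so the analyst can separate
    a scheduled backup agent from, say, a document viewer spawning vssadmin.
    """
    hits = []
    for line in log_text.strip().splitlines():
        event = parse_event(line)
        if is_shadow_deletion(event.get("cmdline", "")):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in find_shadow_deletions(SAMPLE_EVENTS):
        print(f"{hit['timestamp']} {hit['host']} user={hit['user']} "
              f"parent={hit['parent']} cmd={hit['cmdline']!r}")
```

On the constructed sample this flags the Word-spawned deletion on PC1 and the padded mixed-case variant on PC4, and ignores the backup agent's `vssadmin list shadows`, which is the kind of legitimate use a blanket rename would break.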
Why would you use anything but XP if that's what the machine came with and your software doesn't need windows 7+?
Also I'm guessing that the tablet doesn't have a DVD drive, in which case you could create a bootable flash drive. Build 10586 can automatically detect a Windows 7 or 8 BIOS certificate and automatically register your copy of Windows 10 without upgrading.
Everyone who works in IT knows better than to use an in-place upgrade. Use it to register your hardware ID with Microsoft and then do a clean install. It will be much smoother. And you can skip the Microsoft Hotmail ID, just choose "other", etc. They hide it but it's in there. Just keep looking for it.
And Microsoft is only offering a year of free support for those users.
The article says that they "submitted clean but modified files". When the others receive samples that closely match a valid file with a few bytes changed, it's very hard to say whether it's a good or bad file. Poweliks is just a few bytes. I think it's important to use automated malware analysis tools that can spin up a new VM for every file (like the Cuckoo sandbox) to keep up with the million new malware samples every day; at least flagging suspicious files for further human review is the way to go, if they're not already doing this.
I myself have submitted files which I thought were viruses but ended up being benign. They ended up being flagged by McAfee-Artemis on VirusTotal. It was probably a heuristic scan combined with automated analysis, but it went awry.
Hmmm, we use Dr.Web's post-infection scanner when a computer has unknown rootkit malware. We call it "throwing the kitchen sink" at a badly infected computer, after MBAM and SAS scans and subsequent reboots.
We've also seen zero-day malware that gets cleaned from the registry, and therefore cannot run, and MBAM and others remove one file from AppData\Roaming etc., but leave another dangerous exe file in the same folder. It's benign and doesn't start, but it's still there.
Re: Monitor the database?
It sounds like the next thing in security is something where each save to a script is also cryptographically signed. Here's an excellent idea from the comments on the original article:
Admin access should be restricted to only SSH/SFTP sessions using PKI, so useless even if the password is known/brute forced. Of course one must keep the keys safe and it's no protection against vulnerabilities in the web app/OS itself, but patching/scanning/pen testing and finally log monitoring do the rest.
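The quoted idea, key-only SSH/SFTP for admin access, is a handful of sshd_config settings that are easy to get subtly wrong, because sshd honours the first occurrence of a keyword and anything after a Match line is conditional. As an added example, not code from the article, the comment or any SSH project, here is a Python audit that parses an sshd_config text the way sshd reads it and reports which of those settings are missing or still permit password logins; the two configs embedded below are constructed for illustration, one weak and one hardened.

```python
import re
from typing import Dict, List, Tuple

# Constructed sshd_config fragments (not taken from any real host).
WEAK_CONFIG = """
# default-ish install: passwords still accepted, root can log in with one
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no   # ignored by sshd: first occurrence above wins
"""

HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AuthenticationMethods publickey
"""

# Values that make a session key-only. Keywords are lower-cased because sshd
# matches them case-insensitively. AuthenticationMethods is required explicitly
# so that the accepted method list cannot silently fall back to "any".
REQUIRED = {
    "pubkeyauthentication": {"yes"},
    "passwordauthentication": {"no"},
    "challengeresponseauthentication": {"no"},
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
    "authenticationmethods": {"publickey"},
}

# "Keyword value", "Keyword=value" and "Keyword = value" are all accepted by sshd.
SEPARATOR_RE = re.compile(r"\s*=\s*|\s+")


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global value per keyword.

    sshd uses the FIRST occurrence of a keyword and ignores later duplicates,
    and everything after a Match line applies only to that match, so parsing
    stops there (this audit deliberately does not evaluate Match blocks).
    """
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = SEPARATOR_RE.split(line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if keyword == "match":
            break
        effective.setdefault(keyword, value)   # first occurrence wins
    return effective


def audit_sshd_config(text: str) -> List[Tuple[str, str, str]]:
    """Return (keyword, observed, expected) for every setting that is not key-only."""
    effective = parse_sshd_config(text)
    findings = []
    for keyword, allowed in REQUIRED.items():
        expected = " or ".join(sorted(allowed))
        observed = effective.get(keyword)
        if observed is None:
            # Unset means the compiled-in default applies, which differs across
            # OpenSSH versions, so the audit asks for it to be set explicitly.
            findings.append((keyword, "<unset>", expected))
        elif observed not in allowed:
            findings.append((keyword, observed, expected))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_sshd_config(cfg))} finding(s)")
        for keyword, observed, expected in audit_sshd_config(cfg):
            print(f"  {keyword}: got {observed!r}, want {expected}")
```

The weak fragment produces four findings, including `PasswordAuthentication`, even though a `no` appears later in the file: that trailing line is exactly the kind of edit an administrator makes and then believes has taken effect. The hardened fragment produces none. Keys still have to be protected, as the comment says, and this check says nothing about the web application behind the SSH service.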