[Important] Your server may be compromised by ransomware


#1

I’ll try my best to dissect what’s going on. After seeing a thread pop up http://mpsocial.com/t/i-had-backup-files-but-it-has-aes-ni-0day-how-can-i-remove/11548 about AES NI 0day encryption ransomware.

I found this piece of news, a few reddit thread, and ongoing reports affecting top servers.

The TLDR; Your server may be h@cked by ransomware stuff.

What can you do? I’m still trying to find for information.

This link below was source from reddit, not entirely sure of it’s legitimacy nor it’s capabilities. They do have a /legit/ twitter https://twitter.com/malwrhunterteam

Use at your own discretion

Apparently the link below is to identify it, but it probably does not decrypt it for you. I don’t have any files to test.

ID Ransomware is a free website that helps victims identify what ransomware may have encrypted their files. The site is able to identify over 300+ ransomware families by specific filename extensions and patterns, ransom note names, known hex patterns, email addresses, BitCoin addresses, and more. If a ransomware is identified, ID Ransomware will give the victim a distinct status on whether it is known to be decryptable or not, and will provide a link to a credible source for more information.

How can you protect yourselves from future exploits?

  1. Always update to the latest windows
  2. Use a continuous sync backup like dropbox, gdrive, megasync

#2

Creates posts about how clicking on links can infect your PC/server with ransomware. Adds lots of clickable links in post.

JK @dddd


#3

#4

alsototallynotavirus.exe


#5

While I am kidding around about this, I am running scans on my VPS and laptop.


#6

Home server is quite unlikely to be compromised “i think”, because this kinda relates to SMB ports, though not all of the ransomware is targeting only those ports. And home IP does not open ports like that “i think”.

Luckily i have a feeling most MP users are not affected, most likely because they’re hosted on the smaller guys that run their own server.

If some are hosted with guys that are hosted with OVH and such, then yeah they could easily be compromised.


#7

I think it was just his home PC that’s infected is it not? Anyhow, it’s best practice to not click links, run scans all the time, and backup important files.

And yeah, most people won’t be affected I am sure, unless someone does some really dumb stuff. I’ve seen it happen so…


#8

Hmm… As far as i’m aware, this particular ransomware is remote code execution by port scanning and injection.

As bizzare as it is, the server doesnt need to be rebooted for code execution.

So the user actually didn’t click any links at all but it was exploited by a real hack.

Anyway, too much digging, i’m out. :laughing:


#9

I didn’t read all of it, I was busy running scans, I will dig into it a bit later as it is always interesting on how this works.

I was just reading the Hola VPN Illuminati network articles for the tenth time thinking about it as business model for residential proxies for IG.


#10

Microsoft has already created an update for all affected versions, make sure you run the update on your VPS.

Here’s how:

https://support.microsoft.com/en-us/help/3067639/how-to-get-an-update-through-windows-update


#11

Good share @dddd , though judging by the response this topic got most people aren’t interested in the subject or just going on faith :slight_smile: You’d expect all of them urgently updating their OS and checking everything…


#12

Lets hope they didn’t actually got hit. I saw a twitter post, someone without much knowledge could just run this and hack in easily in under 2 minutes.

Since there are so many IP range, and it takes time, 1 person can’t do all of them at once. So i would say this is an ongoing matter.

In fact, the vulnerability was discovered few months back, and only got widespread due to the leak. But users still got hit because they didn’t update their OS.


#13

Yeah i received an email from my provider
Update update update :muscle::muscle: