OT: Rise of GandCrab virus

[Eelco de Groot]

Just a warning. Had not heard about this yet.
https://nos.nl/artikel/2252585-nieuwe-r ... uters.html

It is ransomware that locks all your files. After paying 1000 Euro you can get them restored. They even have a helpdesk installed. The virus avoids Russian computers. This may be a ruse, to blame Russians. There is no cure, because the virus is constantly being changed to circumvent anti virus programs. Of course, general practices still apply and can help a bit.

I copy some general advice from https://www.bleepingcomputer.com/news/s ... nsom-note/
I hope that site itself is safe.

• Backup, Backup, Backup!
• Do not open attachments if you do not know who sent them.
• Do not open attachments until you confirm that the person actually sent you them,
• Scan attachments with tools like VirusTotal.
• Do not connect Remote Desktop Services directly to the Internet. Instead, make sure they can only be accessed by logging into a VPN first.
• Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.
• Make sure you use have some sort of security software installed that uses behavioral detections or white list technology. White listing can be a pain to train, but if your willing to stock with it, could have the biggest payoffs.
• Use hard passwords and never reuse the same password at multiple sites.
• BACKUP!

Install good antivirus software. Be extra careful with any executables of doubtful origin (chessprograms!). Use a phone if you have that to communicate (e-mail, What'sApp), because I don't think Android is affected by this (not totally sure about that though). Block (mal) advertising as that is mentioned as a tool to spread the virus.
But of course you knew all this.

[MikeGL]

Thanks for the info.
My officemate, a native of India, told me ghand refers to butt or ass.
I think backup is the most important, the others like below are useless:

[*] Do not open attachments if you do not know who sent them.
[*] Do not open attachments until you confirm that the person actually sent you them,
[*] Scan attachments with tools like VirusTotal.
[*] Do not connect Remote Desktop Services directly to the Internet. Instead, make sure they can only be accessed by logging into a VPN first.
[*] Use hard passwords and never reuse the same password at multiple sites.

Useless because the above won't help you if you get the ransomware via driveby download or autodownload after you visited questionable sites
(not just porn sites, but from recipe sites, lyrics sites, religious sites, parenting sites, medical sites etc.). I experienced this when I was watching funny video in a blog and i noticed the latency or time to buffer increased, when I minimised the browser there's a huge .exe file sitting down on my /user/Desktop/ folder. I sent that fiile to VirusTotal then it was positive for Trojan/RAT so I deleted the binary.

Just a warning. Had not heard about this yet.
https://nos.nl/artikel/2252585-nieuwe-r ... uters.html

It is ransomware that locks all your files. After paying 1000 Euro you can get them restored. They even have a helpdesk installed. The virus avoids Russian computers. This may be a ruse, to blame Russians. There is no cure, because the virus is constantly being changed to circumvent anti virus programs. Of course, general practices still apply and can help a bit.

I copy some general advice from https://www.bleepingcomputer.com/news/s ... nsom-note/
I hope that site itself is safe.

• Backup, Backup, Backup!
• Do not open attachments if you do not know who sent them.
• Do not open attachments until you confirm that the person actually sent you them,
• Scan attachments with tools like VirusTotal.
• Do not connect Remote Desktop Services directly to the Internet. Instead, make sure they can only be accessed by logging into a VPN first.
• Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.
• Make sure you use have some sort of security software installed that uses behavioral detections or white list technology. White listing can be a pain to train, but if your willing to stock with it, could have the biggest payoffs.
• Use hard passwords and never reuse the same password at multiple sites.
• BACKUP!

Install good antivirus software. Be extra careful with any executables of doubtful origin (chessprograms!). Use a phone if you have that to communicate (e-mail, What'sApp), because I don't think Android is affected by this (not totally sure about that though). Block (mal) advertising as that is mentioned as a tool to spread the virus.
But of course you knew all this.

[Eelco de Groot]

Hi Mike, yes I agree backups in this case may be the only sufficient answer. Paradoxically I think people made more backups when harddrives etc. were less reliable. It should be the other way round! But human psychology sometimes is not a rational one.

Attachments are just one way this spreads. It is kind of strange because you would think things like standard Windows Defender would already block any executable attachments. But this is buried in programs, all kinds of illegal software, maybe even Windows versions that are illegal? Huge amount of money involved. People maybe ashamed to report computer fraud in general, and it's bad for business reputation if it is a company that is hacked. And police solve almost 0 % of hacks, they don't have the manpower, expertise, equipment, other resources like shared databases with other nations. Continually running behind. Even in Holland where you'd think there is some money to at least invest on manpower etc.. Government does very poorly on ICT all round. Costs millions on not collected taxes that could pay for itself many times if invested in more ICT.

[Dariusz]

macOS is safe ?

[Eelco de Groot]

macOS is safe ?

Hello Dariusz,

For the moment it seems yes, but I just did a very quick Google check. But they did go to the trouble of building in redirecting to fake antivirus software even for MacOS. Not in the virus itself but in a thing called an exploit kit that in turn can load the virus. See link below for that. The virus is already a year old it seems and software to build new versions is sold on 'black market' if that is the correct term.

If the system is running macOS, it diverts victims to web pages advertising fake antivirus (AV) software and Adobe Flash Player.

from: https://www.trendmicro.com/vinfo/us/sec ... ransomware

[F. Bluemers]

your backups might not be safe,
ransomware nowadays scans for other (removable) drives and network drives (older smbversions) and encrypts these too.

[Dariusz]

macOS is safe ?

Hello Dariusz,

For the moment it seems yes, but I just did a very quick Google check. But they did go to the trouble of building in redirecting to fake antivirus software even for MacOS. Not in the virus itself but in a thing called an exploit kit that in turn can load the virus. See link below for that. The virus is already a year old it seems and software to build new versions is sold on 'black market' if that is the correct term.

If the system is running macOS, it diverts victims to web pages advertising fake antivirus (AV) software and Adobe Flash Player.

from: https://www.trendmicro.com/vinfo/us/sec ... ransomware

Eelco de Groot, thx for infos. Well, we should be careful..

[corres]

We can defend our important programs and data against every harmful program if we have a PC - even an older one - what we use only for internet. The downloaded and controlled materials we can transport to our main PC what we use for works, for chess engines, for etc. with the help of a USB stick or a mobile HDD or a local net.
Naturally we ought to make a copy from the virgin, freshly installed Windows with the help of (for e.g.) Clonezilla and we should store the copy not only on that PC but on our main PC or on a USB stick too.
If we use a PC with two or more HDDs during the use of Internet the the HDDs what we do not use ought to switch off. If a HDD is in the state of switched off there are no kind of harmful program to harm it.
In the above case if it happens an attack at most we lose the data what is on the PC used for Internet.
Personal data, data for banking never store on the PC used for Internet but on a USB stick!