OT: Rise of GandCrab virus

Discussion of anything and everything relating to chess playing software and machines.

Moderators: hgm, Harvey Williamson, bob

Forum rules
This textbox is used to restore diagrams posted with the [d] tag before the upgrade.
Post Reply
User avatar
Eelco de Groot
Posts: 4148
Joined: Sun Mar 12, 2006 1:40 am
Location: Groningen

OT: Rise of GandCrab virus

Post by Eelco de Groot » Sat Sep 29, 2018 12:28 pm

Just a warning. Had not heard about this yet.
https://nos.nl/artikel/2252585-nieuwe-r ... uters.html

It is ransomware that locks all your files. After paying 1000 Euro you can get them restored. They even have a helpdesk installed. The virus avoids Russian computers. This may be a ruse, to blame Russians. There is no cure, because the virus is constantly being changed to circumvent anti virus programs. Of course, general practices still apply and can help a bit.

I copy some general advice from https://www.bleepingcomputer.com/news/s ... nsom-note/
I hope that site itself is safe.
  • Backup, Backup, Backup!
  • Do not open attachments if you do not know who sent them.
  • Do not open attachments until you confirm that the person actually sent you them,
  • Scan attachments with tools like VirusTotal.
  • Do not connect Remote Desktop Services directly to the Internet. Instead, make sure they can only be accessed by logging into a VPN first.
  • Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.
  • Make sure you use have some sort of security software installed that uses behavioral detections or white list technology. White listing can be a pain to train, but if your willing to stock with it, could have the biggest payoffs.
  • Use hard passwords and never reuse the same password at multiple sites.
  • BACKUP!
Install good antivirus software. Be extra careful with any executables of doubtful origin (chessprograms!). Use a phone if you have that to communicate (e-mail, What'sApp), because I don't think Android is affected by this (not totally sure about that though). Block (mal) advertising as that is mentioned as a tool to spread the virus.
But of course you knew all this.
Debugging is twice as hard as writing the code in the first
place. Therefore, if you write the code as cleverly as possible, you
are, by definition, not smart enough to debug it.
-- Brian W. Kernighan

MikeGL
Posts: 893
Joined: Thu Sep 01, 2011 12:49 pm

Re: OT: Rise of GandCrab virus

Post by MikeGL » Sat Sep 29, 2018 2:28 pm

Thanks for the info.
My officemate, a native of India, told me ghand refers to butt or ass.
I think backup is the most important, the others like below are useless:

[*] Do not open attachments if you do not know who sent them.
[*] Do not open attachments until you confirm that the person actually sent you them,
[*] Scan attachments with tools like VirusTotal.
[*] Do not connect Remote Desktop Services directly to the Internet. Instead, make sure they can only be accessed by logging into a VPN first.
[*] Use hard passwords and never reuse the same password at multiple sites.

Useless because the above won't help you if you get the ransomware via driveby download or autodownload after you visited questionable sites
(not just porn sites, but from recipe sites, lyrics sites, religious sites, parenting sites, medical sites etc.). I experienced this when I was watching funny video in a blog and i noticed the latency or time to buffer increased, when I minimised the browser there's a huge .exe file sitting down on my /user/Desktop/ folder. I sent that fiile to VirusTotal then it was positive for Trojan/RAT so I deleted the binary.
Eelco de Groot wrote:
Sat Sep 29, 2018 12:28 pm
Just a warning. Had not heard about this yet.
https://nos.nl/artikel/2252585-nieuwe-r ... uters.html

It is ransomware that locks all your files. After paying 1000 Euro you can get them restored. They even have a helpdesk installed. The virus avoids Russian computers. This may be a ruse, to blame Russians. There is no cure, because the virus is constantly being changed to circumvent anti virus programs. Of course, general practices still apply and can help a bit.

I copy some general advice from https://www.bleepingcomputer.com/news/s ... nsom-note/
I hope that site itself is safe.
  • Backup, Backup, Backup!
  • Do not open attachments if you do not know who sent them.
  • Do not open attachments until you confirm that the person actually sent you them,
  • Scan attachments with tools like VirusTotal.
  • Do not connect Remote Desktop Services directly to the Internet. Instead, make sure they can only be accessed by logging into a VPN first.
  • Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.
  • Make sure you use have some sort of security software installed that uses behavioral detections or white list technology. White listing can be a pain to train, but if your willing to stock with it, could have the biggest payoffs.
  • Use hard passwords and never reuse the same password at multiple sites.
  • BACKUP!
Install good antivirus software. Be extra careful with any executables of doubtful origin (chessprograms!). Use a phone if you have that to communicate (e-mail, What'sApp), because I don't think Android is affected by this (not totally sure about that though). Block (mal) advertising as that is mentioned as a tool to spread the virus.
But of course you knew all this.
I told my wife that a husband is like a fine wine; he gets better with age. The next day, she locked me in the cellar.

User avatar
Eelco de Groot
Posts: 4148
Joined: Sun Mar 12, 2006 1:40 am
Location: Groningen

Re: OT: Rise of GandCrab virus

Post by Eelco de Groot » Sat Sep 29, 2018 3:36 pm

Hi Mike, yes I agree backups in this case may be the only sufficient answer. Paradoxically I think people made more backups when harddrives etc. were less reliable. It should be the other way round! But human psychology sometimes is not a rational one.

Attachments are just one way this spreads. It is kind of strange because you would think things like standard Windows Defender would already block any executable attachments. But this is buried in programs, all kinds of illegal software, maybe even Windows versions that are illegal? Huge amount of money involved. People maybe ashamed to report computer fraud in general, and it's bad for business reputation if it is a company that is hacked. And police solve almost 0 % of hacks, they don't have the manpower, expertise, equipment, other resources like shared databases with other nations. Continually running behind. Even in Holland where you'd think there is some money to at least invest on manpower etc.. Government does very poorly on ICT all round. Costs millions on not collected taxes that could pay for itself many times if invested in more ICT.
Debugging is twice as hard as writing the code in the first
place. Therefore, if you write the code as cleverly as possible, you
are, by definition, not smart enough to debug it.
-- Brian W. Kernighan

Dariusz
Posts: 109
Joined: Sat Jun 13, 2015 8:08 am
Location: Poland

Re: OT: Rise of GandCrab virus

Post by Dariusz » Sat Sep 29, 2018 4:03 pm

macOS is safe ?
Regards, Dariusz

User avatar
Eelco de Groot
Posts: 4148
Joined: Sun Mar 12, 2006 1:40 am
Location: Groningen

Re: OT: Rise of GandCrab virus

Post by Eelco de Groot » Sat Sep 29, 2018 4:23 pm

Dariusz wrote:
Sat Sep 29, 2018 4:03 pm
macOS is safe ?
Hello Dariusz,

For the moment it seems yes, but I just did a very quick Google check. But they did go to the trouble of building in redirecting to fake antivirus software even for MacOS. Not in the virus itself but in a thing called an exploit kit that in turn can load the virus. See link below for that. The virus is already a year old it seems and software to build new versions is sold on 'black market' if that is the correct term.
If the system is running macOS, it diverts victims to web pages advertising fake antivirus (AV) software and Adobe Flash Player.
from: https://www.trendmicro.com/vinfo/us/sec ... ransomware
Debugging is twice as hard as writing the code in the first
place. Therefore, if you write the code as cleverly as possible, you
are, by definition, not smart enough to debug it.
-- Brian W. Kernighan

F. Bluemers
Posts: 860
Joined: Thu Mar 09, 2006 10:21 pm
Location: Nederland
Contact:

Re: OT: Rise of GandCrab virus

Post by F. Bluemers » Sat Sep 29, 2018 4:55 pm

your backups might not be safe,
ransomware nowadays scans for other (removable) drives and network drives (older smbversions) and encrypts these too.

Dariusz
Posts: 109
Joined: Sat Jun 13, 2015 8:08 am
Location: Poland

Re: OT: Rise of GandCrab virus

Post by Dariusz » Sat Sep 29, 2018 4:59 pm

Eelco de Groot wrote:
Sat Sep 29, 2018 4:23 pm
Dariusz wrote:
Sat Sep 29, 2018 4:03 pm
macOS is safe ?
Hello Dariusz,

For the moment it seems yes, but I just did a very quick Google check. But they did go to the trouble of building in redirecting to fake antivirus software even for MacOS. Not in the virus itself but in a thing called an exploit kit that in turn can load the virus. See link below for that. The virus is already a year old it seems and software to build new versions is sold on 'black market' if that is the correct term.
If the system is running macOS, it diverts victims to web pages advertising fake antivirus (AV) software and Adobe Flash Player.
from: https://www.trendmicro.com/vinfo/us/sec ... ransomware
Eelco de Groot, thx for infos. Well, we should be careful..
Regards, Dariusz

corres
Posts: 1558
Joined: Wed Nov 18, 2015 10:41 am
Location: hungary

Re: OT: Rise of GandCrab virus

Post by corres » Sun Sep 30, 2018 8:10 am

We can defend our important programs and data against every harmful program if we have a PC - even an older one - what we use only for internet. The downloaded and controlled materials we can transport to our main PC what we use for works, for chess engines, for etc. with the help of a USB stick or a mobile HDD or a local net.
Naturally we ought to make a copy from the virgin, freshly installed Windows with the help of (for e.g.) Clonezilla and we should store the copy not only on that PC but on our main PC or on a USB stick too.
If we use a PC with two or more HDDs during the use of Internet the the HDDs what we do not use ought to switch off. If a HDD is in the state of switched off there are no kind of harmful program to harm it.
In the above case if it happens an attack at most we lose the data what is on the PC used for Internet.
Personal data, data for banking never store on the PC used for Internet but on a USB stick!

Post Reply