
Lol, and that is why I said it is a challenge. There is always that fellow that demands full admin rights.

On 01/04/2016 12:46, MotoBaridi wrote:
@Mark, in many places, user convenience is valued over system/data security, and sys admins have no say. Block Facebook during work-hours, your boss will be breathing down your neck. Block downloading of .exe files, some C-level person will demand you unblock it, you know, so they can download and install FreeScreenSaver.
What's a guy to do?
--
On Fri, Apr 1, 2016 at 12:31 PM, Mark Kipyegon Koskei via skunkworks <skunkworks@lists.my.co.ke> wrote:
No sysadmin worth his salt should trust users with such a big responsibility.
The challenge is to build a resilient system with backups, regular updates and strict control over user rights.
On 01/04/2016 12:17, Brian Ngure wrote:
> Tell people not to be silly and open weird emails and attachments?
>
> On Fri, Apr 1, 2016 at 12:13 PM, Martin Mugambi via skunkworks
> <skunkworks@lists.my.co.ke> wrote:
>
> > So how do we stop/prevent that Ransomware?
> >
> > From: Kennedy Kairaria via skunkworks [mailto:skunkworks@lists.my.co.ke]
> > Sent: Friday, April 01, 2016 11:45 AM
> > To: Mark Kipyegon Koskei; Skunkworks Mailing List
> > Subject: Re: [Skunkworks] PayCript Ransomware
> >
> > Mark, apparently that seems the case as it's a relatively new
> > ransomware.
> >
> > Regards,
> >
> > Kennedy Kairaria
> > Mobile: (254) 724 615232
> > kenkairaria@gmail.com
> > LinkedIn <http://www.linkedin.com/in/kairaria>
> > http://kennedy-kairaria.branded.me/
> > Contact me: Skype kennedy.kairaria
> >
> > On 1 April 2016 at 11:39, Mark Kipyegon Koskei via skunkworks
> > <skunkworks@lists.my.co.ke> wrote:
> >
> > Have you tried restoring from shadow copy?
> >
> > Unless a decryption tool exists for that particular strain of
> > ransomware, then you are SOL.
> >
> > On 01/04/2016 11:22, skunkworks-request@lists.my.co.ke wrote:
> >>
> >> On Fri, Apr 1, 2016 at 11:01 AM, Kennedy Kairaria via skunkworks
> >> <skunkworks@lists.my.co.ke> wrote:
> >>
> >>> By the time we noticed they were also affected. Incremental backups.
> >>>
> >>> Regards,
> >>>
> >>> Kennedy Kairaria
> >>>
> >>> On 1 April 2016 at 10:58, Brian Ngure <brian@pixie.co.ke> wrote:
> >>>
> >>>> Backups?
> >>>> On 1 Apr 2016 10:52 am, "Kennedy Kairaria via skunkworks"
> >>>> <skunkworks@lists.my.co.ke> wrote:
> >>>>
> >>>>> Skunk(ette)s,
> >>>>>
> >>>>> We just got hit with the paycript ransom-ware on some of our file
> >>>>> servers. We've managed to identify the domain accounts running the
> >>>>> script and disabled them. Seems to have stopped spreading across the
> >>>>> network to our other file servers (for now...48 hours and counting).
> >>>>>
> >>>>> Suspected source has also been identified and measures taken. What
> >>>>> remains now is finding a way to decrypt the files. The damn fools are
> >>>>> asking for 2BTC for them to decrypt and double the amount to charge by
> >>>>> the day if not paid.
> >>>>>
> >>>>> Anyone else who has had to go through the same? What measures did you
> >>>>> take to recover?