
No sysadmin worth his salt should trust users with such a big responsibility. The challenge is to build a resilient system with backups, regular updates and strict control over user rights.

On 01/04/2016 12:17, Brian Ngure wrote:
Tell people not to be silly and open weird emails and attachments?
On Fri, Apr 1, 2016 at 12:13 PM, Martin Mugambi via skunkworks <skunkworks@lists.my.co.ke> wrote:
So how do we stop/prevent that Ransomware?

*From:* Kennedy Kairaria via skunkworks [mailto:skunkworks@lists.my.co.ke]
*Sent:* Friday, April 01, 2016 11:45 AM
*To:* Mark Kipyegon Koskei; Skunkworks Mailing List
*Subject:* Re: [Skunkworks] PayCript Ransomware

Mark, apparently that seems the case as it's a relatively new ransomware.

Regards,

*Kennedy Kairaria*
Mobile: (254) 724 615232 | kenkairaria@gmail.com
LinkedIn <http://www.linkedin.com/in/kairaria>
<http://kennedy-kairaria.branded.me/>
Contact me: Skype kennedy.kairaria

On 1 April 2016 at 11:39, Mark Kipyegon Koskei via skunkworks <skunkworks@lists.my.co.ke> wrote:
Have you tried restoring from shadow copy?
Unless a decryption tool exists for that particular strain of ransomware, then you are SOL.
On 01/04/2016 11:22, skunkworks-request@lists.my.co.ke wrote:
>>
>> On Fri, Apr 1, 2016 at 11:01 AM, Kennedy Kairaria via skunkworks <skunkworks@lists.my.co.ke> wrote:
>>
>>> By the time we noticed they were also affected. Incremental backups.
>>>
>>> Regards,
>>>
>>> *Kennedy Kairaria*
>>>
>>> On 1 April 2016 at 10:58, Brian Ngure <brian@pixie.co.ke> wrote:
>>>
>>>> Backups?
>>>> On 1 Apr 2016 10:52 am, "Kennedy Kairaria via skunkworks" <skunkworks@lists.my.co.ke> wrote:
>>>>
>>>>> Skunk(ette)s,
>>>>>
>>>>> We just got hit with the paycript ransom-ware on some of our file
>>>>> servers. We've managed to identify the domain accounts running the script and
>>>>> disabled them. Seems to have stopped spreading across the network to our
>>>>> other file servers (for now...48 hours and counting)
>>>>>
>>>>> Suspected source has also been identified and measures taken. What
>>>>> remains now is finding a way to decrypt the files. The damn fools are
>>>>> asking for 2BTC for them to decrypt and double the amount to charge by the
>>>>> day if not paid.
>>>>>
>>>>> Anyone else who has had to go through the same? What measures did you
>>>>> take to recover?
>>>>>