For Windows Server shares, one way to mitigate the spread of ransomware files is by using FSRM to create a filter for files with the ransomware payload's file name extension. It should block the writing of such files and notify you which user's PC is attempting to write the offending file onto the network share.

Regards

On 21 Sep 2016 19:33, <skunkworks-request@lists.my.co.ke> wrote:
Today's Topics:

   1. Re: Cerber Ransomware (Marcus Cicero)
   2. Re: Cerber Ransomware (Alex Watila)
   3. Re: Cerber Ransomware (Chris Ochieng)


----------------------------------------------------------------------

Message: 1
Date: Wed, 21 Sep 2016 11:12:39 -0400
From: Marcus Cicero <marcus.cicero@protonmail.com>
Cc: Skunkworks Mailing List <skunkworks@lists.my.co.ke>
Subject: Re: [Skunkworks] Cerber Ransomware
Message-ID:
        <x368ubtrymCZ_ug0pEmj4n4JFV8GPyWgD8aZim_PscDuJQQvIpK2PR4f003MhERl6D5u2Nv8-Qv0g0i5mVwQ8g==@protonmail.com>

Content-Type: text/plain; charset="utf-8"

You do know M$ Windows has had this ability built in since the days of XP?


-------- Original Message --------
Subject: Re: [Skunkworks] Cerber Ransomware
Local Time: 21 September 2016 3:36 PM
UTC Time: 21 September 2016 12:36
From: skunkworks@lists.my.co.ke
To: Maisiba Bravo <riggson87@gmail.com>, Skunkworks Mailing List <skunkworks@lists.my.co.ke>


While you guys are working on this, I have seen two situations where both Cerber and Zepto ransomware messed up two entities.

Since then, I have been thinking about how to always be ready to mitigate the effects. And the surest way is backup, backup, backup.

In situations where files are stored on shared drives on the network, the situation is even worse should the share not have a backup elsewhere.

In the meantime, this tool should help Windows users create backups -> http://www.2brightsparks.com/download-syncbackfree.html

------------------------------

Message: 2
Date: Wed, 21 Sep 2016 19:16:49 +0300
From: "Alex Watila" <awatila@yahoo.co.uk>
To: "'Odhiambo Washington'" <odhiambo@gmail.com>, "'Skunkworks Mailing
        List'" <skunkworks@lists.my.co.ke>, "'Maisiba Bravo'"
        <riggson87@gmail.com>
Subject: Re: [Skunkworks] Cerber Ransomware
Message-ID: <031201d21423$90e42f50$b2ac8df0$@yahoo.co.uk>
Content-Type: text/plain; charset="utf-8"

Wash,

Please note that the backup can contain the ransomware since some work with a time bomb.



So in addition to backup include other measures such as antimalware, patched systems, user education etc





Regards,



From: Odhiambo Washington via skunkworks [mailto:skunkworks@lists.my.co.ke]
Sent: Wednesday, September 21, 2016 3:36 PM
To: Maisiba Bravo <riggson87@gmail.com>; Skunkworks Mailing List <skunkworks@lists.my.co.ke>
Subject: Re: [Skunkworks] Cerber Ransomware



While you guys are working on this, I have seen two situations where both Cerber and Zepto ransomware messed up two entities.



Since then, I have been thinking about how to always be ready to mitigate the effects. And the surest way is backup, backup, backup.



In situations where files are stored on shared drives on the network, the situation is even worse should the share not have a backup elsewhere.



In the meantime, this tool should help Windows users create backups -> http://www.2brightsparks.com/download-syncbackfree.html



On 21 September 2016 at 14:48, Maisiba Bravo via skunkworks <skunkworks@lists.my.co.ke> wrote:

Avoid Ammyy Admin website <http://ammyy.com>

The website is compromised to spread Cerber 3 Ransomware.



http://news.softpedia.com/news/ammyy-admin-website-compromised-to-spread-cerber-3-ransomware-508330.shtml



There are some decryption softwares as quoted in some articles, feared to try any tho'











Bravo









On Wed, Sep 21, 2016 at 2:39 PM, David K. Kandie <kipkanists@gmail.com> wrote:

I am victim - still looking for help. All files are now .cerber and have also synced with Office 365

  _____

From: charles kungu via skunkworks <skunkworks@lists.my.co.ke>
Sent: 9/21/2016 2:23 PM
To: Maisiba Bravo <riggson87@gmail.com>; Skunkworks Mailing List <skunkworks@lists.my.co.ke>
Subject: Re: [Skunkworks] Cerber Ransomware

Yeap. My client was attacked by batman_good@aol.com.xtbl

They encrypted some files, and changed them to .xtbl format, still figuring how to decrypt the files that were not backed up.



On Wed, Sep 21, 2016 at 1:34 PM, Maisiba Bravo via skunkworks <skunkworks@lists.my.co.ke> wrote:

Any victim?





Bravo


_______________________________________________
skunkworks mailing list
skunkworks@lists.my.co.ke
------------
List info, subscribe/unsubscribe
http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
------------

Skunkworks Rules
http://my.co.ke/phpbb/viewtopic.php?f=24&t=94
------------
Other services @ http://my.co.ke




--

Regards,
C . K























--

Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."


------------------------------

Message: 3
Date: Wed, 21 Sep 2016 20:32:49 +0400
From: Chris Ochieng <jangita.nyagudi@gmail.com>
To: Alex Watila <awatila@yahoo.co.uk>,  Skunkworks Mailing List
        <skunkworks@lists.my.co.ke>
Subject: Re: [Skunkworks] Cerber Ransomware
Message-ID:
        <CA+C-RFE3SNWy0gTB4rMFZ0ypJaZY744ONeP0ydreJFd0+E+Q4g@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

I've always used Dropbox. Always set the root to my ~/ directory. Always
worked for me even when hit or accidentally learnt sudo find / -delete
-name *.txt. But then again, all my data never exceeded around 4GB.

On 21 September 2016 at 20:16, Alex Watila via skunkworks <
skunkworks@lists.my.co.ke> wrote:

> Wash,
>
> Please note that the backup can contain the ransomware since some work
> with a time bomb.
>
>
>
> So in addition to backup include other measures such as antimalware,
> patched systems, user education etc
>
>
>
>
>
> Regards,
>
>
>
> *From:* Odhiambo Washington via skunkworks [mailto:skunkworks@lists.my.co.ke]
> *Sent:* Wednesday, September 21, 2016 3:36 PM
> *To:* Maisiba Bravo <riggson87@gmail.com>; Skunkworks Mailing List <
> skunkworks@lists.my.co.ke>
>
> *Subject:* Re: [Skunkworks] Cerber Ransomware
>
>
>
> While you guys are working on this, I have seen two situations where both
> Cerber and Zepto ransomware messed up two entities.
>
>
>
> Since then, I have been thinking about how to always be ready to mitigate
> the effects. And the surest way is backup, backup, backup.
>
>
>
> In situations where files are stored on shared drives on the network, the
> situation is even worse should the share not have a backup elsewhere.
>
>
>
> In the meantime, this tool should help Windows users create backups ->
> http://www.2brightsparks.com/download-syncbackfree.html
>
>
>
> On 21 September 2016 at 14:48, Maisiba Bravo via skunkworks <
> skunkworks@lists.my.co.ke> wrote:
>
> *Avoid* Ammyy Admin website <http://ammyy.com>
>
> *The website is compromised to spread Cerber 3 Ransomware.*
>
>
>
> http://news.softpedia.com/news/ammyy-admin-website-compromised-to-spread-cerber-3-ransomware-508330.shtml
>
>
>
> There are some decryption softwares as quoted in some articles, feared to
> try any tho'
>
>
>
>
>
>
>
>
>
>
>
> Bravo
>
>
>
>
>
>
>
>
>
> On Wed, Sep 21, 2016 at 2:39 PM, David K. Kandie <kipkanists@gmail.com>
> wrote:
>
> I am victim - still looking for help. All files are now .cerber and have
> also synced with Office 365
> ------------------------------
>
> *From: *charles kungu via skunkworks <skunkworks@lists.my.co.ke>
> *Sent: *9/21/2016 2:23 PM
> *To: *Maisiba Bravo <riggson87@gmail.com>; Skunkworks Mailing List
> <skunkworks@lists.my.co.ke>
> *Subject: *Re: [Skunkworks] Cerber Ransomware
>
> Yeap. My client was attacked by batman_good@aol.com.xtbl
>
> They encrypted some files, and changed them to .xtbl format, still
> figuring how to decrypt the files that were not backed up.
>
>
>
> On Wed, Sep 21, 2016 at 1:34 PM, Maisiba Bravo via skunkworks <
> skunkworks@lists.my.co.ke> wrote:
>
> Any victim?
>
>
>
>
>
> Bravo
>
>
>
>
>
>
> --
>
> Regards,
> C . K
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> --
>
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254 7 3200 0004/+254 7 2274 3223
> "Oh, the cruft."
>
>



------------------------------


------------------------------

End of skunkworks Digest, Vol 28, Issue 120
*******************************************
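
The FSRM file screen suggested in the reply at the top of this thread, sketched as an added example (not part of any list member's post). It assumes a Windows Server 2012 or later file server with the File Server Resource Manager role service installed; the share path `D:\Shares` and the group name are placeholders, and the two patterns are the extensions reported in the thread.

```powershell
# Added example: hypothetical share path and group name; run elevated on the file server.
Import-Module FileServerResourceManager   # requires the FS-Resource-Manager feature

$SharePath = 'D:\Shares'                  # assumption: root of the shared folders
$GroupName = 'Ransomware extensions'      # assumption: any name works
$Patterns  = @('*.cerber', '*.xtbl')      # extensions reported in this thread

# Create the file group, or update it when the script is re-run with new patterns.
if (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns
} else {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns | Out-Null
}

# Event-log notification naming the account and the file that was blocked.
$Notify = New-FsrmAction -Type Event -EventType Warning -Body (
    'User [Source Io Owner] tried to write [Source File Path] ' +
    'under [File Screen Path] on [Server]; matched group [Violated File Group].')

# Active screening blocks the write; passive (-Active:$false) would only log it.
if (-not (Get-FsrmFileScreen -Path $SharePath -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $SharePath -IncludeGroup $GroupName `
        -Active -Notification $Notify | Out-Null
}

# Review recent FSRM warnings to see which accounts are hitting the screen.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SRMSVC' } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

A file screen matches only the patterns listed, so the group has to be kept current as new extensions appear. The notification identifies the writing account through `[Source Io Owner]`, which is the starting point for locating the infected workstation.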