Re: [Skunkworks] PayCript Ransomware

Have you tried restoring from shadow copy?
Unless a decryption tool exists for that particular strain of ransomware, then you are SOL.

On 01/04/2016 11:22, skunkworks-request@lists.my.co.ke wrote:
> On Fri, Apr 1, 2016 at 11:01 AM, Kennedy Kairaria via skunkworks <skunkworks@lists.my.co.ke> wrote:
>> By the time we noticed they were also affected. Incremental backups.
>> Regards,
>> *Kennedy Kairaria*
>> Mobile: (254) 724 615232 | kenkairaria@gmail.com | LinkedIn: http://www.linkedin.com/in/kairaria | http://kennedy-kairaria.branded.me/ | Skype: kennedy.kairaria
>> On 1 April 2016 at 10:58, Brian Ngure <brian@pixie.co.ke> wrote:
>>> Backups?
>>> On 1 Apr 2016 10:52 am, "Kennedy Kairaria via skunkworks" <skunkworks@lists.my.co.ke> wrote:
>>>> Skunk(ette)s,
>>>> We just got hit with the PayCript ransomware on some of our file servers. We've managed to identify the domain accounts running the script and disabled them. Seems to have stopped spreading across the network to our other file servers (for now... 48 hours and counting).
>>>> Suspected source has also been identified and measures taken. What remains now is finding a way to decrypt the files. The damn fools are asking for 2 BTC for them to decrypt and double the amount to charge by the day if not paid.
>>>> Anyone else who has had to go through the same? What measures did you take to recover?
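Kennedy's containment step, working out which domain accounts are writing the encrypted files and disabling them, as an added PowerShell example; it is not code from the thread or from any of the posters. It assumes the encryptor creates the encrypted copies as new files (so NTFS stamps the writing account as owner), a placeholder share path and a placeholder `*.encrypted` pattern (the thread does not give PayCript's extension), and the RSAT ActiveDirectory module on the server. If the strain rewrites files in place the owner does not change, and the file server's object-access audit log is the better source.

```powershell
# Added example (not from the thread): rank the accounts that own recently written
# encrypted files on a share and optionally disable them and drop their SMB sessions.
# $SharePath, $EncryptedPattern and $Since are placeholders; adjust to what you see.
param(
    [string]$SharePath = 'D:\Shares',
    [string]$EncryptedPattern = '*.encrypted',
    [datetime]$Since = (Get-Date).AddHours(-48),
    [switch]$Disable
)
Import-Module ActiveDirectory

# Every file matching the pattern that was written inside the incident window,
# with the NTFS owner (DOMAIN\user) of the file. If the writer was a local admin
# the owner shows up as BUILTIN\Administrators instead of the user, so look at
# both the owner and the file times before acting.
$hits = Get-ChildItem -LiteralPath $SharePath -Recurse -File -Filter $EncryptedPattern -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Since } |
    ForEach-Object {
        [pscustomobject]@{
            Path  = $_.FullName
            Owner = (Get-Acl -LiteralPath $_.FullName).Owner
            When  = $_.LastWriteTime
        }
    }

if (-not $hits) {
    Write-Warning "No files matching $EncryptedPattern written since $Since under $SharePath"
    return
}

# The accounts owning the most encrypted files are the sessions running the script.
$suspects = $hits | Group-Object Owner | Sort-Object Count -Descending |
    Select-Object @{n='Account'; e={ $_.Name }}, Count,
                  @{n='FirstSeen'; e={ ($_.Group | Sort-Object When | Select-Object -First 1).When }}
$suspects | Format-Table -AutoSize

if ($Disable) {
    foreach ($s in $suspects) {
        # Only act on real domain user accounts; built-in groups and unresolved SIDs are skipped.
        $sam  = $s.Account.Split('\')[-1]
        $user = Get-ADUser -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue
        if ($user) {
            Disable-ADAccount -Identity $user
            # Disabling the account does not end an established session; close it so the
            # running script loses its handle on the share now rather than at next logon.
            Get-SmbSession | Where-Object { $_.ClientUserName -eq $s.Account } | Close-SmbSession -Force
            Write-Host "Disabled $($s.Account) ($($s.Count) encrypted files, first seen $($s.FirstSeen))"
        }
    }
}
```

Run it once without `-Disable` to review the ranking, then again with `-Disable` for the accounts you are sure about; the `FirstSeen` column also gives you the time the encryption started on that share, which is what a shadow-copy or backup restore needs.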

Mark, apparently that seems the case as it's a relatively new ransomware.

Regards,
*Kennedy Kairaria*
Mobile: (254) 724 615232 | kenkairaria@gmail.com | LinkedIn: http://www.linkedin.com/in/kairaria | http://kennedy-kairaria.branded.me/ | Skype: kennedy.kairaria

On 1 April 2016 at 11:39, Mark Kipyegon Koskei via skunkworks <skunkworks@lists.my.co.ke> wrote:
_______________________________________________
skunkworks mailing list
skunkworks@lists.my.co.ke
List info, subscribe/unsubscribe: http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
Skunkworks Rules: http://my.co.ke/phpbb/viewtopic.php?f=24&t=94
Other services @ http://my.co.ke
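Mark's shadow copy suggestion, as an added PowerShell example that is not code from the thread: it picks the newest Volume Shadow Copy of the share volume that predates the encryption and copies one file out of it. The volume, file path, destination and encryption start time are placeholders. The empty-result branch is the important one: many ransomware families remove the shadow copies as part of the attack, so a clean snapshot may simply not exist, and then an offline backup is the only source.

```powershell
# Added example (not from the thread): recover one file from the newest VSS
# shadow copy that predates the encryption. Run elevated on the file server.
# $Volume, $RelativePath, $Destination and $EncryptionStarted are placeholders.
param(
    [string]$Volume = 'D:',
    [string]$RelativePath = 'Shares\Finance\budget.xlsx',
    [string]$Destination = 'C:\Recovered',
    [datetime]$EncryptionStarted = (Get-Date).AddHours(-48)
)

# Win32_ShadowCopy keys snapshots by the volume's GUID path, not its drive letter.
$vol = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter -eq $Volume }
if (-not $vol) { throw "Volume $Volume not found" }

# Only a snapshot taken before the encryptor ran holds clean copies.
$candidates = Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $vol.DeviceID -and $_.InstallDate -lt $EncryptionStarted } |
    Sort-Object InstallDate -Descending

if (-not $candidates) {
    # Either VSS was never enabled for this volume or the snapshots were removed
    # during the attack; in that case the only remaining source is an offline backup.
    Write-Warning "No shadow copy of $Volume predates $EncryptionStarted"
    return
}
$snap = @($candidates)[0]
Write-Host "Using shadow copy $($snap.ID) created $($snap.InstallDate)"

# The snapshot is only reachable through its device object, so expose it as a
# directory symlink (mklink needs the trailing backslash to treat it as a root).
$link = Join-Path $env:TEMP ('vss_' + [guid]::NewGuid().ToString('N'))
cmd.exe /c mklink /d "$link" "$($snap.DeviceObject)\" | Out-Null
try {
    $src = Join-Path $link $RelativePath
    if (-not (Test-Path -LiteralPath $src)) { throw "$RelativePath does not exist in this snapshot" }
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    Copy-Item -LiteralPath $src -Destination $Destination
    # Show what came back so the operator can confirm it is the pre-encryption version.
    Get-Item -LiteralPath (Join-Path $Destination (Split-Path $RelativePath -Leaf)) |
        Select-Object Name, Length, LastWriteTime
}
finally {
    # rmdir on a directory symlink removes only the link, never the snapshot.
    cmd.exe /c rmdir "$link" | Out-Null
}
```

For a single file the Previous Versions tab in Explorer does the same thing; the script is for bulk restores and for answering the first question, whether any snapshot older than the incident still exists on the volume at all.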

So how do we stop/prevent that ransomware?

*From:* Kennedy Kairaria via skunkworks [mailto:skunkworks@lists.my.co.ke]
*Sent:* Friday, April 01, 2016 11:45 AM
*To:* Mark Kipyegon Koskei; Skunkworks Mailing List
*Subject:* Re: [Skunkworks] PayCript Ransomware

Tell people not to be silly and open weird emails and attachments?

On Fri, Apr 1, 2016 at 12:13 PM, Martin Mugambi via skunkworks <skunkworks@lists.my.co.ke> wrote:
--
Regards
Brian Ngure

No sysadmin worth his salt should trust users with such a big responsibility.
The challenge is to build a resilient system with backups, regular updates and strict control over user rights.

On 01/04/2016 12:17, Brian Ngure wrote:
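Mark's "strict control over user rights" point, made concrete as an added PowerShell example (not code from the thread): it audits every SMB share on a file server and reports where a broad principal can write, at the share layer or in the NTFS ACL of the share root. An encryptor running under a compromised user account can only touch what that account can write, so these entries are the blast radius. The list of broad principals is a constructed starting point and the NTFS pass only looks at the share root.

```powershell
# Added example (not from the thread): list shares where Everyone / Authenticated
# Users / Domain Users hold write access. Run on the file server as an administrator.
# $BroadPrincipals is a constructed list; add your own catch-all groups to it.
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users',
                     "$env:USERDOMAIN\Domain Users")

# NTFS bits that permit creating or overwriting files: the Write composite
# (WriteData, AppendData, WriteEA, WriteAttributes) plus GENERIC_WRITE / GENERIC_ALL,
# which show up on ACEs that have not been mapped to specific rights.
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]::Write -bor 0x40000000 -bor 0x10000000

function Test-NtfsWrite([System.Security.AccessControl.FileSystemAccessRule]$Ace) {
    $Ace.AccessControlType -eq 'Allow' -and
    $BroadPrincipals -contains $Ace.IdentityReference.Value -and
    (([int]$Ace.FileSystemRights -band $WriteBits) -ne 0)
}

$findings = foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    # Share-layer permissions: Full and Change both allow writes.
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        if ($ace.AccessControlType -eq 'Allow' -and @('Full', 'Change') -contains $ace.AccessRight -and
            $BroadPrincipals -contains $ace.AccountName) {
            [pscustomobject]@{ Share = $share.Name; Layer = 'SMB';  Principal = $ace.AccountName; Right = $ace.AccessRight }
        }
    }
    # NTFS permissions on the share root (subfolders with their own ACLs need a deeper pass).
    foreach ($ace in (Get-Acl -LiteralPath $share.Path).Access) {
        if (Test-NtfsWrite $ace) {
            [pscustomobject]@{ Share = $share.Name; Layer = 'NTFS'; Principal = $ace.IdentityReference.Value; Right = $ace.FileSystemRights }
        }
    }
}

if ($findings) { $findings | Sort-Object Share, Layer | Format-Table -AutoSize }
else           { 'No broad write access found on non-administrative shares.' }
```

Each row is a share that one phished user can encrypt end to end; replacing the broad principal with a per-department group that actually needs write access is the control Mark is describing, and the same audit run after the change confirms it took.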

The key issue is not user rights, but there'll be one user who will, out of curiosity, open spam email attachments, and this will be the start of your system attack.

*Kind Regards,*
*Alex.K.Gitahi.*

On Fri, Apr 1, 2016 at 12:31 PM, Mark Kipyegon Koskei via skunkworks <skunkworks@lists.my.co.ke> wrote:

Implementing a solution like Check Point SandBlast for your NGFW can be of help. Comes with big $$.

On Fri, Apr 1, 2016 at 12:44 PM, Alex Gitahi via skunkworks <skunkworks@lists.my.co.ke> wrote:
--
Francis Irungu,

https://www.linkedin.com/pulse/ransom-ware-real-prepared-francis-irungu?trk=...

Kind Regards,
Catherine Njoroge

On Fri, Apr 1, 2016 at 1:12 PM, francis irungu via skunkworks <skunkworks@lists.my.co.ke> wrote:

In my honest opinion, securing your mail server to prevent these kinds of attachments is at least 90% efficient. Many people focus on the network security, and because there is no BYOD policy, people are accessing company resources on phones, iPads and home laptops which you have no control of. At the end of the day, security has to be a top-down approach; you can't just have a firewall and sail into the sunset.

*From:* Catherine njoroge via skunkworks [mailto:skunkworks@lists.my.co.ke]
*Sent:* 01 April 2016 13:29
*To:* francis irungu <francisirungu@gmail.com>; Skunkworks Mailing List <skunkworks@lists.my.co.ke>
*Subject:* Re: [Skunkworks] PayCript Ransomware
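Joseph's point about securing the mail server, and Alex's earlier one that some user will eventually open the attachment, as one added PowerShell example that is not code from the thread: two Exchange transport rules that stop the attachment types used to deliver ransomware before they reach a mailbox. The rule names, the extension list and the reject text are the editor's assumptions; run it in the Exchange Management Shell with organization-management rights.

```powershell
# Added example (not from the thread): transport rules that reject or quarantine
# inbound mail carrying executable attachments. Names, extensions and wording are
# assumptions to be adapted to the organisation's own policy.
$BlockedExtensions = @(
    'exe', 'scr', 'com', 'pif', 'bat', 'cmd',                      # native executables
    'js', 'jse', 'vbs', 'vbe', 'wsf', 'wsh', 'ps1', 'hta', 'jar'   # script droppers
)

# Rule 1: reject external mail by attachment extension and tell the sender why,
# so a legitimate correspondent knows to send the file another way.
New-TransportRule -Name 'Block executable attachments (inbound)' `
    -FromScope NotInOrganization `
    -AttachmentExtensionMatchesWords $BlockedExtensions `
    -RejectMessageReasonText 'This attachment type is not accepted here. Please share the file another way.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Priority 0 `
    -Comments 'Added after the ransomware incident; review quarterly.'

# Rule 2: extension matching is defeated by renaming the file, so a second rule
# lets Exchange inspect the attachment's actual content for an executable format
# and holds the message in quarantine for an admin to look at.
New-TransportRule -Name 'Quarantine executable content (inbound)' `
    -FromScope NotInOrganization `
    -AttachmentHasExecutableContent $true `
    -Quarantine $true `
    -Priority 1

# Confirm both rules are enabled and ordered ahead of anything that would allow the mail.
Get-TransportRule | Where-Object { $_.Name -like '*(inbound)' } |
    Sort-Object Priority | Format-Table Priority, Name, State -AutoSize
```

Rejecting rather than silently dropping matters operationally: the sender gets an NDR and the help desk gets fewer "where is my file" tickets, while the quarantine rule catches the renamed and archived cases the extension list misses.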

I have installed this anti-ransomware tool from Bitdefender: https://labs.bitdefender.com/2016/03/combination-crypto-ransomware-vaccine-r...
Not sure whether it is any good or it's just giving a false sense of security.

On Fri, Apr 1, 2016 at 3:06 PM, Joseph M Owino via skunkworks <skunkworks@lists.my.co.ke> wrote:
In my honest opinion securing your mail server to prevent this kinds of attachments is at least 90% efficient. Many people focus on the network security and because there is no BYOD policy, people are accessing company resources on phones, iPad and home laptops which you have no control of. At the end of the day Security has to be a top-down approach you cant just have a firewall and sail into the sunset
*From:* Catherine njoroge via skunkworks [mailto:skunkworks@lists.my.co.ke]
*Sent:* 01 April 2016 13:29 *To:* francis irungu <francisirungu@gmail.com>; Skunkworks Mailing List < skunkworks@lists.my.co.ke> *Subject:* Re: [Skunkworks] PayCript Ransomware
https://www.linkedin.com/pulse/ransom-ware-real-prepared-francis-irungu?trk=...
Kind Regards,
Catherine Njoroge
On Fri, Apr 1, 2016 at 1:12 PM, francis irungu via skunkworks <skunkworks@lists.my.co.ke> wrote:
Implementing a solution like Checkpoint Sandblast for your NGFW can be of help. Comes with big $$.
On Fri, Apr 1, 2016 at 12:44 PM, Alex Gitahi via skunkworks <skunkworks@lists.my.co.ke> wrote:
Key issue is not user rights, but there'll be one user who will out of curiosity open spam email attachments, and this will be the start of your system attack.
*Kind Regards,*
*Alex.K.Gitahi.*
On Fri, Apr 1, 2016 at 12:31 PM, Mark Kipyegon Koskei via skunkworks <skunkworks@lists.my.co.ke> wrote:
No sysadmin worth his salt should trust users with such a big responsibility.
The challenge is to build a resilient system with backups, regular updates and strict control over user rights.
On 01/04/2016 12:17, Brian Ngure wrote:
Tell people not to be silly and open weird emails and attachments?
On Fri, Apr 1, 2016 at 12:13 PM, Martin Mugambi via skunkworks <skunkworks@lists.my.co.ke> wrote:
So how do we stop/prevent that Ransomware?
--
Best Regards
Jimmy Thuo

Securing the mail server sounds nice. How about those using Google Apps?

On Fri, Apr 1, 2016 at 3:06 PM, Joseph M Owino via skunkworks <skunkworks@lists.my.co.ke> wrote:
--
Regards
Brian Ngure

Google already scans your attachments. That's why most of these ransom exes are being transmitted through dropbox or self hosted mail servers.

From: Brian Ngure [mailto:brian@pixie.co.ke]
Sent: 01 April 2016 15:22
To: Joseph M Owino <jpmuga@gmail.com>; Skunkworks Mailing List <skunkworks@lists.my.co.ke>
Cc: Catherine njoroge <katewacuka24@gmail.com>; francis irungu <francisirungu@gmail.com>
Subject: Re: [Skunkworks] PayCript Ransomware

Securing the mail server sounds nice. How about those using Google Apps?
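The attachment screening that Joseph's two messages above argue for (a mail server that stops executable attachments before a curious user can open them, the same job Google's scanning does for Google Apps customers), as an added Python example that is not code from any poster on this list. It parses a message with the standard library and blocks a part when its name carries a blocked or double extension, when its bytes start with the Windows PE header whatever the name says, or when it is a zip archive holding such a file. The extension lists, the thresholds and the sample message are constructed for illustration and are not taken from the thread.

```python
"""Attachment screening of the kind a mail gateway applies (added example, constructed data)."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed policy lists for illustration; a real gateway takes these from its configuration.
BLOCKED_EXTENSIONS = {"exe", "scr", "js", "jse", "vbs", "bat", "cmd", "ps1", "hta", "com", "pif"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows executable


def classify_name(filename):
    """Return a reason string if the filename alone is suspicious, else None."""
    parts = filename.lower().rsplit(".", 2)
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in BLOCKED_EXTENSIONS:
        # "invoice.pdf.exe": a document extension hiding a blocked one behind it
        if len(parts) == 3 and parts[1] in DOCUMENT_EXTENSIONS:
            return f"double extension .{parts[1]}.{ext}"
        return f"blocked extension .{ext}"
    return None


def classify_bytes(payload):
    """Return a reason string if the content is a PE file or a zip holding a blocked name."""
    if payload[:2] == PE_MAGIC:
        return "PE header (MZ) regardless of extension"
    if zipfile.is_zipfile(io.BytesIO(payload)):
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for member in zf.namelist():
                reason = classify_name(member)
                if reason:
                    return f"archive member {member}: {reason}"
    return None


def screen_message(raw):
    """Parse a raw RFC 5322 message; return [(attachment name, reason)] for parts to block."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        reason = classify_name(name) or classify_bytes(payload)
        if reason:
            findings.append((name, reason))
    return findings


def build_sample_message():
    """Constructed sample: a harmless PDF, a double-extension exe, a zip with a .js, a renamed PE."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00constructed", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("statement.js", "// constructed placeholder")
    msg.add_attachment(zbuf.getvalue(), maintype="application",
                       subtype="zip", filename="statement.zip")
    msg.add_attachment(b"MZ\x90\x00constructed", maintype="image",
                       subtype="jpeg", filename="photo.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in screen_message(build_sample_message()):
        print(f"BLOCK {name}: {reason}")
```

Run stand-alone it reports the three constructed attachments it would block and lets the PDF through. The content check matters more than the name check: an executable renamed to a document extension passes the name rules and is only caught by the PE header. In production the archive inspection also needs a bound on nesting depth and decompressed size, which this example leaves out.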

http://motherboard.vice.com/read/is-the-us-cert-alert-on-hospital-ransomware...
https://www.us-cert.gov/ncas/alerts/TA16-091A

--

On Fri, Apr 1, 2016 at 3:31 PM, Joseph M Owino via skunkworks <skunkworks@lists.my.co.ke> wrote:
Google already scan your attachemnts. That’s why most of these ransom exes are being transmitted through dropbox or self hosted mail servers.

And here we are again: negotiate, pay, decrypt, backup and format. What to do to not get hit? This is not a simple "switch to Linux" answer or "secure mail server" answer. It's a "train users" answer and put in the right policies; if you don't have proper tools to deploy policies, then ensure that your file servers cannot execute any files, i.e. remote executions, and also securing the file server. This way only the infected user machine will be formatted.

On Sat, Apr 2, 2016 at 2:38 PM, MotoBaridi via skunkworks <skunkworks@lists.my.co.ke> wrote:
http://motherboard.vice.com/read/is-the-us-cert-alert-on-hospital-ransomware...
https://www.us-cert.gov/ncas/alerts/TA16-091A
--
On Fri, Apr 1, 2016 at 3:31 PM, Joseph M Owino via skunkworks < skunkworks@lists.my.co.ke> wrote:
Google already scan your attachemnts. That’s why most of these ransom exes are being transmitted through dropbox or self hosted mail servers.
*From:* Brian Ngure [mailto:brian@pixie.co.ke] *Sent:* 01 April 2016 15:22 *To:* Joseph M Owino <jpmuga@gmail.com>; Skunkworks Mailing List < skunkworks@lists.my.co.ke> *Cc:* Catherine njoroge <katewacuka24@gmail.com>; francis irungu < francisirungu@gmail.com>
*Subject:* Re: [Skunkworks] PayCript Ransomware
Securing the mail server sounds nice. How about those using Google Apps?
On Fri, Apr 1, 2016 at 3:06 PM, Joseph M Owino via skunkworks < skunkworks@lists.my.co.ke> wrote:
In my honest opinion securing your mail server to prevent this kinds of attachments is at least 90% efficient. Many people focus on the network security and because there is no BYOD policy, people are accessing company resources on phones, iPad and home laptops which you have no control of. At the end of the day Security has to be a top-down approach you cant just have a firewall and sail into the sunset
*From:* Catherine njoroge via skunkworks [mailto: skunkworks@lists.my.co.ke] *Sent:* 01 April 2016 13:29 *To:* francis irungu <francisirungu@gmail.com>; Skunkworks Mailing List < skunkworks@lists.my.co.ke> *Subject:* Re: [Skunkworks] PayCript Ransomware
https://www.linkedin.com/pulse/ransom-ware-real-prepared-francis-irungu?trk=...
Kind Regards,
Catherine Njoroge
On Fri, Apr 1, 2016 at 1:12 PM, francis irungu via skunkworks < skunkworks@lists.my.co.ke> wrote:
Implementing a solution like Checkpoint Sandblast for your NGFW can be of help. comes with big $$.
On Fri, Apr 1, 2016 at 12:44 PM, Alex Gitahi via skunkworks < skunkworks@lists.my.co.ke> wrote:
key issue is not user rights but there'll be one user who will out of curiosity open spam email attachments and this will be the start of your system attack.
*Kind Regards,*
*Alex.K.Gitahi.*
On Fri, Apr 1, 2016 at 12:31 PM, Mark Kipyegon Koskei via skunkworks < skunkworks@lists.my.co.ke> wrote:
No sysadmin worth his salt should trust users with such a big responsibility.
The challenge is to build a resilient system with backups, regular updates and strict control over user rights.
On 01/04/2016 12:17, Brian Ngure wrote:
Tell people not to be silly and open weird emails and attachments?
On Fri, Apr 1, 2016 at 12:13 PM, Martin Mugambi via skunkworks <skunkworks@lists.my.co.ke <mailto:skunkworks@lists.my.co.ke>> wrote:
So How do we stop/prevent that Ransomware? ____
__ __
*From:*Kennedy Kairaria via skunkworks [mailto:skunkworks@lists.my.co.ke <mailto:skunkworks@lists.my.co.ke ] *Sent:* Friday, April 01, 2016 11:45 AM *To:* Mark Kipyegon Koskei; Skunkworks Mailing List *Subject:* Re: [Skunkworks] PayCript Ransomware____
__ __
Mark, apparently that seems the case as its a relatively new ransomware.____
____
Regards,____
__ __
*Kennedy Kairaria*____
Mobile: (254) 724 615232 _kenkairaria@gmail.com <mailto:kenkairaria@gmail.com>_ |____
LinkedIn <http://www.linkedin.com/in/kairaria> ____
http://kennedy-kairaria.g <http://kennedy-kairaria.branded.me/ q____
Contact me: Skype kennedy.kairaria____
__ __
On 1 April 2016 at 11:39, Mark Kipyegon Koskei via skunkworks <skunkworks@lists.my.co.ke <mailto:skunkworks@lists.my.co.ke>> wrote:____
Have you tried restoring from shadow copy?
Unless a decryption tool exists for that particular strain of ransomware, then you are SOL.
On 01/04/2016 11:22, skunkworks-request@lists.my.co.ke <mailto:skunkworks-request@lists.my.co.ke> wrote:
>> >> On Fri, Apr 1, 2016 at 11:01 AM, Kennedy Kairaria via skunkworks < >> skunkworks@lists.my.co.ke <mailto:skunkworks@lists.my.co.ke>> wrote: >> >>> By the time we noticed they were also affected. Incremental backups. >>> >>> Regards, >>> >>> *Kennedy Kairaria* >>> >>> Mobile: (254) 724 615232 >>> kenkairaria@gmail.com <mailto:kenkairaria@gmail.com> | >>> [image: LinkedIn] <http://www.linkedin.com/in/kairaria> >>> http://kennedy-kairaria.g <http://kennedy-kairaria.branded.me/ q____
>>> Contact me: [image: Skype] kennedy.kairaria >>> >>> On 1 April 2016 at 10:58, Brian Ngure <brian@pixie.co.ke <mailto:brian@pixie.co.ke>> wrote: >>> >>>> Backups? >>>> On 1 Apr 2016 10:52 am, "Kennedy Kairaria via skunkworks" < >>>> skunkworks@lists.my.co.ke <mailto:skunkworks@lists.my.co.ke>>
wrote: >>>> >>>>> Skunk(ette)s, >>>>> >>>>> We just got hit with the paycript ransom-ware on some of our
file
>>>>> servers we've managed t identify the domain accounts running the script and >>>>> disabled them. Seems to have stopped spreading across the network to our >>>>> other file servers(for now...48 hours and counting) >>>>> >>>>> Suspected source has also been identified and measures taken.
What
>>>>> remains now is finding a way to decrypt the files. The damn fools are >>>>> asking for 2BTC for them to decrypt and double the amount to charge by the >>>>> day if not paid. >>>>> >>>>> Anyone else who has had to go through the same? What measures did you >>>>> take to recover? >>>>>____
_______________________________________________ skunkworks mailing list skunkworks@lists.my.co.ke ------------ List info, subscribe/unsubscribe http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------
Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke
--
Francis Irungu,
--
Regards
Brian Ngure
-- GG

@Mark, in many places, user convenience is valued over system/data security, and sysadmins have no say. Block Facebook during work hours, your boss will be breathing down your neck. Block downloading of .exe files, some C-level person will demand you unblock it, you know, so they can download and install FreeScreenSaver. What's a guy to do?

--

On Fri, Apr 1, 2016 at 12:31 PM, Mark Kipyegon Koskei via skunkworks <skunkworks@lists.my.co.ke> wrote:
No sysadmin worth his salt should trust users with such a big responsibility.
The challenge is to build a resilient system with backups, regular updates and strict control over user rights.
On 01/04/2016 12:17, Brian Ngure wrote:
Tell people not to be silly and open weird emails and attachments?
On Fri, Apr 1, 2016 at 12:13 PM, Martin Mugambi via skunkworks <skunkworks@lists.my.co.ke> wrote:
So how do we stop/prevent that ransomware?

*From:* Kennedy Kairaria via skunkworks [mailto:skunkworks@lists.my.co.ke]
*Sent:* Friday, April 01, 2016 11:45 AM
*To:* Mark Kipyegon Koskei; Skunkworks Mailing List
*Subject:* Re: [Skunkworks] PayCript Ransomware

Mark, apparently that seems the case as it's a relatively new ransomware.

Regards,
*Kennedy Kairaria*
Mobile: (254) 724 615232 kenkairaria@gmail.com |
LinkedIn <http://www.linkedin.com/in/kairaria>
http://kennedy-kairaria.g <http://kennedy-kairaria.branded.me/>q
Contact me: Skype kennedy.kairaria

On 1 April 2016 at 11:39, Mark Kipyegon Koskei via skunkworks <skunkworks@lists.my.co.ke> wrote:
Have you tried restoring from shadow copy?
Unless a decryption tool exists for that particular strain of ransomware, then you are SOL.
On 01/04/2016 11:22, skunkworks-request@lists.my.co.ke wrote:
>> On Fri, Apr 1, 2016 at 11:01 AM, Kennedy Kairaria via skunkworks <skunkworks@lists.my.co.ke> wrote:
>>> By the time we noticed they were also affected. Incremental backups.
>>> Regards,
>>> *Kennedy Kairaria*
>>> Mobile: (254) 724 615232 kenkairaria@gmail.com | [image: LinkedIn] <http://www.linkedin.com/in/kairaria> http://kennedy-kairaria.g <http://kennedy-kairaria.branded.me/>q
>>> Contact me: [image: Skype] kennedy.kairaria
>>> On 1 April 2016 at 10:58, Brian Ngure <brian@pixie.co.ke> wrote:
>>>> Backups?
>>>> On 1 Apr 2016 10:52 am, "Kennedy Kairaria via skunkworks" <skunkworks@lists.my.co.ke> wrote:
>>>>> Skunk(ette)s,
>>>>> We just got hit with the paycript ransomware on some of our file servers. We've managed to identify the domain accounts running the script and disabled them. Seems to have stopped spreading across the network to our other file servers (for now... 48 hours and counting).
>>>>> Suspected source has also been identified and measures taken. What remains now is finding a way to decrypt the files. The damn fools are asking for 2 BTC for them to decrypt and double the amount to charge by the day if not paid.
>>>>> Anyone else who has had to go through the same? What measures did you take to recover?
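
The containment step Kennedy describes in the quoted post above, identifying the domain accounts running the script and disabling them, is the pivot of the whole incident, so here is an added example (not code from anyone on the thread) of how that attribution can be done from file-share access audit records rather than by guesswork. It assumes audit records carrying a timestamp, account, share-relative path and access mask, loosely modelled on the fields of Windows security event 5145 (network share object access); the column layout, the account names and the `.locked` extension in the sample are all constructed for the example and are not observed PayCript indicators. The logic looks for the encrypt-and-replace pattern, a write of `<file>.<newext>` paired with a delete of `<file>` by the same account seconds apart, and flags an account once enough such pairs land inside a short window. A normal user renaming one file to `.bak` produces one pair and stays below the threshold.

```python
"""Attribute encrypt-and-replace activity on a file share to the account doing it.

Added example for this thread; not code from any participant. The record format
is an ASSUMPTION loosely modelled on Windows event 5145 fields (timestamp, account,
share-relative path, access mask), not the real event text.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WRITE = 0x2        # FILE_WRITE_DATA / FILE_ADD_FILE bit of the access mask
DELETE = 0x10000   # DELETE bit of the access mask

# Constructed sample audit records: one encrypting account, one normal user.
# The ".locked" extension and the account names are invented for this example.
SAMPLE_EVENTS = """\
2016-04-01T09:58:01 CORP\\jdoe    Finance\\Q1\\budget.xlsx          0x2
2016-04-01T09:58:40 CORP\\jdoe    Finance\\Q1\\notes.txt            0x2
2016-04-01T09:59:10 CORP\\kmwangi Finance\\Q1\\budget.xlsx.locked   0x2
2016-04-01T09:59:10 CORP\\kmwangi Finance\\Q1\\budget.xlsx          0x10000
2016-04-01T09:59:11 CORP\\kmwangi Finance\\Q1\\notes.txt.locked     0x2
2016-04-01T09:59:11 CORP\\kmwangi Finance\\Q1\\notes.txt            0x10000
2016-04-01T09:59:12 CORP\\kmwangi HR\\contracts\\offer.docx.locked  0x2
2016-04-01T09:59:12 CORP\\kmwangi HR\\contracts\\offer.docx         0x10000
2016-04-01T09:59:13 CORP\\kmwangi HR\\contracts\\HOW_TO_DECRYPT.txt 0x2
2016-04-01T10:05:00 CORP\\jdoe    Finance\\Q1\\report.docx.bak      0x2
2016-04-01T10:05:01 CORP\\jdoe    Finance\\Q1\\report.docx          0x10000
"""


def parse_events(text):
    """Return (timestamp, account, path, mask) tuples from the constructed format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, rest = line.split(None, 2)
        path, mask = rest.rsplit(None, 1)          # path may itself contain spaces
        events.append((datetime.fromisoformat(ts), account, path, int(mask, 16)))
    return events


def find_encrypting_accounts(events, window=timedelta(minutes=5), min_files=3, pair_gap=30):
    """Return {account: summary} for accounts showing encrypt-and-replace behaviour.

    A pair is a WRITE of <path>.<ext> and a DELETE of <path> by the same account
    within pair_gap seconds. An account is flagged when at least min_files pairs
    fall inside any span of length `window`.
    """
    appended = defaultdict(list)   # (account, original path) -> [(write time, new ext)]
    for ts, acct, path, mask in events:
        name = path.rsplit("\\", 1)[-1]
        if mask & WRITE and "." in name:
            original, ext = path.rsplit(".", 1)
            appended[(acct, original)].append((ts, "." + ext))

    pairs = defaultdict(list)      # account -> [(delete time, original path, new ext)]
    for ts, acct, path, mask in events:
        if not mask & DELETE:
            continue
        for wts, ext in appended.get((acct, path), ()):
            if abs((wts - ts).total_seconds()) <= pair_gap:
                pairs[acct].append((ts, path, ext))
                break

    flagged = {}
    for acct, hits in pairs.items():
        hits.sort()
        best, j = 0, 0             # most pairs inside any window-long span
        for i in range(len(hits)):
            while hits[i][0] - hits[j][0] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= min_files:
            flagged[acct] = {
                "files": len(hits),
                "extensions": sorted({e for _, _, e in hits}),
                "folders": sorted({p.rsplit("\\", 1)[0] for _, p, _ in hits}),
                "first_seen": hits[0][0],
                "last_seen": hits[-1][0],
            }
    return flagged


if __name__ == "__main__":
    for acct, info in find_encrypting_accounts(parse_events(SAMPLE_EVENTS)).items():
        print(f"disable {acct}: {info['files']} files renamed to {info['extensions']} "
              f"in {info['folders']} between {info['first_seen']} and {info['last_seen']}")
```

The summary it returns (which folders, which extension, first and last timestamps) is also the scoping input for the restore: it tells you which backup generation predates the damage and which shares to restore. Thresholds are deliberately tight; one wrongly disabled account costs far less than another hour of encryption on a file server.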

Lol, and that is why I said it is a challenge. There is always that fellow that demands full admin rights.

On 01/04/2016 12:46, MotoBaridi wrote:
@Mark, in many places, user convenience is valued over system/data security, and sysadmins have no say. Block Facebook during work hours, your boss will be breathing down your neck. Block downloading of .exe files, some C-level person will demand you unblock it, you know, so they can download and install FreeScreenSaver.
What's a guy to do?
--
On Fri, Apr 1, 2016 at 12:31 PM, Mark Kipyegon Koskei via skunkworks <skunkworks@lists.my.co.ke> wrote:
No sysadmin worth his salt should trust users with such a big responsibility.
The challenge is to build a resilient system with backups, regular updates and strict control over user rights.
On 01/04/2016 12:17, Brian Ngure wrote:
> Tell people not to be silly and open weird emails and attachments?
> On Fri, Apr 1, 2016 at 12:13 PM, Martin Mugambi via skunkworks <skunkworks@lists.my.co.ke> wrote:
> So how do we stop/prevent that ransomware?
> *From:* Kennedy Kairaria via skunkworks [mailto:skunkworks@lists.my.co.ke]
> *Sent:* Friday, April 01, 2016 11:45 AM
> *To:* Mark Kipyegon Koskei; Skunkworks Mailing List
> *Subject:* Re: [Skunkworks] PayCript Ransomware
> Mark, apparently that seems the case as it's a relatively new ransomware.
> Regards,
> *Kennedy Kairaria*
> Mobile: (254) 724 615232 kenkairaria@gmail.com |
> LinkedIn <http://www.linkedin.com/in/kairaria>
> http://kennedy-kairaria.g <http://kennedy-kairaria.branded.me/>q
> Contact me: Skype kennedy.kairaria
> On 1 April 2016 at 11:39, Mark Kipyegon Koskei via skunkworks <skunkworks@lists.my.co.ke> wrote:
> Have you tried restoring from shadow copy?
> Unless a decryption tool exists for that particular strain of ransomware, then you are SOL.
> On 01/04/2016 11:22, skunkworks-request@lists.my.co.ke wrote:
> >> On Fri, Apr 1, 2016 at 11:01 AM, Kennedy Kairaria via skunkworks <skunkworks@lists.my.co.ke> wrote:
> >>> By the time we noticed they were also affected. Incremental backups.
> >>> Regards,
> >>> *Kennedy Kairaria*
> >>> Mobile: (254) 724 615232 kenkairaria@gmail.com | [image: LinkedIn] <http://www.linkedin.com/in/kairaria> http://kennedy-kairaria.g <http://kennedy-kairaria.branded.me/>q
> >>> Contact me: [image: Skype] kennedy.kairaria
> >>> On 1 April 2016 at 10:58, Brian Ngure <brian@pixie.co.ke> wrote:
> >>>> Backups?
> >>>> On 1 Apr 2016 10:52 am, "Kennedy Kairaria via skunkworks" <skunkworks@lists.my.co.ke> wrote:
> >>>>> Skunk(ette)s,
> >>>>> We just got hit with the paycript ransomware on some of our file servers. We've managed to identify the domain accounts running the script and disabled them. Seems to have stopped spreading across the network to our other file servers (for now... 48 hours and counting).
> >>>>> Suspected source has also been identified and measures taken. What remains now is finding a way to decrypt the files. The damn fools are asking for 2 BTC for them to decrypt and double the amount to charge by the day if not paid.
> >>>>> Anyone else who has had to go through the same? What measures did you take to recover?

Checking SPF records and enforcing DKIM should help curb the spread through mail too.

Regards,
*Kennedy Kairaria*
*Software project management, Applications development & Database Administrator*
Mobile: (+254) 724 615232 [image: LinkedIn] <http://www.linkedin.com/in/kairaria> http://kennedy-kairaria.g <http://kennedy-kairaria.branded.me/>q
Contact me: [image: Skype] kennedy.kairaria

On 1 April 2016 at 12:46, MotoBaridi via skunkworks <skunkworks@lists.my.co.ke> wrote:
@Mark, in many places, user convenience is valued over system/data security, and sysadmins have no say. Block Facebook during work hours, your boss will be breathing down your neck. Block downloading of .exe files, some C-level person will demand you unblock it, you know, so they can download and install FreeScreenSaver.
What's a guy to do?
--
On Fri, Apr 1, 2016 at 12:31 PM, Mark Kipyegon Koskei via skunkworks < skunkworks@lists.my.co.ke> wrote:
No sysadmin worth his salt should trust users with such a big responsibility.
The challenge is to build a resilient system with backups, regular updates and strict control over user rights.
On 01/04/2016 12:17, Brian Ngure wrote:
Tell people not to be silly and open weird emails and attachments?
On Fri, Apr 1, 2016 at 12:13 PM, Martin Mugambi via skunkworks <skunkworks@lists.my.co.ke> wrote:
So how do we stop/prevent that ransomware?

*From:* Kennedy Kairaria via skunkworks [mailto:skunkworks@lists.my.co.ke]
*Sent:* Friday, April 01, 2016 11:45 AM
*To:* Mark Kipyegon Koskei; Skunkworks Mailing List
*Subject:* Re: [Skunkworks] PayCript Ransomware

Mark, apparently that seems the case as it's a relatively new ransomware.

Regards,
*Kennedy Kairaria*
Mobile: (254) 724 615232 kenkairaria@gmail.com |
LinkedIn <http://www.linkedin.com/in/kairaria>
http://kennedy-kairaria.g <http://kennedy-kairaria.branded.me/>q
Contact me: Skype kennedy.kairaria

On 1 April 2016 at 11:39, Mark Kipyegon Koskei via skunkworks <skunkworks@lists.my.co.ke> wrote:
Have you tried restoring from shadow copy?
Unless a decryption tool exists for that particular strain of ransomware, then you are SOL.
On 01/04/2016 11:22, skunkworks-request@lists.my.co.ke wrote:
>> On Fri, Apr 1, 2016 at 11:01 AM, Kennedy Kairaria via skunkworks <skunkworks@lists.my.co.ke> wrote:
>>> By the time we noticed they were also affected. Incremental backups.
>>> Regards,
>>> *Kennedy Kairaria*
>>> Mobile: (254) 724 615232 kenkairaria@gmail.com | [image: LinkedIn] <http://www.linkedin.com/in/kairaria> http://kennedy-kairaria.g <http://kennedy-kairaria.branded.me/>q
>>> Contact me: [image: Skype] kennedy.kairaria
>>> On 1 April 2016 at 10:58, Brian Ngure <brian@pixie.co.ke> wrote:
>>>> Backups?
>>>> On 1 Apr 2016 10:52 am, "Kennedy Kairaria via skunkworks" <skunkworks@lists.my.co.ke> wrote:
>>>>> Skunk(ette)s,
>>>>> We just got hit with the paycript ransomware on some of our file servers. We've managed to identify the domain accounts running the script and disabled them. Seems to have stopped spreading across the network to our other file servers (for now... 48 hours and counting).
>>>>> Suspected source has also been identified and measures taken. What remains now is finding a way to decrypt the files. The damn fools are asking for 2 BTC for them to decrypt and double the amount to charge by the day if not paid.
>>>>> Anyone else who has had to go through the same? What measures did you take to recover?
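
Kennedy's point about SPF and DKIM in the message above, as an added example (not code from anyone on the thread): an offline evaluator for the two checks a mail gateway applies before a phishing attachment ever reaches a user. `spf_evaluate` resolves `ip4`/`ip6`/`all` mechanisms without DNS and reports `needs-dns` when `include`/`a`/`mx`/`redirect` would decide the outcome; `spf_weaknesses` flags the policies that look like protection but are not (`+all`, `~all`, or no `all` term, which leaves unlisted senders at `neutral`); `dkim_signature_issues` does the structural checks on a `DKIM-Signature` header (required tags, the obsolete `rsa-sha1` deprecated by RFC 8301, `From` covered by `h=` as RFC 6376 requires, and `d=` alignment with the `From` domain in the DMARC sense). Verifying the `b=` signature needs the selector's public key from DNS and is outside this example. All records, addresses (RFC 5737 TEST-NET ranges), domains and tag values are constructed; the `bh=` and `b=` values are placeholders, not real hashes or signatures, and the alignment test is an approximation made without a public-suffix list, as noted in the code.

```python
"""Offline SPF and DKIM-Signature sanity checks. Added example for this thread, not
code from any participant. DNS-dependent SPF terms and DKIM signature verification
are reported, not performed."""
import ipaddress
import re

# Constructed sample data: TEST-NET addresses, invented domains, placeholder tags.
SPF_STRICT = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all"
SPF_LAX = "v=spf1 ip4:192.0.2.0/24 ~all"
SPF_OPEN = "v=spf1 +all"
SPF_NEEDS_DNS = "v=spf1 include:_spf.example.net -all"
DKIM_OK = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.co.ke; s=mail2016;"
           " h=from:to:subject:date:message-id; bh=PLACEHOLDERbodyhash=; b=PLACEHOLDERsig=")
DKIM_BAD = "v=1; a=rsa-sha1; d=bulk-mailer.example; s=x; h=from; b=PLACEHOLDER="

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
REQUIRED_DKIM_TAGS = ("v", "a", "d", "s", "h", "bh", "b")


def spf_evaluate(record, sender_ip):
    """check_host() for ip4/ip6/all only; 'needs-dns' when a lookup would decide it."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        low = term.lower()
        if low.startswith("exp="):            # explanation modifier: no effect on result
            continue
        if low.startswith("redirect="):
            return "needs-dns"
        qual = "+"
        if term[0] in QUALIFIER_RESULT:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        name = mech.split("/", 1)[0].lower()  # drop a CIDR suffix such as a/24
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip in net:                     # version mismatch simply does not match
                return QUALIFIER_RESULT[qual]
        elif name == "all":
            return QUALIFIER_RESULT[qual]
        elif name in ("include", "a", "mx", "exists", "ptr"):
            return "needs-dns"
        else:
            return "permerror"                # unknown mechanism (RFC 7208)
    return "neutral"                          # no match, no all/redirect (RFC 7208)


def spf_weaknesses(record):
    """Policy problems that leave a domain spoofable even though it 'has SPF'."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["not an SPF record"]
    issues = []
    alls = [t for t in terms[1:] if t.lstrip("+-~?") == "all"]
    if not alls and not any(t.startswith("redirect=") for t in terms):
        issues.append("no 'all' term: unlisted senders get neutral, which receivers accept")
    for t in alls:
        qual = t[0] if t[0] in QUALIFIER_RESULT else "+"
        if qual == "+":
            issues.append("'+all' lets any host send as this domain")
        elif qual == "~":
            issues.append("'~all' soft fail: spoofed mail is usually still delivered")
        elif qual == "?":
            issues.append("'?all' is neutral: no protection at all")
    return issues


def parse_dkim_signature(header):
    """Split a DKIM-Signature value into tag=value pairs, folding whitespace removed."""
    tags = {}
    for part in header.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = re.sub(r"\s+", "", value)
    return tags


def dkim_signature_issues(header, from_domain):
    """Structural checks only; the b= signature itself is not verified here."""
    tags = parse_dkim_signature(header)
    issues = []
    missing = [t for t in REQUIRED_DKIM_TAGS if t not in tags]
    if missing:
        issues.append("missing required tags: " + ", ".join(missing))
    if tags.get("a", "").lower() == "rsa-sha1":
        issues.append("rsa-sha1 is obsolete (RFC 8301); require rsa-sha256 or ed25519-sha256")
    signed = {h.strip().lower() for h in tags.get("h", "").split(":")}
    if "from" not in signed:
        issues.append("From is not covered by h= (RFC 6376 requires it)")
    d, fd = tags.get("d", "").lower(), from_domain.lower()
    # Assumption: DMARC relaxed alignment approximated without a public-suffix list.
    if d and not (d == fd or fd.endswith("." + d) or d.endswith("." + fd)):
        issues.append(f"d={d} does not align with From domain {fd}")
    return issues
```

The practical reading for a gateway: reject or quarantine on SPF `fail`, treat `softfail`/`neutral` as no protection at all when deciding whether an attachment is trusted, and never let a DKIM pass from an unaligned `d=` count in favour of a message, since anyone can sign mail with their own domain's key.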

hahahahaaa... @brian, the weirder the email/attachment, the more likely it is to be opened and forwarded... who can resist opening "cute_dog_dancing.avi" on a slow Friday afternoon...? Script runs over the weekend... Monday morning chaos, users mad at YOU because they can't access anything...

--

On Fri, Apr 1, 2016 at 12:17 PM, Brian Ngure via skunkworks <skunkworks@lists.my.co.ke> wrote:
Tell people not to be silly and open weird emails and attachments?
On Fri, Apr 1, 2016 at 12:13 PM, Martin Mugambi via skunkworks <skunkworks@lists.my.co.ke> wrote:
So how do we stop/prevent that ransomware?
*From:* Kennedy Kairaria via skunkworks [mailto:skunkworks@lists.my.co.ke]
*Sent:* Friday, April 01, 2016 11:45 AM
*To:* Mark Kipyegon Koskei; Skunkworks Mailing List
*Subject:* Re: [Skunkworks] PayCript Ransomware
Mark, apparently that seems the case as it's a relatively new ransomware.
Regards,
*Kennedy Kairaria*
Mobile: (254) 724 615232 kenkairaria@gmail.com |
[image: LinkedIn] <http://www.linkedin.com/in/kairaria>
http://kennedy-kairaria.g <http://kennedy-kairaria.branded.me/>q
Contact me: [image: Skype] kennedy.kairaria
On 1 April 2016 at 11:39, Mark Kipyegon Koskei via skunkworks <skunkworks@lists.my.co.ke> wrote:
Have you tried restoring from shadow copy?
Unless a decryption tool exists for that particular strain of ransomware, then you are SOL.
On 01/04/2016 11:22, skunkworks-request@lists.my.co.ke wrote:
On Fri, Apr 1, 2016 at 11:01 AM, Kennedy Kairaria via skunkworks <skunkworks@lists.my.co.ke> wrote:
By the time we noticed they were also affected. Incremental backups.
Regards,
*Kennedy Kairaria*
Mobile: (254) 724 615232 kenkairaria@gmail.com | [image: LinkedIn] <http://www.linkedin.com/in/kairaria> http://kennedy-kairaria.g <http://kennedy-kairaria.branded.me/>q
Contact me: [image: Skype] kennedy.kairaria
On 1 April 2016 at 10:58, Brian Ngure <brian@pixie.co.ke> wrote:
Backups?
On 1 Apr 2016 10:52 am, "Kennedy Kairaria via skunkworks" <skunkworks@lists.my.co.ke> wrote:
> Skunk(ette)s,
> We just got hit with the paycript ransomware on some of our file servers. We've managed to identify the domain accounts running the script and disabled them. Seems to have stopped spreading across the network to our other file servers (for now... 48 hours and counting).
> Suspected source has also been identified and measures taken. What remains now is finding a way to decrypt the files. The damn fools are asking for 2 BTC for them to decrypt and double the amount to charge by the day if not paid.
> Anyone else who has had to go through the same? What measures did you take to recover?
-- Regards
Brian Ngure
participants (11)
- Alex Gitahi
- Brian Ngure
- Catherine njoroge
- francis irungu
- geoffrey gitagia
- Jimmy Thuo
- Joseph M Owino
- Kennedy Kairaria
- Mark Kipyegon Koskei
- Martin Mugambi
- MotoBaridi