On 17.05.2016 at 09:47, Fabian Cenedese wrote:
>> On 16.05.2016 at 07:32, ToddAndMargo wrote:
>>> May I surmise that all the encrypted files now have
>>> an extra extension of ".crypt"? So it is easy to
>>> see who got clobbered.
>>
>> how do you come to that conclusion and even if some malware acts that
>> way what makes you sure you can rely on that? IMHO it would only be so
>> when the developer of the ransomware is a fool!
>>
>> why should he give you something to make a "locate .crypt" on the
>> fileserver and backups easy?
>
> So far most of the ransomware rename the encrypted files and place files with
> instructions with constant names. They don't want to hide the fact that the files
> are encrypted. No, they want you to know that they are and that you have to
> pay to get them back. That's why it's called ransomware. Of course for people
> with backups this makes life a little easier. But for the others...
>
> https://www.reddit.com/r/sysadmin/comments/46361k/list_of_ransomware_extensions_and_known_ransom/

"so far most" != you can rely on

"They don't want to hide the fact that the files are encrypted. No, they want you to know that they are" *yes but* when they are finished and not right after starting to encrypt, when not many files are affected and backups are still in place

what they *really* want is to act in the background and get caught as late as possible, when all your backups contain encrypted versions of important documents
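Added example, not code from the thread or from Samba: a defender-side scan of a share that checks the two name-based signals Fabian describes (renamed files, ransom notes with constant names) and, because Reindl's point is that a rename cannot be relied on, also flags files whose content looks encrypted by byte entropy. Only the ".crypt" extension comes from the thread; the note filename, the sample share and the threshold are constructed assumptions.

```python
import math
import os
import random
import tempfile
from collections import Counter

SUSPECT_EXTENSIONS = {".crypt"}  # the extension named in the thread; extend from a maintained list
RANSOM_NOTE_NAMES = {"HOW_TO_DECRYPT.txt"}  # constructed placeholder, not a real family's note name
ENTROPY_THRESHOLD = 7.5  # bits/byte; text and office documents sit far lower, ciphertext is near 8

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (8.0 is the maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_tree(root: str, sample_bytes: int = 4096) -> dict:
    """Return sorted lists under "renamed", "notes" and "encrypted" for files below `root`."""
    # The content check is what catches a family that encrypts in place without renaming.
    found = {"renamed": [], "notes": [], "encrypted": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name in RANSOM_NOTE_NAMES:
                found["notes"].append(rel)
            if os.path.splitext(name)[1].lower() in SUSPECT_EXTENSIONS:
                found["renamed"].append(rel)
            with open(path, "rb") as fh:
                head = fh.read(sample_bytes)
            # Entropy of a handful of bytes is meaningless; only judge files with enough data.
            if len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
                found["encrypted"].append(rel)
    return {k: sorted(v) for k, v in found.items()}

def demo() -> dict:
    """Write a constructed sample share into a temp dir, scan it and return the result."""
    rng = random.Random(42)  # deterministic stand-in for ciphertext
    sample = {
        "report.docx": b"quarterly report, plain text stand-in\n" * 100,
        "invoice.docx.crypt": rng.randbytes(4096),  # renamed and encrypted
        "budget.xlsx": rng.randbytes(4096),         # encrypted in place, no rename
        "HOW_TO_DECRYPT.txt": b"constructed sample ransom note\n" * 20,
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in sample.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan_tree(root)
```

Compressed media (zip, jpg, mp3) also score high on entropy, so treat that list as triage against a known-good baseline of the share rather than as proof.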
Ransomware Overview:
https://docs.google.com/spreadsheets/d/1q_VSJoSwTv2L29HXouXm-muVfYtzX-VeAuzJUgICIUs/pubhtml

.mp3 even got inside. (I used fail2ban.)

best regards

2016-05-17 12:01 GMT+03:00 Reindl Harald <h.reindl at thelounge.net>:
> [...]
I'm not aware of the latest, but in previous versions, ransomware encrypts all files and after this deletes the original files. If you have a trash/recycle configured, you can recover these files.

On 17/05/2016 8:26 AM, "barış tombul" <bbtombul at gmail.com> wrote:
> [...]
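Added example, not from the thread or the Samba project docs: an smb.conf share that keeps deleted files in a per-user recycle repository with the vfs_recycle module, which is the kind of trash/recycle setup the message above relies on to get originals back after a delete-after-encrypt run. The share name, path and exclusion lists are constructed assumptions.

```ini
[data]
   path = /srv/samba/data
   read only = no
   # Deleted files are moved into the repository instead of being unlinked,
   # so the originals a delete-after-encrypt ransomware removes are recoverable.
   vfs objects = recycle
   recycle:repository = .recycle/%U
   # Keep the directory layout inside the repository so restores are simple.
   recycle:keeptree = yes
   # Keep several copies when the same name is deleted repeatedly (e.g. re-encryption).
   recycle:versions = yes
   # Update the access time on recycled files so a cleanup job can age them out.
   recycle:touch = yes
   recycle:directory_mode = 0700
   # Scratch files that are not worth keeping (constructed list).
   recycle:exclude = *.tmp,*.temp,~$*
   recycle:exclude_dir = /tmp,/cache
   # 0 = no size limit; set a limit if the repository must not fill the volume.
   recycle:maxsize = 0
```

This only catches deletes through Samba: a family that overwrites files in place never unlinks them, and an infected user who can delete from the repository can lose those copies too, so offline backups are still the real safety net.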
An update for the nice link of the ransomware overview

TeslaCrypt 3.0+ Decryptor: http://support.eset.com/kb6051/
CryptXXX Decryptor: http://www.theregister.co.uk/2016/05/18/cryptxxx_decrypted/

Greetz,
Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of barış tombul
> Sent: Tuesday, 17 May 2016 13:00
> To: Reindl Harald
> CC: samba
> Subject: Re: [Samba] Ransomware?
>
> [...]