[Samba] Ransomware?

Elias Pereira empbilly at gmail.com
Tue May 17 13:38:20 UTC 2016


I'm not aware of the latest ones, but in previous versions, ransomware encrypts
all files and after this it deletes the original files. If you have a
trash/recycle configured, you can recover these files.

On 17/05/2016 8:26 AM, "barış tombul" <bbtombul at gmail.com> wrote:

> Ransomware Overview:
>
> https://docs.google.com/spreadsheets/d/1q_VSJoSwTv2L29HXouXm-muVfYtzX-VeAuzJUgICIUs/pubhtml
>
> .mp3 even got inside. (I used fail2ban.)
>
> best regards
>
>
>
> 2016-05-17 12:01 GMT+03:00 Reindl Harald <h.reindl at thelounge.net>:
>
> >
> >
> > On 17.05.2016 at 09:47, Fabian Cenedese wrote:
> >
> >>
> >> On 16.05.2016 at 07:32, ToddAndMargo wrote:
> >>>
> >>>> May I surmise that all the encrypted files now have
> >>>> an extra extension of ".crypt"?  So it is easy to
> >>>> see who got clobbered.
> >>>>
> >>>
> >>> how do you come to that conclusion and even if some malware acts that
> >>> way what makes you sure you can rely on that? IMHO it would only be so
> >>> when the developer of the ransomware is a fool!
> >>>
> >>> why should he give you something to make a "locate .crypt" on the
> >>> fileserver and backups easy?
> >>>
> >>
> >> So far most of the ransomware rename the encrypted files and place files
> >> with instructions with constant names. They don't want to hide the fact
> >> that the files are encrypted. No, they want you to know that they are and
> >> that you have to pay to get them back. That's why it's called ransomware.
> >> Of course for people with backups this makes life a little easier. But for
> >> the others...
> >>
> >>
> >> https://www.reddit.com/r/sysadmin/comments/46361k/list_of_ransomware_extensions_and_known_ransom/
> >>
> >
> > "so far most" != you can rely on
> >
> > "They don't want to hide the fact that the files are encrypted. No, they
> > want you to know that they are" *yes but* when they are finished and not
> > right after starting to encrypt where not many files are affected and
> > backups still in place
> >
> > what they *really* want is to act in the background and get caught as late
> > as possible when all your backups contain encrypted versions of important
> > documents
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
>
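
An added example, not part of any message in this thread: a check that pairs files held in a Samba recycle bin with live files carrying an appended extension (such as the ".crypt" mentioned above), so originals that can be restored are found without relying on a fixed extension list. It assumes the share uses the vfs_recycle module with `recycle:keeptree = yes` and a repository at `.recycle`; the function names and the sample tree are constructed for illustration.

```python
import tempfile
from pathlib import Path


def restore_candidates(share, recycle):
    """List files kept by the recycle bin whose original path is gone.

    Returns (relative_path, renamed_siblings) tuples. A non-empty sibling list
    means a live file named "<original>.<something>" sits where the original
    was, the rename pattern described in the thread.
    """
    share, recycle = Path(share), Path(recycle)
    found = []
    for kept in sorted(p for p in recycle.rglob("*") if p.is_file()):
        rel = kept.relative_to(recycle)
        live = share / rel
        if live.exists():
            continue  # original still present, nothing to restore
        siblings = []
        if live.parent.is_dir():
            prefix = rel.name + "."
            siblings = sorted(s.name for s in live.parent.iterdir()
                              if s.is_file() and s.name.startswith(prefix))
        found.append((rel.as_posix(), siblings))
    return found


def demo():
    """Build a constructed sample share and return the candidates found."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "share"
        recycle = share / ".recycle"          # assumed repository location
        (share / "docs").mkdir(parents=True)
        (recycle / "docs").mkdir(parents=True)
        # Constructed sample: original deleted, renamed encrypted copy left behind.
        (recycle / "docs" / "report.odt").write_text("original contents")
        (share / "docs" / "report.odt.crypt").write_text("ciphertext")
        # Constructed sample: ordinary deletion, no renamed sibling.
        (recycle / "docs" / "old.tmp").write_text("scratch")
        # Constructed sample: untouched file, not in the recycle bin.
        (share / "docs" / "notes.txt").write_text("still here")
        return restore_candidates(share, recycle)


if __name__ == "__main__":
    for path, siblings in demo():
        print(path, "->", siblings or "no renamed sibling")
```

Entries with an empty sibling list are ordinary deletions; entries with a renamed sibling are the ones to review for restore from the recycle repository.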

