MrWrighty 6, posted June 8, 2017 (edited)

Just been hit by Cry36. All files encrypted and the last part of the name includes [don-corleone@mortalkombat.su].vs95l. Running 4.5 File Security on the server and 5.0 ESET Endpoint protection on all clients, all managed by Remote Administrator. Real-time protection had been disabled by the encryptor program on the server. ESET failed to recognise the encryptor files. Server is SBS2011 and clients are Windows 7 64-bit and Windows 10 64-bit. Have run the ESETEternalBlueChecker.exe and the server passed the test. It is fully patched. How did this get through?

Edited June 8, 2017 by MrWrighty
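A triage helper for the situation described above, added here as an example and not part of the original post or an ESET tool: it walks a share, flags files carrying the Cry36-style "[email].ext" suffix and the "### DECRYPT MY FILES ###.txt" note, and summarises which directories were hit. The sample tree it builds is constructed for the demo; the suffix pattern and note name are taken from the post.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Cry36 appends "[<contact email>].<ext>" to every encrypted file name, e.g.
# "budget.xlsx[don-corleone@mortalkombat.su].vs95l" (as reported in the post),
# and drops a ransom note named "### DECRYPT MY FILES ###.txt" beside the files.
ENCRYPTED_NAME = re.compile(r"\[([^\[\]\s]+@[^\[\]\s]+)\]\.([A-Za-z0-9]{3,8})$")
RANSOM_NOTE = "### DECRYPT MY FILES ###.txt"


def scan_tree(root):
    """Walk root and return {"encrypted": [...], "notes": [...],
    "contacts": Counter, "dirs_hit": Counter} without opening file contents."""
    result = {"encrypted": [], "notes": [], "contacts": Counter(), "dirs_hit": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                result["notes"].append(path)
                continue
            m = ENCRYPTED_NAME.search(name)
            if m:  # group(1) is the attacker contact address, group(2) the suffix
                result["encrypted"].append(path)
                result["contacts"][m.group(1)] += 1
                result["dirs_hit"][dirpath] += 1
    return result


def build_sample_tree():
    """Constructed sample share for an offline run (not real victim data)."""
    root = Path(tempfile.mkdtemp(prefix="cry36_demo_"))
    fin = root / "finance"
    fin.mkdir()
    (fin / "budget.xlsx[don-corleone@mortalkombat.su].vs95l").write_bytes(b"\x00" * 16)
    (fin / "q2.docx[don-corleone@mortalkombat.su].vs95l").write_bytes(b"\x00" * 16)
    (fin / RANSOM_NOTE).write_text("constructed note text")
    (root / "readme.txt").write_text("untouched file")
    (root / "contacts@list.csv").write_text("has an @ but no [..].ext suffix")
    return root


if __name__ == "__main__":
    r = scan_tree(build_sample_tree())
    print(f"{len(r['encrypted'])} encrypted files, {len(r['notes'])} ransom notes")
    print("directories hit:", dict(r["dirs_hit"]))
    print("attacker contacts:", dict(r["contacts"]))
```

Run it against a mounted copy of the affected share; the contact address and directory counts are what the samples[at]eset.com submission and the restore plan need first.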
Marcos 4,704 (Administrator), posted June 8, 2017

EFSW 4.5 is very old and modern Windows Server systems are not fully supported. What's more, it's missing advanced protection technologies for protecting against advanced malware, such as LiveGrid, Advanced Memory Scanner, Exploit Blocker, etc. I'd strongly recommend uninstalling EFSW 4.5, installing v6.5 and protecting the settings with a password to prevent potential attackers from disabling or uninstalling the AV. The same goes for Endpoint and ERA; the latest version providing the best protection is ESET Endpoint Security 6.5, which also includes the Network attack protection module, as opposed to ESET Endpoint Antivirus. This module was able to proactively protect unpatched computers from the recent WannaCry attacks when the EternalBlue exploit was used to spread WannaCry through the LAN. ESET Endpoint Security v6 was one of 3 security products to prevent exploitation of the infamous vulnerability in SMB. As for decryption possibilities, please email samples[at]eset.com a couple of encrypted Office documents, the payment instructions, as well as a zip archive generated by ESET Log Collector as per the instructions linked in my signature.
MrWrighty 6 (Author), posted June 8, 2017

If that is the case, why are ERA Console and Server telling me I have the latest version? There is no indication from the product that I am under-protected. Surely under the circumstances ERA should indicate there are later versions available. By the way, there is no warning screen, just a file ### DECRYPT MY FILES ###.txt which I cannot open (Access Denied).
Vo Giang 0, posted June 9, 2017

Me too! He requested payment of 4 BTC.