Jump to content

Just been hit by Cry36


Recommended Posts

Just been hit by Cry36. All files encrypted and the last part of the name includes [don-corleone@mortalkombat.su].vs95l

Running 4.5 File Security on server and 5.0 Set Endpoint protection on all clients. All managed by Remote Administrator.

Real time protect had been disabled by the encryptor program on the server.

Set failed to recognise the encryptor files.

Server is SBS2011 and Clients are Windows 7 64bit and Windows 10 64bit.

Have run the ESETEternalBlueChecker.exe and the server passed the test. It is fully patched.

How did this get through.

Edited by MrWrighty
Link to comment
Share on other sites

  • Administrators

EFSW 4.5 is very old and modern Windows Server systems are not fully supported. What's more, it's missing advanced protection technologies for protecting against advanced malware, such as LiveGrid, Advanced Memory Scanner, Exploit Blocker, etc.

I'd strongly recommend uninstalling EFSW 4.5, installing v6.5 and protecting the settings with a password to prevent potential attackers from disabling or uninstalling the AV. The same goes for Endpoint and ERA; the latest version providing best protection is ESET Endpoint Security 6.5 which also includes Network attack protection module as opposed to ESET Endpoint Antivirus. This module was able to proactively protect unpatched computers from recent WannCry attacks when EternalBlue exploit was exploited to spread WannaCry through LAN. ESET Endpoint Security v6 was one of 3 security products to prevent exploitation of the infamous vulnerability in SMB.

As for decryption possibilities, please email samples[at]eset.com a couple of encrypted Office documents, payment instructions as well as a zip archive generated by ESET Log Collector as per the instructions linked in my signature.


Link to comment
Share on other sites

If that is the case, why is ERA Console and Server telling me I have the latest version. There is no indication from the product that I am under protected.

Surely under the circumstances ERA should indicate there are later versions available.

By the way there is no warning screen just a file ### DECRYPT MY FILES ###.txt which I cannot open (Access Denied)


Link to comment
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...