
Ransomware .qbix passed through ESET Endpoint Security



Hello, yesterday a .qbix ransomware passed through ESET Endpoint on a 2012 R2 Standard Edition server in a business network with about 15 PCs.

Our concern is about all our customers that have ESET Endpoint installed on their servers, and how we can protect them.

Also, if there is something that we can do to decrypt all the infected files, please inform us.


  • Administrators

You wrote that the ransomware passed through ESET. Did you already rule out an attack via RDP when an attacker could log in with administrator rights, pause protection and run the ransomware to encrypt files? This is typically how servers and endpoints get compromised.

Please email samples[at]eset.com and provide the following:
- a handful of examples of encrypted files (ideally Office documents)
- payment instructions (ransomware note)
- logs collected with ESET Log Collector (ESET must be installed and activated on the machine)


Quote

1. How did the [Backdata@qq.com].QBIX ransomware get on my computer?

The [Backdata@qq.com].QBIX ransomware is distributed via spam email containing infected attachments or by exploiting vulnerabilities in the operating system and installed software.

Cyber-criminals spam out an email, with forged header information, tricking you into believing that it is from a shipping company like DHL or FedEx. The email tells you that they tried to deliver a package to you, but failed for some reason. Sometimes the emails claim to be notifications of a shipment you have made. Either way, you can’t resist being curious as to what the email is referring to – and open the attached file (or click on a link embedded inside the email). And with that, your computer is infected with the [Backdata@qq.com].QBIX ransomware.

This ransomware was also observed attacking victims by hacking open Remote Desktop Services (RDP) ports. The attackers scan for the systems running RDP (TCP port 3389), and then attempt to brute force the password for the systems.

https://malwaretips.com/blogs/remove-backdata-qq-com-qbix/


2 minutes ago, One Business said:

The RDP was open, but on a different port number.

The first thing any attacker is going to scan for is open ports on the WAN side of the gateway.

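The compromise pattern described in this thread (an exposed RDP service brute-forced from the WAN, followed by an administrator logon that then pauses protection and runs the ransomware) leaves a recognisable trail in the Windows Security log. The following is an added example, not code from the thread or from ESET: it scans constructed 4625/4624 events for a burst of failed RDP logons from one source address followed by a successful RDP logon from the same address. The threshold, window and the key=value event format are assumptions; real events would come from Get-WinEvent or a SIEM export.

```python
"""Flag RDP logons that follow a burst of failed logons from the same IP.

Constructed example. Event IDs: 4625 = failed logon, 4624 = successful
logon; LogonType 10 = RemoteInteractive (RDP). Threshold and window are
assumed values to tune per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5               # failures from one source before we alert
WINDOW = timedelta(minutes=10)   # failures must fall inside this window

def parse_event(line):
    """Parse one constructed 'key=value ...' event line into a dict."""
    fields = dict(part.split("=", 1) for part in line.split())
    fields["time"] = datetime.strptime(fields["time"], "%Y-%m-%dT%H:%M:%S")
    fields["EventID"] = int(fields["EventID"])
    return fields

def find_bruteforce_logins(lines):
    """Return (ip, user, failure_count) for each RDP success (4624) preceded
    by FAIL_THRESHOLD or more RDP failures (4625) from the same IP in WINDOW."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["time"])
    recent_failures = defaultdict(list)   # source ip -> timestamps of 4625s
    alerts = []
    for ev in events:
        if ev.get("LogonType") != "10":   # only RDP sessions are of interest
            continue
        ip = ev["IpAddress"]
        if ev["EventID"] == 4625:
            recent_failures[ip].append(ev["time"])
        elif ev["EventID"] == 4624:
            fails = [t for t in recent_failures[ip] if t >= ev["time"] - WINDOW]
            if len(fails) >= FAIL_THRESHOLD:
                alerts.append((ip, ev["TargetUserName"], len(fails)))
            recent_failures[ip].clear()   # the burst ended in a success
    return alerts

# Constructed sample: a WAN address hammering RDP, then logging in as Administrator,
# plus one benign mistyped password from the LAN.
SAMPLE_EVENTS = [
    "time=2019-08-20T02:00:01 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=admin",
    "time=2019-08-20T02:00:02 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=admin",
    "time=2019-08-20T02:00:03 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=Administrator",
    "time=2019-08-20T02:00:05 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=Administrator",
    "time=2019-08-20T02:00:06 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=Administrator",
    "time=2019-08-20T02:00:09 EventID=4624 LogonType=10 IpAddress=203.0.113.7 TargetUserName=Administrator",
    "time=2019-08-20T08:15:00 EventID=4625 LogonType=10 IpAddress=192.168.1.20 TargetUserName=jdoe",
    "time=2019-08-20T08:15:20 EventID=4624 LogonType=10 IpAddress=192.168.1.20 TargetUserName=jdoe",
]

if __name__ == "__main__":
    for ip, user, n in find_bruteforce_logins(SAMPLE_EVENTS):
        print(f"ALERT: {ip} logged in as {user} after {n} failed RDP logons")
```

Moving RDP to a non-standard port does not change these events, so the same check applies whatever port the service listens on.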

Since this server has Win 2012 installed on it, have you applied this OS patch: https://forum.eset.com/topic/20484-patch-new-wormable-vulnerabilities-in-remote-desktop-services-cve-2019-11811182/ ?

-EDIT- Also the patch needs to be applied to all endpoint devices.

