Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi all! We have been experiencing an issue on site where threads have been missing the latest postings. The platform host Vanilla are working on this issue. A workaround that has been used by some is to navigate back from 1 to 10+ pages to re-sync the thread and this will then show the latest posts. Thanks, Mike.
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

WannaCry Enterprise

  • 25-05-2017 8:12am
    #1
    Registered Users, Registered Users 2 Posts: 6,393 ✭✭✭


    I know there's a thread or two on ransomware/wannacry but not covering this aspect.

    Hypothetical question about general behavior of ransomware should it ever infect an enterprise and in particular its impact on network shares and recovery.

    So, likely scenario is: first machine gets infected and sets about its nasty payload of encrypting everything it can see - some of which (depending on account privileges) will be network shares. That's fine - Curse, remove, restore, curse some more, yada yada, curse some more, and head home very late into the evening. However in the meantime the ransomware has wormed its way onto another or many other machines which also set about their nasty payloads - so rinse and repeat the above (a lot of cursing by the end of the day I suspect).

    Anyway to the question, will the ransomware ignore files encrypted by other infections or will it indiscriminately set about encrypting everything in sight including files previously encrypted.

    I suspect it is indiscriminate in its execution of the payload however as most (maybe all) that I've researched do change the file extension, there is a glimmer of hope that recovery via payment of ransom would be possible.

    But, if it is the case that it is indiscriminate in its approach, then paying a ransom (which we know we should never do anyway) is a bit futile either ways as unless you know the exact order that individual files on your network shares are encrypted and decrypt them in that order having paid what therefore i'm guessing would be multiple ransoms in respect of each infected machine, and worse still in a multiple infection situation and parallel execution of the ransomware payload, it equates to an almost certain impossibility. So, a ransom paid in such an enterprise environment could at best only restore a single local working machine (assuming their decryption is successful).

    Has anyone looked at the behaviour in a sandboxed network environment to see what sequencing the ransomware may be using?

    Thanks


Advertisement