CDOT held ransom
So I have been dealing with this the past few days.
https://www.denverpost.com/2018/02/21/samsam-virus-ransomware-cdot/
My computer as well as the majority of pcs in the building are infected. Many state employees sitting around unable to work since we rely on electronic data so much. The push to go paperless is backfiring.
And we all got new systems in the past 2 months.
Sounds like someone hacked in using a vendor's account vs someone opening a file sent to them.
8 bitcoin per computer
gnihcraes
02-24-2018, 09:16
Wow, hadn't heard about this. I'm a .gov too, thanks. Scary crap. Makes me a bit worried since we connect to some of the state's network.
Sent from my SM-T813 using Tapatalk
KevDen2005
02-24-2018, 09:16
Ridiculous. It's like a movie.
KevDen2005
02-24-2018, 09:16
Wow, hadn't heard about this. I'm a .gov too, thanks. Scary crap. Makes me a bit worried since we connect to some of the state's network.
Sent from my SM-T813 using Tapatalk
As local government I would be like sweet, can't check my email. Oh no.
Bailey Guns
02-24-2018, 09:35
So I have been dealing with this the past few days.
https://www.denverpost.com/2018/02/21/samsam-virus-ransomware-cdot/
My computer as well as the majority of pcs in the building are infected. Many state employees sitting around unable to work since we rely on electronic data so much. The push to go paperless is backfiring.
And we all got new systems in the past 2 months.
Sounds like someone hacked in using a vendor's account vs someone opening a file sent to them.
8 bitcoin per computer
Yep...computers make a lot of things easier but they make a lot of things harder. I can't pump gas unless my handheld computer has an order. So that means if I put gas in a tank, and a customer who lives next door needs gas, I can't service the tank without an order in the computer. And I can't do it myself. I have to call in to the company to place the order for the customer. Then the order is input into the system. Then I have to wait for it to be downloaded to my handheld computer. And all this only works if I have cell service...which isn't very reliable or available in the boonies in northern ID. So, most likely, I'll have to wait to service that customer's tank for an entire week which means making a multi-hour drive back to the same spot I'm at right now. It's a fantastically inefficient and costly way of doing business. But they won't allow drivers to input orders which would save countless man hours and an incredible amount of money.
I know it's not the same as a ransomware attack but same idea. We're still held hostage by a f'ed up way of doing things.
Yep. Everything is tied into Skynet with no real plan B. No one dares trust the front-line people to make a call. We're all too dumb or dishonest to deviate from the script. I remember watching my dad build our first house. He was pissed every time his hammer had to restart for an update.
Carl in the mail room shouldn't have opened the naked Anna Kournikova pics email..
BushMasterBoy
02-24-2018, 10:21
Password on a sticky. Stuck to monitor frame. Posted to instagram. For grandma!
Why didn't they just take a picture of a computer that may or may not belong to CDOT, and send it to CDOT HQ w/ "Final Notice" on the envelope?
"But I wasn't even on the C470 circuit in January!"
"Too bad, pay up."
Zundfolge
02-24-2018, 10:37
8 bitcoin per computer
So by today's valuation that's $81,000 per computer.
At this point just wipe all the computers and start from scratch, it would be cheaper.
SideShow Bob
02-24-2018, 11:33
So I have been dealing with this the past few days.
https://www.denverpost.com/2018/02/21/samsam-virus-ransomware-cdot/
My computer as well as the majority of pcs in the building are infected. Many state employees sitting around unable to work since we rely on electronic data so much. The push to go paperless is backfiring.
And we all got new systems in the past 2 months.
Sounds like someone hacked in using a vendor's account vs someone opening a file sent to them.
8 bitcoin per computer
Yep, rumors are that we will need to go back to the pre-SAP “Green Sheets” for a little while,
Wonder how February's payroll is going to be handled? And the OT that is due this month... And of course the OT that I have racked up this month..... And the fiasco of the bi-monthly pay implementation that is coming soon.
So by today's valuation that's $81,000 per computer.
At this point just wipe all the computers and start from scratch, it would be cheaper.
They are wiping infected computers now. But still have just started at HQ. I'm guessing at least a month before all is fixed.
They are wiping infected computers now. But still have just started at HQ. I'm guessing at least a month before all is fixed.
Wow. A month? They could really use some automation.
Were the users given least privileged accounts or was everyone a local Admin? Hopefully there weren't any users connected to a network file share with permissions to modify the files.
hollohas
02-24-2018, 13:21
CDOT has 2000+ employee computers?
Wow. A month? They could really use some automation.
Were the users given least privileged accounts or was everyone a local Admin? Hopefully there weren't any users connected to a network file share with permissions to modify the files.
Not sure exactly what you are asking. But we cannot install software without IT connecting to and installing it. Exception is advertised software on the servers.
The virus was pushed to user pcs from the server. Not all systems were affected.
I'm guessing on the time based on how many pcs need cleaning and how long it took to roll out the new pcs.
And yes there are over 2000 computers at CDOT. I think it's approximately 3600 employees.
CDOT has 2000+ employee computers?
This does tell an interesting story about an agency whose job is to maintain roads (not something like administer benefits). Unless the roads are maintained by computer, then it makes sense. But I think we're a few years off from that.
What AV was CDOT using?
I'm part of the security team responding to this incident; not really good for those involved to talk about it while the incident is still in process. I haven't seen anything sensitive posted so far, but thought I would just post a friendly warning.
Understood.
When this is over, if someone can tell me what AV to avoid, I'd appreciate it.
This does tell an interesting story about an agency whose job is to maintain roads (not something like administer benefits). Unless the roads are maintained by computer, then it makes sense. But I think we're a few years off from that.
What AV was CDOT using?
It's in the link above. They are running McAfee. CDOT provided a sample to McAfee and the crypto malware was found to be a new variant which McAfee provided a new DAT to catch.
You can get hit no matter the AV solution. I've managed McAfee in an environment of over 16k systems and it's a good product, but it's only as good as the person managing all of the variables to best suit the environment.
If you're allowing autorun on drives, which includes mapped network drives, it only takes one system to drop an autorun file on the network share to infect all systems using that network share. Ran into that when McAfee kept cleaning an autorun file accessed over the network when Trend AV wasn't catching the infected file on the file server.
Sent from my SM-T700 using Tapatalk
kidicarus13
02-24-2018, 14:56
I'm part of the security team responding to this incident; not really good for those involved to talk about it while the incident is still in process. I haven't seen anything sensitive posted so far, but thought I would just post a friendly warning.
FASTER!
jk
This does tell an interesting story about an agency whose job is to maintain roads (not something like administer benefits). Unless the roads are maintained by computer, then it makes sense. But I think we're a few years off from that.
What AV was CDOT using?
CDOT is one of the largest engineering companies in the state. They are not just plow drivers and pot hole fillers.
The in-house engineering saves the state a lot of cash. Hiring consultant companies to design and administer projects costs at least 3x as much as a state employee. Consultant-designed projects have more errors than in-house designs, as those designers are not familiar with state and federal requirements. Yes, there are some inefficiencies, mostly due to meeting federal tracking and reporting regs, but the agency is fairly lean. Hasn't grown since the 1970s even as budgets grew.
It's in the link above. They are running McAfee. CDOT provided a sample to McAfee and the crypto malware was found to be a new variant which McAfee provided a new DAT to catch.
You can get hit no matter the AV solution. I've managed McAfee in an environment of over 16k systems and it's a good product, but it's only as good as the person managing all of the variables to best suit the environment.
If you're allowing autorun on drives, which includes mapped network drives, it only takes one system to drop an autorun file on the network share to infect all systems using that network share. Ran into that when McAfee kept cleaning an autorun file accessed over the network when Trend AV wasn't catching the infected file on the file server.
Sent from my SM-T700 using Tapatalk
That really sucks!
I just checked my machines and all are set to Default Auto Run which is the "Vista" behavior (prompt before run).
gnihcraes
02-24-2018, 17:22
I'll admit, I've been out of that game for awhile, but McAfee used to be to AV what AOL was to the internet. Something your grandma (or the gov) was suckered into using that had the same actual value as shit. It used to be a virus in and of itself.
Maybe it's competitive now, but knowing where it came from I'd never touch it. I have a hard time believing it's improved much. Normally, if you want great security, find what software the government is using, and avoid that. The gov't traditionally uses some of the shittiest and least secure programs out there, and it's hard to break tradition. The whole government contracts thing and all....
(Not meant to be offensive to anyone in IT at these agencies, blah blah blah, but for instance, what operating system is every agency still running on? Ah.. yeah... What are the servers? Oh... yeah...)
Also ETA: Not saying an AV would have prevented this either. Just saying I wouldn't recommend McCrappy as good software for home use, knowing the history of it.
No offense taken. :) Budgets, money, people and time. My agency is working pretty hard to keep up with the latest and greatest stuff. We're still behind on many things though. McAfee stinks. We're changing. Thankfully we stay off the state's network and have our own. This proves a good reason to keep it that way.
McAfee for home use does suck (different software stack from enterprise software). The enterprise solutions, including ePolicy Orchestrator for management, work quite well. Nothing is perfect.
We block autorun behavior on all Windows systems via Group Policy. It's an easy fix.
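The autorun-on-mapped-drives point earlier in the thread and the Group Policy fix mentioned here can be checked per machine. This is an added audit script, not code from the thread or from CDOT; it assumes a Windows host with PowerShell, reads the two Explorer policy values (NoDriveTypeAutoRun and NoAutorun) from both HKLM and HKCU, and reports which drive types the mask leaves uncovered, with the network-drive bit called out.

```powershell
# Added example: audit whether AutoRun is policy-disabled for every drive
# type, including mapped network drives (DRIVE_REMOTE). Assumes Windows
# and read access to the Explorer policy keys; no changes are made.

# Bit values of the NoDriveTypeAutoRun mask, one bit per drive type.
$DriveTypeBits = [ordered]@{
    'Unknown'   = 0x01
    'NoRoot'    = 0x02
    'Removable' = 0x04
    'Fixed'     = 0x08
    'Remote'    = 0x10   # mapped network drives, the share scenario above
    'CDROM'     = 0x20
    'RamDisk'   = 0x40
    'Reserved'  = 0x80
}

function Get-AutoRunPolicy {
    param([string]$Hive)   # 'HKLM' = machine policy, 'HKCU' = user policy
    $key = "${Hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    # Missing key or value means no policy is enforced; the OS default applies.
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Hive               = $Hive
        NoDriveTypeAutoRun = $props.NoDriveTypeAutoRun   # $null if unset
        NoAutorun          = $props.NoAutorun            # 1 = ignore autorun.inf
    }
}

function Test-AutoRunHardened {
    param([psobject]$Policy)
    # The GPO "Turn off AutoPlay" set to "All drives" writes 0xFF here.
    $mask = if ($null -eq $Policy.NoDriveTypeAutoRun) { 0 } else { [int]$Policy.NoDriveTypeAutoRun }
    $uncovered = foreach ($entry in $DriveTypeBits.GetEnumerator()) {
        if (($mask -band $entry.Value) -eq 0) { $entry.Key }
    }
    [pscustomobject]@{
        Hive              = $Policy.Hive
        Mask              = ('0x{0:X2}' -f $mask)
        AutorunInfBlocked = ($Policy.NoAutorun -eq 1)
        RemoteCovered     = (($mask -band 0x10) -ne 0)
        UncoveredTypes    = ($uncovered -join ', ')
    }
}

# Report both hives; a hardened host shows Mask 0xFF, RemoteCovered True
# and AutorunInfBlocked True in at least the HKLM row.
foreach ($hive in 'HKLM', 'HKCU') {
    Test-AutoRunHardened -Policy (Get-AutoRunPolicy -Hive $hive)
}
```

A row with Mask 0x00 means no policy is set in that hive, not that autorun is enabled for everything; it only tells you the setting is not being enforced centrally.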
The only thing decent about McAfee products is EPO. I still think EPO is overly complicated. McAfee believes they have you by the short hairs because of EPO. ENS 10.x is a little better in the AV department but still lags the more innovative newcomers. Many of the newcomers are former McAfee employees who set off on their own to start new companies and start with a new foundation not dependent upon signature-based detection. McAfee needs to be taken out to pasture. The salesmen are a bunch of used car sales rejects, the engineering dept isn't capable of fixing a long list of known bugs and the company has been spun off so many times they can't come up with an identity better than cocaine cowboy John "McAfee".
I'd start switching now unless you want to become a victim of every piece of ransomware and variants coming down the pipe. I'd recommend setting up an isolated lab with virtual workstations configured like the corporate desktop images (different pw's, similar GPO's). Get malware samples and test away.... All companies and state/govt agencies should be doing this on a continuing basis anyway.
This info is based on horrors of working with many of their products over a long period of time in multiple industries. I'd recommend getting out of McAfee before the state gets burned again. Easier said than done, huh? It shouldn't be as political as it is given the loss of so many workstations, but the decision will be laden with doubt, funding, testing, project planning and just plain craziness. All I can say is good luck, but leave McAfee in the rear view mirror.
BushMasterBoy
02-26-2018, 18:47
A briefing given to me by a very secretive government agency stated they were using Norton products. I had fairly good success with Norton.
I read somewhere that Symantec was getting out of the AV business.
https://www.theregister.co.uk/2014/05/06/symantec_antivirus_is_dead_and_not_a_moneymaker/
Bailey Guns
02-26-2018, 19:33
I just got out of the Symantec business after their NRA bullshit.
I just got out of the Symantec business after their NRA bullshit.
Yep and amen.
Curious to hear how all this plays out as I am in the .gov sector too and we are in the midst of getting rid of Kaspersky.
1 week, still down.
What's even more humorous is that Presidents' Day weekend, they pushed an updated security patch to prevent this kind of thing.
BPTactical
02-28-2018, 14:03
End of the month.
Yall get paid ok?
End of the month.
Yall get paid ok?
Yes. That was the 1st thing they focused on.
SideShow Bob
02-28-2018, 17:46
But it’s going to be hell entering the OT from Feb. and the RT for Mar. into SAP when it is finally fixed so that we can catch up.
And being on call is a total pain in the arse, our coms are still down, so we can’t view or fix the traffic signals remotely.
2 weeks in, no progress. All computers, infected or not have been confiscated.
Frustrating, but funny at the same time. Yesterday a construction crew hit a power line and killed the power to our building as well. So in the dark, literally.
That certainly doesn't sound like the private sector response.
Do yo' thang, sys admins...
https://i.imgur.com/44SyTYt.png
That certainly doesn't sound like the private sector response.
The funding was re-routed to the junkies and their dealers.
Do yo' thang, sys admins...
https://i.imgur.com/44SyTYt.png
I'm old enough that the pic is very funny to me. [Coffee]
GilpinGuy
03-08-2018, 11:11
Do yo' thang, sys admins...
https://i.imgur.com/44SyTYt.png
I don't get what those tiles are supposed to mean. And what is that big square thing? [hammer]
I'm old enough that the pic is very funny to me. [Coffee]
me too
I'm old enough that the pic is very funny to me. [Coffee]
Me too. Like the degausser too.
The magnet is the crown jewel of the presentation.
Clearly I don't understand this ransomware stuff. Isn't this what backups are for? Just wipe everything and restore from last night's backups. No?
Clearly I don't understand this ransomware stuff. Isn't this what backups are for? Just wipe everything and restore from last night's backups. No?
Backups, a lot of times, are for servers and critical infrastructure, not for endpoint usage. To conduct a backup of an enterprise's entire infrastructure -- every single host, etc., every day would be a massive overload on the architecture.
Imagine 2k endpoints w/ 250GB of data each, but let's just leave out the data servers, etc. (which is where a huge amount of the data resides).
That = 500,000 gigabytes, which can also be expressed as:
4,294,967,296,000,000 bits
536,870,912,000,000 bytes
524,288,000,000 kilobytes
512,000,000 megabytes
500,000 gigabytes
488.28125 terabytes
Plus, once the malware is on there it's best to simply wipe it and reimage. Otherwise, you are gambling that some aspect of that malicious code is no longer on the machine -- perhaps having embedded and hidden itself in something innocuous to spring up again. Reimaging a single device takes about 30 minutes to an hour, depending on things. If all went well, and just considering the best case scenario, it would take 1000 hours to reimage the enterprise's workstations. Most shops are set up for imaging a few machines at a time. Enterprise upgrades are planned out for months at a time and usually a dedicated team handles it.
CDOT got hosed.
I would argue that users shouldn't be saving data to their local hard drives, beyond maybe a few files they're actively working on, but I get your point: it's not that the fix is complicated, but that it takes a long time.
Do these ransomware viruses encrypt NASs / SANs also? If so maybe the backups would be gone too. Tapes FTW!
I agree with you about not saving a ton of stuff locally, but in my experience it takes someone losing everything to drive that point home.
BPTactical
03-08-2018, 20:41
Glad I retired from CDOT in '13. I was a Data Specialist, life would suck for me right now...
Don't know if this belongs here but I had a Jr. dev on my team run rm -rf on a very large very important server the other day. Everything was backed up but it was still a major pain in the ass to restore. Kid asked me what to do when it happened, all freaked out. My answer was start groveling because I'm not going to let this train run me over.
edit: I'm not his boss, he's just on my team.
Don't know if this belongs here but I had a Jr. dev on my team run rm -rf on a very large very important server the other day. Everything was backed up but it was still a major pain in the ass to restore. Kid asked me what to do when it happened, all freaked out. My answer was start groveling because I'm not going to let this train run me over.
edit: I'm not his boss, he's just on my team.
Ouch.
theGinsue
03-08-2018, 22:33
Don't know if this belongs here but I had a Jr. dev on my team run rm -rf on a very large very important server the other day. Everything was backed up but it was still a major pain in the ass to restore. Kid asked me what to do when it happened, all freaked out. My answer was start groveling because I'm not going to let this train run me over.
edit: I'm not his boss, he's just on my team.
Was he @ root level, or deeper into the file structure?
.455_Hunter
03-09-2018, 08:25
Glad I retired from CDOT in '13. I was a Data Specialist, life would suck for me right now...
Standby to be recalled.
Standby to be recalled.
Not a worry, can not happen.
https://i.imgur.com/cXzWvgM.jpg
Was he @ root level, or deeper into the file structure?
Not at the root level. It was a pretty important folder on our NAS that many other teams use too. I've never personally done that one but I've made a few mistakes that I'll never make twice. In the end I told him to file it under that category.