Sunday, December 22, 2019

Week 4 - THANATOS Ransomware Removal

In my research on computer viruses this week I came across a particularly nasty one called Thanatos. It is ransomware that, once activated, encrypts every file on your computer. Some of the symptoms you might see when you have been infected are that you “can't open files stored on your computer, previously functional files now have a different extension, for example my.docx.locked. A ransom demanding message is displayed on your desktop. Cyber criminals are asking to pay a ransom (usually in bitcoins) to unlock your files.” (pcrisk.com, 2018) When a user logs back in, they are prompted with a text file that states:

"Your computer is encrypted. All data will be lost if you do not pay 0.01 BTC to the specified BTC wallet

1DRAsxW4cKAD1BCS9m2dutduHi3FKqQnZF

After payment you will receive the decryption code from this mail
c-m58@mail.ru"  (pcrisk.com, 2018)

If you receive the above message, then you know you have been infected. Since most of us are Windows 10 users, we will tackle the removal steps for getting rid of this pesky bug on that OS.
The first thing you want to do is click the Windows logo and then the Power icon. Choose Restart while holding the Shift key down. When it reboots it will give you a number of options. Choose Troubleshoot, then Advanced Options. When the next window appears, pick Startup Settings and click Restart. On the next screen, choose option 5, Enable Safe Mode with Networking. Then sign in as normal to the account that is infected. Start your internet browser and download a legitimate anti-spyware program. I have previously mentioned Malwarebytes Anti-Malware in my other blogs and also recommend it here. Once you have the program downloaded and updated, run it and delete all entries dealing with Thanatos or any other abnormalities it discovers.
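Before you start the cleanup it helps to know how far the encryption spread. The PowerShell below is an added example (not from the original post or from pcrisk.com's guide) that inventories files carrying the ".locked" extension named above as a symptom; it assumes that exact extension and scans your own user profile.

```powershell
# Added example, not part of the original post or of pcrisk.com's guide.
# Scope check before cleanup: list files carrying the ".locked" extension
# the post names as a symptom, grouped by folder, and save the list to a CSV.
# Assumptions: the extension on your machine is exactly ".locked" (edit
# $Extension if the ransom note differs) and you are scanning your own profile.
$Root      = $env:USERPROFILE
$Extension = ".locked"

$hits = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq $Extension }

# Folders with the most encrypted files first, so you can see what was hit.
$hits |
    Group-Object -Property DirectoryName |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name |
    Format-Table -AutoSize

"Total files with extension ${Extension}: $($hits.Count)"

# Keep the inventory. Removing the malware does not decrypt these files, so the
# list is what you check against when restoring them from backup.
$csv = Join-Path -Path ([Environment]::GetFolderPath('Desktop')) -ChildPath 'locked-files.csv'
$hits |
    Select-Object -Property FullName, Length, LastWriteTime |
    Export-Csv -Path $csv -NoTypeInformation

# Command-line equivalent of the Shift+Restart > Troubleshoot > Startup Settings
# walk in the post (run from an elevated PowerShell; reboots immediately):
#   bcdedit /set "{current}" safeboot network
#   shutdown /r /t 0
# Once the scan and cleanup are done, clear the flag and reboot normally:
#   bcdedit /deletevalue "{current}" safeboot
```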

Now you're cooking with gas!


Reference

Pcrisk.com (2018). THANATOS Ransomware. Retrieved December 20, 2019, from https://www.pcrisk.com/removal-guides/12339-thanatos-ransomware.

Sunday, December 15, 2019

Week 3 - The Hacktool:Win64/AutoKMS threat

The majority of people in the world use a Microsoft-based operating system. That leads hackers to target Microsoft systems 10 to 1 over other operating systems. If you are an MS user, then you need to be that much more diligent about keeping your system safe from attacks. One virus that has been targeting MS systems as of late is the Hacktool:Win64/AutoKMS threat.

Luckily, this has been identified by Microsoft, and their Windows Defender program is built to automatically detect and remove this threat if it is trying to infiltrate, or has already infiltrated, your system.

"Hack tools are a special kind of riskware. Riskware, in general, is a detection for items that are not strictly malicious, but pose some sort of risk for the user in another way." (Malwarebytes.com)

If you do not have Windows Defender to help you clean this from your system, I might suggest that you get a copy of Malwarebytes. I have been using it for years, and it has protected my system on a daily basis since I got it close to a decade ago.

If you were to use Malwarebytes to clean the hack tool from your system, please follow the steps below to do so.

"Malwarebytes can detect and remove HackTool.AutoKMS without further user interaction.
1. Please download Malwarebytes to your desktop.
2. Double-click MBSetup.exe and follow the prompts to install the program.
3. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
4. Click on the Get started button.
5. Click Scan to start a Threat Scan.
6. Click Quarantine to remove the found threats.
7. Reboot the system if prompted to complete the removal process." (Malwarebytes.com)

Reference

HackTool.AutoKMS. (n.d.). Retrieved December 14, 2019, from https://blog.malwarebytes.com/detections/hacktool-autokms/.


Sunday, December 8, 2019

Week 1/2 - Threat Management Server

In this week's posting we are going to discuss something that can aid in protecting your network against outside threats. This device is called the Threat Management Server.

There are several reasons you would want to install a Threat Management Server (TMS). It has many features that help protect your network. It has a built-in firewall that inspects inbound and outbound traffic and also filters out malware. Its security features also help thwart attempts to exploit vulnerabilities that have not been patched yet. The TMS has routing and remote access capabilities as well: it can act as a router, an internet gateway, a VPN endpoint and a proxy server. Another reason to add a TMS to your network is to make it more efficient by enhancing network performance. It can compress web traffic to improve speed, and it also does web caching.

As you can see, there are many reasons you would want a Threat Management Server as part of your network. If it were me, I would install a Microsoft Forefront TMG (Threat Management Gateway). You can simply download the TMG from Microsoft's website for free. It comes with very straightforward installation instructions to follow. One of the issues you can run into with a TMG is incorrectly configuring your firewall rules, which has the potential to block needed traffic. In a company setting, you could accidentally block customers from reaching your web domain, and this could cause lost revenue. Although you can no longer purchase Microsoft Forefront TMG, it is still supported until April 2020. I can see this support being pushed further into the future as it is still being used today.