Ransomware infected pfSense

KOM

Gotta love this guy.  Shows up, claims his pfSense box got own by ransomware, and then disappears into thin air.

brkaus

@KOM:

Gotta love this guy.  Shows up, claims his pfSense box got own by ransomware, and then disappears into thin air.

Possibly embarrassed that the ssh password was "password"

johnpoz

Maybe he just on vac?

MadelineDickson63gmail.c

Another ransomware - http://soft2secure.com/knowledgebase/odin-file-virus
Most ransomware come with email attachments and rogue links - do not click anything suspecious

Harvy66

BritneySpears_Naked.exe!!! OMG! I must click the email attachment!

jimp

@Harvy66:

BritneySpears_Naked.exe!!! OMG! I must click the email attachment!

While also opening the Anna Kournikova equivalent, for good measure.

Koman

I think that the main cause of ransomware infection is between LCD and chair  ;D
As I know the only way to decrypt locked files including this new Odin (http://myspybot.com/odin-virus/) is to use shadow copies extract tools like ShadowExplorer (http://www.shadowexplorer.com/downloads.html) or similar.
But the best option is to have backups of all your important data in separate hard drive/usb drive/cloud.

KOM

But the best option is to have backups of all your important data in separate hard drive/usb drive/cloud.

This has been the best advice for a plethora of computer issues going back 35+ years, but it still seems like everyone has to learn it the hard way.

jimp

And another offline copy in a locked safe off-site.

chris4916

All of this being said, and obviously I do share  ;), there is something to be noticed: with default set-up, meaning not access allowed from outside, pfSense doesn't offer, as far as I understand, anything against brute force attack from the LAN.

Sure one can set-up FW rules to limit this, build VLAN, use strong admin password but if one device on the LAN side get infected by piece of code executing brute force attack against your default gateway, how do you notice and prevent it?

From WAN, this is quite simple… and furthermore covered by default set-up
From LAN, this is another story and perhaps some mechanism "a la fail2ban" may help on the internal side.

jimp

We already have it. 15 denied logins via GUI or SSH gets your IP banned for an hour, even local.

chris4916

Cool, this is what I didn't know. Excellent, thank you.
and most likely enough to fight brute force if your admin paswword is not "password" or "admin"  ;D ;D ;D