How do you go about cleaning up ransomware, do you look for decryption keys in memory or on the file system. What’s the process?

Rrrrr

Rrr

Rrrŕrr

Ŕrŕrrrrrŕ

ok can you stop?

The probascis has come from the inside r u sayng arppoisoning is kinda limp?

Giggity

Probably lies to scare the user.

Wym dedicated box ? Sorry i

@@BossModeGod box = computer set-up (commonly called machine). I didn't want to write machine twice as thought it may be confusing. Turns out box is confusing too. Oh well.

@@threeMetreJim oh well. Appreciate it, anyways.

My guess is that there was an ultra specific use case the developer ran into where he needed to run that specific command or just any command that did nothing. We will probably never know what that use case was. However, it does make it a bit easier for malware classification for both signature and behavior based detection.

There are quite a few ways this can be done, but one of the biggest (and easiest for me to explain) examples I can think of is CVE-2024-22254 from earlier this year. To give a very watered-down explanation, if someone can get admin access to one of your VMs, they can use this exploit to trigger an out-of-bounds write and escape the VM to the host machine. Unfortunately, VMware does not provide many details on the method of exploitation, but there may be a proof of concept I missed. Hope that helps!

@@elementpotato7771 nice sounds interesting

@@elementpotato7771 So just to clarify this up, is a malware able to cause serious damage to my host from the VM, or only minor damage?

@@privatechannel1272 I would say it ultimately depends on the malware, but I believe VM escapes are most commonly used for initial access. They are pretty rare, so it’s hard to say for certain. But honestly, in my business environment, I treat all of them as if they have potential to do serious harm to our systems. The reason for this is because even if the VM escape exploit does not cause harm to the machine at all, and is only used to get initial access to the host machine, attackers can then chain other exploits to do malicious activity to the host anyway. (Sorry for any weird formatting, editing comments on mobile is hard)

@@elementpotato7771 Ok thanks for providing a little more info 👍 I guess I could also look up some videos on this topic too.

It got admin right thought that driver included within the malware. That driver is signed, meaning that it is a legit thing, but it has vulnerabilities for the actually malware to exploit and escalate the privilege to system level.

Bro you’re fucked😅

lol like the private key is literally in the registry😂

Or better ransomware Protection windows firewall sucks my ass

unfortunately it doesn't work that way, there's first the recon stage, bad actors know when best moment to fire of the payload, plus the moment you notice files getting encrypted, it's final stage of a process that started long ago, disconnecting that one pc doesn't mean there the attack is running simultaneously across the network, best bet is having so security best practices in place to contain such threats

@@ekowlloyd I didn't mean a network but I always wondered how ransomware could spread through a network since you would be running it on a non admin account and each accounts drive should have bitlocker

@@tomato.mp4 on a network, the bad actors go through several extend lengths of recon stages to exploit vulnerabilities or find that one colleague that has a file somewhere with passwords stored thinking it's safely hidden, there are tactics to escalate privileges over an extended period, one they gain admin access, they begin the payload. if you are referring to stand-alone device not connected to the network, then indeed pulling the plug might interrupt the payload. ps: no idea why auto-correct messed up my grammar in my first response :p