This morning a client called and showed this
on his Windows server...
1. Ransomware is an affiliate program or business today
https://www.wired.com/story/state-of-ransomware-2024/
2. Oops, I told the forum about this attack
Some Lockbit information -> https://www.cisa.gov/news-events/cybers ... /aa23-075a
LockBit Command Line Parameters

| Parameters | Description |
|---|---|
| -del | Self-delete |
| -gdel | Remove LockBit 3.0 group policy changes. |
| -gspd | Spread laterally via group policy. |
| -pass | (32 character value) (Required) Password used to launch LockBit 3.0 |
| -path | (File or path) Only encrypts provided file or folder |
| -psex | Spread laterally via admin shares |
| -safe | Reboot host into Safe Mode |
| -wall | Sets LockBit 3.0 Wallpaper and prints out LockBit 3.0 ransom note |
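
Added example, not part of the original thread or the CISA advisory: a small triage function that checks process-creation command lines (for instance exported from Windows event logs) against the switches in the table above. The verdict levels, function names and sample log lines are assumptions of this example.

```python
import shlex

# Switches from the parameter table above (as quoted from the CISA advisory).
LOCKBIT_SWITCHES = {"-del", "-gdel", "-gspd", "-pass", "-path",
                    "-psex", "-safe", "-wall"}


def classify(cmdline):
    """Return (verdict, switches_seen) for one process-creation command line.

    Assumed heuristic (this example's, not CISA's):
      "high" = -pass followed by a 32-character value, which the table
               lists as required to launch LockBit 3.0
      "low"  = two or more table switches but no valid -pass; the names
               are generic, so this is only a hint for review
      "none" = anything else
    """
    try:
        # posix=False keeps Windows backslashes in paths intact.
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quotes, e.g. a truncated log field
        tokens = cmdline.split()

    seen, valid_pass = set(), False
    for i, tok in enumerate(tokens):
        low = tok.lower()
        if i == 0 or low not in LOCKBIT_SWITCHES:  # token 0 is the image path
            continue
        seen.add(low)
        if low == "-pass" and i + 1 < len(tokens):
            valid_pass = valid_pass or len(tokens[i + 1].strip('"')) == 32
    if valid_pass:
        return "high", seen
    return ("low" if len(seen) >= 2 else "none"), seen


# Constructed sample command lines (not taken from any real incident).
SAMPLE_EVENTS = [
    r"C:\Users\Public\a1.exe -pass 0123456789abcdef0123456789abcdef -psex",
    r"C:\Windows\System32\cmd.exe /c del C:\temp\old.log",
    r"C:\tools\backup.exe -path D:\data -safe",
    r"C:\tools\zip.exe -pass hunter2 archive.zip",
]

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        verdict, seen = classify(line)
        if verdict != "none":
            print(f"[{verdict}] {sorted(seen)} :: {line}")
```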
Thank you, @rockedge. It's good to know.
I took care of that 'Sunday night ransomware' by replacing
the disk with the 'Friday bare-metal back up' (disk clone).
Dunno why lotsa attacks happen on Monday (in my experience).
@Flash
Though "negotiation" was mentioned, who would negotiate with those kinda people?
Yes, most likely with bitcoin.
That's why I stick to *nightly bare-metal back up (Mon-Fri disks) + *unlimited capacity
& *unlimited versions of cloud back up for businesses.
* Healthcare-related offices are the top targets for ransomware artists cuz the industry
can't afford to lose time.
@sonny That's a smart approach. I was going to say just throw out the HDD and replace with the backup.
Literally toss the drive into the world of electronic junk and never even respond to the extortionists.
You've got great discipline and the diligence to consistently perform the backups.