Ransomware: Versions that spread in the network and attack locked files from SQL Servers are coming up

by butsch 3. March 2016 18:25

Ransomware in Switzerland/Schweiz: Locky, CryptoLocker, what will come next, and what if they spread within the LAN and attack SQL/Exchange and backup files/dumps?


MAR/2016: Several Swiss companies, including government bodies and hospitals/healthcare providers, have been hit by ransomware in the last few weeks. This ranges from SMEs (KMU, SBS) to enterprises. At least people are beginning to think about security in a new way again.

The ransomware wave will also wipe out smaller security AV firms because they don't supply the full range of systems and appliances customers need to solve the current problem. Price and budget suddenly do not matter, and more expensive appliances come into play.

Either you move to enterprise security or you turn off the Internet. If you don't follow one of these paths you will sooner or later lose data, because "Murphy's law" will make sure that incremental backup job X-1 did not run on day X, the day you catch the next ransomware.


What's the problem or the news, since I restore files and all seems fine? Our IT budget leaves me no other solution as CIO.

The latest McAfee blog shows a direction we are afraid of; if you are not, you may need to investigate and read further, or you have a very optimistic view.

The attackers are beginning to target SQL dumps, SQL files and, for example, Veeam files.


In short, all files which are important and locked. With some OS exploits or tools like Mimikatz an attacker may obtain Domain Admin or service user credentials, and that's where the fun will begin and enterprises will jump around in panic. (https://adsecurity.org/?p=2362)

To profit from ransomware, attackers will start taking down database servers, or Exchange servers with smaller databases like Public Folders, so they can encrypt those.

Often those have their own backup solution, like replicas in SQL or a DAG with local storage in Exchange. The whole Veeam and B2D-only revolution gives us another headache in that direction.

Even when you use separate credentials for NAS/SAN/CIFS, how safe are those and where are they stored?



Sample code from the McAfee analysis, with SQL parts

After the ransomware and key have been distributed to the victim's machines, sqlsrvtmg1.exe and the batch file re1.bat are also distributed.



@echo off
for /f "delims=" %%a in (list.txt) do ps -s \\%%a cmd.exe /c if exist C:\windows\sqlsrvtmg1.exe start /b C:\windows\sqlsrvtmg1.exe



Filename: Sqlsrvtmg1.exe

MD5: 5cde5adbc47fa8b414cdce72b48fa783


The main function of the file "sqlsrvtmg1.exe" is to search for locked files, especially backup related files.
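
A defender-side triage of process-creation telemetry for the indicators quoted above, as an added example that is not from this post or from McAfee's analysis: it flags the file name, the MD5, and the `if exist ... start /b` launch line from re1.bat. The event field names (Computer, Image, CommandLine, Hashes), host names and all sample events are constructed assumptions.

```python
import json
import re

# IoCs quoted in the post; all events and field names below are constructed.
IOC_MD5 = "5cde5adbc47fa8b414cdce72b48fa783"
IOC_NAME = "sqlsrvtmg1.exe"
MD5_RE = re.compile(r"(?:^|,)\s*MD5=([0-9a-f]{32})", re.IGNORECASE)

# "cmd.exe /c if exist <exe> start /b <same exe>": the launch line from re1.bat.
LAUNCH_RE = re.compile(
    r'cmd(?:\.exe)?"?\s+/c\s+if\s+exist\s+"?(?P<path>[a-z]:\\[^"\s]+\.exe)"?'
    r'\s+start\s+/b\s+"?(?P=path)',
    re.IGNORECASE,
)

def triage(event):
    """Return the reasons a process-creation event matches the post's indicators."""
    reasons = []
    m = MD5_RE.search(event.get("Hashes", ""))
    if m and m.group(1).lower() == IOC_MD5:
        reasons.append("md5")          # survives a rename of the binary
    if event.get("Image", "").lower().rsplit("\\", 1)[-1] == IOC_NAME:
        reasons.append("filename")
    if LAUNCH_RE.search(event.get("CommandLine", "")):
        reasons.append("launch-pattern")  # survives a rebuilt binary
    return reasons

def scan(lines):
    """Return (host, reasons) for each JSON event line with at least one match."""
    events = (json.loads(line) for line in lines)
    return [(e.get("Computer", "?"), r) for e in events if (r := triage(e))]

# Constructed sample telemetry, one JSON object per line (not real logs).
SAMPLE = [json.dumps(e) for e in (
    {"Computer": "SQL01", "Image": r"C:\Windows\System32\cmd.exe", "Hashes": "",
     "CommandLine": r"cmd.exe /c if exist C:\windows\sqlsrvtmg1.exe start /b C:\windows\sqlsrvtmg1.exe"},
    {"Computer": "SQL01", "Image": r"C:\windows\sqlsrvtmg1.exe",
     "Hashes": "MD5=5CDE5ADBC47FA8B414CDCE72B48FA783", "CommandLine": "sqlsrvtmg1.exe"},
    {"Computer": "FS02", "Image": r"C:\Windows\svchelper.exe",
     "Hashes": "MD5=5cde5adbc47fa8b414cdce72b48fa783", "CommandLine": "svchelper.exe"},
    {"Computer": "WS17", "Image": r"C:\Windows\System32\cmd.exe", "Hashes": "",
     "CommandLine": "cmd.exe /c dir"},
)]

if __name__ == "__main__":
    for host, reasons in scan(SAMPLE):
        print(host, ", ".join(reasons))
```
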



Global Enterprise Solution?


Here is how McAfee tries to solve it:

EXAMPLE: A new file Germany.exe comes into the enterprise (via installation, through Windows Installer, on a USB stick, through a ClickOnce installer, through e-mail, through web download).

  • If it comes through e-mail or the web filter, the McAfee appliances are connected to the SANDBOX and TIE, so the info from the clients is also known by the external filters. All info about all files is in the ePO server.
  • *1) That is one of the KEY quiz points, because there are better or EQUAL web filters and spam filters (like Fortigate FortiMail) or the IPS from Fortigate. But then you don't have the info connected to the McAfee server.

The next point would be the W7/W10 client:

  1. VSE = Virus protection on the client with regular patterns and heuristics

    The TIE agent will also scan the file

  2. TIE = Software agent and Linux appliance which does intelligent black- and whitelisting of executables based on cloud hashes plus info from VirusScan

If it is still unclear what the file does, it will be analyzed in the ATD sandbox:

  1. ATD = Appliance sandbox which then opens the file automatically on an emulated W7/W10 client with Office. It is like restoring a snapshot, opening the file, checking it and resetting the snapshot.
  2. (HIPS) = If the HIPS (Host IPS) client is on the client, it will monitor the behaviour of the file AFTER it has gotten the green light from above.

*1) Separate manufacturers

In the past, separating manufacturers in security was sometimes a good thing. Then you had several suppliers and the ITIL risk analysis looked better.

With ransomware, the time has come where you have to watch an incoming file through all endpoints and paths.

We will have to tie together endpoint protection on laptops, desktops and VDI, NG firewalls, web filters and spam filters in one part.

The solution would be to buy everything from one producer that has it all in its portfolio. Since Intel bought McAfee and this will go into chips, for me the producer is clear.

If ransomware malware comes to the TPM/CPU/NIC/chipset, Intel-McAfee will be the company that can solve it.


McAfee TIE module in the McAfee ePO server (screenshot):

Information with which the software rated the executables: Is it new? Where did it run? Was it there before with another MD5? Etc.

Trust based on certificates and files:

Rate/scan files based on VirusTotal info with just one mouse click:

Alerts the end user could SEE if you turn them on:

