September 15th, 2021, 06:43 AM   #1
PLC Pie Guy
Member
Canada

Join Date: Jun 2013
Location: Halifax
Posts: 1,079
Conti Strain! Are we up the creek?

Hey folks.
Are any of you familiar with something called Conti Strain?
Our entire corporate structure has been taken hostage by it.
All my PLC files now have the extension .QEBEN instead of .ACD, .RSS as well as just about every other type of file on the network. In each folder is a read me.txt file that has instructions on how to pay them in order to return the files to us.

It's completely over my head and the IT folks I'm sure are pulling their hair out now. This is day 2. All I can do now is on my iPhone. This stinks!

My real question is... I do have backups of my PLC files. However, I'm worried that the backups are corrupted as we have no idea how long the offensive file has been with us. Does anyone know of a way I can scan this backup stick somehow before using them? Technically, I'm not even supposed to have these backups on a stick as per company policy, however, it could very well pull us from the flames.

I'm too scared to even put it into my computer!

I'm guessing that it's not going to be a simple solution or IT would have fixed it already. This is the first time in 10 years I've seen their systems down.
September 15th, 2021, 07:11 AM   #2
drbitboy
Lifetime Supporting Member
United States

Join Date: Dec 2019
Location: Rochester, NY
Posts: 3,400
oh dear.


do not put the stick into any company computer, and do not touch any of the backups inside the company. go to staples or best buy or whatever and get a new computer that has never been in your company, maybe put a fresh linux install on it, and make backups of that stick asap, but do not do it anywhere near the company network.

If the stick is already corrupted it is too late. if the backups are on company servers it is probably too late.

You may be able to upload current programs, without comments, from the PLCs to a new computer, but it will have to be windows, and you will have to load A-B software on it so be sure that computer has never connected to the company network.
__________________
i) Take care of the bits, and the bytes will take care of themselves.
ii) There is no software problem that cannot be solved with another layer of indirection.
September 15th, 2021, 07:14 AM   #3
geniusintraining
Lifetime Supporting Member + Moderator
United States

Join Date: Jun 2005
Location: SC
Posts: 7,613
It's a long shot, but this may help: https://www.pcrisk.com/removal-guide...nti-ransomware
__________________
www.PLCCable.com PLC Communication Cables, PLC Trainers, MicroLogix, ControlLogix, Siemens, Allen Bradley and more...OEM and aftermarket supplies... Aftermarket 1784-U2DHP Allen Bradley USB to DH+, new USB to 485 modbus
September 15th, 2021, 08:10 AM   #4
PLC Pie Guy
Member
Canada

Join Date: Jun 2013
Location: Halifax
Posts: 1,079
How can I tell if the encryption file is already on my backup stick?
September 15th, 2021, 08:35 AM   #5
Dravik
Member
United States

Join Date: Jun 2008
Location: New York
Posts: 1,604
Quote:
Originally Posted by PLC Pie Guy View Post
How can I tell if the encryption file is already on my backup stick?
Go find your IT people and discuss this w/ them.

Do not try to do this yourself.

If that key is your only backup, you may have exactly 1 shot to avoid scrapping it.
September 15th, 2021, 08:37 AM   #6
pturmel
Member
United States

Join Date: Jul 2021
Location: Atlanta
Posts: 102
Open it on a Linux or Mac system, or a brand new computer that you can be sure does not have Conti on it. Look at the file extensions to see if they've been encrypted.


If good, make additional copies of the thumb drive and stick them in a safe place.


Long term, learn to use non-Windows systems to do everything except run your PLC programming software. Also consider learning to use non-Windows hypervisors to run Windows in isolated VMs.
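The check described in post #6 (look at the file extensions on a machine known to be clean, then make extra copies), as an added example that is not part of the original thread. It only inspects file names and records SHA-256 hashes of the PLC project files so later copies can be compared; the ransom-note spellings, folder names and sample files are assumptions constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

PROJECT_EXTS = {".acd", ".rss"}   # PLC project types named in the thread
RENAMED_EXTS = {".qeben"}         # extension the thread reports on encrypted files
NOTE_NAMES = {"readme.txt", "read me.txt"}  # assumed spellings of the ransom note

def sha256_file(path):
    # Files are only read, never executed or written.
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def triage(root):
    """Classify files under root by name and hash the PLC project files."""
    root = Path(root)
    report = {"renamed": [], "notes": [], "projects": {}}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel, ext = path.relative_to(root).as_posix(), path.suffix.lower()
        if ext in RENAMED_EXTS:
            report["renamed"].append(rel)
        elif path.name.lower() in NOTE_NAMES:
            report["notes"].append(rel)
        elif ext in PROJECT_EXTS:
            report["projects"][rel] = sha256_file(path)
    report["clean_by_name"] = not (report["renamed"] or report["notes"])
    return report

def verify_copy(manifest, copy_root):
    """Project files that are missing from a copy or differ from the manifest."""
    copy = Path(copy_root)
    return [rel for rel, want in manifest.items()
            if not (copy / rel).is_file() or sha256_file(copy / rel) != want]

def demo():
    """Constructed sample trees: a good stick, an affected share, a damaged copy."""
    base = Path(tempfile.mkdtemp())
    good, bad, copy = (base / name / "line1" for name in ("stick", "share", "copy"))
    for folder in (good, bad, copy):
        folder.mkdir(parents=True)
    (good / "Mixer.ACD").write_bytes(b"constructed project bytes")
    (good / "Oven.RSS").write_bytes(b"constructed ladder bytes")
    (bad / "Mixer.ACD.QEBEN").write_bytes(b"\x00" * 16)
    (bad / "readme.txt").write_text("constructed note")
    (copy / "Mixer.ACD").write_bytes(b"changed after copying")
    manifest = triage(good.parent)
    return manifest, triage(bad.parent), verify_copy(manifest["projects"], copy.parent)

if __name__ == "__main__":
    print(demo())
```

In practice `triage` would be pointed at the stick mounted read-only on the clean machine, and `verify_copy` at each additional copy made from it.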
September 15th, 2021, 09:31 AM   #7
PLC Pie Guy
Member
Canada

Join Date: Jun 2013
Location: Halifax
Posts: 1,079
What a mess!
September 15th, 2021, 09:58 AM   #8
dmroeder
Lifetime Supporting Member
United States

Join Date: Apr 2006
Location: Vancouver, WA
Posts: 2,914
Oh yikes! I think we had one instance here a while back. We had a terrible network connection between, I'll call them, building 1 and building 2. It was on the list of things to be fixed. Someone clicked something in building 2 (servers are in building 1), but luckily, the network connection was particularly terrible that day. The clicker called IT because their computer was acting funny. IT knew what was up and had them disconnect their machine from the network. They figured, had it not been for the crappy network connection, we likely would have been screwed. Procrastination wins again.

We've had some pretty wild phishing attempts. The effort that some of these people go through is unreal.

We also have random click tests, where IT sends out a phony phishing email to see how many people click. I'm always amazed at how many people click. First law of emails, don't click links.
__________________
If you can, support my lifelong friends childhood cancer awareness month band-aid drive (select deliver to Eli) Here is an article.
September 16th, 2021, 02:20 AM   #9
JesperMP
Lifetime Supporting Member + Moderator
Denmark

Join Date: Feb 2003
Location: Copenhagen.
Posts: 14,924
Quote:
Originally Posted by dmroeder View Post
We also have random click tests, where IT sends out a phony phishing email to see how many people click. I'm always amazed at how many people click.
That is a great idea. I will suggest that to my IT dept.
We have some instructional videos on how to be safe, but I suspect only a small fraction of people understand and follow the advice strictly. To actively test people's behaviour is a step up.

And yes, backups that are themselves backed up.
__________________
Jesper
See my profile interests for Q&A
September 16th, 2021, 03:33 AM   #10
Saffa
Member
New Zealand

Join Date: Feb 2012
Location: Bay of Plenty
Posts: 1,261
The last company I worked for used to send out the test phishing emails. If you failed the test, you had a mandatory 30 minute training you had to do within a week.

The training was punishment enough that it made people very cautious.
September 16th, 2021, 06:37 AM   #11
geniusintraining
Lifetime Supporting Member + Moderator
United States

Join Date: Jun 2005
Location: SC
Posts: 7,613
Google (Gmail) does a good job of filtering spam and phishing emails. I know a lot of companies don't like Google, but I have all of my emails run through them.
September 16th, 2021, 08:18 AM   #12
Ken Moore
Lifetime Supporting Member
United States

Join Date: May 2004
Location: North, West, South Carolina
Posts: 3,157
Quote:
Originally Posted by Saffa View Post
The last company I worked for used to send out the test phishing emails. If you failed the test, you had a mandatory 30 minute training you had to do within a week.

The training was punishment enough that it made people very cautious.
We have the same thing. After you are "hooked" a couple of times, you become extremely cautious. I have marked valid emails as phishy; better safe than sorry.
__________________
Certified Siemens Functional Safety Professional,
ID: SFSP17010238
https://azr.com/
September 16th, 2021, 11:29 AM   #13
Peter Nachtwey
Member
United States

Join Date: Apr 2002
Location: United Welfare States of America
Posts: 7,535
Backup, backup, backup and keep many snapshots going many days back.


I am pretty sure we pay a service that checks for known phishing sites and e-mails. They can be tricky. Our IT guy sends company-wide e-mails with examples of e-mails with bad intent.


I have used a white filter for years.


Beware of the banners saying this e-mail is good or bad. They can be faked too.
__________________
"Living is easy with eyes closed, misunderstanding all you see...." Strawberry Fields Forever, John Lennon
September 21st, 2021, 07:13 AM   #14
PLC Pie Guy
Member
Canada

Join Date: Jun 2013
Location: Halifax
Posts: 1,079
This still has us crippled.

Our IT department is fumbling and useless. They are in over their heads and not going to rectify the situation. Everything remains encrypted and missing. Nothing works.
I'm going today to purchase a new laptop, it will be forever free from IT.
I'm going to buy all new software, free of corporate ownership.
I'll go around and pull backups as I'm not sure if the backups that I do have on a stick are infected or not. I'm considering them garbage at this point. I did put it in an old sacrificial computer and they look ok, but what lies beneath is what scares me, I don't know much about how this works.

Here is the issue. Our machines are all tied to the corporate IT controlled switches. I'm guessing it's a risky action to give my new computer a static IP address and tether it to the network to do uploads. Is there a risk that in connecting my new computer to the network that I will catch this virus so long as I don't upload any files from the network, simply create communication to each PLC and upload?
Does anybody have an opinion on this? Networking isn't my strong suit.

Aside from losing plant-to-plant comms by going the IT-free route (we have two neighboring plants), the other downside to all this is I will lose my outside access to the plant. I finally, after years of waiting for internet at home, just got connected, thanks to Musk. Now because of this, I'm losing my outside connection before I even get to use it. I've mentioned getting a second internet connection here free of corporate once again but it might not fly.


Unfortunately this has cast us into the stone ages and it seems that there is nobody on our team trying to help. Now it's all my problem. They want me to start panicking about it and create a magic solution when it's their stupid policies that got us here in the first place... Funny how this works. Yes, I'm a bit sour. I can't believe, I can't conceive how they didn't have a contingency plan. I can't understand why we can't roll our network back to an earlier date. But then again, they can't even keep the office printers reliably on the network.
September 21st, 2021, 07:22 AM   #15
the_msp
Lifetime Supporting Member
United Kingdom

Join Date: May 2008
Location: Northern Ireland
Posts: 1,002
Quote:
Here is the issue. Our machines are all tied to the corporate IT controlled switches. I'm guessing it's a risky action to give my new computer a static IP address and tether it to the network to do uploads. Is there a risk that in connecting my new computer to the network that I will catch this virus so long as I don't upload any files from the network, simply create communication to each PLC and upload?
Does anybody have an opinion on this? Networking isn't my strong suit.
Don't do it, there is a high risk it will spread to the new laptop as soon as it is connected to the network.

Stop the machines and connect directly to the PLC with them being removed from the network temporarily.
__________________
Regards,

Patrick G. B.Eng MIET

Making the flashy lights flash since the 90's

SCADA - Inductive Automation Gold Integrator | PLC | Control Panels | Robotics | Training

Connect with Matrix Engineering