MOBITEK MobiGATE Model SG-B-4-L / SG-B-8-L series (models having a LAN port)
VCOM version older than 4.5.11
Problem: Windows applications are not able to run, or the whole PC/server hangs.
In “Windows Task Manager”, “mcpu.exe” appears every time VCOM connects to a modem in the MobiGATE and then disappears.
After running VCOM for a few days, Windows shows the error message “mcpu.exe – Application Error : The application was unable to start correctly (0xc0000142)”.
“Windows Task Manager” shows high memory usage.
This causes other Windows applications to be unable to run, or the whole PC/server to hang.
Solution: VCOM versions older than 4.5.11 have a memory leak that causes the high memory usage. Therefore, version 4.5.11 needs to be installed.
Here are your options, please choose one:-
My MobiGATE is still under warranty; I would like to request a copy of VCOM version 4.5.11.
I have subscribed to the annual support programme for MobiGATE; I would like to request a copy of VCOM version 4.5.11.
My warranty period has expired and I wish to subscribe to the annual support programme; I would like to request a quote.
1st Attack: 2019-Nov-20
2nd Attack: 2020-Jan-9, encrypted files with “Harma” suffix
Shut down all PCs on the network.
Disconnect all LAN/ethernet cables from all PCs to prevent any LAN or internet connection.
A PC is infected by ransomware if the files on the PC are encrypted and cannot be opened.
One by one, connect each PC to the internet, update the virus definitions of Windows Defender (or the anti-virus software) and run a full scan.
Take note of the date and time the files were encrypted on all PCs.
The PC having encrypted files with the earliest date & time is the first PC that was infected.
On another clean PC that is not connected to the LAN, run a full scan on the back-up files and Windows image files that were created by Windows Backup.
If you do not have any back-up of files and a recent copy of the Windows image file from before the attack, then recovering from the ransomware attack is impossible.
Once the back-up files are scanned and certified clean, back up a copy of all back-up files and the Windows image onto a separate external hard disk.
In case the back-up files and Windows image files become infected while doing the restore, you still have a back-up copy.
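To support the “earliest date & time” step above, here is an added example (not MOBITEK’s own script) that searches a PC for files carrying the ransomware suffix and reports the earliest and latest encryption times; the suffix default “Harma” comes from the attack above, and the search roots are an assumption to adjust per PC.

```powershell
# Added example (not from MOBITEK): report when files with the ransomware suffix were
# written on this PC. Run it on each PC; the PC reporting the earliest time is the
# first one infected. Run from PowerShell as a .ps1 file.
param(
    [string]$Suffix = 'Harma',                # suffix the ransomware appended (from the attack)
    [string[]]$Roots = @('C:\Users', 'D:\')   # assumed folders to search; adjust per PC
)

$encrypted = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    # -Force includes hidden files; access-denied errors are skipped rather than fatal.
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like "*$Suffix" }   # -like is case-insensitive
}

if (-not $encrypted) {
    Write-Host "No files ending in '$Suffix' found under $($Roots -join ', ')."
    return
}

# Encryption rewrites the file, so LastWriteTime approximates when it was encrypted.
$sorted   = $encrypted | Sort-Object LastWriteTime
$earliest = $sorted | Select-Object -First 1
$latest   = $sorted | Select-Object -Last 1

[PSCustomObject]@{
    Computer       = $env:COMPUTERNAME
    EncryptedFiles = @($encrypted).Count
    FirstEncrypted = $earliest.LastWriteTime
    LastEncrypted  = $latest.LastWriteTime
    FirstFile      = $earliest.FullName
} | Format-List

# Per-folder counts help show where encryption started (e.g. a shared folder).
$encrypted | Group-Object DirectoryName | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize
```

Compare the FirstEncrypted value across all PCs; the file system clock of each PC must be trusted, so check the clocks are in sync before comparing.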
After all PCs are scanned and cleaned by Windows Defender (or any anti-virus software), one by one:-
restore each PC using a Windows image that is dated earlier than the date of the ransomware attack; Windows System Restore WILL NOT work;
if a Windows image file is not available, then run Windows Update to install all Windows security updates (KB);
run a full scan with Windows Defender (or any anti-virus software) to ensure that there is no trace of ransomware after Windows has been restored;
then finally restore all files that were encrypted by ransomware from Windows Backup.
DO NOT connect all PCs to the LAN at the same time.
One by one, connect PCs to the LAN and internet, and monitor whether any files become encrypted. If there are none, then connect another PC to the LAN. Repeat until all PCs are connected to the LAN and internet.
Usually, ransomware arrives as an attachment in e-mail; if e-mail has been identified as the entry point of the attack, then change the e-mail address.
Enable e-mail redirection for non-spam mail to the new e-mail address.
Delete the old e-mail address that is constantly being attacked by spammers once all customers, suppliers, etc. have been notified of the new e-mail address.
Configure the e-mail client, e.g. Thunderbird:-
NOT to download or retrieve the full contents of every e-mail;
to download e-mail without any attachment, or only the e-mail header;
to download the full message with attachment only if the e-mail is from a known sender.
Avoid running the PC 24 hours x 7 days; set the PC to sleep or shut down at 10 pm every night and wake up at 8 am every morning:-
use Task Scheduler to put the PC to sleep at night;
use a BIOS setting to boot up the PC in the morning, or use Task Scheduler to wake up the PC;
if using Task Scheduler, ensure that “Allow wake timers” is enabled.
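The sleep/wake schedule above, implemented with Task Scheduler as an added example (not MOBITEK’s own script); it assumes the PC runs on mains power and uses the task names “Nightly sleep” and “Morning wake”, which are arbitrary.

```powershell
# Added example (not from MOBITEK): nightly sleep at 22:00, wake at 08:00 via Task Scheduler.
# Run in an elevated PowerShell session (Windows 8 / Server 2012 or later).

# 1. Permit wake timers on the active power scheme for mains power; this is the
#    "Allow wake timers" setting mentioned above (SUB_SLEEP / RTCWAKE are powercfg aliases).
powercfg /setacvalueindex SCHEME_CURRENT SUB_SLEEP RTCWAKE 1
powercfg /setactive SCHEME_CURRENT

# 2. Nightly sleep at 22:00. SetSuspendState arguments: 0 = sleep, 1 = force,
#    0 = keep wake events enabled. Caveat: if hibernation is enabled on the PC this
#    call hibernates instead; disable it first with "powercfg /hibernate off".
$sleepAction  = New-ScheduledTaskAction -Execute 'rundll32.exe' `
                    -Argument 'powrprof.dll,SetSuspendState 0,1,0'
$sleepTrigger = New-ScheduledTaskTrigger -Daily -At '22:00'
Register-ScheduledTask -TaskName 'Nightly sleep' -Action $sleepAction `
    -Trigger $sleepTrigger -User 'SYSTEM' -RunLevel Highest -Force

# 3. Morning wake at 08:00. -WakeToRun makes the task itself the wake timer, so the
#    action only needs to be a harmless command.
$wakeAction   = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument '/c exit 0'
$wakeTrigger  = New-ScheduledTaskTrigger -Daily -At '08:00'
$wakeSettings = New-ScheduledTaskSettingsSet -WakeToRun -AllowStartIfOnBatteries
Register-ScheduledTask -TaskName 'Morning wake' -Action $wakeAction `
    -Trigger $wakeTrigger -Settings $wakeSettings -User 'SYSTEM' -Force

# 4. Confirm both tasks are registered and ready.
Get-ScheduledTask -TaskName 'Nightly sleep', 'Morning wake' |
    Select-Object TaskName, State
```

Wake from sleep via a timer also depends on the BIOS/firmware allowing it; if the PC does not wake, use the BIOS wake-on-time setting the text mentions instead.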
Change the RDP port number after recovering from a ransomware attack.
Set the anti-virus software to perform a full scan every day instead of a quick scan on the PC.
Remove all Windows user accounts and replace them with new user accounts, as the hacker may have obtained the Windows user account.
Review Windows Firewall — remove any unused applications or ports.
For SERVERLINK:-
set the time period to allow external RDP connection;
in Homeland, only allow IP addresses from the home country.
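For the “review Windows Firewall” and “change the RDP port number” steps above, an added audit script (not MOBITEK’s own) that lists every enabled inbound allow rule with its port and program filters, flags rules that restrict neither, and shows the RDP port currently configured in the registry.

```powershell
# Added example (not from MOBITEK): audit inbound firewall rules and the RDP listening port.
# Run in an elevated PowerShell session on the PC or server being reviewed.

# Registry value that holds the RDP listening port (default 3389); after changing the
# port, this value and the matching firewall rule should both show the new number.
$rdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdpPort = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
Write-Host "RDP listening port: $rdpPort" -ForegroundColor Cyan

# Every enabled inbound rule that allows traffic, joined with its port and program filters.
$rules  = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True
$report = foreach ($rule in $rules) {
    $portFilter = $rule | Get-NetFirewallPortFilter
    $appFilter  = $rule | Get-NetFirewallApplicationFilter
    [PSCustomObject]@{
        Name      = $rule.DisplayName
        Profile   = $rule.Profile
        Protocol  = $portFilter.Protocol
        LocalPort = ($portFilter.LocalPort -join ',')
        Program   = $appFilter.Program
    }
}

$report | Sort-Object Profile, Name | Format-Table -AutoSize

# Rules that restrict neither port nor program are the first candidates for removal.
$wide = $report | Where-Object { $_.LocalPort -eq 'Any' -and $_.Program -eq 'Any' }
Write-Host "`n$(@($wide).Count) enabled inbound allow rule(s) restrict neither port nor program:" `
    -ForegroundColor Yellow
$wide | Format-Table Name, Profile -AutoSize

# Rules that explicitly open the RDP port, so they can be updated when the port changes.
$report | Where-Object { $_.LocalPort -split ',' -contains "$rdpPort" } |
    Format-Table Name, Profile, Protocol, LocalPort -AutoSize
```

Disable a rule you judge unused with Disable-NetFirewallRule -DisplayName '<name>' rather than deleting it, so it can be restored if an application turns out to need it.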
Create a back-up policy that backs up files and the Windows image in these locations:-
external hard disk that is connected on the LAN;
cloud or web hosting that is connected via the internet;
removable external hard disk that is NOT connected to the LAN or internet.
Back up all files using Windows Backup on a daily basis to the external hard disk that is connected on the LAN.
Save the Windows image using Windows Backup on a weekly or daily basis to the external hard disk that is connected on the LAN.
Back up all files on the external hard disk to cloud (Drop Box, One Drive, etc.) or to a web hosting server that is connected via the internet.
Back up all files on the external hard disk that is connected on the LAN to a removable external hard disk that is disconnected from the LAN and internet.
Here is a list of useful back-up software:-