SysAdmin trying to convince CyberSec they ain’t listening. Sniff test tells me something is rotten.
Posted by Bimpster@reddit | sysadmin | View on Reddit | 127 comments
Sysadmin finds funky certs in trusted person and other people (address book) stores on several (most) systems both Windows Server and Workstation OS. Certs issued to SYSTEM, by SYSTEM with San of SYSTEM@ NT AUTHORITY. Certs have no private key attached. Certs are valid for 100 years. RSA sha1 2048 length. The certs are for Encrypting File System and are end entity. In total, about a dozen certs have been identified and collected. Two domains, real offline PKI with issuing and Online responder on separate server. None of the collected certs have been issued or signed by PKI. Am I witnessing a potential long term plan by some hacker attempting to own the network, or am I concerned for no reason? Can’t tell where they are coming from. Something doesn’t smell right. Lack of knowledge response yields answers like “valid OID” or “They’re from Microsoft”. Their bullshit is baffling.
ILikeTewdles@reddit
Well, reading this post has reminded me why I got out of mainstream Sysadmin stuff and have no interest in CyberSec Haha. Effing cert management, bleh.
pIantainchipsaredank@reddit
But where did you go? Is M365 not mainstream?
ILikeTewdles@reddit
The area of M365 I work in ( a subset of functions M365 offers) has no cert management, patching, hardware, OS's to deal with etc. We have a different team that deals in security and compliance as well.
It's awesome.
pIantainchipsaredank@reddit
Any advice for someone that has to do all that mainstream sysadmin stuff? Reading that hit a little too close to home
subboyjoey@reddit
You should grab memory images from several of these workstations and take a look for any anomalous programs
Bimpster@reddit (OP)
Isn't that AV's job? If not, should be...
subboyjoey@reddit
ehh AV bypassing isn’t terribly hard or uncommon, and the types of threat actors that can bypass it would definitely be able to stage an attack and load certs while using something like process hallowing or dll injections which av isn’t the best at tracking, kernel mode vs user mode limitations on how much av can do
but it looks like you ended up tracking it down based on some other comments so definitely feel free to ignore that 😄
although from an IR standpoint, a couple good / baseline memory images thrown in storage for a rainy day can make tracking bad stuff much easier and faster if you do ever have an incident, but that can get pretty space and time intensive
EchoPhi@reddit
Home brew Linux boxes needing ssl certs? If not, issue.
Bimpster@reddit (OP)
Intrigued
EchoPhi@reddit
We have a handful of "life" certs for some internal apps, if you all built some in house stuff, as was standard late 90s early 2k, then it is entirely possible it is just some internal windows signed cert that becomes someone else's problem when you are gone.
If not, those are definitely an issue and I'd find what they're installed to, scrub, and replace with clean certs.
Bimpster@reddit (OP)
Those life certs are all gone. There was a push early 2010's to get off legacy apps requiring them. The certs in the personal stores are fine. Users and computers autoenroll. Users once a month, Computers, once a year. These funky certs are a foreign contaminant.
Snowmobile2004@reddit
100yr certs? really? doubtful
Bimpster@reddit (OP)
Valid from (various dates) ex. 5/15/2024 to 5/15/2124. Yep. 100 years.
Snowmobile2004@reddit
Yeah, I mean I wouldn’t expect 100year certs to ever actually be used for a legitimate production purpose, maybe just for testing. Are these certs for encrypting, you said??
Bimpster@reddit (OP)
EFS yes
Snowmobile2004@reddit
Sounds like ransomware to me, but I have 0 idea. Just my 2 cents.
Bimpster@reddit (OP)
Not inconceivable.
knightofargh@reddit
From a security perspective that seems off. I’d investigate if I were them because it’s a lazy dev who can’t be arsed to maintain certs, a lazy DBA who can’t be arsed, an insider threat or possibly an outside actor.
It could also be someone else’s lazy dev who installed this as part of some COTS package.
Those expiration dates make me assume incompetence but it could also be malice.
Bimpster@reddit (OP)
Malice might be an avenue to explore.
knightofargh@reddit
Honestly I’ve been doing sysadmin and now security for a long time. Malice is down the list after in order, laziness, stupidity and honest mistakes.
But your security guys aren’t doing their part if they are dismissing this off hand.
Bimpster@reddit (OP)
Problem is my gut instinct has turned up things their new fangled tools have failed to. So, there’s a bit of jealousy involved. Quite simply I hear; you are a SystemAdmin, why are you so concerned with security? That’s our job. Fer crying out loud, It ain’t even a union shop!
ncc74656m@reddit
There's an easy solution to this - flag to your boss and theirs in an email. Now they either need to look into it, or your ass is covered six ways from Sunday when it inevitably blows up. But do your homework first just to be safe. You want to lay this out ONCE, because after the first denial everything else becomes nagging.
"I brought this up to the security team, and though they weren't concerned, I believe this is still a major risk, or even a potential indicator of compromise. Here's what I found, and the potential causes, anyway I just didn't want to let this lie on the chance I am correct. Let me know if you need anything!"
Bimpster@reddit (OP)
I’m in the “LMK if you need anything” phase. The issue is, once you say that, they expect you to know everything including questions they haven’t thought of asking yet.
no-agenda@reddit
Netlogon script?
Bimpster@reddit (OP)
No. Although some do exist, they are for service accounts running antiquated software requiring a drive mapping to a spoofed DNS address. Yeah, they exist. Not everyone has one though. Good thought, thanks!
ncc74656m@reddit
lol, well, you can't win them all.
Bogus1989@reddit
eww I dont like that type of environment….1ups are so childish…the first thing I do when I realize im the smartest in the room…is not let anyone know…🤣
Bimpster@reddit (OP)
It’s hard when they keep dragging you in to meetings as MS SME.
knightofargh@reddit
Oh. They are that kind of security. Bet there’s a bunch of ISC2 certs among them.
Adversarial approaches to security just make the people who work for a living less likely to want to work with you. Trust your instincts, you are probably seeing a pattern from experience.
Bimpster@reddit (OP)
20+ years.
DSMRick@reddit
It's not like security professionals are immune to laziness, incompetence, or honest fuck ups.
ResponsibilityLast38@reddit
"Never attribute to malice that which can be explained by incompetence" - Mahatma Ghandi (probably)
Jimi_A@reddit
Do you mean Hanlon’s razor?
harrywwc@reddit
Grey's Law: "Any sufficiently advanced incompetence is indistinguishable from malice".
BassKitty305017@reddit
Weaponized incompetence or incompetent weaponization?
cantdecideonaname77@reddit
yes
Cheomesh@reddit
Assuming malice, what could be the ways this is part of an exploit?
knightofargh@reddit
Staging certificates for some kind of ransomware encryption. It’s not the normal way, but a 2048-bit cert as seed would make for some difficult encryption.
It could be some kind of deception tactic. Seeding certificates to see if someone adds them as authorized for SSH.
The whole scenario feels clumsy and half-baked so those are a stretch.
Cheomesh@reddit
Yeah if there's no private key locally it would only be able to authenticate someone coming in remote, right? And if it's ... apparently ... set up to authenticate a local account, the policy preventing local accounts from being used for remote access should tamp it?
knightofargh@reddit
If it’s Windows that private key could be bundled because of how Microsoft handles certs.
Really to me the weird part is the certs being for EFS. They could just be local artifacts of EFS or based on other posts they could be something domain level running during joins. Whole thing is weird, but my instincts say “software or domain config” rather than attack. If it was an attack it would have happened, long dwell times are not common unless it’s a staged zero day. I guess some RaaS payloads have long dwell times to make recovery from backups harder.
Cheomesh@reddit
I may have some holes in my knowledge since I'm not a cert expert - I know you can have files like .cer with the certificate's key inside, but if what he's seeing is in the store then surely it would have installed the key along side?
Ludwig234@reddit
Yeah, if a certificate has a private key Windows says so in the Cert store. I doubt it matters at all how the key and the certificate ended up in the cert store.
Bimpster@reddit (OP)
I might think like a criminal but this is beyond me.
jimmyjohn2018@reddit
Never assume incompetence. But, damn it's common.
deja_geek@reddit
Never attribute to malice, what can be attributed to incompetence.
Incompetence is everywhere
davidbrit2@reddit
I've met enough dangerously stupid people to assume that dangerously stupid is the most likely answer. That doesn't completely rule out nefarious though.
Rakajj@reddit
I suppose swapping stupidity for incompetence makes it technically different than Hanlon's Razor but it's more or less the same.
jcpham@reddit
This is the actual quote
bluescreenfog@reddit
Yeah I was gonna say, always assume incompetence!
Dadarian@reddit
The first thing I always ask myself is, “what would I do?”
It’s the best way to either figure out what some other idiot was thinking when troubleshooting or what not to do when trying to implement something myself.
dark_frog@reddit
If it's not incompetence, it's usually indifference. One time, it was malice. When I raised alarms, I was met with indifference.
mobiplayer@reddit
Always assument incompetence before malice, always.
Bimpster@reddit (OP)
Yeah, incompetence runs rampant. So does indifference.
702Pilgrim@reddit
Just a tier 1 technician here. Can someone please explain what this is all about? I get bits and pieces but I'm not understanding the whole picture. Please and thank you.
CrazyEntertainment86@reddit
Well that conceivably would only work for files created on that PC and encrypted using EFS on that pc. I wouldn’t work outside of that scope.
Bimpster@reddit (OP)
I was able to request a custom cert using the parameters of the suspicious ones. (Admin on box) Lo and behold I now have an EFS cert issued to SYSTEM that I possess the key too. If I choose to deploy said cert (sans key) to a neighboring PC (lateral move) into the Trusted Person store, that cert could be used to Encrypt neighboring HDD. The ramifications are staggering. So, the scope is widened to include any device that cert can be deposited. Methinks the script kiddies who are generating and depositing these certs know “exactly” what they’re doing. Not sure I like it though. Could be benign, or a failed attempt to manage disk encryption from a remote device. Just don’t know enough yet.
CrazyEntertainment86@reddit
Gotcha, I mean there are a few things it would need to as you said be imported to local machine and possibly user store of each device, then data encrypted using the cert etc.. so I’d think it’s a long way around if it’s some type or ransomware. based effort but I’m 100% with you that it’s very concerning.
s3cguru@reddit
Sounds like an EFS DRA cert, they default to 100 years lifetime. Quick googling and reading indicates they aren't issued to SYSTEM by default but you can go out your way to do that to make it so data is decryptable via the DRA when a user account on the machine that has an EFS cert is removed. No private key being on the cert when you export it makes sense because the key information is only accessible by the user that issued the cert because it is tied to the password of the user that issued the EFS cert. If you tried to export the cert using certutil in a SYSTEM context using something like psexec you may get the private key material.
Windows is a weird OS with lots of legacy and stupid defaults, not everything is immediately malicious. That being said, monitoring is important.
Are the certs issued around the same time on all the machines? Do the cert issuing dates align with when the machine was imaged? Are there any GPOs applied that deal with EFS in any way? Do you have backup software on your machines that may manage EFS certs on your behalf?
Bimpster@reddit (OP)
YES!!! That’s what I’m talking about. The only certs dealing directly with efs is the recovery agents. It’s too random to be backup software. What is on a workstation is missing from servers and visa versa. However the certs are showing up on both. Updates are handled by Manage Engine on workstations, Tanium for servers.
foreverinane@reddit
audit all gpos and scheduled tasks, someone may have a script trying to run the cipher command to use EFS to protect a file and if it's executed with system context, it'll generate a self signed system efs cert like this.
Bimpster@reddit (OP)
Can look into inventory management tool to check on scheduled tasks. GPOs are clean.
CrazyEntertainment86@reddit
Sounds like EFS recovery certs created to be able to decrypt any domain based EFS files. Fishy to see so many, did someone create a silly auto enrollment gpo to auto create these?
DSMRick@reddit
This was my first thought.
Bimpster@reddit (OP)
Good thought, where I went first. Blind alley.
Bimpster@reddit (OP)
No CA involved. No open EFS template available to request. I created one on a whim. Didn’t even need a CA. The PC itself approved it and gave me a key. Great, I’m POC’ing a new method of encrypting files. We’re all doomed if it’s this easy.
NewsSpecialist9796@reddit
You are not wrong in that this is extremely strange. It could be (a) some wild misconfiguration (b) past infection (c) present infection. This is too complex for me to resolve, perhaps someone else could chime in.
I would be checking the security log
Get-WinEvent -LogName Security | Where-Object { $_.Message -like "*SYSTEM*" }
And
I would also be checking
Get-NetTCPConnection or netstat for open ports with processes attached and firing up autoruns to see if something suspicious is on the startup. Use process explorer as well. Then run a full scan and use RKill. With all that said, my wheelhouse is also just sysadmin and I'm three years removed of active duty so this is above my pay grade.
Bimpster@reddit (OP)
It happens shortly after a machine is joined. One and done deal. No policy copying these down (don’t even know how I’d locate that) certs seem to be space a month apart. (Randomly selecting machines on network and remotely accessing stores) Every stinking service in Windows uses System.
NewsSpecialist9796@reddit
use gpresult /h gpo-report.html
look for
Auto-enrollment: Enabled
Auto-enrollment type: Prompt or Automatic
Certificate Services Client - Auto-Enrollment
Policy: Enroll for certificates automatically
Also look for powershell and powershell execution policy changes. Check for scheduled task and any scripts.
Bimpster@reddit (OP)
The certs are not coming from the PKI. Enrollment is enabled and carefully controlled and monitored by yours truly. Templates are secured by group and manager approval is required for any certificate requiring a Subject Alternative Name.
NewsSpecialist9796@reddit
You could also just flat out catch with a honeypot by setting up canary tokens and seeing if the bait is taken (low tech approach but may have utility) set up a document called (backup admin password.doc) or something
Bimpster@reddit (OP)
Am close to catching the culprit with all the suggestions coming down. Going to try the reg and WMI monitoring first. It happens within minutes of being joined. After one or two reboots. Just so many things on the plate it’s hard to focus.
zero0n3@reddit
If it happens when joining, then it’s likely not malicious. Or you’re already fucked hard.
Sounds more like a GPO or startup / login script deploying it.
Also take the cert and this post info and dump it into GPT and see what it says.
Bimpster@reddit (OP)
I honestly think ChatGPT has a scruples setting. “oh, you know… certs are useful to do the things…” No script, no GPO configured To do anything like this. Only have 113 policies.
zero0n3@reddit
In theory - you could probably dump the raw GPO file data and have GPT scan it for issues.
Which reminds me - wonder if GPT could take the CISA hardening PDFS and make the GPO policies for them ;). Save that few grand a year
Bimpster@reddit (OP)
I know everyone says it’s DNS. Or, in this case, a GPO. I’m leaning towards some clandestine experiment by PC Techs that has gone awry. Familiar with Manage Engine? Dangerous in the hands of someone with no valid MS certifications and an idea on how to do something. In this case, Testing in production. My answer is always the same; run gpupdate /force and reboot. Fixes 99% of things they screw up.
NewsSpecialist9796@reddit
Tripwire has a free trial I believe. You could setup a dummy machine. Install tripwire and monitor C:\Windows\System32\CertEnroll and
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeysMonitor changes and modifications. It will generate a report that may reveal what is happening.
WhereRandomThingsAre@reddit
Normally I'd check before posting, but https://stackoverflow.com/questions/24486520/listen-on-changes-in-certificate-store suggests monitoring registry modification might be a way to track when it's added to the computer (and depending on how you monitor it, what/who does it). If that pans out, Sysmon or some other solution could help log the activity.
Seems Windows has some logging of its own for the certificate store, but it also seems to have giant blindspots.
Bimpster@reddit (OP)
Thank you for the link.
usa_reddit@reddit
It's a little late now, but have you met my friend Tripwire?
Bimpster@reddit (OP)
Falcon is the choice since S1 left.
usa_reddit@reddit
Falcon works on endpoints, Tripwire works on configs and systems. Tripwire would be the best choice to detect these certs popping up.
Bimpster@reddit (OP)
Will need to remember that in the morning. Thank you.
Dopeykid666@reddit
Did you remember?
Bimpster@reddit (OP)
Remembered enough to take a look, but… Even freely available tools including scripts have to go through a legal review. Ain’t got no stomach fer dat.
Browncoyote@reddit
This looks like an example of Cunningham's Law.
NETSPLlT@reddit
are you able to monitor systems to see when/if these appear again?
anything in the logs of the system that most recently received the cert?
Seems odd, for sure. Sometimes these really odd looking things are benign or useful but poorly undocumented. Looks like you simply removed them, which is fine. Bit of a scream test. :)
If you find out what's up with them, please update here.
Bimpster@reddit (OP)
I’ve ripped a few out and waited for the screaming.
Karthanon@reddit
This is the way.
This is coming from a former *nix sysadmin of 25 years and now 6 years into a DFIR position. If you can't get clear answers from the owners of those systems or the applications folks as to where the certs came from or who put them in place, and your own security team is washing their hands of it (wtf!?), then that's really all you can do.
Rule 1, though, is make sure you CYA.
Bimpster@reddit (OP)
It hurts me to even type these words. I’m seriously considering collecting all these certs and depositing them in the “untrusted” store. Then the real screaming will start when whoever is dropping them finds out. It’s good to be the king.
coukou76@reddit
No screaming would be very bad news too tbh, it would mean shadow IT or worst. Just hope it's incompetence or something not understood yet. Keep us posted I am curious about the results
Robeleader@reddit
Sometimes it isn't the screams, but the silence that terrifies the most.
zero0n3@reddit
Just keep in mind, if that EFS DRA thing has merit, removing these certs may mean you can no longer restore their encrypted data if the user account with encrypted data is removed from the machine in question.
The way the person described that, it sounds like this cert is essentially acting as a recovery method for the EFS.
I have not dumped any of this into GPT, but if you got a sub, may be a good start (and include some of the potentially useful replies here as more info to feed it - see if you get any more breadcrumbs)
abofh@reddit
You are most likely witnessing incompetence. But the real business game is to find if anyone cares.
Delete it, see who puts it back; black list it, see who complains. Change the private key and reissue on the same subject/signer, and now whatever they were doing is now yours!
If nobody knows, you have permission to delete unknown things. If they just won't tell you, you have permission to ask them to document it.
Make it easy for future you, beat the sunlight into it, and if it won't keep glowing, hit it harder.
Or just do what you're paid for, no idea what your scope is
hornethacker97@reddit
This is my take on the issue as well. Start with scream test by moving the certs to untrusted, then if no screams export certs to offline storage and remove from machines. If still no screams, blacklist and move on. And of course document it all in company KB or ticketing system.
Fwiler@reddit
Show the cert and the details. Also have no idea what other people (address book) stores... means. Where are the certs installed in certmgr? They shouldn't have the private key attached, only the certificate owner should have it. Who is the sysadmin? You? If so, why are you referring to yourself in 3rd person? Why is their bullshit baffling you?
Bimpster@reddit (OP)
https://i.redd.it/2bnwyioel1qe1.gif
Does this help?
Bimpster@reddit (OP)
That’s my argument exactly. If the cert is self signed by the system, there would be a private key attached. But no. Which makes me believe someone is holding on to the key for later use.
Fwiler@reddit
You didn't answer my questions, and what you are saying doesn't make sense. You are claiming all these systems have the same certificate but yet you believe they should all be self signed?
Bimpster@reddit (OP)
Not the same certificate. There are about a dozen different certs distributed to several hundred devices. They share the SYSTEM issued by SYSTEM issued to SYSTEM@NT AUTHORITY subject alternative name. They could have all been generated on one machine exported and redistributed to the general population. That one machine where they were generated has the private key.
Fwiler@reddit
Yes, that's how certificates are supposed to work. Generated on one machine and distributed to other systems. Again you didn't answer any basic questions, so I'm out. Good luck bud.
Bimpster@reddit (OP)
Thank you for your input.
Cormacolinde@reddit
You would only see a private key attached if you were logging in as the user that owns it, i.e. SYSTEM. Did you do that?
Are you sure they are the same on all systems you found them on? Same thumbprint?
As someone else mentioned this looks like self-signed EFS certs that are generated automatically when EFS is interacted with and no internal certs with the EKU is available to the user. If the system is doing it, it usually doesn’t have such a cert available since it’s a domain computer, not a domain user. Is this weird? Yes. It could be some novel malware trying to hide its stuff with EFS. It is likely just a misconfiguration or wayward script.
Bimpster@reddit (OP)
Not the same thumbprint for all. As admin, I was able to create a custom request mimicking the sus certs. looks just like the “real” thing. I have the private key to this test Cert. gonna post a picture at some point.
illarionds@reddit
CYA. Report it formally to security, with your concerns. Create a paper trail. Make sure your boss is aware/sees it.
After that, ultimately, it's not your problem. It's very hard to force other people to do their job properly. You've done your bit in raising the alert, and you're covered if it does turn out to be serious.
unseenspecter@reddit
Did you mean the certs have no public keys attached? Certs don't have private keys attached to them. Honestly the information you provided isn't nearly enough context to make a determination. The security team could be right. Do the certs list an issue? What brought this issue to your attention? Any records of what is used ng these certs?
zero0n3@reddit
Certs can absolutely have the private key exportable flag enabled which means the pkey is stored in the “cert”
(Just not in a plaintext , unprotected format).
Probably more of a windows PKI thing.
isanameaname@reddit
That's absolutely a Windows thing.
Somebody at Microsoft decided that suysadmins are too dumb to deal with the concept of a keystore, and so they refer to a PKCS12 keystore containing a certificate and private key pair as a "certificate".
About half of the issues we have with people misunderstanding PKI come from this one horrible decision by Microsoft.
Bimpster@reddit (OP)
Public key is there 2048 length. No private key like a Remote Desktop cert generated automatically on a system.
unseenspecter@reddit
It's hard to say. I'm not trying to be difficult but truly it's impossible to determine without seeing all the details. For example, it's entirely possible the private key isn't something to which you have access. Is an issuer listed on the cert? Any evidence of what the cert is used for? I'm by no means an expert on PKI but hopefully with enough details someone can give enough details to set you on the right track. Often times Reddit can jump straight to doomsaying. I find that on this subreddit, specifically, sysadmins don't typically have good perspective on security matters. It's important to not get hung up on false positives. There is a TON of noise in the cybersec world.
Bimpster@reddit (OP)
I appreciate you input. Thank you.
redditduhlikeyeah@reddit
Lazy. No hacker is playing a long game with those kind of certs on a local network.
Euphoric_Neck_657@reddit
Saying the same thing to my team. Sus shit happening all over. Looking like the Malware controls flow from legitimate providers
eatmynasty@reddit
Sounds like you’ve got some incompetent sysadmins doing dumb shit
Bimpster@reddit (OP)
That hurt and yes. I agree.
eatmynasty@reddit
I’m sure you’re great. Some other idiot doesn’t know how to use ADCS
Bimpster@reddit (OP)
I’m not great. Pretty good maybe. Take some getting used to. I blame it on my parents. Anyone with admin access to a PC could be doing this. Create a custom request, sign it, export it… The distribution part is where I can’t figure this out. LAPS installed on all PC’s Administrator renamed and guest renamed to Admin 😏 Ability to retrieve Pwds are limited to a select few. Server pwds changed regularly (as needed due to turnover or yearly) at least 24 characters all types upper lower numbers and special required. Nothing explains why it would be on Servers AND Workstations except CrowdStrike. However, on a select few hardened devices they are not present even though CrowdStrike is installed. ADCS is enough work for one person. Sharing that load is hard because you need a decent grasp on how it works. If the certs came from the Issuing server, I’d know. Thank you for the help. G’night
yParticle@reddit
Hey man, security just slows me down!
Grrl_geek@reddit
Sounds like scream test territory!! 🤣🥰
Bimpster@reddit (OP)
Hoping to generate a howl heard all the way in Prune
Practical-Alarm1763@reddit
You expect CyberSec to know wtf you're talking about?
Have you tried explaining it in CyberSec terms? (Meaning to dumb the shit down for them.)
There are really top notch CyberSec folks out there, but enterprises are filled with useless college grads that don't know what a PKI Infrastructure is or what a self signing cert is. They'll just know what SHA128/256 is, but not understand how it's practically implemented or works in general.
I would in all seriousness dumb it down and give them a very normie explanation of everything. Explain the risk you suspect and that it should be treated as an investigation or beginning stages of an incident.
Bimpster@reddit (OP)
After explaining, (pretty good at dumbing things down) they go back to their desk and ask ChatGPT and vomit the response back to me. Afterwards, I asked; Really, you don’t think I already exhausted my fú in Google and vocabulary in ChatGPT before coming to CyberSec? This is where I get baffled. Using Sumo, Falcon turned all up and on, Teneble, they are loaded for bear and can’t think. So, it’s a nothing burger to them. Our guys are smart, they understand the potential harm something like this can cause if it’s malicious. They don‘t Know what to do either.
Practical-Alarm1763@reddit
You have it in writing, you strongly advised, make one more desperate hail Mary then shrug it off. Advise and move on, you did everything right.
Bimpster@reddit (OP)
I can’t afford to recover from a system meltdown or “pay me bitcoin” screen. Neither can the guys who work with me. Too old fer dis sheit. Early retirement the day it happens.
The_Penguin22@reddit
Seems legit. /s
Bimpster@reddit (OP)
Sound like one of “them”…
NoEntertainment8725@reddit
is your insurance up to date?
Bimpster@reddit (OP)
Yes. Why, Thoughts?