Initial Comments on Ransomware

Comments on ransomware from several of our first members.

I’d be curious to know what other SMBs are using as a ransomware prevention system. I have companies desperately trying to catch my attention that call themselves immune systems and say they can catch everything, but I’m very suspicious of anything that claims to be a one-stop shop that can prevent anything and everything.

I have the same concerns. Obviously the prevention providers are rushing to fill the gap(s). As to who the winner will be... At this time the best defense seems to be training/awareness and having multiple secure backups of critical data.

I agree, security awareness training and having frequent backups seem to be the best prevention at this point in time. Just remember with your backups to make sure your backup catalog and software are available off your network. You could get the ransomware on your backup server and then have no way back.

I’ve heard two stories recently, both from friends whose companies were attacked. Both refused to pay and restored data from backups. In one case the backup was easy; the other took a while. Which leads to: what are the best and safest backup strategies?

Is it true that ransomware encrypts your Dropbox information too?

Anyone have any experience with Darktrace or ProtectionWise?

We are beginning to test both.

Darktrace has been in place for a couple of weeks and alerted us to a potential ransomware attempt, but it is not designed to prevent it.

ProtectionWise, I’m just getting set up.

@JamesHisey: Did you hear how the attack took place? Was it via a phishing/email hack?

@Robert Peterson: Definitely keep us posted on your findings. So far, you are the only one testing systems.

We started using whitelisting in mid-2014. Training and phishing tests happen on a continuing basis. The phishing tests keep getting more difficult as time goes by. Traditional next-gen firewalls, etc. as well. Multiple layers of protection are required, but they can’t entirely protect the system from a person who does not control their click finger.

At a recent conference, a presenter on ransomware mentioned that many ransomware applications can be stopped by blocking all domain names that have been registered in the last 90 days or so. The logic being most legitimate domain names are older before widespread use, and ransomware tends to use newer domain names to get their encryption keys. What I am wondering is if anyone knows of a tool that can block traffic to “young” domain names. For example, is there a way to do that with something like OpenDNS?
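The "young domain" rule above is simple enough to sketch as resolver-side policy. The following is an added example, not code from any product mentioned in the thread: it reduces a queried hostname to its registered name, looks the name up in a registration-date table, and blocks it when the domain is younger than the threshold. The lookup table and dates are constructed stand-ins for a WHOIS/RDAP or "newly registered domains" feed, and the `registrable_domain()` reduction is a simplification that does not consult the Public Suffix List (assumptions, not facts from the page).

```python
from datetime import date
from typing import Dict, List, Optional, Tuple

# Threshold suggested by the presenter: "registered in the last 90 days or so".
MAX_AGE_DAYS = 90

# Constructed sample standing in for a WHOIS/RDAP lookup. Domains and dates
# are made up for this example; None models a lookup that returned no date.
REGISTRATION_DATES: Dict[str, Optional[date]] = {
    "example.com": date(1995, 8, 14),
    "newlyregistered.example": date(2016, 3, 1),
    "payload-host.example": None,
}


def registrable_domain(hostname: str) -> str:
    """Reduce a queried hostname to its registered name (last two labels).

    Simplification: this does not consult the Public Suffix List, so names
    under multi-label suffixes such as co.uk would be reduced incorrectly.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_age_days(
    hostname: str,
    today: date,
    registry: Dict[str, Optional[date]] = REGISTRATION_DATES,
) -> Optional[int]:
    """Age of the registered domain in days, or None if no date is known."""
    created = registry.get(registrable_domain(hostname))
    if created is None:
        return None
    return (today - created).days


def should_block(
    hostname: str,
    today: date,
    max_age_days: int = MAX_AGE_DAYS,
    block_unknown: bool = True,
    registry: Dict[str, Optional[date]] = REGISTRATION_DATES,
) -> bool:
    """Block domains younger than the threshold.

    A domain with no registration date is treated as uncategorized; the
    block_unknown flag decides whether that fails closed (block) or open.
    """
    age = domain_age_days(hostname, today, registry)
    if age is None:
        return block_unknown
    return age < max_age_days


def filter_queries(queries: List[str], today: date) -> Tuple[List[str], List[str]]:
    """Split a batch of queried hostnames into (allowed, blocked) lists."""
    allowed: List[str] = []
    blocked: List[str] = []
    for q in queries:
        (blocked if should_block(q, today) else allowed).append(q)
    return allowed, blocked


if __name__ == "__main__":
    sample = ["www.example.com", "cdn.newlyregistered.example", "payload-host.example"]
    ok, denied = filter_queries(sample, date(2016, 4, 1))
    print("allowed:", ok)
    print("blocked:", denied)
```

In practice the registration date has to come from somewhere the resolver can query quickly, which is why the same idea usually shows up as a "newly registered" or "uncategorized" category in a DNS or web filter rather than as live WHOIS lookups; the `block_unknown` switch is where the fail-closed versus fail-open trade-off lives.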

Our Palo Alto has an option to block uncategorized sites. This goes a long way toward blocking new sites. Not fail-safe, obviously, but sites remain blocked until their team has a chance to check the site out and categorize it.

For web filtering, Bluecoat has the same option, as well as classification of known bad websites.

It’s nearly impossible to stop ransomware. Training is your best option. We use KnowBe4 training and phishing campaigns. We went from around 35% of our users clicking phishing email before KnowBe4 to about 1.5% of users clicking phishing email after KnowBe4.

I am not sure that we can be 100% safe from ransomware. I started end-user training, a BYOD policy, multiple backups and more. Just doing all that we can here to be ready for when it does occur.

We have had to deal with a couple of ransomware situations. Both times we restored the files from backup. No loss of data and no bitcoin payments. Will that work every time? Hard to say.

Training is the key. We are just starting with KnowBe4, I am anxious to see how our click prone numbers improve.

End-user training is a big part of security, but anything you can do is helpful. I block certain file types from coming in at the gateway firewall and email firewall ends. I also have FSRM running on the file server. None of these are 100% foolproof, but anything that helps puts you in a better state. And test your backups!

I just got done testing our backups and found out that while yes, I can restore, our current solution is garbage for any type of true DR situation.

If you don’t mind me asking, what are you currently using? [regarding backups]

Anyone have any real-world experience with ThreatSTOP for this kind of thing?