Initial Comments on Ransomware

(Dan) #21

Barracuda Backup appliance. Replicated to a 2nd unit in a different branch. Full restore times of 6 hours and still not 100%. Basically, they told me I need to install the OS first, then any programs (.NET, SQL, etc.), then I can do the restore. I spent 5 days testing and didn’t have 1 test I could say was 100% successful.

(Weston) #22

Ouch. I am not sure what your infrastructure is like, but I have been using Veeam for a while backing up our VMWare / ESX infrastructure. It is a breeze. I have tested a few of the backups, and a full VM restore usually takes < 1 hour. It will also let you stand up the VMs temporarily on its hardware so you have quite a bit less downtime. Not to mention the compression and dedupe is amazing.

(Greg) #23

We’ve been preparing against malware attacks for years, not just Ransomware. Ransomware is nasty, but it is just the flavor of the day(s). Traditional AVs will not stop it. Taking away admin rights will not stop it - I know from experience. The best thing any organization can do is to run a true whitelisting security platform in high enforcement such as a Carbonblack or Confer (they just merged, though). I am not endorsing them, per se, but using those products as an example of what to look for in whitelisting. The other part, of course, is patching vulnerabilities. Along with these, you need to have a good host-based firewall and IDS that can alert you to C2 callbacks and a good SIEM to look for file encryption activity and alert you in real time. You also need frequent onsite and offsite backups to recover from. We back up our file systems and production servers every 2 hours and those backups are replicated offsite into secure containers. Security is not a one shot and done thing. If any security software company tells you that they have the one product that does it all, walk away. It is a lie. Training is very important as well. We use KnowBe4 training for employees and our external customers. However, training can’t make someone unlearn a lifetime of bad habits and gullibility. It helps and, if done correctly and frequently, it can help a lot. But, humans are humans. We all fail sometimes. Take a look at the CIS Top 20 Critical Security Controls (used to be SANS Top 20) and try to do at least the top 5 CSCs. That will take you a long way to being secure.


(Dan) #24

Looked at them and a few others for a replacement. I kinda need a solution with storage built in right now. I’ll be demoing Dell Rapid Recovery (AppAssure) in the next week or 2.

(Weston) #25

Gotcha. I just put a bunch of large HDDs into the Veeam server, and did a RAID6, which gave me about 18TB usable. We are a smallish school, so that is plenty. I have some 6TB HDDs that I swap out regularly to carry backups offsite, so it is backing up to internal storage, and also external.


In addition to non-definition based AV, email filtering, web filtering, and good backups… My org uses group policy to impose software restrictions (exe’s, bats, vba’s etc) from executing in Windows tmp file locations. I also wrote a script that populates known ransomware file names and populates FSRM on our file server - these file types are blocked. List maintained here:

To second a lot of folks’ thoughts - education is the foundation of combating ransomware.

We also have a culture where the admin team has an open door policy to all users and we have trained users to approach us any time for questions regarding unusual emails and websites. We give users praise and thanks when they come to us for issues. It encourages open communication and reinforces the team effort it takes to protect the organization.
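As an added illustration of the FSRM approach described in the post above (this is example code, not the poster’s own script), the following populates an FSRM file group with ransomware-associated file name patterns and attaches an active, blocking file screen to a share. The share path, group name and the pattern list are constructed placeholders; it assumes the File Server Resource Manager role and its PowerShell module are installed on the file server.

```powershell
# Added example: maintain an FSRM file group of ransomware-associated file names
# and enforce it with an active file screen. Run on the file server as an admin.
Import-Module FileServerResourceManager

# Placeholders for your environment (assumptions, not values from the thread)
$SharePath = 'D:\Shares\Users'
$GroupName = 'Ransomware-Indicators'

# Constructed sample patterns; the poster's maintained list is not reproduced here.
$Patterns = @(
    '*.locked', '*.encrypted', '*.crypt',
    '_HELP_instructions.txt', 'DECRYPT_INSTRUCTIONS.html'
)

# Create the file group if missing, otherwise replace its pattern list so the
# script can be re-run whenever the list is updated.
$group = Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue
if ($null -eq $group) {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns `
        -Description 'File names and extensions associated with ransomware' | Out-Null
} else {
    Set-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns
}

# Log a Warning event each time the screen fires; FSRM expands the bracketed
# macros with the writing user, the file path and the screened folder, which
# gives a SIEM something concrete to alert on.
$notify = New-FsrmAction -Type Event -EventType Warning `
    -Body 'FSRM blocked [Source Io Owner] writing [Source File Path] on [File Screen Path]'

# -Active denies matching writes; omitting it would make the screen passive (log only).
$screen = Get-FsrmFileScreen -Path $SharePath -ErrorAction SilentlyContinue
if ($null -eq $screen) {
    New-FsrmFileScreen -Path $SharePath -IncludeGroup $GroupName -Active `
        -Notification $notify | Out-Null
} else {
    Set-FsrmFileScreen -Path $SharePath -IncludeGroup $GroupName -Active -Notification $notify
}

# Show the resulting screen so the change can be verified
Get-FsrmFileScreen -Path $SharePath | Select-Object Path, Active, IncludeGroup
```

Note that FSRM screens match on file names only, so a strain that keeps original names and extensions will not trip this control; it is one layer alongside the behaviour-based endpoint protection and backups discussed elsewhere in the thread.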

(David Whipps) #27

Regarding whether ransomware can encrypt Dropbox info, the short answer is that it depends on the malware, but generally yes. A good rule of thumb is that if you can edit the files on the device, so can malware.

(Steven DeBlieck) #28

My company purchased a hyperconverged storage system that has built-in snapshot software where you can restore your data or virtual machines in less than 2 mins. It is a product called SimpliVity, a great defense for malware and ransomware.

(Weston) #29

I just attended a conference that had a ransomware session. One of the scarier stats that they pointed out was that some ransomware will sit dormant on your system for 4 months before activating its payload. How far back do you guys keep backups?

(Brian Steingraber) #30


I’ll parrot what others have said as well. Our firewall’s Web-blocker/Categorization capability has the option to block ‘Newly registered domains’.

(Kelly Murphy) #31

A layered security approach is the best you can do, and even then…

Start with good endpoint protection that provides anti-malware capabilities that recognize malware based on behavior, not by signature. Signature is OK, but the behavior blocking will stop a lot of zero day attacks.

Keep your endpoints patched.

Of course, security awareness training and phishing your users. They are the weakest link to breaches.

IPS - stop as much as you can at the perimeter. IP reputation blocking and Geo based blocking can filter out a lot of bad stuff.

Egress filtering for the web prevents a lot of redirected links to bad sites.

Spam and virus blocking for email.

And of course, maintain current backups of critical business information.

None of these protections are sufficient on their own, but multiple layers help lower the threat risk for your business.


We put our users through the KnowBe4 training, we do periodic phishing tests, we use typical antivirus software, and we use Mimecast for email screening. But probably the best thing we ever did was completely block all .zip attachments. Since the majority of ransomware is still encapsulated in a zip for delivery, this has been huge for us. Surprisingly little user revolt, too.

(Ed Becker) #33

We use Trend Micro AND KnowBe4 user training. Trend Micro Worry-Free Antivirus for Business with the Ransomware ability turned on, which is good and, when combined with user training, is quite effective. We have had two serious incidents in the last year and none since we started with KnowBe4 in combination with Trend!

(Matthew Robinson) #34

We had a couple of levels of protection, however they were all breached recently when one of our users got a ransomware infection.

We have a UTM firewall with lots of things locked down and all traffic in and out being scanned for intrusion, viruses, email payloads and also web filtering. We have Webroot SecureAnywhere on the endpoints, which did eventually detect, stop and remove the ransomware processes but not until they had been busy encrypting the user’s files for several hours!

Since then we have implemented a software solution to enable us to keep the endpoint OS and third party software and plugins up to date without the need to give the local users Admin rights to install software. We’ve also installed Barkly behaviour monitoring software onto the endpoints to ‘hopefully’ detect and stop any ransomware/malware behaviour.

We were able to restore the user’s files with minimal time due to the hourly snapshots that our Nimble storage array takes, and we could also have recovered them from either our onsite or offsite daily backups.

Needless to say, we didn’t pay the ransom and have now also engaged the services of KnowBe4 training and testing, because when we ran a simulated phishing campaign on our users we had a click rate of over 70%, showing the need for staff training and continued testing.

(Ray) #35

Hey @dan, do you mind sharing what solution you have (had?)?

(Brian Steingraber) #36


Were you able to determine how the ransomware was able to get past your firewall?

(Dan) #37

I posted this above: Barracuda Backup appliance. Replicated to a 2nd unit in a different branch. Full restore times of 6 hours and still not 100%. Basically, they told me I need to install the OS first, then any programs (.NET, SQL, etc.), then I can do the restore. I spent 5 days testing and didn’t have 1 test I could say was 100% successful.

(Ray) #38

Anybody using AlienVault? Won’t prevent Ransomware from coming in, but can shorten the time for IT Dept. to respond to a potential threat.
I’m still tuning ours to have it report “real” threats, but I also use the Vulnerabilities report to find security holes that we may not have blocked or noticed. I like it.

(Matthew Robinson) #39

We didn’t find out how it got past the firewall, but Webroot looked into how it got past their endpoint protection and they believed that it was a zero-day attack that got in through an out-of-date Java or Flash plugin.

That did seem possible, as it was after the attack that I took a closer look at the endpoints only to find out that the users were basically dismissing Java and Flash updates and they were quite a few versions out of date. It’s also why we implemented a system for ensuring that I could roll out software patches centrally and not give the users the ability to deny the install or subsequent reboot if needed.

(Quentin Fisher) #40

We use a company called IronCore; they have a system called HCS, Hardware Contingency Service. This service guarantees our servers and connectivity within 24 hrs; all the testing I’ve done shows we are up within 2 hrs. The HCS service takes a snapshot of our servers every night so it is as up to date as it can be. If we were to get ransomware we would only lose that day’s worth of information on our servers. Love it.