Initial Comments on Ransomware


(Ryan) #41

Among other things, this is something that was easy to implement and seems like a logical block to Ransomware on the server. https://fsrm.experiant.ca/


(Ray) #42

Knock on wood, so far we haven’t been hit by ransomware. Knock on wood.

We use KnowBe4 for end user training which is the weakest link. We have desktop files backed up to file servers and those servers along with other servers are backed up locally and off site.

It would take the longest to rebuild the computers, but we have sufficient backups for everything where we wouldn’t have to pay any bitcoins.


(Raj Thadani) #43

We found that Exablox has a storage/backup solution that helps with a backup strategy that protects the backups from RW. Expensive, but good.


(Matthew Robinson) #44

Hi Ryan,

I imagine that the File Server Resource Manager would need updating on a regular basis, how would this best be done?

Thanks.


(Ryan) #45

@zx81
On the page there is a PowerShell script. Run it as admin and it will import all new extensions. I name my file screen group the date of my last import.


(Dan) #49

I have this implemented. It is great for 2 things:

  1. Blocking “KNOWN” malicious file types
  2. Alerting on other file types.

Anyone can make the encrypted files have any file extension. There is just no way to be 100% prepared for this. I try to update my list regularly, but something is better than nothing. As long as you understand this is not a one-and-done = protected. Nothing is.
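The following is an added example of the two-sided FSRM setup Ryan (#41, #45) and Dan (#49) describe: an active file screen that refuses known ransomware artefact patterns, and a passive screen that only logs other file types of interest. It is not the script from fsrm.experiant.ca and not either poster's code. The share paths, the extension lists and the group names are constructed for illustration; the script assumes the File Server Resource Manager feature is installed and that it runs elevated on the file server.

```powershell
# Added example: FSRM known-bad block list plus a passive "watch" screen.
# Assumes the FileServerResourceManager module is present and the session is elevated.
Import-Module FileServerResourceManager

$BlockPath = 'D:\Shares\Finance'   # assumption: share to protect with an active screen
$WatchPath = 'D:\Shares\Public'    # assumption: share that only gets logging (one screen per folder)

# Constructed sample of known ransomware artefact patterns. The real list is far
# longer and must be refreshed regularly, e.g. from the feed linked in #41.
$KnownBad = @('*.locky', '*.crypt', '*.cerber', '*_HELP_instructions.html', '*DECRYPT_INSTRUCTION*')

# Constructed watch-list: file types worth an event log entry but not a block.
$WatchList = @('*.zip', '*.7z', '*.exe', '*.js')

# Name the block group after the import date, as Ryan does, so the last refresh
# is visible at a glance in the FSRM console.
$stamp          = Get-Date -Format 'yyyy-MM-dd'
$BlockGroupName = "Ransomware Block $stamp"
$WatchGroupName = 'Ransomware Watch'

# Create the file group if it is new, otherwise replace its pattern list,
# so the script can be re-run after every list update.
function Set-GroupPatterns {
    param([string]$Name, [string[]]$Patterns)
    if (Get-FsrmFileGroup -Name $Name -ErrorAction SilentlyContinue) {
        Set-FsrmFileGroup -Name $Name -IncludePattern $Patterns | Out-Null
    } else {
        New-FsrmFileGroup -Name $Name -IncludePattern $Patterns | Out-Null
    }
}
Set-GroupPatterns -Name $BlockGroupName -Patterns $KnownBad
Set-GroupPatterns -Name $WatchGroupName -Patterns $WatchList

# Application event log entry on every hit. [Source Io Owner], [Source File Path]
# and [File Screen Path] are FSRM notification variables filled in at run time.
$logHit = New-FsrmAction -Type Event -EventType Warning `
    -Body 'FSRM: [Source Io Owner] wrote [Source File Path] under [File Screen Path]'

# Active screen: writes matching the block group are refused and logged.
New-FsrmFileScreen -Path $BlockPath -IncludeGroup $BlockGroupName `
    -Notification $logHit -Active:$true -Description 'Block known ransomware artefacts'

# Passive screen: writes matching the watch list are allowed but logged,
# which is the "alerting on other file types" half of the approach.
New-FsrmFileScreen -Path $WatchPath -IncludeGroup $WatchGroupName `
    -Notification $logHit -Active:$false -Description 'Alert on watch-list file types'
```

FSRM allows one file screen per folder, which is why the passive screen is attached to a different share here; in practice the watch list can also be added as a second include group on the same screen if blocking is acceptable for it. The Warning events land in the Application log, so they can be forwarded to whichever SIEM is in use (OSSIM and Security Onion are mentioned later in this thread). As Dan notes, pattern matching only catches extensions that are already known, so the event feed matters as much as the block list.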


#50

Robert - I’d love to hear more about your experience with DarkTrace after you settle in with it. They are hounding me!
Andrew


#51

I used the OSSIM product and really liked it, especially for the price. Any SIEM will need tuning and is only as good as the information you feed into it.

There are some other tools I like as well, such as Security Onion, that do a good job on the IDS side and can feed into OSSIM/USM in place of their IDS (Suricata-based, I believe) sensors.


(Michael Walters) #52

We also use PA’s uncategorized URL function in addition to another network IPS/IDS and have had great success so far.


(Jeff Henderson) #53

Your post caught my eye because of the percentages. I started out in the 30’s and now I average about 1.4. There always seems to be 1 person that fails the test. Glad they are tests.


(Pete Treichler) #54

I’ve been running a product called Cylance Protect on all client PCs for about 6 months now that I’ve been pretty happy with. In live, sandboxed tests against real threats (including zero day), Cylance has a 99% success rate. Worth looking into… I also regularly train and assess our staff and have a Dell SecureWorks iSensor device for 24x7 threat monitoring on my internet connection. The worst is that I still worry about ransomware threats.


(Frank) #55

I always tell my clients that AV, AM, and firewalls are after-the-fact protection. They are behind the attacks that are written daily. The best anti-virus, anti-malware, and anti-ransomware is a good training program in the workplace.


(Chris) #56

We recently got hit with Crysis ransomware; luckily we had good backups. Obviously we train the staff to be aware of opening email attachments and to be careful what web sites they use, but the users are always the weakest link.
Any suggestions of what else can be done to protect our server and shared folders?


#57

I think that the blend of application whitelisting, next-gen firewalls like Palo Alto, user education, and proper user credentials is good as a starting point for reducing the potential impact and occurrence of ransomware. I’m relatively new to the field; are there any other new suggestions for prevention or reducing the potential of ransomware? Love the community here!


(Dave Wilson) #58

We protect the endpoints with patching and software policies. Perimeter protection with full traffic shaping and SSL decrypt. We’re developing security awareness training and testing users, and also building an air gap between our prod and backup networks to avoid having our backups get encrypted. We have also been evaluating software that monitors file activity and alerts on strange behavior.
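Dave mentions evaluating software that watches file activity for strange behaviour. The following is an added example, not part of the original post and not any product's code, of the simplest useful form of that check: counting renames per user inside a sliding time window and raising an alert when one account renames more files than a person plausibly would. The event records are constructed here; in a real deployment they would come from file-access auditing on the share or from the monitoring product's own log. The "old -> new" path format and the threshold are assumptions.

```powershell
# Added example: detect a mass-rename burst in file-access events.
# Constructed sample records; the Path column uses "old -> new" for renames (assumption).
$SampleEvents = @'
Time,User,Op,Path
2016-06-01 08:01:02,CORP\alice,Write,\\fs1\Finance\Q1\budget.xlsx
2016-06-01 08:01:05,CORP\alice,Write,\\fs1\Finance\Q1\notes.docx
2016-06-01 08:02:10,CORP\bob,Rename,\\fs1\Finance\Q1\report.docx -> report.docx.locky
2016-06-01 08:02:11,CORP\bob,Rename,\\fs1\Finance\Q1\plan.xlsx -> plan.xlsx.locky
2016-06-01 08:02:11,CORP\bob,Rename,\\fs1\Finance\Q1\minutes.docx -> minutes.docx.locky
2016-06-01 08:02:12,CORP\bob,Rename,\\fs1\Finance\Q1\forecast.xlsx -> forecast.xlsx.locky
2016-06-01 08:02:13,CORP\bob,Rename,\\fs1\Finance\Q1\invoices.pdf -> invoices.pdf.locky
2016-06-01 08:05:00,CORP\alice,Rename,\\fs1\Finance\Q1\draft.docx -> final.docx
2016-06-01 09:40:00,CORP\alice,Rename,\\fs1\Finance\Q1\final.docx -> final_v2.docx
'@ | ConvertFrom-Csv

function Find-RenameBursts {
    param(
        [object[]]$Events,
        [int]$Threshold     = 5,    # renames inside one window that trigger an alert (assumption)
        [int]$WindowSeconds = 60
    )
    # Keep only renames and attach a parsed timestamp for arithmetic.
    $renames = $Events | Where-Object { $_.Op -eq 'Rename' } | ForEach-Object {
        $_ | Add-Member -NotePropertyName Stamp -NotePropertyValue ([datetime]$_.Time) -PassThru
    }
    foreach ($group in ($renames | Group-Object User)) {
        $sorted = @($group.Group | Sort-Object Stamp)
        $start = 0
        for ($end = 0; $end -lt $sorted.Count; $end++) {
            # Slide the window start forward until it is within WindowSeconds of the newest event.
            while (($sorted[$end].Stamp - $sorted[$start].Stamp).TotalSeconds -gt $WindowSeconds) {
                $start++
            }
            $count = $end - $start + 1
            if ($count -ge $Threshold) {
                # Report the extensions the files were renamed to; an extension no one
                # uses on purpose is the second signal on top of the volume.
                $newExts = $sorted[$start..$end] | ForEach-Object {
                    [IO.Path]::GetExtension(($_.Path -split ' -> ')[-1])
                } | Sort-Object -Unique
                [pscustomobject]@{
                    User          = $group.Name
                    Renames       = $count
                    WindowStart   = $sorted[$start].Stamp
                    WindowEnd     = $sorted[$end].Stamp
                    NewExtensions = ($newExts -join ',')
                }
                break   # one alert per user is enough; the response is the same
            }
        }
    }
}

# With the constructed data, bob is flagged (5 renames in 3 seconds, all to .locky)
# and alice is not (two renames an hour apart).
Find-RenameBursts -Events $SampleEvents | Format-Table -AutoSize
```

The threshold and window need tuning per environment, exactly as the SIEM posts in this thread say: a user unzipping an archive or a migration script will also rename many files quickly, so the new-extension column is what separates a burst worth paging for from a benign one. The natural response to a positive hit is to disable the account's share access, which is something the monitoring products Dave is evaluating typically automate.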


(Justin Cowling) #59

Just had the same issue with a client’s system… we restored from backup and didn’t lose anything. We are using the built-in Windows server backups here, running once per day. Thankfully the virus hit first thing in the morning.

I did put the pressure to get client workstation backups working though… there is a chance of losing a small number of personal files even with these backups in place.

I use Veeam backups elsewhere and prefer that because it can easily run hourly (or more) to minimize data loss.


(Varinder) #60

Ransomware is an emerging threat, and the most obvious fact is that it is used for extortion. However, in the near future I see it evolving into spyware as well. Or probably it already has and researchers are not yet aware of its spying capabilities. While the affected organization would grapple to recover and take hold of its computers and data, the ransomware masters would be busy sifting through the mined data to ascertain the value of the catch. So far I have seen two incidents of ransomware infection at one of our clients, and here is what I can share with you:
One of the users from the IT team got a phishing mail with the attachment “Pan card.pdf” from the accounts department. Being a privileged user, he had turned off his spam filter. Without looking at the sender details, he double-clicked to open it. He never knew why the file didn’t display anything until, two hours later, the file server went down and about 50 users complained that file extensions had changed. Most of the affected systems were either thin clients without antivirus or were running Trend Micro with definitions less than one month old. Since the client had a tie-up with Trend Micro, their vendor rushed in in the middle of the night and hardened the servers to ensure all executables are blocked from running in %Appdata%\ or the default install directories. The network was shut down, Trend Micro was upgraded to the latest definitions manually, and a scan was run on all systems. About 50 systems were found infected, with all encrypted files’ properties showing the owner as “one person”. It took about 18 hours to recover to business as usual. The client suffered a loss of about 2 hours of live production data, as backups happen every 2 hours, combined with 18 hours of production loss for a unit of about 100 people. No payments were made for encryption keys.
Learnings:

  1. Thin clients need to be switched off at least once every 12 hours during shift changes to ensure any live virus gets killed after shutdown.
  2. Anti-spam solutions and anti-virus solutions work great only if they are not managed by fools. The old adage “a fool with a tool is still a fool” holds true for all computer administrators who deploy it to control “other users only”.
  3. Audit, audit, audit: an in-depth audit of IT and IT services is necessary. It should be conducted by a team independent of IT. The focus areas could be firewall policies, filters, anti-virus log reviews, anti-virus update failure reviews, admin/privilege rights, anti-spam rule validation, system hardening, patching, etc.
  4. Incident management and response team: no controls can guarantee 100% protection. Each and every company must constitute an incident management and response team. The team needs to have strong training and should be empowered to take emergency actions without authorization.

Further, I would recommend the following links for reference:

  1. https://4sysops.com/archives/stopping-cryptolocker-and-other-ransomware/
  2. http://www.tripwire.com/state-of-security/security-data-protection/cyber-security/22-ransomware-prevention-tips/

Another security site, Thirdtier, provides a Ransomware Prevention Kit; however, I have not used it myself, though I have heard some positive feedback about their tools and tips.

Cheers