Initial Comments on Ransomware

(Uval Lubarsky) #61

I believe user training is essential but we need to ensure that the amount of malware is diminished, reducing the possibility that a user action may infect the network.

We implemented firewalls with gateway antivirus, intrusion protection, and application control at each site, blocking encrypted key exchange and HTTPS proxy, which some ransomware use to fetch the encryption keys.

We also began filtering SMTP traffic using a third-party appliance, reducing the amount of email received by close to 80%. All zipped or macro-enabled attachments are quarantined on our mail server. Our customers/vendors are made aware of our requirements to limit these types of files, and for the most part, they comply.

The number of infections across the network has been reduced dramatically, and all users, including our CEO, now inform the team of suspicious emails rather than opening them.
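As an added illustration of the quarantine rule described in the post above (this is not code from the original post or from any product named in the thread), here is a small Python mail filter: it parses a MIME message and flags zip archives (including ones renamed to another extension) and macro-enabled Office documents, detecting macros by looking for a VBA project stream inside the OOXML container rather than trusting the extension. The sample message and its attachments are constructed inline.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Office Open XML files are zip containers; any other zip-magic payload is an archive.
OOXML_EXT = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm", ".dotm", ".xltm"}
ARCHIVE_EXT = {".zip", ".7z", ".rar"}

def has_vba_project(data: bytes) -> bool:
    """True if an OOXML container carries a VBA macro stream (vbaProject.bin)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'quarantine' or 'allow', judging by content rather than name alone."""
    ext = filename.lower()[filename.rfind("."):] if "." in filename else ""
    if ext in ARCHIVE_EXT or (data.startswith(b"PK\x03\x04") and ext not in OOXML_EXT):
        return "quarantine"  # archive, including a zip renamed to e.g. .jpg
    if has_vba_project(data):
        return "quarantine"  # macro-enabled Office document, whatever its extension
    return "allow"

def scan_message(raw: bytes) -> dict:
    """Map every attachment filename in a raw RFC 5322 message to its verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {p.get_filename(): classify_attachment(p.get_filename(), p.get_payload(decode=True))
            for p in msg.iter_attachments()}

def make_zip(entries: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, content in entries.items():
            zf.writestr(n, content)
    return buf.getvalue()

def build_sample() -> bytes:
    """Constructed test message: a macro-enabled docx, a clean docx and a zip archive."""
    base = {"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w/>"}
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.test", "ap@example.test", "Invoice"
    msg.set_content("See attached.")
    for fname, data in [("invoice.docx", make_zip({**base, "word/vbaProject.bin": b"constructed"})),
                        ("report.docx", make_zip(base)),
                        ("scan.zip", make_zip({"readme.txt": b"hi"}))]:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=fname)
    return bytes(msg)
```

On a real mail gateway the verdict would drive the quarantine action; here `scan_message` simply returns it per attachment.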

(Vaidas) #62

To protect MS file sharing servers, I recommend using the freeware "CryptoLocker Tripwire".

To protect users' PCs, I recommend using "ESET Endpoint Protection" antivirus with a properly configured HIPS (Host Intrusion Prevention System).
HIPS allows deleting/modifying files in the "Desktop" and "My Documents" folders only for whitelisted programs (winword.exe, excel.exe, explorer.exe, etc.).

(N3tl0kr) #63

I hadn't heard of these yet, but I've had a lot of vendors bringing these magic smoke solutions to me too.

(Steve) #64

We've been blocking zip files for email attachments, as well as a host of other extensions, for a while. We've just changed to Webroot from Symantec and so far so good.

I issue email updates to all users from time to time with tips and training on things like identifying suspicious emails, what not to do, etc.

My only worry is that we have some old systems as we run some science equipment that we can’t update (as the science equipment doesn’t work!) and they’re slightly exposed!

(Scott Martens) #65

We use Malwarebytes, CryptoPrevent, and OpenDNS to protect against ransomware. We have also deconstructed a Nemucod variant and obtained the decryption key.


Yes, we are implementing a layered approach. One of the first technologies implemented was Local Administrator Password Solution by Microsoft. Now this only helps to protect the endpoint from being compromised. We are still researching and exploring others that will help mitigate the risk of user files being infected. Not sure if this can be completely stopped and, as Bruce mentioned, training and backup are critical.

(Tom) #67

Has anyone seen any ransomware attacking mobile phones? I’ve heard some rumors but nothing “official.”

(David Whipps) #68

Since upgrading my org to Windows 10, the funny benefit of Edge not supporting any add-ons appears that it’s very resilient to the typical Zero-day vulnerabilities from your usual Java and Flash plugins since it possesses neither and only supports the functionality natively via HTML instead. That’s not to say it cannot still happen, but I have not had a ransomware issue on any machine running Windows in a higher version than 7 as of yet.

Granted, I've instituted a "no Chrome, no Firefox, and IE only for printing from the web for the very few individuals who have the need to do so" policy, so that greatly reduces our vulnerability footprint since Edge is both still pretty new and does not support add-ons and plugins. I wish I could say most folks could do what I've done to mitigate, but I realize my user base is not very web-centric at all, with only half a dozen users having any real need to spend significant amounts of time on the internet at all.

(David Whipps) #69

I started seeing ransomware on Android devices as long as two years ago when I still worked for the Orange and Black in a big blue box ^.^. It's been around a long time, but you won't see very much of it outside certain brand devices and folks who root their devices.

(Corbett Enders) #70

We utilise a deny all software restriction policy and whitelist known paths or publishers (paths such as c:\windows or c:\program files). Local users are not administrators. Should something be received via email (a crafty macro word doc that retrieves content) I am hoping this measure prevents execution of said crypto software.

(Lisa) #71

Hi Robert, we had a demo on Dark Trace a few months back. Looks like a pretty cool tool. I am always leery, though, when it seems "too good to be true" from a price perspective. How long have you been using Dark Trace?

(Lee Esselstrom) #72

We had a client get some crypto-ware that did encrypt his dropbox,

(Collin) #73

I have yet to see an AV product that stops everything.
As everyone has pointed out already, the layered approach is the best.

Coincidentally, a local business was recently hit with ransomware and they were flummoxed because they believed they had one of those “we stop everything, even X” AV solutions. They were without everything, even phones, for an entire week. Obviously there were some other glaring security issues but never buy the “we can do it all” sales pitch.

(Robert Peterson) #74

We are just in the 3rd week of the POC phase. I have had one report and will get another this Wed.

The product does a good job of what it says it will do. The deciding factor will be price.

In comparing the two products (Dark Trace and Protectwise) – each have their pros and cons. Right now I am leaning towards Protectwise. We do not know what the price of either product will be.

Robert Peterson
Systems Administrator

(Collin) #75

Yes, it can encrypt Dropbox files, but they can be easily rolled back via Dropbox's versioning feature.

(Eric) #76

Hello. We are an MSP, and have been dealing with a rise in ransomware incidents in the last 1-2 years. We find it is best to educate the users since they are on the front lines and, if educated, will not be as likely to click on malicious links. We also recommend locking down the PCs so there are no local admin rights, and being sure UAC and Windows Firewall are on.

At the gateway we use managed SonicWall firewalls with the full Security Suite… We use SonicWall Geo-IP filtering to block countries with the highest incidents of attacks, we block botnet command and control servers, and Malware & Proxy URL categories, along with any other categories not needed by the client. It is also very good to block the "uncategorized" URL category since most of the phone-home (encryption) occurs to recently registered domain names. Another thing that has helped in a BIG way is doing application filtering and blocking all proxy and P2P traffic at the application level. This blocks the UDP encrypted key exchange, which is what occurs when the ransomware phones home to do the key exchange and encrypt the files. If you block the key exchange, the files will not be encrypted. This has helped significantly and (knock on wood) we have not had another incident of ransomware for any of our clients since implementing these changes. Hope this helps…

(Samuel Smith) #77

Is anyone under any impression that social engineering was founded by a hacker (data mining) and a marketing major (again, big ideas on data mining: barrage you with ads and find out what you like to steer the proper products to you)? I still have yet to find a good use to outweigh the bad uses.

Only a few weeks after our firm leaped onto LinkedIn at the behest of the marketing dept, our upper management was hit with emails, a few of which I know were from data on LinkedIn, and of course they were able to match a name to a domain to easily find a proper email to send to.

(Vince Romney) #78

As an SMB, we’re constantly struggling to find funds for even basic tools, so we’re currently using several of the tools incumbent in both Office 365 and in Cloudflare to filter inbound emails that have links or attachments, as well as those coming from bad IPs… and we spend a bunch of time in training. Additionally, we’ve worked out a regular backup process that should allow us to keep the damage minimized should someone “click”.

If you’ve got the funds though, be cautious about anyone claiming immunity with a single tool… they might hit the vast majority of potential entry vectors, but “total immunity” seems like a pretty tall claim in the world of cyber security :wink: Just my .02USD

(Dan MacGregor) #79

Looking to use Cylance. It is a whitelisting capable AV that handles threats much better. So far it is the only one to stop mutating threats that get around regular signature-based AV.

(Dan MacGregor) #80

Can you be more specific about country blocks you actually block? Seen some instances where certain sites are not accessible due to enabling GEO-IP filtering. Would you mind sharing your thoughts on what specific countries are safe to block?