Initial Comments on Ransomware

(Eric) #81

If a company does not have an international presence or international access is not needed, we start by blocking the most common countries outside the US where hacking originates, such as China, India (although this one may be tough with so much tech and software support outsourced to India today), Turkey, Russia, Taiwan, Brazil, Romania, Italy and Hungary. I also usually block the Democratic People’s Republic of Korea (North Korea) and Saudi Arabia.

Then, if we have any connection issues, I monitor the firewall logs and look for any Geo-IP blocks that may be causing the issue. You can always add more protection and then monitor to see the result.

(Joey Albert) #82

Our firewall has an IPS wherein we restrict transfer of password-protected ZIP files, restrict transfer of MS Office type files containing macros (VBA 5 and above), and restrict transfer of packed executable files (UPX, FSG, etc.) over HTTP, FTP, IMAP, SMTP, POP3 and CIFS/NetBIOS. On our domain, I’ve followed the instructions here:

Additionally, our endpoints are protected by Symantec Endpoint Protection, with our routers' DNS going through OpenDNS Umbrella.

We are looking at Proofpoint, FireEye, Darktrace and Cylance as well. They are almost in the same price range (per user/endpoint/per year), although Cylance is less responsive in terms of cost.

While the first and last line of defense is the end user, we implement phishing tests from KnowBe4 to ascertain the enterprise readiness. Training and cognizance are key. After all, the saying goes (and is so true) that “Common sense is not so common at all.”
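The three transfer restrictions above can also be checked at file level, for example on a mail gateway or an upload handler; this Python is an added example, not the poster's IPS configuration or any vendor's code. It assumes the UPX0/UPX1 section names as the packer indicator (an indicator, not proof) and builds its sample ZIP and PE inputs in memory as constructed toy files.

```python
import io
import struct
import zipfile

def zip_traits(data: bytes) -> tuple:
    """(encrypted, has_vba): flag bit 0 marks an encrypted entry; OOXML macros live in vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return (False, False)
    return (any(i.flag_bits & 0x1 for i in infos),
            any(i.filename.lower().endswith("vbaproject.bin") for i in infos))

def pe_section_names(data: bytes) -> list:
    """MZ header -> e_lfanew -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return []
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        return []
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    table = pe + 24 + struct.unpack_from("<H", data, pe + 20)[0]   # skip the optional header
    return [data[table + i * 40:table + i * 40 + 8].rstrip(b"\0").decode("ascii", "replace")
            for i in range(nsect)]

def classify(data: bytes) -> list:
    """Labels for the three transfer restrictions named in the post."""
    encrypted, vba = zip_traits(data)
    packed = any(n.startswith("UPX") for n in pe_section_names(data))   # UPX0/UPX1 sections
    return [label for hit, label in ((encrypted, "password-protected-zip"), (vba, "office-macro"),
                                     (packed, "packed-executable")) if hit]

def make_zip(entries: dict, encrypted: bool = False) -> bytes:
    """Constructed sample: stored ZIP; optionally sets the encryption bit on the first central entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    data = bytearray(buf.getvalue())
    if encrypted:
        data[data.find(b"PK\x01\x02") + 8] |= 0x1   # flags field of the central directory record
    return bytes(data)

def make_pe(section_names: list) -> bytes:
    """Constructed sample: bare PE skeleton (no optional header, no code) with the given sections."""
    mz = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                       # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    return mz + coff + b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
```

Legacy OLE documents (.doc, .xls) store their VBA streams differently and are not covered by the OOXML check here.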

(Pete Treichler) #83

If you’re interested in Cylance, you’ll have better success working through a vendor. I purchased licenses through CommSolutions out of the Philadelphia area.