In February and March, I witnessed the ransomware attack that hit many users in our organization. Suddenly users' files were encrypted and the IT department couldn't tell them when they would be recovered so they could continue their work. It took weeks to recover all files, and some were definitely gone, as they had been created on the day of infection and hadn't been backed up.
If you want to avoid this kind of situation, read these tips, drawn from my own experience, on how to lower the risk of crypto ransomware.
First, you need to educate users so they don't open suspicious emails or web pages. Unfortunately, in big organizations there will always be someone who does not follow the rules.
To lower the impact of the crypto ransomware variants you must have a good file backup. Remember that the ransomware first deletes all system Volume Shadow Copies and only then encrypts every file to which the user has write access, so there is no fast way to recover those files.
Make sure you have properly configured access rights to folders and maintain them on a regular basis. It may happen that some folders have inherited access rights for users who shouldn't have access. If you have a common folder where Domain Users have read/write access, you can be sure that it will be the first folder you need to recover from backup after a ransomware attack.
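As an added example (not code from the original post), the following PowerShell audit lists the folders under a share root where broad groups such as Domain Users, Authenticated Users or Everyone hold write, modify or delete rights, i.e. exactly the folders that ransomware running under any user account could encrypt. The root path, the domain name in the group list and the scan depth are assumptions to adjust for your environment; it needs PowerShell 5 or later for the -Depth parameter.

```powershell
# Added example, not from the original post. Root path and group names are placeholders.
function Find-BroadWriteAccess {
    param(
        [Parameter(Mandatory)] [string]$Root,           # e.g. '\\FS01\Shared' (placeholder)
        [string[]]$BroadGroups = @(
            'Everyone',
            'NT AUTHORITY\Authenticated Users',
            'BUILTIN\Users',
            'CONTOSO\Domain Users'                      # assumed domain name, change it
        ),
        [int]$Depth = 3
    )

    # Any of these rights lets a process running as the user overwrite or delete files.
    $writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                       [System.Security.AccessControl.FileSystemRights]::Modify -bor
                       [System.Security.AccessControl.FileSystemRights]::Delete -bor
                       [System.Security.AccessControl.FileSystemRights]::FullControl)

    $folders = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        try { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop } catch { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadGroups -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Folder    = $folder.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # True: the right was inherited from a parent folder
            }
        }
    }
}

# Usage: review the list and tighten the ACLs; inherited entries point at the parent to fix.
Find-BroadWriteAccess -Root '\\FS01\Shared' | Sort-Object Folder | Format-Table -AutoSize
```

Run it from an account that can read the ACLs on the share, schedule it, and diff the output against the previous run; a new row means someone granted broad write access since the last audit.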
Use the most up-to-date AV solution, with web reputation functionality if possible. This ransomware is usually distributed through websites or infected banners that redirect the victim to an exploit kit, so even if the user clicks the infected banner, the request will be stopped.
Stop web threats at the edge of your network using a content filter in your firewall. Many modern firewalls can use external services such as Blue Coat or Trend Micro to check web page reputation. You should also consider using Anomaly Detection and Prevention if possible; this protects against anomalies based on violations of protocol standards (RFCs, Requests for Comments) and abnormal flows such as port scans.
One of the sources of ransomware spread is email attachments. It is better to have a good anti-spam solution with built-in spam logic that learns quickly. It will not stop the mail from the first minute, but it will decrease the number of malicious emails as it learns. Office 365 Exchange Online Protection (EOP) is extremely efficient here, and remember that you don't need to have your mailbox in Office 365 in order to use EOP.
Use a secure DNS service. This can prevent your users from accessing dangerous domains if they are already recognized as dangerous. Unfortunately, it will not protect against redirection to IP-based URLs.
If you have already been hit by ransomware, don't panic!
Identify the source of infection. Usually, with this type of infection, a "how_recover…" file is created in every affected folder. Checking who owns that file points towards the source of infection. You might be surprised how many folders your users have access to when you search for those files across your file servers and application servers. Don't limit yourself: if you found the file on one server, search them all, even if you have thousands.
Lock the user account in AD and make sure you force the user to log off. If you cannot log off the user, cut the user's PC off from your network as soon as possible.
Delete the user's profile and be careful when you restore the profile from backup. The most common mistake is to also restore the web browser history and temporary files containing the infected banner or web page, which creates a risk of recurrent infection.
Search the user's mailbox for the suspicious mail messages already recognized by your spam system. If you find any that were released from spam quarantine to the user's mailbox, delete them if possible or ask the user to delete them.
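The first two steps above, finding the ransom-note files across all servers, reading their owner, and then locking the account and dropping its sessions, can be scripted. The following PowerShell is an added example written for this post, not the author's own script: the server names, the note-file pattern and the share enumeration are assumptions, and it assumes the ActiveDirectory module (RSAT) and the SMB cmdlets are available. Containment runs in -WhatIf mode until you pass -Execute after reviewing the suspect list.

```powershell
# Added example, not from the original post. Server names and the note pattern are
# placeholders; the ActiveDirectory module (RSAT) and SMB cmdlets are assumed to be present.
Import-Module ActiveDirectory

function Find-RansomNotes {
    param(
        [Parameter(Mandatory)] [string[]]$Servers,     # file/application servers to search
        [string]$NotePattern = 'how_recover*'          # ransom-note name seen in the attack
    )
    foreach ($server in $Servers) {
        # Search every non-administrative SMB share on the server.
        $shares = Get-SmbShare -CimSession $server -ErrorAction SilentlyContinue |
                  Where-Object { -not $_.Special }
        foreach ($share in $shares) {
            $unc = "\\$server\$($share.Name)"
            Get-ChildItem -LiteralPath $unc -Filter $NotePattern -File -Recurse -Force -ErrorAction SilentlyContinue |
                ForEach-Object {
                    [pscustomobject]@{
                        Server  = $server
                        Path    = $_.FullName
                        Owner   = (Get-Acl -LiteralPath $_.FullName).Owner   # account that created the note
                        Created = $_.CreationTime
                    }
                }
        }
    }
}

function Get-Suspects {
    param([Parameter(Mandatory)] [object[]]$Notes)
    # The owner written on the notes is the account the ransomware ran as; the earliest
    # note is the one closest to the initial infection.
    $Notes | Group-Object Owner | ForEach-Object {
        [pscustomobject]@{
            Owner     = $_.Name
            Notes     = $_.Count
            FirstSeen = ($_.Group | Sort-Object Created | Select-Object -First 1).Created
        }
    } | Sort-Object Notes -Descending
}

function Disable-SuspectAccount {
    param(
        [Parameter(Mandatory)] [string]$Owner,         # 'DOMAIN\user' as returned by Get-Acl
        [string[]]$Servers,
        [switch]$Execute                               # without it, only -WhatIf output is shown
    )
    $sam = $Owner.Split('\')[-1]
    # Step 1: lock the account so the user cannot reconnect to the shares.
    Disable-ADAccount -Identity $sam -WhatIf:(-not $Execute)
    # Step 2: drop the user's open SMB sessions; the client computer name in each session
    # is the PC to isolate from the network.
    foreach ($server in $Servers) {
        Get-SmbSession -CimSession $server -ErrorAction SilentlyContinue |
            Where-Object { $_.ClientUserName -like "*\$sam" } |
            ForEach-Object {
                Write-Host "Closing session from $($_.ClientComputerName) on $server"
                Close-SmbSession -CimSession $server -SessionId $_.SessionId -Force -WhatIf:(-not $Execute)
            }
    }
}

# Usage (placeholder names): search, save the evidence, rank suspects, then contain the top one.
$servers  = 'FS01', 'FS02', 'APP01'
$notes    = Find-RansomNotes -Servers $servers
$notes | Export-Csv -NoTypeInformation -Path "$env:TEMP\ransom-notes.csv"
$suspects = Get-Suspects -Notes $notes
$suspects | Format-Table -AutoSize
if ($suspects) {
    # Add -Execute after reviewing the list above.
    Disable-SuspectAccount -Owner $suspects[0].Owner -Servers $servers
}
```

Keep the exported CSV: it records which servers and folders were touched and in what order, which is what you need when deciding which backups to restore and when reporting the incident.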
Who can help when you are helpless?
The last thing you want to do is watch the ransomware encrypt more and more files on servers and computers across your company. If your AV solution cannot spot the source, you might look at a more effective way to find it before it gets really bad.
To identify the source of the infection we used the Cynet 360 solution, which can scan your virtual and physical environment impressively quickly and point out potentially dangerous files within the first few hours after it has been started. It can use an agent or an agent-less option. Because it continuously scans the environment, the next few hours bring more and more results that you didn't find using your AV solution. Cynet Support monitors alerts coming from your system 24/7, and when a high-security risk is reported they call your 24/7 IT support or fix the risk for you if you like. The solution doesn't provide automatic quarantine functionality yet, but they are working on it. Using the Cynet solution you can manually quarantine, delete or report the file, cut the computer off from the network, shut the server down and do much more. But most important is the infection report, which is valuable for any admin. Knowing the source, you know how to stop it.
Is my system ransomware proof?
You cannot rely on one solution to protect your environment, and the sad truth is that even if you are protected by multiple layers you cannot be 100% sure that your environment is ransomware-proof. If you know more tips or tricks that can help admins protect their organizations against this kind of threat, share your knowledge in the comments. I am sure they will appreciate it as much as I do.