Solved

Is there an application that prevents files in a file server from being encrypted?

Posted on 2015-01-20
11
261 Views
Last Modified: 2015-01-28
A while back, a user got infected by CryptoLocker and when he went to save a file to the server (he saves everything to the server), it encrypted all the files in that particular directory. We restored the complete server and there was no harm... However, we want to prevent similar problems in the future.
Does anyone know if there are any applications that would completely block any encryption tools from running on a file server?

Thanks,

Allie
0
Question by:TSAdmin8
11 Comments
 
LVL 13

Accepted Solution

by:
Rizzle earned 125 total points
ID: 40560176
What AV have you got in place in your environment?

Also, even some of the best security systems in the world sometimes can't protect you enough, so what we are big on internally is user awareness training for using the web.

We also block .exe or any suspicious-looking attachments, and we prevent our users going to any malicious or dodgy-looking websites by blocking their access to them via a proxy.

Ensure your servers, clients and applications are thoroughly patched.

Look into this utility:
https://www.foolishit.com/vb6-projects/cryptoprevent/
0
 
LVL 1

Author Comment

by:TSAdmin8
ID: 40560215
Hi Roshan,

Thank you for the quick response!
The user contracted it by visiting a valid site that had been hacked.  The whole problem happened within 5 minutes of the user visiting the site.
We use Trend Micro OfficeScan and also have 24x7 monitoring by Alert Logic. We can catch things very quickly if any threats happen to infiltrate our business. However, malware and viruses are always evolving and 'all' security companies are always scrambling to find solutions.
We push out all application updates monthly to all clients and servers (and occasionally when important updates are made available, we also push them to clients and servers outside of our 'normal' update schedule).
We block .exe and many other attachments at our spam firewall and recently have removed many privileges for the majority of our users (the user who got the infection did not have administrative privileges either).
I am willing to buy peace of mind though so I am looking at the app you mentioned!  Thanks!

Thanks,

Allie
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40560231
I think it was just pure luck your user was infected, from what you've said. But apart from the app I've provided you, I would say you're very well protected! Maybe have a word with Trend Micro to ensure they're monitoring these infections; we spoke to Sophos after the outbreak and they reassured us they have the correct preventions in place to ensure their clients are fully protected. Maybe worth getting that reassurance!
0

 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 125 total points
ID: 40560248
Sadly, no. But in theory it's possible: certain document types (the ones most likely to be encrypted) have very rigid header info; a write monitor could intercept disk writes, inspect the header info, and suspend any process that attempts to write a file with a known extension (such as docx) that doesn't conform to that file format.

However, I am not aware of any product that can do this, so there's a gap in the market there....
0
 
LVL 55

Assisted Solution

by:McKnife
McKnife earned 125 total points
ID: 40560990
Be aware that the encryption does not happen at the server, but at the client: malware at the client encrypts the files it finds on network shares the user can access.
At the clients, you should use normal best practices: let them only run approved code. Using whitelists together with AppLocker or software restriction policies effectively fights crypto viruses.

Please note the difference from Roshan's link: that's blacklisting, not whitelisting. Easier to administer, but not 100% effective like whitelisting is.
0
 
LVL 64

Assisted Solution

by:btan
btan earned 125 total points
ID: 40561980
App whitelisting is to be considered if you deem the client machine can be locked down to only user-specific authorised apps. Windows has AppLocker, as well as restricting administrative privileges; for a start, a user cannot be admin or have that privilege. We are talking of reducing exposure, though these two schemes can be bypassed. In fact, the Australian Govt sees these two as among their top mitigation measures.
http://www.asd.gov.au/publications/protect/application_whitelisting.htm
http://www.asd.gov.au/publications/protect/restricting_admin_privileges.htm

There is other s/w like WinSelect that locks down the browser, almost giving a "kiosk" type setup for these vulnerable clients with high exposure like shared machines... there is also Anti-Executable to layer another check on top, rather than relying solely on AV.
http://www.faronics.com/en-uk/products/winselect/standard/
http://www.faronics.com/en-uk/products/anti-executable/standard/

Of course, ideally if the client machine can revert back (on each reboot) to its native clean slate (s/w like Deep Freeze), the exposure is very much reduced, but this use case is likely not palatable for end users unless they are in critical work that needs high assurance on the machine even before starting work... some go for VDI and thin clients...

Side note: I am not advocating any specific vendor or s/w, but relying on AV and FW and the traditional means does not serve well against the threat we are seeing. Ransomware variants spawn off speedily; backup data is just the last resort if a machine gets compromised... we cannot be 100% secure or expect to have a silver bullet. We just need to constantly monitor and sharpen our arsenal of tools to stay effective.

Some, in order to fend against ransomware, have written scripts to scan for dropped files to sieve out compromised machines, or to beef up checks for the call-back or beacon, e.g. in
http://www.experts-exchange.com/Security/Vulnerabilities/Q_28590936.html#a40533048
http://www.experts-exchange.com/Security/Vulnerabilities/Q_28296044.html#a39654430

Also, a recent one: if you see file extensions with .rlspiam in your Windows Explorer, you are most likely already infected by a new wave of CryptoLocker.
0
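Dave Howe's header-conformance idea and the .rlspiam marker from the comment above, combined into one scan as an added Python example that is not from the thread or from any product it names. It checks an existing tree after the fact rather than intercepting writes (that would need a filesystem filter driver); the magic-byte table is the standard one for these formats, and the sample files are constructed in a temporary directory.

```python
import os
import tempfile
from pathlib import Path

# Leading bytes ("magic") expected for document types ransomware targets most.
# docx/xlsx/pptx are ZIP containers, so all three share the PK signature.
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".doc": OLE2, ".xls": OLE2,
    ".pdf": b"%PDF",
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}
# Extension named in the thread as a marker of the new CryptoLocker wave.
RANSOM_EXTENSIONS = {".rlspiam"}


def check_file(path):
    """Return a finding string, or None if the file looks consistent."""
    p = Path(path)
    ext = p.suffix.lower()
    if ext in RANSOM_EXTENSIONS:
        return "ransomware extension"
    magic = MAGIC.get(ext)
    if magic is None:
        return None  # unknown type: nothing to compare against
    with open(p, "rb") as fh:
        head = fh.read(len(magic))
    return None if head == magic else "header mismatch"


def scan_share(root):
    """Walk a share and map each suspicious file path to its finding."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            finding = check_file(full)
            if finding:
                findings[full] = finding
    return findings


def demo():
    """Build a constructed sample tree in a temp dir and scan it."""
    root = tempfile.mkdtemp()
    Path(root, "good.docx").write_bytes(b"PK\x03\x04" + b"\0" * 28)
    Path(root, "bad.docx").write_bytes(bytes(range(200, 248)))  # encrypted-looking junk
    Path(root, "memo.rlspiam").write_bytes(b"not a real document")
    Path(root, "notes.txt").write_bytes(b"plain text, no magic to check")
    return {os.path.basename(k): v for k, v in scan_share(root).items()}
```

Run on a share, a single "header mismatch" hit on a freshly written document is the signal to pull the writing client off the network, which is the action the thread's author had to take by hand.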
 
LVL 1

Author Closing Comment

by:TSAdmin8
ID: 40567025
We are evaluating Cryptoprevent :)
0
 
LVL 64

Expert Comment

by:btan
ID: 40567582
Thanks. Good to take note of this too, as also mentioned for SRP or AppLocker.
Whitelisting:

  • Whitelisting in CryptoPrevent currently applies to Software Restriction Policies only; it does NOT apply to the Filter Module including Program Filtering.
  • A whitelist rule may contain environment variables native to Windows, such as %userprofile% or %appdata%.
  • Windows will ignore a whitelist rule containing wildcards if a more specific blacklist rule is in effect, which with CryptoPrevent rules is almost always the case.
http://www.foolishit.com/vb6-projects/cryptoprevent/technical-information/
0
 

Expert Comment

by:sbukovic
ID: 40574570
You will need a multi-layered security approach. Hardened endpoints against CIS Standards, MS Security Configuration Manager baseline templates, etc. Software Restriction Policies are a MUST; I really like https://www.foolishit.com/vb6-projects/cryptoprevent/ as mentioned in a previous response. Basically, you need to ensure that you restrict executables etc. from running from temporary download space and restrict browsers from being able to execute scripts hosted on compromised websites. A reputable antivirus with web analytics technology built in is important, not Microsoft Security Essentials or Forefront; stick with vendors like Sophos, Trend, Intel Security, or Symantec. Implement a good web proxy technology like Websense, Barracuda, WatchGuard, or something that utilizes their intelligence feeds.

The best thing you can really do is ensure that the workstations are adequately hardened.  End user security awareness can go pretty far, if they listen, but without a good layered endpoint protection strategy no amount of security awareness will help.
0
 
LVL 1

Author Comment

by:TSAdmin8
ID: 40575201
Hi Sbukovic,
We do have a multi-layered approach already! We use Barracuda, Trend, have blacklisted executables, etc. The best part of our security scheme is AlertLogic! They monitor your incoming and outgoing traffic and catch anything suspicious within 1 - 5 minutes of the activity starting! It is an expensive service but definitely worth it! I just wanted to add, as I think that in combination with everything else, AlertLogic is a very valuable tool (too many crooks out there). In truth, AlertLogic did catch the activity (when the user whose files got locked was infected), but by the time we got an email and phone call, and literally ran to the user's workstation to disconnect it, it was too late and a few files had been encrypted.
Thankfully we also have a good backup scheme, so all the files were recovered promptly!
CryptoPrevent had me download the full version and we are currently testing it against all of our existing software so that we can make exceptions! I have to add that I enjoyed talking to them and they seem to be spot on regarding their product and possible interference with other valid software! I will post later to let everyone know more about it!
Thanks everyone for the great responses!
0
 
LVL 64

Expert Comment

by:btan
ID: 40575227
Nice, folks. There is no security silver bullet or perfect security; defence in depth is not only about different solutions, as all have clearly verbalized in this forum; it is to best help the blue team reduce windows of exposure and close the gap in a timely manner. It is not "if" an incident happens but "when" it does happen: what are we going to do about it? You may also want to consider EMET, though it may not be ransomware- or cryptoware-centric.
0
