
How to prevent Ransomware on corporate network?

Hi All,

In the past couple of months, we have been hit with the ransomware virus 3 times. Lucky for us, we have timely backups that allow us to restore shared network drives; however, I'm looking for a way around this. Since we are a completely virtual environment, I don't care about a person's individual VM getting blown up; we can always recreate that. What I do care about is our network shares. I've been trying to research ways to prevent the encryption of those files. One idea I had was requiring user authentication to the shared drives, like every 10 minutes if they have to access it. Then I'm limiting the window whereby I could have an infection. Has anyone come up with any solutions to prevent this from happening?

Any help would be greatly appreciated.

-Anthony

William Fulks, IT Services Analyst

Commented:
Before you go looking into some software solution, user education should be your first line of defense. You can put all kinds of stuff into place but if you get somebody who opens every email attachment or pays no mind when browsing online, you're going to keep having problems.

You may want to look into Barracuda's web filtering service, too.
Distinguished Expert 2019

Commented:
This is no special virus. It's only very effective in money-making.
So the rules for preventing it are always the same: keep people from executing unknown code.
The most effective measure against it would be AppLocker. AppLocker would only allow known executables to run.

Author

Commented:
I keep reading about everyone saying the same thing about user understanding. I feel like that can only go so far.

I've already read about AppLocker; however, we use Windows 7 Professional, and from my understanding AppLocker doesn't work as effectively with Professional as it would with the Enterprise version of Windows...
William Fulks, IT Services Analyst

Commented:
For example, your idea of requiring authentication every 10 minutes would be incredibly annoying to the end user. I'd get cussed out from one end of this office to the other if I implemented that. You've got to find the right balance between security and usability. But really, the first step is teaching people not to get into the stuff that causes the infection in the first place. Until you do that, you'll never get this fixed. Plus that kind of malware/virus/adware/ransomware morphs and changes constantly so if you do come up with some kind of fix, the next infection could work right around that.

Author

Commented:
Great points, Will. We already have content filtering for our web traffic and email virus scanning going on as well. I'll try to get some literature together and send it out to all the employees so they understand the impact of this.

Thanks.
William Fulks, IT Services Analyst

Commented:
Do you know how the ransomware got in?

I forgot to ask if users have admin rights to their PCs. Locking that down would keep people from installing things.
All good points, but if you really want to prevent ransomware to the fullest extent you are able, try using GPOs to push out policies (see my article on what ransomware really is and how to deal with it). There is a link there near the end to one of the bleepingcomputer guides. Also check out CryptoPrevent for business (it really just helps you write and push out the GPOs).
Most Valuable Expert 2015
Commented:
Don't use mapped drive letters when accessing the shares. Currently, those versions of ransomware I know of can't find your server's shares if they aren't mapped as a drive letter. Get the users to use the full \\server\share path when accessing data on the server.
Distinguished Expert 2019

Commented:
"I've already read about AppLocker; however, we use Windows 7 Professional and from my understanding AppLocker doesn't work as effectively with Professional as it would the Enterprise version of Windows..."
AppLocker is not present on 7/8.x Pro. But Software Restriction Policies are. Those are the predecessors of AppLocker and would defeat it, normally.
Rindi is correct: don't use mapped drives, that is, if you can trust your users not to map your network shares. Also, as McKnife said, Software Restriction Policies are a way to go. The GPOs would do this for you, or a business version of Cryptolocker. The bleepingcomputer guide tells you exactly which policies need to be changed.
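The two replies above recommend Software Restriction Policies (SRP) on Windows 7 Professional, where AppLocker is not available, with the policy set to deny-by-default and pushed by GPO. Before pushing a rule set to hundreds of clients it helps to reason about what it will actually allow. The following is an added example, not code from the thread, from the bleepingcomputer guide or from Microsoft: a simplified Python model of SRP path-rule evaluation. It reproduces two documented SRP behaviours, environment-variable expansion in path rules and "the most specific matching path rule wins", with a default level of Disallowed. The environment values, the rule list and the sample paths are constructed for the example, and the tie-break toward Disallowed is this model's conservative choice, not a documented one; results should be confirmed on a test client before the GPO goes live.

```python
"""Simplified model of Software Restriction Policy (SRP) path-rule evaluation.

Added example, not code from the thread. It models a deny-by-default SRP
(default level Disallowed) with Unrestricted path rules for the OS and
installed programs and explicit Disallowed rules for user-writable folders.
The ENV table, RULES and sample paths are constructed; only the expansion of
%VAR% in path rules and "most specific rule wins" follow documented SRP
behaviour. Ties are broken toward Disallowed (this model's choice).
"""
import re
from dataclasses import dataclass

# Constructed per-user environment, as a Windows 7 client would expand it.
ENV = {
    "SystemRoot": r"C:\Windows",
    "ProgramFiles": r"C:\Program Files",
    "AppData": r"C:\Users\alice\AppData\Roaming",
    "LocalAppData": r"C:\Users\alice\AppData\Local",
    "Temp": r"C:\Users\alice\AppData\Local\Temp",
    "UserProfile": r"C:\Users\alice",
}

DEFAULT_LEVEL = "Disallowed"  # "deny unless listed", as recommended in the thread


@dataclass(frozen=True)
class PathRule:
    pattern: str  # SRP-style path: %VAR% expansion, '*' wildcard, folder rules cover subfolders
    level: str    # "Unrestricted" or "Disallowed"


# Constructed rule set for the example.
RULES = [
    PathRule(r"%SystemRoot%", "Unrestricted"),
    PathRule(r"%ProgramFiles%", "Unrestricted"),
    PathRule(r"%SystemRoot%\Temp", "Disallowed"),     # user-writable folder inside an allowed tree
    PathRule(r"%AppData%\*.exe", "Disallowed"),
    PathRule(r"%AppData%\*\*.exe", "Disallowed"),
    PathRule(r"%Temp%\*.exe", "Disallowed"),
    PathRule(r"%Temp%\*\*.exe", "Disallowed"),
]


def _compile(rule):
    """Turn an SRP path rule into (regex, specificity).

    specificity = length of the literal prefix before the first wildcard, which
    is how this model ranks "more specific" rules.
    """
    expanded = rule.pattern
    for name, value in ENV.items():
        expanded = re.sub(re.escape(f"%{name}%"), lambda _m, v=value: v,
                          expanded, flags=re.IGNORECASE)
    expanded = expanded.lower()
    specificity = len(expanded.split("*", 1)[0])
    # '*' matches within one path component only, so %AppData%\*.exe does not
    # cover files in subfolders (that is what %AppData%\*\*.exe is for).
    body = re.escape(expanded).replace(r"\*", r"[^\\]*")
    last_component = expanded.rsplit("\\", 1)[-1]
    is_folder_rule = "*" not in expanded and "." not in last_component
    regex = "^" + body + (r"(?:\\.*)?$" if is_folder_rule else "$")
    return re.compile(regex), specificity


def evaluate(path, rules=RULES):
    """Return (level, matching_rule) for an executable path; rule is None when
    only the default level applies."""
    target = path.replace("/", "\\").lower()
    best = None  # ((specificity, is_disallowed), rule)
    for rule in rules:
        regex, specificity = _compile(rule)
        if regex.match(target):
            key = (specificity, rule.level == "Disallowed")
            if best is None or key > best[0]:
                best = (key, rule)
    if best is None:
        return DEFAULT_LEVEL, None
    return best[1].level, best[1]


if __name__ == "__main__":
    for sample in (r"C:\Windows\System32\notepad.exe",
                   r"C:\Program Files\Office\winword.exe",
                   r"C:\Users\alice\AppData\Roaming\fb7s.exe",
                   r"C:\Users\alice\Downloads\invoice.exe",
                   r"C:\Windows\Temp\dropper.exe"):
        level, rule = evaluate(sample)
        print(f"{sample:55} -> {level:12} via {rule.pattern if rule else 'default level'}")
```

The C:\Windows\Temp case is the one worth noticing: it matches both the Unrestricted %SystemRoot% rule and the Disallowed %SystemRoot%\Temp rule, and the longer, more specific rule wins, which is exactly why a deny-by-default policy still needs explicit deny rules for writable folders under otherwise trusted trees.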
btan, Exec Consultant
Distinguished Expert 2019

Commented:
Quick thoughts: Prevention is preferred instead of "firefighting" with ransomware once it has infected your machine, but if it does:

a) Do detection and response (once infected). Backup is your last resort, so do make sure that is readily enabled and stored remotely. Ransomware removes backups and versions of them, and does mass spreading of infection, so we need to contain it. Change your credentials too, as it steals online IDs.

b) Do prevention measures. Deny interfaces to external storage media, enforce application whitelisting and no administrative rights on client machines. In fact, go minimalist on the client build; try out CryptoPrevent, which does the whitelisting part for apps. Also, recent trends of this family go through Tor too, so ensure network sensors (NG-FW, UTM etc.) can deter and drop Tor-type connections out to the internet (to its mothership). As always, keep your machines patched (via NAC) before allowing clients (esp. remote ones) to connect back into the Enterprise backend.
The newest variant, CryptoFortress, will encrypt even unmapped shares (check the update in my article).
btan, Exec Consultant
Distinguished Expert 2019

Commented:
Another noteworthy one is TeslaCrypt, which targets only files used by popular games (so it is not document files, which some of us think are important; other users have different priorities and interests).

Also, I would like to highlight (and clarify) that ransomware can still work using non-admin accounts to encrypt its target files, as long as they are accessible by the current user by default. Once it is done, it will typically need admin rights (or an account with such privileges) to, at a minimum, delete the restore points and backups (for Windows, the shadow copies)...
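The point above matters for where detection is placed: because a non-admin user's own write access to the share is all the encryption needs, the share itself, not the workstation, is where the activity is visible regardless of privilege. The following is an added example, not code from the thread, of what that detection can look like. It assumes "Audit File System" object-access auditing (Windows Security event 4663) is enabled on the share's folders and that the events have been exported as one-line records; the pipe-separated line format, the server, account and file names, and the thresholds are all constructed for the example. It combines two signals: a burst of writes or deletes by one account within a short window, and any write to a canary file that no legitimate workflow touches.

```python
"""Detect ransomware-like activity on a file share from object-access audit events.

Added example, not from the thread. Assumes Windows Security event 4663
(object access) is audited on the share and exported one event per line in a
constructed format:  <ISO timestamp>|<event id>|<account>|<object path>|<access>
Every value below (server, accounts, paths, thresholds) is constructed.
Both signals work whether or not the account has admin rights, because
encrypting files on a share needs only the user's normal write access.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

CANARY_PATHS = {r"\\fs01\shared\!_do_not_touch\canary.docx".lower()}  # constructed honeyfile
WRITE_LIKE = {"WriteData", "DELETE"}   # access types that change or remove content
BURST_THRESHOLD = 50                   # this many write/delete events by one account ...
BURST_WINDOW_S = 60                    # ... within this many seconds raises an alert


def make_sample_events():
    """Constructed audit export: alice doing normal work, bob's workstation encrypting."""
    base = datetime(2015, 3, 2, 9, 0, 0)
    lines = []
    for i in range(5):                          # a few legitimate spreadsheet saves
        ts = base + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()}|4663|CORP\\alice|\\\\fs01\\shared\\finance\\q1_{i}.xlsx|WriteData")
    for i in range(60):                         # 60 rewrites in 30 seconds, new extension
        ts = base + timedelta(seconds=i // 2)
        lines.append(f"{ts.isoformat()}|4663|CORP\\bob|\\\\fs01\\shared\\hr\\file_{i}.docx.encrypted|WriteData")
    ts = base + timedelta(seconds=30)           # the honeyfile gets overwritten too
    lines.append(f"{ts.isoformat()}|4663|CORP\\bob|\\\\fs01\\shared\\!_do_not_touch\\canary.docx|WriteData")
    return lines


def parse_event(line):
    ts, event_id, account, obj, access = line.rstrip("\n").split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "event_id": event_id,
            "account": account, "object": obj, "access": access}


def detect(lines, threshold=BURST_THRESHOLD, window_s=BURST_WINDOW_S):
    """Return a list of alert dicts; one 'burst' alert per offending account,
    one 'canary' alert per write to a honeyfile."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # account -> timestamps of recent write-like events
    burst_reported = set()
    alerts = []
    for e in events:
        if e["event_id"] != "4663" or e["access"] not in WRITE_LIKE:
            continue
        if e["object"].lower() in CANARY_PATHS:
            alerts.append({"signal": "canary", "account": e["account"],
                           "object": e["object"], "at": e["ts"]})
        q = recent[e["account"]]
        q.append(e["ts"])
        while (e["ts"] - q[0]).total_seconds() > window_s:   # slide the window
            q.popleft()
        if len(q) >= threshold and e["account"] not in burst_reported:
            burst_reported.add(e["account"])
            alerts.append({"signal": "burst", "account": e["account"], "count": len(q),
                           "first": q[0], "last": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(make_sample_events()):
        print(alert)
```

A burst alert is the trigger for containment, for instance disabling the account's share access or its SMB session and restoring from the offline backup the thread already treats as the last resort; the canary is the cheaper signal, since a single write to a file nobody should ever open is suspicious on its own and does not depend on tuning a threshold.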

Author

Commented:
All great solutions/suggestions on how to combat the malicious software.  Thank you all.