How to prevent Ransomware on corporate network?

Hi All,

In the past couple of months, we have been hit with the ransomware virus 3 times. Luckily for us we have timely backups that allow us to restore shared network drives; however, I'm looking for a way around this. Since we are a completely virtual environment, I don't care about a person's individual VM getting blown up, we can always recreate that. What I do care about is our network shares. I've been trying to research ways to prevent the encryption of those files. One idea I had was requiring user authentication to the shared drives, like every 10 minutes if they have to access it. Then I'm limiting the window whereby I could have an infection. Has anyone come up with any solutions to prevent this from happening?

Any help would be greatly appreciated.

-Anthony
Anthony6890Asked:
William FulksSystems Analyst & WebmasterCommented:
Before you go looking into some software solution, user education should be your first line of defense. You can put all kinds of stuff into place but if you get somebody who opens every email attachment or pays no mind when browsing online, you're going to keep having problems.

You may want to look into Barracuda's web filtering service, too.
0
McKnifeCommented:
This is no special virus. It's only very effective in money-making.
So the rules for preventing it are always the same: keep people from executing unknown code.
The most effective measure against it would be AppLocker. AppLocker would only allow known executables to run.
0
Anthony6890Author Commented:
I keep reading about everyone saying the same thing about user understanding.  I feel like that can only go so far.  

I've already read about AppLocker; however, we use Windows 7 Professional and from my understanding AppLocker doesn't work as effectively with Professional as it would with the Enterprise version of Windows...
0
William FulksSystems Analyst & WebmasterCommented:
For example, your idea of requiring authentication every 10 minutes would be incredibly annoying to the end user. I'd get cussed out from one end of this office to the other if I implemented that. You've got to find the right balance between security and usability. But really, the first step is teaching people not to get into the stuff that causes the infection in the first place. Until you do that, you'll never get this fixed. Plus that kind of malware/virus/adware/ransomware morphs and changes constantly so if you do come up with some kind of fix, the next infection could work right around that.
0
Anthony6890Author Commented:
Great points Will.  We already have content filtering for our web traffic and email virus scanning going on as well.  I'll try to get some literature together and send it out to all the employees to understand the impact of this.  

Thanks.
0
William FulksSystems Analyst & WebmasterCommented:
Do you know how the ransomware got in?

I forgot to ask if users have admin rights to their PCs. Locking that down would keep people from installing things.
0
Thomas Zucker-ScharffSolution GuideCommented:
All good points, but if you really want to prevent ransomware to the fullest extent you are able, try using GPOs to push out policies (see my article on what ransomware really is and how to deal with it). There is a link there near the end to one of the bleepingcomputer guides. Also check out CryptoPrevent for business (it really just helps you write and push out the GPOs).
0
rindiCommented:
Don't use mapped drive letters when accessing the shares. Currently, the versions of ransomware I know of can't see your server's shares if they aren't mapped as a drive letter. Get the users to use the full \\server\share path when accessing data on the server.
0
McKnifeCommented:
"I've already read about AppLocker; however, we use Windows 7 Professional and from my understanding AppLocker doesn't work as effectively with Professional as it would with the Enterprise version of Windows..."
AppLocker is not present on 7/8.x Pro. But Software Restriction Policies are. Those are the predecessors of AppLocker and would normally defeat it.
0
Thomas Zucker-ScharffSolution GuideCommented:
Rindi is correct: don't use mapped drives, that is, if you can trust your users not to map your network shares. Also, as McKnife said, software restriction policies are a way to go. The GPOs would do this for you, or a business version of Cryptolocker. The bleepingcomputer guide tells you exactly which policies need to be changed.
0
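One way to put the software restriction policies McKnife and Thomas describe into place, as an added example that is not from any poster, from CryptoPrevent, or from the bleepingcomputer guide: the PowerShell below writes SRP path rules into the local policy registry hive on Windows 7 Professional, the same hive secpol.msc writes. The blocked paths are this example's own choice of user-writable folders; the key and value names are the standard SRP layout.

```powershell
# Added example, not from the thread. Writes Software Restriction Policy (SRP)
# path rules into the local policy hive so executables cannot launch from the
# user-writable folders that mail-borne droppers typically land in.
# Assumptions: run as administrator on Windows 7 Professional; the rule paths
# are this example's own choice, not copied from CryptoPrevent or any guide.

$base       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = Join-Path $base '0\Paths'   # subkey "0" holds Disallowed rules

# Global SRP settings: default level Unrestricted (0x40000), policy applies to
# every user including local admins, and to all software files, not only DLLs.
if (-not (Test-Path $base)) { New-Item -Path $base | Out-Null }
Set-ItemProperty -Path $base -Name 'DefaultLevel'        -Value 0x40000 -Type DWord
Set-ItemProperty -Path $base -Name 'TransparentEnabled'  -Value 1       -Type DWord
Set-ItemProperty -Path $base -Name 'PolicyScope'         -Value 0       -Type DWord
Set-ItemProperty -Path $base -Name 'authenticodeenabled' -Value 0       -Type DWord
# Designated file types SRP enforces on (secpol.msc seeds a similar default list).
Set-ItemProperty -Path $base -Name 'ExecutableTypes' -Type MultiString -Value @(
    'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF',
    'INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG',
    'SCR','SHS','URL','VB','WSC')

# Path -> description. %AppData% / %LocalAppData% expand per user at check time.
$rules = @{
    '%AppData%\*.exe'                 = 'Block exe run directly from AppData'
    '%AppData%\*\*.exe'               = 'Block exe run from AppData subfolders'
    '%LocalAppData%\*.exe'            = 'Block exe run directly from LocalAppData'
    '%LocalAppData%\*\*.exe'          = 'Block exe run from LocalAppData subfolders'
    '%LocalAppData%\Temp\Rar*\*.exe'  = 'Block exe launched from inside a WinRAR archive'
    '%LocalAppData%\Temp\7z*\*.exe'   = 'Block exe launched from inside a 7-Zip archive'
    '%LocalAppData%\Temp\*.zip\*.exe' = 'Block exe launched from Explorer zip view'
}

foreach ($path in $rules.Keys) {
    # Each rule is a GUID-named subkey under the Disallowed level; -Force also
    # creates the intermediate 0\Paths keys on first run.
    $key = Join-Path $disallowed ('{' + [guid]::NewGuid().ToString().ToUpper() + '}')
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'ItemData'     -Value $path         -Type ExpandString
    Set-ItemProperty -Path $key -Name 'Description'  -Value $rules[$path] -Type String
    Set-ItemProperty -Path $key -Name 'SaferFlags'   -Value 0             -Type DWord
    Set-ItemProperty -Path $key -Name 'LastModified' -Value (Get-Date).ToFileTime() -Type QWord
}

Write-Host "Wrote $($rules.Count) SRP path rules; run 'gpupdate /force' or reboot to apply."
```

Verify by copying a harmless test executable into %AppData% and confirming it refuses to launch; legitimate software that installs or updates from these folders is blocked too, so add an Unrestricted rule for it under the 262144\Paths subkey rather than loosening the defaults.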
btanExec ConsultantCommented:
Quick thoughts: prevention is preferable to "firefighting" ransomware once it has infected your machine, but if it does:

a) Detection and response (once infected): backup is your last resort, so make sure it is readily enabled and stored remotely. Ransomware removes backups and their versions, and spreads the infection widely, so we need to contain it. Change your credentials too, as it steals online IDs.

b) Prevention measures: deny access to external storage media, enforce application whitelisting and no administrative rights on client machines. In fact, go minimalist on the client build; try out CryptoPrevent, which does the application whitelisting part. Also, recent trends in this family go through Tor too, so make sure your network sensors (NG-FW, UTM etc.) can detect and drop Tor-type connections out to the internet (to its mothership). As always, keep your machines patched (via NAC) before allowing clients (especially remote ones) to connect back into the enterprise backend.
0
Thomas Zucker-ScharffSolution GuideCommented:
The newest variant,  CryptoFortress, will encrypt even unmapped shares (check the update in my article).
0
btanExec ConsultantCommented:
Another noteworthy one is TeslaCrypt, which targets only files used by popular games (so it is not document files, which some of us think are important; other users have different priorities and interests).

Also, I'd like to highlight (and clarify) that ransomware can still work using non-admin accounts to encrypt its target files, as long as they are accessible to the current user by default. Once done, it will typically need admin rights (or an account with such privileges) to at minimum delete the restore points and backups (for Windows, the shadow copies)...
0
Anthony6890Author Commented:
All great solutions/suggestions on how to combat the malicious software.  Thank you all.
0