sunhux
asked on
Comments needed on ransomware & mitigation methods
The VP of Commvault (a backup & data management solution provider) was interviewed on the
radio 2-3 days ago.
A few questions & answers were aired & I'd like to get comments here & clarify:
a) Is backup among the most effective mitigations against ransomware (which I presume works
by encrypting files, i.e. locks up the file & demands a ransom) & CryptoLocker? I'm assuming point-in-time
backup/recovery is needed for critical files/data so that we can restore right to the second prior
to being locked/encrypted, & that after being locked/encrypted the file (or possibly database) can't
be updated anymore, right?
b) The VP says AV can't detect certain CryptoLocker variants because the CryptoLocker encrypts itself & thus AV
can't scan what's been encrypted: I thought CryptoLocker encrypts files/data, not itself, am I mistaken?
c) On item b above, the deejay asked if antimalware/AV is thus rendered obsolete because AV can't
scan/detect them. My guess is CryptoLocker can still be detected/quarantined (for those in the AV
signature list) but those that operate using OS scripts can't be detected, right?
d) Real-time/on-access AV scans upon read/write (i.e. when there's an IO operation) on a file. If the file is not
created, is there a way to detect/scan based on the network/data stream (i.e. prior to the CryptoLocker
itself being created, i.e. while the CryptoLocker travels through the network)? I seem to have heard that
Checkpoint has a certain network blade for such detection, or did I hear wrongly?
e) Does endpoint IPS & network IPS detect ransomware?
Also sharing one other article on ransomware.
https://www.experts-exchange.com/articles/21199/Ransomware-Beware.html
After reading the attached article, I understand how ransomware operates.
Essentially, it is a client-server architecture delivered by an old hacking method, phishing, and it attacks the weakest link in security: humans.
Offsite backups are always critical, but for SMEs there are no funds or human resources allocated to them.
So ransomware spreads like wildfire.
UFI-partner-sophos-cryptowall-crypto.pdf
ASKER
Last query:
I learnt from our security vendor that most AVs in the market can only detect malware at the file level, i.e. after files have been formed, not at the traffic / data stream level.
Are there products out there that could detect ransomware at the traffic level, i.e. prior to files being formed?
ATP works at the network traffic level but it is pretty expensive.
Just google for ATP (Advanced Threat Protection) and Ransomware and you will know more.
http://www.symantec.com/connect/events/ransomware-how-leverage-sep-and-symantec-atp
https://digitalguardian.com/solutions/use-case/ransomware-protection
https://blogs.technet.microsoft.com/mmpc/2016/02/24/locky-malware-lucky-to-avoid-it/
Actually, Snort rules can cover the detection of known ransomware
http://seclists.org/snort/2013/q3/900
..and even the exploit kits that are the threat vector leading to the backdoor's subsequent ransomware delivery
https://github.com/andresriancho/w3af/issues/671
You can also check the Snort SIDs (such as 32521 & 31223) by searching using Cisco Defense Center or searching for "Cryptowall 2.0" on snort.org. There will be later updates too, since ransomware versions are always evolving.
Likewise, if you have a network forensic device (and there is no SSL or secured channel), the likes of FireEye and Bluecoat have appliances that do this inspection to detect potential ransomware threats and their callback activities.
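To make concrete what "detection at the traffic level, before a file is formed" means in the answer above, here is an added example (not part of the original thread, and not Snort's or Cisco's code): a small Python matcher that parses Snort-style `content`/`http_*`/`pcre` options and applies them to HTTP requests exactly the way a network IPS would inspect a dropper download or a check-in POST on the wire. The two rules, their SIDs 1000001 and 1000002 (the range Snort reserves for local rules), the `/gate.php` URI, the body pattern and all sample traffic are constructed for illustration; they are not real CryptoWall or Locky indicators from the Talos rule set.

```python
"""Snort-style rule matching over constructed HTTP requests: an added example,
not Snort's or Cisco's code. Rules, SIDs 1000001/1000002 (the local-rule
range), URIs and sample traffic are all made up, not real CryptoWall indicators."""
import re
from dataclasses import dataclass
from typing import Optional

LOCAL_RULES = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL ransomware-style HTTP POST check-in"; flow:to_server,established; content:"POST"; http_method; content:"/gate.php"; http_uri; pcre:"/^[a-z0-9]{8,16}=[0-9a-f]{32,}/iP"; classtype:trojan-activity; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL exploit-kit style landing page request"; flow:to_server,established; content:"GET"; http_method; content:".php?"; http_uri; content:"Mozilla/4.0"; http_header; classtype:trojan-activity; sid:1000002; rev:1;)
'''

# Constructed flows: a benign intranet GET, a check-in POST shaped like rule
# 1000001, an exploit-kit-style landing page GET, and a TLS record the IPS cannot read.
SAMPLE_FLOWS = [
    ("benign", b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n"
               b"User-Agent: Mozilla/5.0\r\n\r\n"),
    ("checkin", b"POST /gate.php HTTP/1.1\r\nHost: 203.0.113.10\r\n"
                b"User-Agent: Mozilla/4.0\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                b"a7k2p9x1=3f2a9c0b4e1d6f7a8b9c0d1e2f3a4b5c"),
    ("ek_landing", b"GET /land.php?id=12 HTTP/1.1\r\nHost: 198.51.100.7\r\n"
                   b"User-Agent: Mozilla/4.0 (compatible; MSIE 8.0)\r\n\r\n"),
    ("tls", bytes.fromhex("16030100200100001c0303") + b"\x9a\xff" * 10),
]

_OPT_RE = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')
_CONTENT_BUF = {"http_uri": "uri", "http_method": "method",
                "http_header": "header", "http_client_body": "body"}
_PCRE_BUF = {"U": "uri", "M": "method", "H": "header", "P": "body"}

@dataclass
class Rule:
    sid: int
    msg: str
    contents: list   # (needle, buffer) pairs; every needle must be present
    pcres: list      # (compiled regex, buffer) pairs; every regex must match

def parse_rule(line: str) -> Optional[Rule]:
    """Parse one rule's option block; the header (proto/addresses/ports) is ignored."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    sid, msg, contents, pcres = None, "", [], []
    for name, val in _OPT_RE.findall(line[line.index("(") + 1:line.rindex(")")]):
        val = val[1:-1] if val.startswith('"') else val
        if name == "msg":
            msg = val
        elif name == "sid":
            sid = int(val)
        elif name == "content":
            contents.append([val, "payload"])   # a following modifier narrows the buffer
        elif name in _CONTENT_BUF and contents:
            contents[-1][1] = _CONTENT_BUF[name]
        elif name == "pcre":
            pattern, flags = val.rsplit("/", 1)  # value is "/regex/flags"
            buf = next((_PCRE_BUF[f] for f in flags if f in _PCRE_BUF), "payload")
            pcres.append((re.compile(pattern[1:], re.I if "i" in flags else 0), buf))
    return Rule(sid, msg, [tuple(c) for c in contents], pcres)

def parse_http(raw: bytes) -> Optional[dict]:
    """Split a plaintext HTTP/1.x request into the buffers the modifiers name.
    Returns None for anything that is not plaintext HTTP, e.g. a TLS record:
    payload inspection is blind there unless the traffic is decrypted first."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, _, body = text.partition("\r\n\r\n")
    request_line, _, headers = head.partition("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return {"method": parts[0], "uri": parts[1], "header": headers,
            "body": body, "payload": text}

def rule_matches(rule: Rule, bufs: dict) -> bool:
    return (all(needle in bufs[buf] for needle, buf in rule.contents)
            and all(rx.search(bufs[buf]) for rx, buf in rule.pcres))

def scan(flows, rules_text: str) -> list:
    """Return (flow label, sid, msg) for every rule that fires on a flow."""
    rules = [r for r in map(parse_rule, rules_text.splitlines()) if r]
    alerts = []
    for label, raw in flows:
        bufs = parse_http(raw)
        if bufs is None:
            continue                                 # opaque to content inspection
        alerts.extend((label, r.sid, r.msg) for r in rules if rule_matches(r, bufs))
    return alerts

if __name__ == "__main__":
    for label, sid, msg in scan(SAMPLE_FLOWS, LOCAL_RULES):
        print(f"[1:{sid}] {msg} <- {label}")
```

Two points the example makes that the thread only states: the check-in POST and the landing-page GET fire on the wire, with no file on any endpoint yet, which is the traffic-level detection the asker was after; and the TLS-wrapped flow produces nothing, because content and pcre matching only see plaintext, which is the "no SSL or secured channel" caveat above. This is also why signature rules for ransomware need continual updates: a matcher like this only catches the indicators someone has already written a rule for.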
ASKER
The radio even said the FBI estimated about $250 million of ransom was paid in North America in 2015, though ransomware first started in Russia and then moved on to Europe and then America.
It quoted FireEye estimating there were about 500-600 ransomware attacks in 2015 in the country that I live in: hmm, just wondering how the FBI and FireEye got these figures, assuming they are quoted correctly.