Securing Network against Ransomware

Posted on 2016-07-25
Last Modified: 2016-10-27

I want to ask for advice on how to protect the backups and user data from Ransomware.

last week 1 User's personal Laptop in our network was infected by ransomware which he got from yahoo business email, and i have to restore his files and folders using the previous version. All the data was on his laptop was encrypted by ransomware, i don't have backup because it was his personal laptop & also no network mapped drive on his Laptop. but all other desktop users in our network have Mapped network Drive to share data.

We have 2 QNAP's each with 16 TB of space, 1 QNAP is used for keeping the backup and user data and the other QNAP is exact replica of first QNAP.
Each user is given a Mapped network Drive to share the documents between each other. if 1 PC is infected with ransomware then it can infect the mapped drive and can encrypt all other data & PC backups on QNAP.

We have McAfee Endpoint Protection 10 & acronis for backup on each PC. Mcafee doesn't detect the ransomware. how can we protect our network against Ransomware ? please advise...

Question by:alrashideen
LVL 22

Expert Comment

by:David Atkin
ID: 41728886

Randsomware primarily infects its victims via email.

You're main defence here is education your users to be cautious when reviewing their emails. If it looks strange then ask!  
Many of the emails are comming from the scanner@ email addresses.  If you have a scan to email service on your scanner/copier then change it to something that your users know is right - I.e.

In terms of actual software and things, I would recommend that you setup your email to pass through an email filter of some kind. I tend to use a third party hosted email filter provider, that way the emails are scanned prior to reaching your network.

Alot of the modern encryption virus's are delivered via macros on word attachments etc - Make sure that macros on your users machines have been disabled.

I've never been a fan of McAfee and wouldn't trust it to protect a computer not even on a network.  But thats just my opinion.  Anyways, make sure that your AV is up to date!

On most of our networks we have a GPO setup on the server to stop programs from starting in temp locations (Software Restriction Policies).  We've found this help in the battle against viruses like Cryptolocker.

In terms of backups, make sure that you have a backup off site. Alot of the new modern ransomware infections can search for mapped drives and even UNC paths, meaning that if you're backing up to a NAS share you're at risk.

Author Comment

ID: 41728917
Hi David,

Thanks for the Reply.

All our users who have Yahoo Business email are getting these spam email, we already have told them not to click on any link and not to download any attachment which they will receive in EMAIL, but the problem is some of these are spoof email, it is very hard to know that this is malicious email, the only way is to call the other user, & it is not possible to call each & every user to check whether they have sent the email or not. can you please recommend any good email filter provider.

We don't have Active Directory Environment, all the desktop/Laptops are in Work-group.

we have an offsite backup on QNAP using RTRR but if onsite QNAP will get infected, it will replicate to other offsite QNAP also.

We are taking backup on NAS Share using Acronis, is there any other option we can implement ?

LVL 22

Expert Comment

by:David Atkin
ID: 41728925
For email filtering we currently use Proofpoint and go through a reseller called Spambrella:

Something to note about email filtering is that it take a while to 'learn' how your business emails work.  Some legitimate mail may get captured initially.

Email spoofing can be reduced (but not totally cured) by using an SPF record in your external DNS.

I think QNAPs have a snapshot feature as well.  Do you have that enabled?  
The problem with replication is that if your files get encrypted then it may just replicate over to your other QNAP.

The Acronis solution is OK providing your QNAP can be recovered in the even of an infection.
Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

LVL 54

Expert Comment

ID: 41728937
"if 1 PC is infected with ransomware then it can infect the mapped drive and can encrypt all other data & PC backups on QNAP." - why would "all other data" and the pc backups even be accessible? Ransomware can only encrypt what the user may write to, so unless you let anyone write anywhere on your QNAP, that fear you have is not justified :-)
Think about your permission conception.

You should read about software restriction policies or (if you run windows enterprise editions) applocker and whitelisting techniques. That is the most effective and reliable way to stop unknown malware that goes undetected by AV software. All other measures (user education, attachment filtering, black listing) have limits, while whitelisting will only let a defined set of software run, the rest is blocked.

Accepted Solution

Mdlinnett earned 250 total points
ID: 41729299
Are the addresses that are being spoofed coming from ?

If so, consider implementing SPF / DKIM / DMARC and configuring your mail server to drop (not reject, but drop, so the sender doesn't get an NDR) any traffic that fails an SPF record check.

I second the idea of using something like ProofPoint / Symantec.Cloud to protect your mail.  If you use one of these services it means you can lock down external access to Port 25 on your Firewall to just those IP addresses used by those services, rather than to the entire Internet.

UTM devices which sit at the gateway of your network are available with subscription services for Gateway AV / Web Content Filtering / WebBlocker / Anti-Spam / IPS / Application Control are widely available.    

More and more also have APT (advanced persistant threat) blocking technology, which utilises sandboxing techniques to identify whether suspect files that have no AV signature are monitored in an isolated environment.  WatchGuard devices leverage for this.

You can probably tell I'm a WatchGuard fan, so here is a link to a page on their site for protection against ransomware.  These practices could be applied across multiple UTM devices >
LVL 62

Assisted Solution

btan earned 250 total points
ID: 41729360
Another means besides backup, we may want to verify the Ransomware variant or family it falls in as there may already be chance there are decryption tools available to get back original file though it may be slim .

Check the Ransomware -
Check for decryptor tools (based on its origin) -

For the preventive measures, the standard host intrusion prevention may not suffice and you may want to consider Anti-Ransomware package from MalwareBytes (Anti-Ransomware ), WinPatrol (WinAntiRansom ) or Kaspersky (System watcher) instead.

Those are at endpoint and at network end, you can review for more proactive breach detection like McAfee ATD
McAfee Advanced Threat Defense is a multilayered malware detection solution that combines multiple inspection engines that apply signature- and reputation-based inspection, real-time emulation, full static-code analysis, and dynamic sandboxing. McAfee Advanced Threat Defense will protect against prevalent ransomware such as CTB-Locker, CryptoWall, and others
Can check with Mcafee support further since you already an existing customer

Layer of detection and protection is way forward since there is always emerging variant and bypasses are common and no silver bullet on 100% detection - anomalous activities tracking and oversight thru the various layer will serves kinda of "tripwire" for early detection and prevention.

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Simple Network: And the Default Gateway is? 5 76
L2 to EIGRP slow migration? 27 105
EIGRP on point-to-point vlan 14 70
slow vpn connection 9 66
Employees depend heavily on their PCs, and new threats like ransomware make it even more critical to protect their important data.
This article outlines why you need to choose a backup solution that protects your entire environment – including your VMware ESXi and Microsoft Hyper-V virtualization hosts – not just your virtual machines.
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question