Securing Network against Ransomware


I want to ask for advice on how to protect the backups and user data from Ransomware.

Last week one user's personal laptop in our network was infected by ransomware, which he got from his Yahoo Business email, and I had to restore his files and folders using Previous Versions. All the data on his laptop was encrypted by the ransomware; I don't have a backup because it was his personal laptop, and there was also no mapped network drive on his laptop. But all other desktop users in our network have a mapped network drive to share data.

We have 2 QNAPs, each with 16 TB of space; one QNAP is used for keeping the backups and user data and the other QNAP is an exact replica of the first QNAP.
Each user is given a mapped network drive to share documents with each other. If one PC is infected with ransomware then it can infect the mapped drive and can encrypt all other data and PC backups on the QNAP.

We have McAfee Endpoint Protection 10 and Acronis for backup on each PC. McAfee doesn't detect the ransomware. How can we protect our network against ransomware? Please advise...

Are the addresses that are being spoofed coming from ?

If so, consider implementing SPF / DKIM / DMARC and configuring your mail server to drop (not reject, but drop, so the sender doesn't get an NDR) any traffic that fails an SPF record check.

I second the idea of using something like Proofpoint / Symantec.Cloud to protect your mail. If you use one of these services it means you can lock down external access to port 25 on your firewall to just those IP addresses used by those services, rather than to the entire Internet.

UTM devices, which sit at the gateway of your network, are widely available with subscription services for Gateway AV / Web Content Filtering / WebBlocker / Anti-Spam / IPS / Application Control.

More and more also have APT (advanced persistent threat) blocking technology, which utilises sandboxing techniques: suspect files that have no AV signature are monitored in an isolated environment to identify whether they are malicious. WatchGuard devices leverage for this.

You can probably tell I'm a WatchGuard fan, so here is a link to a page on their site for protection against ransomware. These practices could be applied across multiple UTM devices.
David Atkin (Technical Director) commented:

Ransomware primarily infects its victims via email.

Your main defence here is educating your users to be cautious when reviewing their emails. If it looks strange then ask!
Many of the emails are coming from scanner@ email addresses. If you have a scan-to-email service on your scanner/copier then change it to something that your users know is right, i.e.

In terms of actual software and things, I would recommend that you set up your email to pass through an email filter of some kind. I tend to use a third-party hosted email filter provider; that way the emails are scanned prior to reaching your network.

A lot of the modern encryption viruses are delivered via macros on Word attachments etc. Make sure that macros on your users' machines have been disabled.

I've never been a fan of McAfee and wouldn't trust it to protect a computer not even on a network. But that's just my opinion. Anyways, make sure that your AV is up to date!

On most of our networks we have a GPO set up on the server to stop programs from starting in temp locations (Software Restriction Policies). We've found this helps in the battle against viruses like Cryptolocker.

In terms of backups, make sure that you have a backup off site. A lot of the new modern ransomware infections can search for mapped drives and even UNC paths, meaning that if you're backing up to a NAS share you're at risk.
alrashideen (Author) commented:
Hi David,

Thanks for the Reply.

All our users who have Yahoo Business email are getting these spam emails. We have already told them not to click on any link and not to download any attachment they receive in email, but the problem is that some of these are spoofed emails, and it is very hard to know that this is a malicious email. The only way is to call the other user, and it is not possible to call each and every user to check whether they have sent the email or not. Can you please recommend any good email filter provider?

We don't have an Active Directory environment; all the desktops/laptops are in a workgroup.

We have an offsite backup on a QNAP using RTRR, but if the onsite QNAP gets infected, it will replicate to the offsite QNAP also.

We are taking backups to a NAS share using Acronis. Is there any other option we can implement?

David Atkin (Technical Director) commented:
For email filtering we currently use Proofpoint and go through a reseller called Spambrella:

Something to note about email filtering is that it takes a while to 'learn' how your business emails work. Some legitimate mail may get captured initially.

Email spoofing can be reduced (but not totally cured) by using an SPF record in your external DNS.

I think QNAPs have a snapshot feature as well.  Do you have that enabled?  
The problem with replication is that if your files get encrypted then it may just replicate over to your other QNAP.

The Acronis solution is OK providing your QNAP can be recovered in the event of an infection.
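The first reply above suggests SPF / DKIM / DMARC and dropping mail that fails an SPF check, and this reply repeats that SPF reduces spoofing. The following is an added example (it is not part of the thread and not any participant's code) showing what the published records look like and how a receiving server evaluates the connecting IP against the SPF record. The domain (example.com), the IP ranges and the records are constructed for illustration; only `ip4` and `all` mechanisms are evaluated, because `include:`, `a` and `mx` need live DNS lookups that a real evaluator (or your filtering provider) performs.

```powershell
# Added example, not from the thread: SPF/DMARC records for a sending domain
# and a minimal receiver-side SPF evaluation (ip4 and "all" mechanisms only).
# Records constructed for the example (RFC 5737 documentation addresses):
#   example.com.        IN TXT "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.10 -all"
#   _dmarc.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
# "-all" means any other source IP gets "fail", which is what lets the mail
# server drop the message instead of delivering a look-alike to the user.

function ConvertTo-IPv4UInt32 ([string]$Ip) {
    $addr = [System.Net.IPAddress]::Parse($Ip)
    if ($addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "only IPv4 is handled in this example: $Ip"
    }
    $bytes = $addr.GetAddressBytes()      # network byte order (big-endian)
    [Array]::Reverse($bytes)              # BitConverter expects host (little-endian) order
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPv4InCidr ([string]$Ip, [string]$Cidr) {
    $parts  = $Cidr -split '/'
    $prefix = if ($parts.Count -gt 1) { [int]$parts[1] } else { 32 }
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "bad prefix length in $Cidr" }
    # Build the netmask in a 64-bit value so a /0 does not wrap a 32-bit shift.
    $allOnes = [long]4294967295
    $mask    = [uint32](($allOnes -shl (32 - $prefix)) -band $allOnes)
    $ipBits  = ConvertTo-IPv4UInt32 $Ip
    $netBits = ConvertTo-IPv4UInt32 $parts[0]
    return (($ipBits -band $mask) -eq ($netBits -band $mask))
}

function Test-SpfRecord ([string]$Record, [string]$SenderIp) {
    $terms = $Record.Trim() -split '\s+'
    if ($terms[0] -ne 'v=spf1') { return 'permerror' }
    for ($i = 1; $i -lt $terms.Count; $i++) {
        $term      = $terms[$i]
        $qualifier = '+'                                  # default qualifier is "+"
        if ($term -match '^[+\-~?]') {
            $qualifier = $term.Substring(0, 1)
            $term      = $term.Substring(1)
        }
        $verdict = switch ($qualifier) {
            '+' { 'pass' } '-' { 'fail' } '~' { 'softfail' } '?' { 'neutral' }
        }
        if ($term -eq 'all') { return $verdict }          # "all" always matches
        if ($term -like 'ip4:*') {
            if (Test-IPv4InCidr -Ip $SenderIp -Cidr $term.Substring(4)) { return $verdict }
            continue                                      # no match: try the next mechanism
        }
        throw "mechanism '$term' needs DNS lookups and is not evaluated in this example"
    }
    return 'neutral'   # RFC 7208: nothing matched and no "all" present
}

# Constructed check: two legitimate sources and one spoofed sender.
$record = 'v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.10 -all'
foreach ($ip in '203.0.113.77', '198.51.100.10', '192.0.2.5') {
    '{0,-15} -> {1}' -f $ip, (Test-SpfRecord -Record $record -SenderIp $ip)
}
```

Two practical points follow from the code. A record ending in `~all` (softfail) or `?all` only marks mail; most receivers will still deliver it, so the "drop on SPF fail" policy from the first reply needs `-all`. And SPF only covers the envelope sender, so a DMARC `p=reject` record is what ties the visible From: address to the SPF/DKIM result; publish it with a `rua=` reporting address first and read the reports before switching from `p=none` to `p=reject`, otherwise the third-party services that legitimately send as your domain get dropped too.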
"if 1 PC is infected with ransomware then it can infect the mapped drive and can encrypt all other data & PC backups on QNAP." - why would "all other data" and the pc backups even be accessible? Ransomware can only encrypt what the user may write to, so unless you let anyone write anywhere on your QNAP, that fear you have is not justified :-)
Think about your permission concept.

You should read about software restriction policies or (if you run Windows Enterprise editions) AppLocker and whitelisting techniques. That is the most effective and reliable way to stop unknown malware that goes undetected by AV software. All other measures (user education, attachment filtering, blacklisting) have limits, while whitelisting will only let a defined set of software run; the rest is blocked.
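David Atkin's first reply recommends a GPO with Software Restriction Policies to stop programs starting from temp locations and disabling Office macros, and the reply above points to SRP or AppLocker whitelisting; the author has a workgroup with no Active Directory. The script below is an added example (not from the thread, not a participant's code) that sets the same SRP path rules and macro settings locally through the registry keys the Local Security Policy editor writes to, so it can be run on each workgroup PC. The blocked-path list and rule descriptions are assumptions to adjust for your environment; the rule GUIDs are generated at run time.

```powershell
# Added example, not from the thread: local Software Restriction Policy (SRP)
# for a workgroup PC (no domain GPO). Executables and scripts launched from the
# user-writable locations ransomware droppers use are Disallowed, and Office
# macros are disabled. Run in an elevated PowerShell, then log off and on.

$saferRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Unrestricted = 262144   # 0x40000: SRP security level "Unrestricted"
$Disallowed   = 0        # SRP security level "Disallowed"

function Confirm-Key ([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -Path $Path -Force | Out-Null }
}

# Global SRP settings: allow by default, check every software file (not only
# shortcuts), and apply to all users including local administrators.
Confirm-Key $saferRoot
Set-ItemProperty -Path $saferRoot -Name DefaultLevel       -Value $Unrestricted -Type DWord
Set-ItemProperty -Path $saferRoot -Name TransparentEnabled -Value 1             -Type DWord
Set-ItemProperty -Path $saferRoot -Name PolicyScope        -Value 0             -Type DWord

# Designated file types: the default SRP list plus the script types that
# arrive as mail attachments (JS, JSE, VBS, VBE, WSF, WSH, PS1).
$exeTypes = @('ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA',
              'INF','INS','ISP','JS','JSE','LNK','MDB','MDE','MSC','MSI','MSP','MST',
              'OCX','PCD','PIF','PS1','REG','SCR','SHS','URL','VB','VBE','VBS','WSC',
              'WSF','WSH')
Set-ItemProperty -Path $saferRoot -Name ExecutableTypes -Value $exeTypes -Type MultiString

# Disallowed path rules (assumed list). SRP expands the environment variables
# and wildcards itself; "*.zip\*.exe" catches executables run straight from a
# zip opened in Explorer.
$blockPaths = @(
    '%AppData%\*.exe',                  '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',             '%LocalAppData%\*\*.exe',
    '%LocalAppData%\Temp\*.exe',        '%LocalAppData%\Temp\*\*.exe',
    '%LocalAppData%\Temp\*.zip\*.exe',
    '%UserProfile%\Downloads\*.js',     '%UserProfile%\Downloads\*.vbs',
    '%Temp%\*.js',                      '%Temp%\*.vbs',
    '%Temp%\*.wsf'
)
$pathsKey = Join-Path $saferRoot "$Disallowed\Paths"
Confirm-Key $pathsKey
foreach ($p in $blockPaths) {
    $ruleKey = Join-Path $pathsKey ('{' + [guid]::NewGuid().ToString() + '}')
    Confirm-Key $ruleKey
    Set-ItemProperty -Path $ruleKey -Name ItemData    -Value $p -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name SaferFlags  -Value 0  -Type DWord
    Set-ItemProperty -Path $ruleKey -Name Description -Value 'Block dropper location (local hardening script)' -Type String
}

# Office macros. VBAWarnings 4 = "Disable all macros without notification";
# BlockContentExecutionFromInternet (Office 2016+) blocks macros in documents
# that carry the Mark-of-the-Web. These are per-user keys, so run this part
# in each user's session.
foreach ($ver in '15.0', '16.0') {
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $sec = "HKCU:\Software\Policies\Microsoft\Office\$ver\$app\Security"
        Confirm-Key $sec
        Set-ItemProperty -Path $sec -Name VBAWarnings                       -Value 4 -Type DWord
        Set-ItemProperty -Path $sec -Name BlockContentExecutionFromInternet -Value 1 -Type DWord
    }
}
```

Test this on one PC before rolling it out: per-user installs of Chrome, OneDrive or Teams live under `%LocalAppData%` and will be blocked by these rules, so each such program needs an Unrestricted path rule under `CodeIdentifiers\262144\Paths` pointing at its exact executable. This is a blacklist of locations, which is the "stop programs from starting in temp locations" approach; a true whitelist (DefaultLevel set to Disallowed plus Unrestricted rules for `%ProgramFiles%` and `%WinDir%`) is stronger but needs more exceptions to be workable.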
btan (Exec Consultant) commented:
Another means besides backup: we may want to verify the ransomware variant or family it falls into, as there may already be a chance that decryption tools are available to get back the original files, though it may be slim.

Check the Ransomware -
Check for decryptor tools (based on its origin) -

For the preventive measures, the standard host intrusion prevention may not suffice and you may want to consider an anti-ransomware package from Malwarebytes (Anti-Ransomware), WinPatrol (WinAntiRansom) or Kaspersky (System Watcher) instead.

Those are at the endpoint; at the network end, you can review more proactive breach detection like McAfee ATD:
McAfee Advanced Threat Defense is a multilayered malware detection solution that combines multiple inspection engines that apply signature- and reputation-based inspection, real-time emulation, full static-code analysis, and dynamic sandboxing. McAfee Advanced Threat Defense will protect against prevalent ransomware such as CTB-Locker, CryptoWall, and others.
You can check with McAfee support further since you are already an existing customer.

Layers of detection and protection are the way forward, since there are always emerging variants, bypasses are common, and there is no silver bullet for 100% detection. Tracking anomalous activities and oversight through the various layers will serve as a kind of "tripwire" for early detection and prevention.
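The reply above ends on the idea of a "tripwire" for early detection, and the author's concern is that an infected PC encrypts the mapped share and the damage then replicates to the second QNAP. A concrete, cheap form of that tripwire is a canary check on the share itself. The script below is an added example (not from the thread, not any participant's code): it plants decoy documents on the share, re-hashes them from a scheduled task, and on the first change, rename or deletion disconnects every mapped drive on that PC and logs the event. The share path, decoy names, baseline and log locations are assumptions.

```powershell
# Added example, not from the thread: a canary "tripwire" for the shared drive.
# Requires PowerShell 4+ (Get-FileHash). Run once to plant the decoys and
# write the baseline; every later run compares the decoys against it.

$Share    = '\\QNAP1\UserShare'                  # assumed UNC path of the user share
$Baseline = 'C:\ProgramData\share-canary.json'   # assumed baseline location
$LogFile  = 'C:\ProgramData\share-canary.log'    # assumed log location
# Names that sort to the very start and end of the listing: ransomware
# usually walks folders alphabetically, so these are touched early.
$Canaries = @('!000-accounts.xlsx', 'zzz-staff-list.docx') |
    ForEach-Object { Join-Path $Share $_ }

function Get-CanaryState {
    # Map each decoy path to its SHA-256, or 'MISSING' if it was renamed/deleted.
    $state = @{}
    foreach ($file in $Canaries) {
        $state[$file] = if (Test-Path -LiteralPath $file) {
            (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        } else { 'MISSING' }
    }
    return $state
}

function Disconnect-AllMappedDrives {
    # Win32_NetworkConnection lists drive-letter mappings (LocalName is 'X:').
    Get-CimInstance Win32_NetworkConnection | Where-Object { $_.LocalName } | ForEach-Object {
        net use "$($_.LocalName)" /delete /y | Out-Null
    }
}

if (-not (Test-Path -LiteralPath $Baseline)) {
    # First run: plant decoys with random content, record their hashes, stop.
    foreach ($file in $Canaries) {
        if (-not (Test-Path -LiteralPath $file)) {
            Set-Content -LiteralPath $file -Value ("decoy " + [guid]::NewGuid())
        }
    }
    Get-CanaryState | ConvertTo-Json | Set-Content -LiteralPath $Baseline
    "$(Get-Date -Format s) baseline written for $($Canaries.Count) decoys" |
        Add-Content -LiteralPath $LogFile
    return
}

$expected = Get-Content -LiteralPath $Baseline -Raw | ConvertFrom-Json
$actual   = Get-CanaryState
$tripped  = $Canaries | Where-Object {
    $actual[$_] -ne $expected.PSObject.Properties[$_].Value
}

if ($tripped) {
    # Fail closed: a rewritten, renamed or missing decoy means the share is
    # being encrypted (or is unreachable); cut this PC off from it.
    "$(Get-Date -Format s) TRIPWIRE: decoys changed or missing: $($tripped -join ', ')" |
        Add-Content -LiteralPath $LogFile
    Disconnect-AllMappedDrives
}
```

Schedule it on each PC with something like `schtasks /Create /SC MINUTE /MO 5 /TN ShareCanary /TR "powershell -ExecutionPolicy Bypass -File C:\ProgramData\share-canary.ps1"`. Two caveats: the check is detection, not prevention, so the files the infected user could write in the minutes before the task fires are still lost, which is why the per-user write permissions from the earlier reply and QNAP snapshots matter more; and an unreachable QNAP trips the canary too, which is deliberate (better a disconnected drive than a blind spot), but it means the log needs to be looked at rather than ignored.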