Solved

Securing Network against Ransomware

Posted on 2016-07-25
72 Views
Last Modified: 2016-10-27
Hi,

I want to ask for advice on how to protect the backups and user data from ransomware.

Last week 1 user's personal laptop in our network was infected by ransomware, which he got from Yahoo Business email, and I had to restore his files and folders using the previous version. All the data on his laptop was encrypted by the ransomware. I don't have a backup because it was his personal laptop, and there was also no mapped network drive on his laptop. But all other desktop users in our network have a mapped network drive to share data.

We have 2 QNAPs, each with 16 TB of space; 1 QNAP is used for keeping the backups and user data and the other QNAP is an exact replica of the first QNAP.
Each user is given a mapped network drive to share documents with each other. If 1 PC is infected with ransomware then it can infect the mapped drive and can encrypt all other data & PC backups on the QNAP.

We have McAfee Endpoint Protection 10 & Acronis for backup on each PC. McAfee doesn't detect the ransomware. How can we protect our network against ransomware? Please advise...


Thanks
Question by:alrashideen
6 Comments
 
LVL 22

Expert Comment

by:David Atkin
Hello,

Ransomware primarily infects its victims via email.

Your main defence here is educating your users to be cautious when reviewing their emails. If it looks strange then ask!
Many of the emails are coming from scanner@ email addresses. If you have a scan-to-email service on your scanner/copier then change it to something that your users know is right, i.e. TheRealScanner@mydomain.com

In terms of actual software and things, I would recommend that you set up your email to pass through an email filter of some kind. I tend to use a third-party hosted email filter provider; that way the emails are scanned prior to reaching your network.

A lot of the modern encryption viruses are delivered via macros in Word attachments etc. Make sure that macros on your users' machines have been disabled.

I've never been a fan of McAfee and wouldn't trust it to protect a computer that isn't even on a network. But that's just my opinion. Anyway, make sure that your AV is up to date!

On most of our networks we have a GPO set up on the server to stop programs from starting in temp locations (Software Restriction Policies). We've found this helps in the battle against viruses like Cryptolocker.

In terms of backups, make sure that you have a backup off site. A lot of the new modern ransomware infections can search for mapped drives and even UNC paths, meaning that if you're backing up to a NAS share you're at risk.

Author Comment

by:alrashideen
Hi David,

Thanks for the Reply.

All our users who have Yahoo Business email are getting these spam emails. We have already told them not to click on any link and not to download any attachment which they receive in email, but the problem is that some of these are spoofed emails; it is very hard to know that an email is malicious. The only way is to call the other user, and it is not possible to call each and every user to check whether they have sent the email or not. Can you please recommend any good email filter provider?

We don't have an Active Directory environment; all the desktops/laptops are in a workgroup.

We have an offsite backup on QNAP using RTRR, but if the onsite QNAP gets infected, it will replicate to the other offsite QNAP also.

We are taking backups on a NAS share using Acronis. Is there any other option we can implement?


Thanks
LVL 22

Expert Comment

by:David Atkin
For email filtering we currently use Proofpoint and go through a reseller called Spambrella:
https://www.spambrella.com/

Something to note about email filtering is that it takes a while to 'learn' how your business emails work. Some legitimate mail may get captured initially.

Email spoofing can be reduced (but not totally cured) by using an SPF record in your external DNS.

I think QNAPs have a snapshot feature as well. Do you have that enabled?
The problem with replication is that if your files get encrypted then it may just replicate over to your other QNAP.

The Acronis solution is OK providing your QNAP can be recovered in the event of an infection.
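The replication worry in this exchange (an encrypted share copied straight to the offsite QNAP by RTRR, with snapshots as the recovery path) is the motivation for the following added example, which is not code from the thread or from QNAP or Acronis. It keeps decoy "canary" files on each share and refuses to let a replication or backup job proceed when any canary has changed or vanished. It assumes the shares are mounted as local paths on the host that runs it; the share names, canary file names and the demo scenario are constructed.

```python
# Added example (not from the thread): canary-file gate for replication jobs.
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Constructed decoy names; a leading underscore sorts early, so a process that
# walks the share alphabetically reaches them before most real documents.
CANARY_NAMES = ["_budget_2016.xlsx", "_contracts_archive.docx"]


def sha256_file(path):
    """Hash a file in 64 KiB chunks so large decoys need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def deploy_canaries(share_root, shares, manifest_path):
    """Drop one decoy set into each share and record path -> sha256 in a manifest.
    Keep the manifest off the shares, or it can be encrypted along with the decoys."""
    manifest = {}
    for share in shares:
        for name in CANARY_NAMES:
            p = Path(share_root, share, name)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(os.urandom(4096))  # content is irrelevant; only its hash matters
            manifest[str(p)] = sha256_file(p)
    Path(manifest_path).write_text(json.dumps(manifest, indent=2))
    return manifest


def check_canaries(manifest_path):
    """Return (ok, problems). ok is False if any decoy is missing or its hash changed,
    which is what both encrypt-in-place and rename-and-encrypt runs look like."""
    manifest = json.loads(Path(manifest_path).read_text())
    problems = []
    for path, expected in manifest.items():
        if not os.path.exists(path):
            problems.append("missing: " + path)
        elif sha256_file(path) != expected:
            problems.append("modified: " + path)
    return (not problems), problems


def replication_allowed(manifest_path):
    """Gate to call immediately before starting the replication or backup job."""
    ok, _ = check_canaries(manifest_path)
    return ok


def demo():
    """Constructed scenario in a temp dir: a clean check passes; after one decoy is
    overwritten (standing in for encryption) the gate refuses replication."""
    root = tempfile.mkdtemp()
    manifest = os.path.join(root, "canaries.json")  # keep this off-share in real use
    deploy_canaries(root, ["Finance", "Shared"], manifest)
    clean = replication_allowed(manifest)
    Path(root, "Finance", CANARY_NAMES[0]).write_bytes(b"constructed tampering")
    tampered, problems = check_canaries(manifest)
    return clean, tampered, problems


if __name__ == "__main__":
    print(demo())
```

Run the deploy step once, then the check from the backup host's scheduler just before each Acronis or rsync job. A failing check is the cue to pause the RTRR schedule, restore the affected share from a pre-infection snapshot and investigate, rather than letting the encrypted copy overwrite the offsite replica.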
LVL 53

Expert Comment

by:McKnife
"if 1 PC is infected with ransomware then it can infect the mapped drive and can encrypt all other data & PC backups on QNAP." - why would "all other data" and the PC backups even be accessible? Ransomware can only encrypt what the user may write to, so unless you let anyone write anywhere on your QNAP, that fear you have is not justified :-)
Think about your permissions concept.

You should read about software restriction policies or (if you run Windows Enterprise editions) AppLocker and whitelisting techniques. That is the most effective and reliable way to stop unknown malware that goes undetected by AV software. All other measures (user education, attachment filtering, blacklisting) have limits, while whitelisting will only let a defined set of software run; the rest is blocked.
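Both David Atkin's advice (a Software Restriction Policy that stops programs starting from temp locations, plus disabled Office macros) and McKnife's whitelisting suggestion come down to the same Windows policy store. Since the asker has no Active Directory, the following added example (not code from the thread, from Microsoft or from any vendor) writes the registry entries that gpedit's "Software Restriction Policies" node creates, for a workgroup PC. `build_plan()` returns the writes as data so they can be reviewed and tested off-Windows; `apply_plan()` performs them and must run elevated. The rule paths and the choice of macro setting are this example's own assumptions, not something the thread specifies.

```python
# Added example (not from the thread): SRP and Office macro policy for a workgroup PC.
import sys
import time
import uuid

SAFER_BASE = r"SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
UNRESTRICTED = 0x40000  # SAFER_LEVELID_FULLYTRUSTED
DISALLOWED = 0x00000    # SAFER_LEVELID_DISALLOWED

# 'blocklist' mode (David Atkin's approach): default Unrestricted, deny execution
# from user-writable locations where mailed droppers and archive extractions land.
BLOCKLIST_PATHS = [
    r"%AppData%\*.exe", r"%AppData%\*\*.exe",
    r"%LocalAppData%\*.exe", r"%LocalAppData%\*\*.exe",
    r"%LocalAppData%\Temp\*.zip\*.exe", r"%LocalAppData%\Temp\Rar*\*.exe",
    r"%LocalAppData%\Temp\7z*\*.exe", r"%UserProfile%\Downloads\*.exe",
]
# 'allowlist' mode (McKnife's approach): default Disallowed, allow only the OS
# and installed-program directories, which standard users cannot write to.
ALLOWLIST_PATHS = [r"%SystemRoot%\*", r"%ProgramFiles%\*", r"%ProgramFiles(x86)%\*"]

# Per-user Office policy: VBAWarnings 3 = disable macros except digitally signed;
# blockcontentexecutionfrominternet 1 = block macros in files marked as from the Internet.
OFFICE_APPS = ("Word", "Excel", "PowerPoint")
OFFICE_VERSIONS = ("15.0", "16.0")


def build_plan(mode="blocklist", now=None):
    """Return [(hive, subkey, value_name, reg_type_name, value), ...]."""
    if mode not in ("blocklist", "allowlist"):
        raise ValueError("mode must be 'blocklist' or 'allowlist'")
    default_level = UNRESTRICTED if mode == "blocklist" else DISALLOWED
    rule_level = DISALLOWED if mode == "blocklist" else UNRESTRICTED
    rule_paths = BLOCKLIST_PATHS if mode == "blocklist" else ALLOWLIST_PATHS
    plan = [
        ("HKLM", SAFER_BASE, "DefaultLevel", "REG_DWORD", default_level),
        ("HKLM", SAFER_BASE, "TransparentEnabled", "REG_DWORD", 1),  # all software files except DLLs
        ("HKLM", SAFER_BASE, "PolicyScope", "REG_DWORD", 0),         # 0 = applies to administrators too
        ("HKLM", SAFER_BASE, "AuthenticodeEnabled", "REG_DWORD", 0),
    ]
    # LastModified is a Windows FILETIME: 100 ns ticks since 1601-01-01.
    epoch = now if now is not None else time.time()
    filetime = int((epoch + 11644473600) * 10_000_000)
    for path in rule_paths:
        # Each path rule lives under <level>\Paths\{GUID}; the level subkey is decimal.
        sub = "\\".join([SAFER_BASE, str(rule_level), "Paths", "{%s}" % uuid.uuid4()])
        plan += [
            ("HKLM", sub, "ItemData", "REG_EXPAND_SZ", path),
            ("HKLM", sub, "SaferFlags", "REG_DWORD", 0),
            ("HKLM", sub, "LastModified", "REG_QWORD", filetime),
            ("HKLM", sub, "Description", "REG_SZ", "%s rule: %s" % (mode, path)),
        ]
    for ver in OFFICE_VERSIONS:
        for app in OFFICE_APPS:
            sub = r"SOFTWARE\Policies\Microsoft\Office\%s\%s\Security" % (ver, app)
            plan += [
                ("HKCU", sub, "VBAWarnings", "REG_DWORD", 3),
                ("HKCU", sub, "blockcontentexecutionfrominternet", "REG_DWORD", 1),
            ]
    return plan


def apply_plan(plan):
    """Write the plan to the live registry (Windows only; run as Administrator)."""
    if sys.platform != "win32":
        raise OSError("apply_plan() only runs on Windows")
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    for hive, sub, name, reg_type, value in plan:
        with winreg.CreateKeyEx(hives[hive], sub, 0, winreg.KEY_WRITE) as key:
            winreg.SetValueEx(key, name, 0, getattr(winreg, reg_type), value)


if __name__ == "__main__":
    mode = next((a for a in sys.argv[1:] if not a.startswith("--")), "blocklist")
    for entry in build_plan(mode):
        print(entry)
    if "--apply" in sys.argv:
        apply_plan(build_plan(mode))
```

Start with `blocklist` mode and review the printed plan before adding `--apply`; switch to `allowlist` only after inventorying where legitimate software on the PCs actually runs from, since default-deny blocks anything not covered by an allow rule. Log off and on after applying, and watch the Application event log for SoftwareRestrictionPolicies events (ID 866 is a path-rule block) to see what the policy is stopping.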
LVL 5

Accepted Solution

by:Mdlinnett
Mdlinnett earned 250 total points
Are the addresses that are being spoofed coming from @yourdomain.com ?

If so, consider implementing SPF / DKIM / DMARC and configuring your mail server to drop (not reject, but drop, so the sender doesn't get an NDR) any traffic that fails an SPF record check.

I second the idea of using something like ProofPoint / Symantec.Cloud to protect your mail.  If you use one of these services it means you can lock down external access to Port 25 on your Firewall to just those IP addresses used by those services, rather than to the entire Internet.

UTM devices which sit at the gateway of your network are widely available with subscription services for Gateway AV / Web Content Filtering / WebBlocker / Anti-Spam / IPS / Application Control.

More and more also have APT (advanced persistent threat) blocking technology, which utilises sandboxing techniques, monitoring suspect files that have no AV signature in an isolated environment. WatchGuard devices leverage www.lastline.com for this.

You can probably tell I'm a WatchGuard fan, so here is a link to a page on their site for protection against ransomware.  These practices could be applied across multiple UTM devices > http://watchguardsupport.force.com/publicKB?type=KBArticle&SFDCID=kA2F0000000QBnRKAW&lang=en_US
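The SPF / DMARC advice in the accepted solution, and in particular the "drop, don't reject" rule for SPF failures, can be shown end to end with the following added example, which is not code from the thread or from any mail-filtering vendor. It evaluates a sending IP against a domain's SPF record, reads the domain's DMARC policy, and returns the gateway action. Only the `ip4`/`ip6`, `include`, `redirect` and `all` terms are implemented; `a`, `mx`, `exists` and `ptr` need A/MX lookups this example does not model, so a production gateway should use a full implementation such as pyspf. The DNS TXT data below is constructed for the demo and belongs to no real domain.

```python
# Added example (not from the thread): minimal SPF + DMARC evaluation at a gateway.
import ipaddress

# Constructed TXT records standing in for DNS (example.com / .example are reserved names).
CONSTRUCTED_TXT = {
    "example.com": ["v=spf1 ip4:203.0.113.0/24 include:_spf.filter.example -all"],
    "_spf.filter.example": ["v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "soft.example": ["v=spf1 ip4:203.0.113.9 ~all"],
}


def lookup_txt(name, table=CONSTRUCTED_TXT):
    """Stand-in resolver; for real use return the strings from a TXT query
    (e.g. dnspython's dns.resolver.resolve(name, 'TXT'))."""
    return table.get(name.lower().rstrip("."), [])


QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, lookup=lookup_txt, depth=0):
    """Return pass / fail / softfail / neutral / none / permerror for sender_ip."""
    if depth > 10:                       # RFC 7208 caps DNS-causing terms at 10
        return "permerror"
    records = [r for r in lookup(domain) if r.lower().startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:                 # more than one SPF record is a permanent error
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    redirect = None
    for term in records[0].split()[1:]:
        qualifier, mech = ("+", term) if term[0] not in QUALIFIERS else (term[0], term[1:])
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip in network:            # False automatically when IP versions differ
                return QUALIFIERS[qualifier]
        elif name == "include":
            if check_spf(arg, sender_ip, lookup, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
        elif mech.lower().startswith("redirect="):
            redirect = mech.split("=", 1)[1]
    if redirect:
        return check_spf(redirect, sender_ip, lookup, depth + 1)
    return "neutral"                     # nothing matched and no 'all' term


def dmarc_policy(domain, lookup=lookup_txt):
    """Return the published p= disposition (none/quarantine/reject) or None if absent."""
    for rec in lookup("_dmarc." + domain):
        tags = dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
        if tags.get("v", "").upper() == "DMARC1":
            return tags.get("p", "none").lower()
    return None


def gateway_action(spf_result, policy):
    """Mdlinnett's rule: a hard SPF fail is dropped silently, so no NDR goes back
    to the forged sender. Softfail is quarantined only when the domain owner has
    published a quarantine/reject DMARC policy; everything else is accepted."""
    if spf_result == "fail":
        return "drop"
    if spf_result == "softfail" and policy in ("quarantine", "reject"):
        return "quarantine"
    return "accept"


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.11", "192.0.2.1"):
        result = check_spf("example.com", ip)
        print(ip, result, gateway_action(result, dmarc_policy("example.com")))
```

The `lookup` parameter is what lets the logic be exercised offline; a gateway wires in a real resolver and also checks the DKIM signature, which this example leaves out. Note that the DMARC disposition is the domain owner's instruction to receivers, so applying it to mail claiming to be from your own domain is exactly the case the accepted solution describes.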
LVL 61

Assisted Solution

by:btan
btan earned 250 total points
Another means besides backup: we may want to verify the ransomware variant or family it falls in, as there may already be a chance that decryption tools are available to get back the original files, though it may be slim.

Check the Ransomware - https://id-ransomware.malwarehunterteam.com/
Check for decryptor tools (based on its origin) - https://www.nomoreransom.org/decryption-tools.html

For the preventive measures, standard host intrusion prevention may not suffice and you may want to consider an anti-ransomware package from Malwarebytes (Anti-Ransomware), WinPatrol (WinAntiRansom) or Kaspersky (System Watcher) instead.
http://www.bleepingcomputer.com/download/malwarebytes-anti-ransomware/
https://www.winpatrol.com/winantiransom/
http://www.kaspersky.com/images/Kaspersky_Lab_Whitepaper_System_Watcher_ENG.pdf

Those are at the endpoint; at the network end, you can review more proactive breach detection like McAfee ATD.
McAfee Advanced Threat Defense is a multilayered malware detection solution that combines multiple inspection engines that apply signature- and reputation-based inspection, real-time emulation, full static-code analysis, and dynamic sandboxing. McAfee Advanced Threat Defense will protect against prevalent ransomware such as CTB-Locker, CryptoWall, and others.
You can check with McAfee support further since you are already an existing customer.

Layers of detection and protection are the way forward, since there are always emerging variants, bypasses are common and there is no silver bullet with 100% detection; tracking and oversight of anomalous activities through the various layers will serve as a kind of "tripwire" for early detection and prevention.