

Securing Network against Ransomware

Posted on 2016-07-25
Medium Priority
Last Modified: 2016-10-27

I want to ask for advice on how to protect the backups and user data from ransomware.

Last week one user's personal laptop in our network was infected by ransomware which he got from Yahoo Business email, and I had to restore his files and folders using the previous version. All the data on his laptop was encrypted by the ransomware; I don't have a backup because it was his personal laptop, and there was also no mapped network drive on his laptop. But all other desktop users in our network have a mapped network drive to share data.

We have 2 QNAPs, each with 16 TB of space; one QNAP is used for keeping the backups and user data and the other QNAP is an exact replica of the first QNAP.
Each user is given a mapped network drive to share documents with each other. If one PC is infected with ransomware then it can infect the mapped drive and encrypt all other data and PC backups on the QNAP.

We have McAfee Endpoint Protection 10 and Acronis for backup on each PC. McAfee doesn't detect the ransomware. How can we protect our network against ransomware? Please advise...

Question by:alrashideen
LVL 22

Expert Comment

by:David Atkin
ID: 41728886

Ransomware primarily infects its victims via email.

Your main defence here is educating your users to be cautious when reviewing their emails. If it looks strange then ask!
Many of the emails are coming from scanner@ email addresses. If you have a scan-to-email service on your scanner/copier then change it to something that your users know is right, i.e.

In terms of actual software, I would recommend that you set up your email to pass through an email filter of some kind. I tend to use a third-party hosted email filter provider; that way the emails are scanned before reaching your network.

A lot of the modern encryption viruses are delivered via macros in Word attachments etc. Make sure that macros on your users' machines have been disabled.

I've never been a fan of McAfee and wouldn't trust it to protect a computer, not even on a network. But that's just my opinion. Anyway, make sure that your AV is up to date!

On most of our networks we have a GPO set up on the server to stop programs from starting in temp locations (Software Restriction Policies). We've found this helps in the battle against viruses like CryptoLocker.

In terms of backups, make sure that you have a backup off site. A lot of the new modern ransomware infections can search for mapped drives and even UNC paths, meaning that if you're backing up to a NAS share you're at risk.
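The "stop programs from starting in temp locations" policy above is a set of SRP path rules, and whether a given executable is blocked depends on how those rules are expanded and which one wins when several match. The following is an added example, not part of David's comment and not Windows code (the real policy lives in the registry/GPO): a small Python model of the SRP decision logic, so the rule set can be reasoned about before it is deployed. The environment variables, the rule set, the user "bob" and the "KnownVendor" updater exception are all constructed for the example; the model assumes that `*` and `?` do not cross a backslash and that, among matching path rules, the longest expanded path is the most specific.

```python
"""Model of how Software Restriction Policy (SRP) path rules decide.

Added example, not from the original thread and not Windows code. It mimics
the decision logic: %VAR% references are expanded, a rule without wildcards
covers that folder and everything beneath it, '*' and '?' match within one
path component (assumption), and when several rules match, the longest
(most specific) expanded path wins; the default level applies when nothing
matches. The environment and rule set below are constructed for the example.
"""
import re
from ntpath import normcase, normpath   # Windows path semantics on any OS

UNRESTRICTED = "Unrestricted"
DISALLOWED = "Disallowed"

# Constructed environment for a hypothetical workstation user "bob".
ENV = {
    "SYSTEMROOT": r"C:\Windows",
    "PROGRAMFILES": r"C:\Program Files",
    "APPDATA": r"C:\Users\bob\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\bob\AppData\Local",
    "TEMP": r"C:\Users\bob\AppData\Local\Temp",
}

# Constructed rule set: default Unrestricted, deny executables launched from the
# user-writable locations that mail attachments and droppers typically use, with
# one exception for a hypothetical updater that legitimately runs from there.
TEMP_LOCATION_RULES = [
    (r"%AppData%\*.exe", DISALLOWED),
    (r"%AppData%\*\*.exe", DISALLOWED),
    (r"%LocalAppData%\*.exe", DISALLOWED),
    (r"%LocalAppData%\*\*.exe", DISALLOWED),
    (r"%Temp%\*.exe", DISALLOWED),
    (r"%Temp%\*\*.exe", DISALLOWED),
    (r"%LocalAppData%\KnownVendor\updater.exe", UNRESTRICTED),  # hypothetical exception
]


def expand(path: str, env: dict = ENV) -> str:
    """Expand %VAR% references case-insensitively, as SRP does."""
    for name, value in env.items():
        path = re.sub(re.escape(f"%{name}%"), lambda _m, v=value: v, path,
                      flags=re.IGNORECASE)
    return path


def rule_regex(rule_path: str):
    """Compile one path rule; returns (regex, specificity) where specificity is
    the length of the expanded, normalised rule path."""
    rule = normcase(normpath(expand(rule_path)))
    pattern = "".join(
        r"[^\\]*" if ch == "*" else r"[^\\]" if ch == "?" else re.escape(ch)
        for ch in rule)
    if "*" not in rule and "?" not in rule:
        pattern += r"(\\.*)?"        # a plain folder/file rule also covers its contents
    return re.compile(f"^{pattern}$"), len(rule)


def evaluate(program: str, rules=TEMP_LOCATION_RULES, default: str = UNRESTRICTED) -> str:
    """Return the security level SRP would apply to launching `program`."""
    prog = normcase(normpath(program))
    best = None
    for rule_path, level in rules:
        regex, specificity = rule_regex(rule_path)
        if regex.match(prog):
            key = (specificity, level == DISALLOWED)   # ties go to Disallowed
            if best is None or key > best[0]:
                best = (key, level)
    return default if best is None else best[1]


if __name__ == "__main__":
    for exe in (r"C:\Users\bob\AppData\Roaming\invoice.pdf.exe",
                r"C:\Users\bob\AppData\Local\Temp\7zO1234\setup.exe",
                r"C:\Program Files\Acronis\TrueImage.exe",
                r"C:\Users\bob\AppData\Local\KnownVendor\updater.exe"):
        print(f"{evaluate(exe):<13} {exe}")
```

The two-rule pairs (`%AppData%\*.exe` and `%AppData%\*\*.exe`) are there because, under the model's assumption, a single `*` only covers one folder level; an executable extracted into a sub-folder of `%Temp%` needs the second pattern. The exception shows the precedence rule that makes such allow-lists workable: the fully qualified updater path is longer than the wildcard deny rule that also matches it, so it wins.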

Author Comment

ID: 41728917
Hi David,

Thanks for the Reply.

All our users who have Yahoo Business email are getting these spam emails. We have already told them not to click on any link and not to download any attachment they receive in email, but the problem is that some of these are spoofed emails, and it is very hard to know that an email is malicious. The only way is to call the other user, and it is not possible to call each and every user to check whether they have sent the email or not. Can you please recommend any good email filter provider?

We don't have an Active Directory environment; all the desktops/laptops are in a workgroup.

We have an offsite backup on a QNAP using RTRR, but if the onsite QNAP gets infected, it will replicate to the offsite QNAP also.

We are taking backups to the NAS share using Acronis. Is there any other option we can implement?

LVL 22

Expert Comment

by:David Atkin
ID: 41728925
For email filtering we currently use Proofpoint and go through a reseller called Spambrella:

Something to note about email filtering is that it takes a while to 'learn' how your business emails work. Some legitimate mail may get captured initially.

Email spoofing can be reduced (but not totally cured) by using an SPF record in your external DNS.

I think QNAPs have a snapshot feature as well. Do you have that enabled?
The problem with replication is that if your files get encrypted then it may just replicate over to your other QNAP.

The Acronis solution is OK providing your QNAP can be recovered in the event of an infection.

LVL 56

Expert Comment

ID: 41728937
"if 1 PC is infected with ransomware then it can infect the mapped drive and can encrypt all other data & PC backups on QNAP." - why would "all other data" and the PC backups even be accessible? Ransomware can only encrypt what the user may write to, so unless you let anyone write anywhere on your QNAP, the fear you have is not justified :-)
Think about your permission concept.

You should read about software restriction policies or (if you run Windows Enterprise editions) AppLocker and whitelisting techniques. That is the most effective and reliable way to stop unknown malware that goes undetected by AV software. All other measures (user education, attachment filtering, blacklisting) have limits, while whitelisting will only let a defined set of software run; the rest is blocked.

Accepted Solution

Mdlinnett earned 1000 total points
ID: 41729299
Are the addresses that are being spoofed coming from ?

If so, consider implementing SPF / DKIM / DMARC and configuring your mail server to drop (not reject, but drop, so the sender doesn't get an NDR) any traffic that fails an SPF record check.

I second the idea of using something like Proofpoint / Symantec.cloud to protect your mail. If you use one of these services it means you can lock down external access to port 25 on your firewall to just those IP addresses used by those services, rather than the entire Internet.

UTM devices, which sit at the gateway of your network, are widely available with subscription services for Gateway AV / Web Content Filtering / WebBlocker / Anti-Spam / IPS / Application Control.

More and more also have APT (advanced persistent threat) blocking technology, which utilises sandboxing techniques: suspect files that have no AV signature are monitored in an isolated environment. WatchGuard devices leverage for this.

You can probably tell I'm a WatchGuard fan, so here is a link to a page on their site about protection against ransomware. These practices could be applied across multiple UTM devices >
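The SPF advice in the accepted answer (publish a record, then drop rather than reject mail that fails the check) is easier to evaluate with the check itself in front of you. The following is an added example, not code from the answer or from Proofpoint/WatchGuard: a minimal SPF evaluator for the common terms (`ip4`, `ip6`, `a`, `mx`, `include`, `all`, `redirect=`) run against a constructed in-memory DNS table so it works offline, followed by the gateway's drop/deliver decision. All domains, addresses and records below are hypothetical (documentation ranges and `.example` names); a production gateway resolves real DNS and also implements the parts of RFC 7208 this model skips (macros, `exp=`, `ptr`, `exists`).

```python
"""Minimal SPF evaluator plus the gateway "drop on fail" decision.

Added example, not from the original thread and not Proofpoint/WatchGuard
code. Evaluates the common RFC 7208 terms against a constructed, in-memory
DNS table so it runs offline. Macros, exp=, ptr and exists are not modelled.
"""
import ipaddress

# Constructed zone data. _spf.mailfilter.example stands in for a hosted
# filtering provider whose relays are allowed to send for example.com.
DNS = {
    "example.com": {
        "TXT": ["v=spf1 mx ip4:203.0.113.0/24 include:_spf.mailfilter.example -all"],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["203.0.113.25"]},
    "_spf.mailfilter.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all"]},
    "legacy.example": {"TXT": ["v=spf1 redirect=example.com"]},
    "nospf.example": {"TXT": ["some unrelated record"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10   # RFC 7208 caps DNS-querying terms at 10 per check


def spf_record(domain: str):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    for txt in DNS.get(domain, {}).get("TXT", []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def host_addresses(domain: str) -> list:
    recs = DNS.get(domain, {})
    return [ipaddress.ip_address(a) for a in recs.get("A", []) + recs.get("AAAA", [])]


def check_host(ip: str, domain: str, depth: int = 0) -> str:
    """SPF result (pass/fail/softfail/neutral/none/permerror) for a connecting
    IP that claims MAIL FROM <...@domain>."""
    if depth > MAX_DEPTH:
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if "=" in term:                                # modifier, not a mechanism
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value
            continue                                   # exp= and unknown modifiers ignored
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # `in` is False across IP versions, so an IPv6 client never matches ip4
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = addr in host_addresses(arg or domain)
        elif name == "mx":
            mx_hosts = DNS.get(arg or domain, {}).get("MX", [])
            matched = any(addr in host_addresses(mx) for mx in mx_hosts)
        elif name == "include":
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"                         # ptr/exists/macros not modelled
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        return check_host(ip, redirect, depth + 1)
    return "neutral"                                   # no term matched, no "all"


def gateway_action(result: str, drop_on=("fail",)) -> str:
    """Accept the SMTP transaction and silently discard on SPF fail, so the
    forged sender address never receives an NDR (the answer's recommendation)."""
    return "drop" if result in drop_on else "deliver"


if __name__ == "__main__":
    # A forged message claiming to be from example.com, sent from an unlisted host.
    res = check_host("192.0.2.9", "example.com")
    print(res, "->", gateway_action(res))
```

Note that "none" (the sender domain publishes no SPF record) and "softfail" deliver under this policy: dropping on anything but a hard "fail" would discard mail from every partner that has not published SPF, which is why the answer pairs the check with a `-all` record of your own and, ideally, DKIM/DMARC.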
LVL 64

Assisted Solution

btan earned 1000 total points
ID: 41729360
Another means besides backup: we may want to verify the ransomware variant or family it falls in, as there may already be a chance that decryption tools are available to get the original files back, though it may be slim.

Check the Ransomware -
Check for decryptor tools (based on its origin) -

For the preventive measures, standard host intrusion prevention may not suffice and you may want to consider an anti-ransomware package from Malwarebytes (Anti-Ransomware), WinPatrol (WinAntiRansom) or Kaspersky (System Watcher) instead.

Those are at the endpoint; at the network end, you can review more proactive breach detection like McAfee ATD.
McAfee Advanced Threat Defense is a multilayered malware detection solution that combines multiple inspection engines that apply signature- and reputation-based inspection, real-time emulation, full static-code analysis, and dynamic sandboxing. McAfee Advanced Threat Defense will protect against prevalent ransomware such as CTB-Locker, CryptoWall, and others
You can check with McAfee support further since you are already an existing customer.

Layers of detection and protection are the way forward since there are always emerging variants, bypasses are common and there is no silver bullet for 100% detection; anomalous activity tracking and oversight through the various layers will serve as a kind of "tripwire" for early detection and prevention.
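Two threads of the discussion meet here: the asker's worry that RTRR will faithfully replicate an encrypted onsite QNAP to the offsite one, and btan's point that a "tripwire" across layers gives early detection. The following is an added example, not code from the thread and not QNAP, RTRR or Acronis tooling: a Python pre-replication scan that walks the backup source, flags files whose bytes look encrypted (high entropy in a type that should compress), flags ransom-note-like filenames, and checks that a canary file is untouched; if anything alerts, the replication job is held instead of overwriting the good replica. The thresholds, extension allowlist, note keywords, the sample share and the simulated infection are all constructed for the example and would need tuning for a real share.

```python
"""Tripwire scan of a backup source before replicating it.

Added example; not from the original thread and not QNAP, RTRR or Acronis
code. Walks the share, flags encrypted-looking files, ransom-note-like
names and a modified canary, and gates replication on the result. All
thresholds, lists and sample data are constructed for the example.
"""
import hashlib
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

SAMPLE_BYTES = 64 * 1024       # inspect at most this many bytes per file
HIGH_ENTROPY = 7.5             # bits/byte; encrypted or random data scores ~7.9+
MIN_SUSPECT_FILES = 3          # alert once this many files look encrypted
# Already-compressed formats, for which high entropy is normal. A file of one of
# these types encrypted in place under its original name is NOT caught by the
# entropy check; the canary and note checks cover that case.
COMPRESSED_EXT = {".zip", ".7z", ".gz", ".rar", ".jpg", ".jpeg", ".png",
                  ".mp4", ".pdf", ".docx", ".xlsx", ".pptx"}
NOTE_EXT = {".txt", ".html", ".hta"}
NOTE_KEYWORDS = ("decrypt", "recover")   # constructed; extend from threat intel


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0 for empty or uniform data, 8 for random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def looks_like_note(path: Path) -> bool:
    name = path.name.lower()
    return path.suffix.lower() in NOTE_EXT and any(k in name for k in NOTE_KEYWORDS)


def scan_share(root: Path, canary: Path, canary_hash: str) -> dict:
    """Walk the share and collect ransomware indicators into a report."""
    report = {"files_scanned": 0, "high_entropy": [], "ransom_notes": [],
              "canary_modified": not canary.exists()}   # deleted/renamed canary alerts too
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        report["files_scanned"] += 1
        rel = str(path.relative_to(root))
        if path == canary:
            if sha256_file(path) != canary_hash:
                report["canary_modified"] = True
            continue
        if looks_like_note(path):
            report["ransom_notes"].append(rel)
            continue
        if path.suffix.lower() in COMPRESSED_EXT:
            continue
        with path.open("rb") as fh:
            data = fh.read(SAMPLE_BYTES)
        if len(data) >= 256 and shannon_entropy(data) >= HIGH_ENTROPY:
            report["high_entropy"].append(rel)
    return report


def should_replicate(report: dict) -> bool:
    """Gate the replication job: copy only when nothing in the scan alerts."""
    return not (report["canary_modified"] or report["ransom_notes"]
                or len(report["high_entropy"]) >= MIN_SUSPECT_FILES)


def pseudo_random_bytes(seed: int, n: int) -> bytes:
    """Deterministic stand-in for encrypted output (constructed test data)."""
    return random.Random(seed).getrandbits(8 * n).to_bytes(n, "big")


def build_sample_share(root: Path):
    """Constructed share: five text reports, one archive, and a canary file."""
    docs = root / "Shared" / "Finance"
    docs.mkdir(parents=True)
    for i in range(5):
        (docs / f"report_{i}.txt").write_text(f"Quarterly figures for branch {i}\n" * 60)
    (docs / "photos.zip").write_bytes(pseudo_random_bytes(1, 4096))  # allowed: archive
    canary = root / "Shared" / "_do_not_touch_canary.txt"
    canary.write_text("canary " * 100)
    return canary, sha256_file(canary)


def simulate_infection(root: Path) -> None:
    """Constructed stand-in for ransomware behaviour: overwrite the reports with
    random bytes, rename the canary, and drop a note. No real sample involved."""
    for i, path in enumerate(sorted((root / "Shared" / "Finance").glob("*.txt"))):
        path.write_bytes(pseudo_random_bytes(100 + i, 4096))
    canary = root / "Shared" / "_do_not_touch_canary.txt"
    canary.rename(canary.with_name(canary.name + ".enc"))
    (root / "Shared" / "HOW_TO_DECRYPT_FILES.txt").write_text("constructed note text")


def demo():
    """Scan a clean share, infect it, scan again; return both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        canary, digest = build_sample_share(root)
        clean = scan_share(root, canary, digest)
        simulate_infection(root)
        infected = scan_share(root, canary, digest)
    return clean, infected


if __name__ == "__main__":
    for label, rep in zip(("clean", "after infection"), demo()):
        print(label, "-> replicate" if should_replicate(rep) else "-> HOLD replication", rep)
```

Run from the replication host against the RTRR source before each job; the canary is the cheapest of the three signals (one hash compare) and is also the one that survives ransomware that keeps filenames and only encrypts in place, which the entropy check skips for already-compressed formats. Holding replication still leaves the onsite copy encrypted, which is why this belongs alongside snapshots and an offline copy rather than instead of them.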
