sunhux
asked on
Revisit ransomware prevention & mitigation: Sharepoint, continuous backup, etc.
A related organization's critical files in an 'encrypted shared folder' (not Sharepoint) just
showed up with plenty of *.zepto files.
As a post-mortem, they will ask for preventive & mitigation measures:
a) I suppose mapping a drive to an encrypted shared folder doesn't help at all.
Will using Sharepoint help (assuming we don't map a drive to the Sharepoint)
but users have to use IE/a browser to upload/update/download files?
But of course the very busy users (who almost constantly have to update
the files, including Excel) hate to use IE/browsers to do this as it's much
slower than using Windows Explorer: you have to check out a file & will be
prompted many times. Is there something as fast as & like Win Explorer (for a
familiar interface)?
b) Apparently the AV either did not work or was not updated. Will AV detect &
stop Zepto?
c) Will IOC (Indicators of Compromise) tools help with this? Do name
specific open-source tools.
d) Exploring Acronis backup for workstations: is there a 'continuous' backup
feature that will allow us to restore to just a second or a few secs
prior to being attacked?
ASKER
I was checking our Bluecoat hash updates: looks like they don't have any
hash for Zepto, or am I mistaken?
https://www.bugsfighter.com/remove-zepto-ransomware-decrypt-zepto-files/
The link above suggests:
SpyHunter and HitmanPro with CryptoGuard
So it looks like the above anti-spyware helps? Does anyone know if McAfee AV will help?
ASKER
Any concerns (& mitigations) that the continuous backup also backs up the ransomware files as well?
Or we need to build in a scanner for the backup tool?
Your problem is the shared folder(s) you are using.
One user gets infected then everyone who uses that folder gets infected. You may have 99 intelligent users of that folder and one dumb one. That dumb one will infect everyone else.
Possible mitigation methods
Your sources of infection are most likely to come from email attachments and web sites. If you've got a centralised mail server then a very good anti-virus solution and any of the other methods you talk about will help. They will NOT stop everything. That is impossible.
Browsers. You can restrict the sites your users go to. You can use a safer browser such as Chrome. You can restrict what files a browser can open. That will help but won't stop everything.
Backups are important. Realtime backups every time a save is made are possible but that's out of my experience. And very expensive as well. Daily backups are a must.
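A concrete check for the shared-folder scenario above, added here as an example that is not part of the original thread: a script that walks a share, counts files carrying the *.zepto extension per top-level folder (pointing to which user area was hit) and verifies a canary file planted at the share root, so a scheduled run can flag encryption early. The canary file name and the sample share contents are constructed for the demo.

```python
import os
import tempfile
from collections import Counter

RANSOM_EXTS = {".zepto"}                  # extension reported on the affected share
CANARY_NAME = "_canary_do_not_edit.txt"   # assumed name; any rarely-touched file works
CANARY_BODY = b"canary-v1"

def plant_canary(share_root):
    """Write a known-content canary at the share root for later integrity checks."""
    path = os.path.join(share_root, CANARY_NAME)
    with open(path, "wb") as fh:
        fh.write(CANARY_BODY)
    return path

def scan_share(share_root):
    """Count ransomware-extension files per top-level folder and verify the canary."""
    hits = Counter()
    for dirpath, _dirs, files in os.walk(share_root):
        rel = os.path.relpath(dirpath, share_root)
        top = "." if rel == "." else rel.split(os.sep)[0]
        for name in files:
            if os.path.splitext(name)[1].lower() in RANSOM_EXTS:
                hits[top] += 1
    canary = os.path.join(share_root, CANARY_NAME)
    canary_intact = False          # missing or renamed counts as tampered
    if os.path.isfile(canary):
        with open(canary, "rb") as fh:
            canary_intact = fh.read() == CANARY_BODY
    return {"encrypted_files": dict(hits), "canary_intact": canary_intact}

def build_sample_share():
    """Constructed sample share: one clean folder, one folder with two encrypted files."""
    root = tempfile.mkdtemp(prefix="share_")
    for folder in ("finance", "trading"):
        os.makedirs(os.path.join(root, folder))
    open(os.path.join(root, "finance", "budget.xlsx"), "wb").close()
    for name in ("q1.xlsx.zepto", "memo.docx.zepto", "notes.txt"):
        open(os.path.join(root, "trading", name), "wb").close()
    plant_canary(root)
    return root

def tamper_canary(share_root):
    """Simulate the canary being overwritten by an encryptor (constructed, for the demo)."""
    with open(os.path.join(share_root, CANARY_NAME), "wb") as fh:
        fh.write(b"not the original content")
```

A non-empty `encrypted_files` map or `canary_intact == False` is the signal to disconnect the share and start the trace the asker describes.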
ASKER
Though we have restored the encrypted files from backups,
there are still a couple of actions we need to take:
a) trace whether the crypto malware is still hidden somewhere in one of those PCs
or network shares
b) the root cause, i.e. how the user(s) got it in the first place
c) then, from b, we'll try to work out a preventive measure
ASKER
Just learnt that Acronis backup was only deployed on a few trial PCs,
so we can't do a full bare-metal restore of the 'traders' PCs'.
As explained in the post, the effectiveness comes from taking preventive measures collectively.
ASKER
as well.
Can IOC tools help with early detection & prevention?