Solved

Revisit ransomware prevention & mitigation : Sharepoint, continuous backup, etc

Posted on 2016-08-19
  • Anti-Virus Apps
  • MS SharePoint
  • Security
  • OS Security
  • Network Security
Last Modified: 2016-10-27
A related organization's critical files in an 'encrypted shared folder' (not Sharepoint) just
showed up with plenty of *.zepto files.

As post-mortem, they will ask for preventive & mitigation measures:

a) I suppose mapping a drive to an encrypted shared folder doesn't help at all.
    Will using Sharepoint help (assuming we don't map a drive to the Sharepoint,
    but users have to use IE/a browser to upload/update/download files)?
    But of course the very busy users (who almost constantly have to update
    the files, including Excel) hate to use IE/browsers to do this as it's much
    slower than using Windows Explorer: you have to check out a file & will be
    prompted many times. Is there something as fast & like Win Explorer (for a
    familiar interface)?

b) Apparently the AV either did not work or was not updated; will AV detect &
     stop Zepto?

c) Will IOC (Indicators of Compromise) tools help with this? Do name
    specific open-source tools.

d) Exploring Acronis backup for workstations: is there a 'continuous' backup
    feature that will allow us to restore to just a second or a few seconds
    prior to being attacked?
Question by:sunhux

Author Comment

by:sunhux
ID: 41763376
The issue with backup is that even the malware file & the *.zepto files will get backed up
as well.

Can IOC tools help with early detection & prevention?

Assisted Solution

by:dbrunton
dbrunton earned 125 total points (awarded by participants)
ID: 41763379
a) I suppose mapping a drive to an encrypted shared folder doesn't help at all.

Correct.


b) Apparently the AV either did not work or was not updated; will AV detect & stop Zepto?

Stop Zepto or equivalent ransomware attacks?  No.  There is no AV tool that stops everything.  An AV might stop some (or a lot) but not everything.

Author Comment

by:sunhux
ID: 41763386
I was checking our Bluecoat hash updates: looks like they don't have any
hash for Zepto, or am I mistaken?

https://www.bugsfighter.com/remove-zepto-ransomware-decrypt-zepto-files/
Link above suggests:
SpyHunter and HitmanPro with Cryptoguard

So looks like the above anti-spyware helps?  Anyone know if McAfee AV will help?

Author Comment

by:sunhux
ID: 41763390
Any concerns (& mitigations) that the continuous backup also backs up the ransomware files as well?
Or we need to build in a scanner for the backup tool?

Assisted Solution

by:rindi
rindi earned 125 total points (awarded by participants)
ID: 41763531
To prevent infections, you need user education. Teach them to never open any attachments unless they are sure they come from a trusted user, and also only if they expect attachments from that user. Teach them to only visit trusted websites, and disable macros on their systems.

Also make sure users never log on to their PC with an account that belongs to the admin group. Turn UAC to its highest level.

Do application white-listing, so that only applications can be executed that have been authorized to be safe.

Expert Comment

by:dbrunton
ID: 41763564
Your problem is the shared folder(s) you are using.

One user gets infected then everyone who uses that folder gets infected.  You may have 99 intelligent users of that folder and one dumb one.  That dumb one will infect everyone else.

Possible mitigation methods

Your sources of infection are most likely to come from email attachments and web sites.  If you've got a centralised mail server then a very good anti-virus solution and any of the other methods you talk about will help.  They will NOT stop everything.  That is impossible.

Browsers.  You can restrict the sites your users go to.  You can use a safer browser such as Chrome.  You can restrict what files a browser can open.  That will help but won't stop everything.

Backups are important.  Real-time backups every time a save is made are possible but that's out of my experience.  And very expensive as well.  Daily backups are a must.

Assisted Solution

by:rindi
rindi earned 125 total points (awarded by participants)
ID: 41763573
Ransomware won't automatically infect everyone, at least not any of the variants known to me at the moment. Many of them will encrypt files the user has access to locally and on network shares, but that doesn't mean the ransomware itself spreads to the others. To infect a PC you need to run something, like a program or script that contains the virus. The encrypted files don't contain the virus; they are just encrypted so you can't open them anymore.

Assisted Solution

by:dbrunton
dbrunton earned 125 total points (awarded by participants)
ID: 41763585
>>  Many of them will encrypt files the user has access to locally and on network shares, but that doesn't mean the ransomware itself spreads to the others.

Correct.

I'm getting a little carried away.

Accepted Solution

by:btan
btan earned 250 total points (awarded by participants)
ID: 41763619
Zepto is from the Locky ransomware family.

a) Ransomware can still access and carry out its task with unmapped network shares. It also targets the user's My Documents folder and the browser default folder where downloads are saved. Ransomware tends to scavenge the whole HDD to execute its task of encrypting the targeted files. It doesn't really help once the ransomware is able to run on the infected machine.

b) AV should detect it, but it is not foolproof, especially if the AV signature list is not updated or only gets a close hit on the new variant of the ransomware and its evolved behaviour. But the point is that ransomware is the after-effect of an exploited vulnerability or a successful run of some embedded script or email attachment that is initiated by the socially engineered victim.
We observed through dynamic analysis that it uses the same technique as Locky ransomware to decode the main payload, spawning the process through wScript with the argument '321'; otherwise, the decryption routine will produce junk code and the execution flow will jump into that junk code and crash the process.

The encrypted files have the ".zepto" extension and it targets the same file extensions as Locky, taking care of the system files; it uses a lot of the code of Locky ransomware to implement its malicious behaviours.
One of the smartest features of the ransomware is the fact that they do not encrypt all the files needed for the correct functioning of the OS; otherwise, how could the victims pay?
c) IOC Finder from Mandiant may help, but only for that snapshot of the Locky found infesting the public and published into AV signatures. Otherwise, the minimal check to do is still to scan for the ransom note files (e.g. one image (_HELP_instructions.jpg) and one html page (_HELP_instructions.html)) and the .zepto file extension, both in the file system and the registry. See also RansomNoteCleaner for a clean-up:
When RansomNoteCleaner is first launched, it will contact the ID Ransomware web site and retrieve the latest information on known ransom notes. Other than this initial update of its definitions, RansomNoteCleaner will not perform any other network connections and no information about your system is uploaded to their servers. If you have a network issue with reaching the website, you can use the Refresh Network button to try again.
 
To select the ransomware whose ransom notes you wish to scan for, you can click on the Select Ransomware(s) button and select the specific ransomware. This is recommended if you have already identified the ransomware, as otherwise it will take much less time to search for the notes.

Once the ransomware variant(s) have been confirmed, you can click on the Search for Ransom Notes button to select a directory (or whole drive), and start the search for known ransom notes.  If you wish to clean an entire drive, you should select a specific drive letter.
http://www.bleepingcomputer.com/download/ransomnotecleaner/

d) If the machine is infected, the restoration needs to be on a separate machine and not restored back to the same infected machine. Check out Acronis Universal Restore, which is included free with all Acronis Backup & Acronis Backup Advanced products. I see it more as recovery of the whole system instead of just files, for instant recovery for the victim.
Universal Restore is extremely useful in the following scenarios:
1. Instant recovery of a failed system on different hardware.
2. Hardware-independent cloning and deployment of operating systems.
3. Physical-to-physical, physical-to-virtual and virtual-to-physical machine migration.
(pdf) http://www.acronis.com/en-sg/download/docs/aur/userguide/

Or you can explore Acronis  Monitoring Service which is a SaaS-based monitoring tool for cloud and on-premises infrastructures. It combines true ease-of-deployment and a robust feature set for server, network and web services monitoring, alerting, and data presentation.  http://www.acronis.com/en-us/business/monitoring-service/

Author Comment

by:sunhux
ID: 41764333
Though we have restored the encrypted files from backups,
there are still a couple of actions we need to take:

a) to trace whether the crypto malware is still hidden somewhere in one of those PCs
    or network shares

b) the root cause, i.e. how the user(s) got it in the 1st place

c) then from b, we'll try to work out a preventive measure

Author Comment

by:sunhux
ID: 41764335
Just learnt that Acronis backup was just deployed in a few trial PCs only,
so we can't do a full bare metal restore of the 'traders PCs'

Assisted Solution

by:btan
btan earned 250 total points (awarded by participants)
ID: 41764342
Diligence in housekeeping and clean-up is still needed, as recovery is just to make sure business can continue while the incident handling for containing further damage still has to go on. The investigation has to go on till you can (if possible) identify the closest or root-cause infection vector that led to the exploit and thereafter the spread.

The posted links may share possible tracing techniques and preventive lockdown. As of now, do consider asking users to change passwords, and communicate to end users on cyber hygiene and awareness of the current situation and what the backend support team is doing. That will help to minimise further recurrence and raise vigilance.

Assisted Solution

by:rindi
rindi earned 125 total points (awarded by participants)
ID: 41764350
You'd have to look on the local drives of the PCs; if there are any encrypted files locally on the PC, it could be running the virus (unless you already cleaned it from that PC, or the user copied an encrypted file from the server to the PC). Network shares aren't infected by the virus, unless you allow users to work on the servers locally, look at their email on them, and browse the web. That would only be the case if you were using remote desktop servers.

The most common reason for the virus getting started is when users open email attachments, or they browse an infected website.

Preventive measures would be:

User education.
Turn macros off by default.
Only allow standard user logins, no users with admin rights.
Use application white-listing software, so that only software can be executed that you have approved.
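A small triage scanner built from the indicators btan lists in the accepted solution (the .zepto extension and the _HELP_instructions ransom notes) and the local-drive check rindi describes above; this is an added example, not code posted in the thread, and the share layout it builds is constructed sample data. It reports per-directory hit counts plus the earliest and latest encrypted-file time, which bounds the restore point sunhux asked about in (d).

```python
import os
import tempfile
from collections import Counter

# Indicators quoted in btan's answer: the .zepto extension and the two
# Locky/Zepto ransom-note file names.
ENCRYPTED_EXT = ".zepto"
RANSOM_NOTES = {"_HELP_instructions.html", "_HELP_instructions.jpg"}


def scan_tree(root):
    """Walk root and collect triage data: .zepto counts per directory,
    ransom-note paths, and the earliest/latest .zepto mtime.  The earliest
    mtime bounds when encryption started (the point a restore should land
    just before); directories with hits show where the compromised account
    had write access."""
    per_dir = Counter()
    notes = []
    first = last = None
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in RANSOM_NOTES:
                notes.append(path)
            elif name.lower().endswith(ENCRYPTED_EXT):
                per_dir[dirpath] += 1
                mtime = os.path.getmtime(path)
                first = mtime if first is None else min(first, mtime)
                last = mtime if last is None else max(last, mtime)
    return {"per_dir": dict(per_dir), "notes": sorted(notes),
            "first_encrypted": first, "last_encrypted": last}


def build_sample_share():
    """Constructed sample share (not real data): a clean folder plus a hit
    folder holding two .zepto files and both ransom notes."""
    root = tempfile.mkdtemp()
    hit, clean = os.path.join(root, "finance"), os.path.join(root, "hr")
    os.makedirs(hit)
    os.makedirs(clean)
    for name in ("0F1A2B3C.zepto", "4D5E6F70.zepto",
                 "_HELP_instructions.html", "_HELP_instructions.jpg"):
        open(os.path.join(hit, name), "w").close()
    open(os.path.join(clean, "policy.docx"), "w").close()
    # Backdate one encrypted file so the earliest mtime stands out
    os.utime(os.path.join(hit, "0F1A2B3C.zepto"), (1471000000, 1471000000))
    return root
```

Point scan_tree() at the affected share root; the hit directories and the first/last timestamps are what the backup and investigation teams need to pick a restore point and trace which account wrote the encrypted files.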

Expert Comment

by:btan
ID: 41792481
As explained in the post, the effectiveness comes from taking preventive measures collectively.