sunhux asked:

Revisit ransomware prevention & mitigation : Sharepoint, continuous backup, etc

A related organization's critical files in an 'encrypted shared folder' (not SharePoint) just
showed up with plenty of *.zepto files.

As a post-mortem, they will ask for preventive & mitigation measures:

a) I suppose mapping a drive to an encrypted shared folder doesn't help at all.
    Will using SharePoint help (assuming we don't map a drive to the SharePoint),
    i.e. users have to use IE/a browser to upload/update/download files?
    But of course the very busy users (who almost constantly have to update
    the files, including Excel) hate to use IE/browsers to do this, as it's much
    slower than using Windows Explorer: you have to check out a file & will be
    prompted many times. Is there something as fast as & like Windows Explorer (for
    a familiar interface)?

b) Apparently the AV either did not work or was not updated. Will AV detect &
     stop Zepto?

c) Will IOC (Indicators of Compromise) tools help with this? Do name
    specific open-source tools.

d) Exploring Acronis backup for workstations: is there a 'continuous' backup
    feature that will allow us to restore to just a second or a few seconds
    prior to being attacked?
Tags: Anti-Virus Apps, Microsoft SharePoint, Security, OS Security, Network Security

Last comment: btan, 8/22/2022 - Mon
sunhux (ASKER)
The issue with backup is that even the malware file & the *.zepto files will get backed up
as well.

Can IOC tools help with early detection & prevention?
SOLUTION (dbrunton)
[solution text only available to members]
sunhux (ASKER)
I was checking our Bluecoat hash updates: it looks like they don't have any
hash for Zepto, or am I mistaken?

https://www.bugsfighter.com/remove-zepto-ransomware-decrypt-zepto-files/
The link above suggests:
SpyHunter and HitmanPro with CryptoGuard

So it looks like the above anti-spyware helps? Does anyone know if McAfee AV will help?
sunhux (ASKER)
Any concerns (& mitigations) that the continuous backup also backs up the ransomware files as well?
Or do we need to build a scanner into the backup tool?
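The asker's questions about whether IOC tools help with early detection and whether the backup tool needs its own scanner both come down to the same check: before a snapshot of the share is trusted, look for the indicators a crypto-ransomware run leaves behind. The following script is an added example, not code from the thread or from any vendor named in it. It walks a directory tree (a mounted share or a backup staging area), flags files by a known ransomware extension (the `.zepto` extension from the thread; the other entries are illustrative), by a ransom-note filename pattern, and by near-random byte entropy in files whose extension says they should be plain text or office data, and reports the earliest modification time among the flagged files, which is the point-in-time a backup should be rolled back to. The indicator lists, the note-name regex and the entropy threshold are assumptions chosen for the example, and the sample tree is constructed in a temp directory.

```python
"""Scan a directory tree for signs of a crypto-ransomware run such as Zepto.
Added example: the indicator lists and thresholds below are assumptions for
illustration, not vendor or threat-intel data."""
import math
import os
import re
import tempfile
from collections import Counter
from dataclasses import dataclass, field

# .zepto is the extension seen in the thread; .locky/.odin are illustrative
# entries of the same family-style naming (assumed for the example).
RANSOM_EXTENSIONS = {".zepto", ".locky", ".odin"}
# Ransom-note filename pattern; assumed for the example.
RANSOM_NOTE_RE = re.compile(r"_HELP_instructions\.(txt|html|bmp)$", re.IGNORECASE)
# Extensions whose content is normally low-entropy text or light office data;
# a jump to near-random bytes while the extension is unchanged is an indicator.
TEXT_LIKE_EXTENSIONS = {".txt", ".csv", ".doc", ".xls", ".log", ".xml", ".ini"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted/random data sits near 8.0


@dataclass
class Finding:
    path: str
    reason: str
    mtime: float


@dataclass
class ScanReport:
    findings: list = field(default_factory=list)
    files_scanned: int = 0

    @property
    def earliest_hit(self):
        """Oldest mtime among findings; a clean restore point lies before it."""
        return min((f.mtime for f in self.findings), default=None)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(path: str, sample_size: int = 64 * 1024):
    """Return a reason string if the file looks ransomware-touched, else None."""
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lower()
    if ext in RANSOM_EXTENSIONS:
        return f"ransomware extension {ext}"
    if RANSOM_NOTE_RE.search(name):
        return "ransom note filename"
    if ext in TEXT_LIKE_EXTENSIONS:
        with open(path, "rb") as fh:
            head = fh.read(sample_size)
        ent = shannon_entropy(head)
        # Skip tiny files: entropy estimates on a few bytes are meaningless.
        if len(head) >= 256 and ent >= ENTROPY_THRESHOLD:
            return f"high entropy ({ent:.2f} bits/byte) for {ext}"
    return None


def scan_tree(root: str) -> ScanReport:
    """Walk root and collect findings plus the count of files examined."""
    report = ScanReport()
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            try:
                st = os.stat(p)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort
            report.files_scanned += 1
            reason = classify(p)
            if reason:
                report.findings.append(Finding(p, reason, st.st_mtime))
    return report


def build_sample_share() -> str:
    """Constructed sample tree standing in for the affected share."""
    root = tempfile.mkdtemp(prefix="share_")
    os.makedirs(os.path.join(root, "traders"))
    with open(os.path.join(root, "traders", "positions.csv"), "w") as fh:
        fh.write("ticker,qty\nABC,100\n" * 50)          # clean text file
    with open(os.path.join(root, "traders", "book.xls.zepto"), "wb") as fh:
        fh.write(os.urandom(2048))                     # renamed + encrypted
    with open(os.path.join(root, "traders", "notes.txt"), "wb") as fh:
        fh.write(os.urandom(4096))                     # encrypted, name kept
    with open(os.path.join(root, "_HELP_instructions.html"), "w") as fh:
        fh.write("<html>constructed ransom note</html>")
    return root


if __name__ == "__main__":
    rep = scan_tree(build_sample_share())
    for f in rep.findings:
        print(f"{f.reason:45s} {f.path}")
    print("files scanned:", rep.files_scanned, "flagged:", len(rep.findings))
    print("earliest flagged mtime:", rep.earliest_hit)
```

Run against a share before the backup job commits a snapshot: a non-empty report means the snapshot should be quarantined rather than overwrite the last known-good version, and `earliest_hit` gives the timestamp to roll back to. The entropy check is what catches the case the asker worries about, files that were encrypted in place with their original name, which an extension-only filter would pass straight into the backup.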
SOLUTION (rindi)
[solution text only available to members]
dbrunton

Your problem is the shared folder(s) you are using.

One user gets infected then everyone who uses that folder gets infected.  You may have 99 intelligent users of that folder and one dumb one.  That dumb one will infect everyone else.

Possible mitigation methods:

Your sources of infection are most likely to come from email attachments and web sites.  If you've got a centralised mail server then a very good anti-virus solution and any of the other methods you talk about will help.  They will NOT stop everything.  That is impossible.

Browsers.  You can restrict the sites your users go to.  You can use a safer browser such as Chrome.  You can restrict what files a browser can open.  That will help but won't stop everything.

Backups are important.  Realtime backups every time a save is made are possible but that's out of my experience.  And very expensive as well.  Daily backups are a must.
SOLUTION (rindi)
[solution text only available to members]
SOLUTION (dbrunton)
[solution text only available to members]
ASKER CERTIFIED SOLUTION (btan)
[solution text only available to members]
sunhux (ASKER)
Though we have restored the encrypted files from backups,
there are still a couple of actions we need to take:

a) to trace whether the crypto malware is still hidden somewhere in one of those PCs
    or network shares

b) the root cause, i.e. how the user(s) got it in the 1st place

c) then, from b, we'll try to work out a preventive measure
sunhux (ASKER)
Just learnt that Acronis backup was deployed on only a few trial PCs,
so we can't do a full bare-metal restore of the 'traders' PCs'.
SOLUTION (btan)
[solution text only available to members]
SOLUTION (rindi)
[solution text only available to members]
btan

As explained in the post, the effectiveness comes from taking preventive measures collectively.