Revisit ransomware prevention & mitigation: SharePoint, continuous backup, etc.

A related organization's critical files in an 'encrypted shared folder' (not SharePoint) just
showed up with plenty of *.zepto files.

As post-mortem, they will ask for preventive & mitigation measures:

a) I suppose mapping a drive to an encrypted shared folder doesn't help at all.
    Will using SharePoint help (assuming we don't map a drive to the SharePoint,
    but users have to use IE/a browser to upload/update/download files)?
    But of course the very busy users (who almost constantly have to update
    the files, including Excel) hate to use IE/browsers to do this, as it's much
    slower than using Windows Explorer: you have to check out a file & will be
    prompted many times. Is there something as fast as & like Windows Explorer (for
    a familiar interface)?

b) Apparently the AV either did not work or was not updated; will AV detect &
     stop Zepto?

c) Will IOC (Indicators of Compromise) tools help with this? Do name
    specific open-source tools.

d) Exploring Acronis backup for workstations: is there a 'continuous' backup
    feature that will allow us to restore to just a second or a few seconds
    prior to being attacked?
btan (Exec Consultant) commented:
Zepto is from the Locky ransomware family.

a) Ransomware can still access and carry out its task on unmapped network shares. It also targets the user's My Documents folder and the browser's default download folder. Ransomware tends to scavenge the whole HDD to execute its task of encrypting the targeted files. It doesn't really help once the ransomware is able to run on the infected machine.

b) AV should detect it, but it is not foolproof, especially if the AV signature list is not updated or only gets a close hit on a new ransomware variant and its evolved behaviour. But the point is that ransomware is the after-effect of an exploited vulnerability or a successful run of some embedded script or email attachment that is initiated by the socially engineered victim.
We observed through dynamic analysis that it uses the same technique as the Locky ransomware to decode the main payload, spawning the process through wscript with the argument '321'; otherwise, the decryption routine will produce junk code and the execution flow will jump into that junk code and crash the process.

The encrypted files have the ".zepto" extension and it targets the same file extensions as Locky while taking care not to touch the system files; it reuses a lot of Locky ransomware code to implement its malicious behaviours.
One of the smartest features of the ransomware is the fact that it does not encrypt the files needed for the correct functioning of the OS; otherwise, how could the victims pay?
c) IOC Finder from Mandiant may help, but only for that snapshot of Locky found infesting the public and published into AV signatures. Otherwise, the minimal check to do is still to scan for the ransom note files (e.g. _HELP_instructions.jpg and one HTML page, _HELP_instructions.html) and the .zepto file extension, both on the file system and in the registry. See also RansomNoteCleaner for a clean-up.
When RansomNoteCleaner is first launched, it will contact the ID Ransomware web site and retrieve the latest information on known ransom notes. Other than this initial update of its definitions, RansomNoteCleaner will not perform any other network connections and no information about your system is uploaded to their servers. If you have a network issue reaching the website, you can use the Refresh Network button to try again.
To select the ransomware whose ransom notes you wish to scan for, you can click on the Select Ransomware(s) button and select the specific ransomware. This is recommended if you have already identified the ransomware, as it will then take much less time to search for the notes.

Once the ransomware variant(s) have been confirmed, you can click on the Search for Ransom Notes button to select a directory (or a whole drive) and start the search for known ransom notes. If you wish to clean an entire drive, you should select a specific drive letter.

d) If the machine is infected, the restoration needs to be to a separate machine and not back to the same infected machine. Check out Acronis Universal Restore, which is included free with all Acronis Backup & Acronis Backup Advanced products. I see it more as recovery of the whole system instead of just files, for instant recovery for the victim.
Universal Restore is extremely useful in the following scenarios:
1. Instant recovery of a failed system on different hardware.
2. Hardware-independent cloning and deployment of operating systems.
3. Physical-to-physical, physical-to-virtual and virtual-to-physical machine migration.

Or you can explore Acronis Monitoring Service, which is a SaaS-based monitoring tool for cloud and on-premises infrastructures. It combines true ease of deployment with a robust feature set for server, network and web services monitoring, alerting, and data presentation.
sunhux (Author) commented:
The issue with backup is that even the malware file & the *.zepto files will get backed up
as well.

Can IOC tools help with early detection & prevention?
dbrunton commented:
a) I suppose mapping a drive to an encrypted shared folder doesn't help at all.


b) Apparently the AV either did not work or was not updated; will AV detect & stop Zepto?

Stop Zepto or equivalent ransomware attacks? No. There is no AV tool that stops everything. An AV might stop some (or a lot) but not everything.
sunhux (Author) commented:
I was checking our Bluecoat hash updates: looks like they don't have any
hash for Zepto, or am I mistaken?
Link above suggests:
SpyHunter and HitmanPro with Cryptoguard

So it looks like the above anti-spyware helps? Anyone know if McAfee AV will help?
sunhux (Author) commented:
Any concerns (& mitigations) that the continuous backup also backs up the ransomware files as well?
Or do we need to build a scanner into the backup tool?
rindi commented:
To prevent infections, you need user education. Teach them to never open any attachments unless they are sure they come from a trusted user, and also only if they expect attachments from that user. Teach them to only visit trusted websites, and disable macros on their systems.
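As an added example (not code from the original thread or from any of the tools named in it), the following Python script implements the minimal check btan describes in (c): sweep a directory tree for files carrying the ".zepto" extension and for the two ransom note names "_HELP_instructions.html" / "_HELP_instructions.jpg", and report hits per directory. The same function can be pointed at a mounted backup generation before restoring, which addresses the concern just raised that a continuous backup will happily capture the encrypted files too. The sample folder tree it builds is constructed for illustration; the file names inside it are invented and only the ".zepto" extension and the two note names come from the thread. It does not cover the registry check btan also mentions.

```python
"""
Offline IOC sweep for the Locky/Zepto indicators discussed in the thread:
  * files ending in ".zepto"
  * ransom notes "_HELP_instructions.html" and "_HELP_instructions.jpg"
Run against a mapped drive, a UNC path or a read-only mounted backup snapshot.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

ZEPTO_EXT = ".zepto"
# Compared case-insensitively; Windows file systems are case-insensitive.
RANSOM_NOTES = {"_help_instructions.html", "_help_instructions.jpg"}


def classify(path):
    """Return 'ransom_note', 'zepto_file' or None for a single file path."""
    name = Path(path).name.lower()
    if name in RANSOM_NOTES:
        return "ransom_note"
    if name.endswith(ZEPTO_EXT):
        return "zepto_file"
    return None


def scan_tree(root):
    """Walk root and collect indicator hits.

    Returns {"zepto_files": [...], "ransom_notes": [...], "per_dir": Counter}
    where per_dir counts encrypted files per directory, which shows which
    shares or folders the infected user had write access to.
    Symlinks are not followed (os.walk default) so a link cannot redirect the scan.
    """
    hits = {"zepto_files": [], "ransom_notes": [], "per_dir": Counter()}
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            kind = classify(full)
            if kind == "zepto_file":
                hits["zepto_files"].append(full)
                hits["per_dir"][dirpath] += 1
            elif kind == "ransom_note":
                hits["ransom_notes"].append(full)
    return hits


def snapshot_is_clean(root):
    """True when a tree (for example one backup generation) shows no indicator.

    Use this to pick the newest backup that predates the encryption instead of
    restoring a generation that already contains .zepto files and ransom notes.
    """
    h = scan_tree(root)
    return not h["zepto_files"] and not h["ransom_notes"]


def build_sample_tree():
    """Constructed sample data: two share folders, one of them hit by the ransomware."""
    base = Path(tempfile.mkdtemp(prefix="zepto_demo_"))
    (base / "Finance").mkdir()
    (base / "HR").mkdir()
    # Finance: two encrypted files (invented names) plus the two ransom notes
    (base / "Finance" / "A1B2C3D4E5F60718.zepto").write_bytes(b"\x00" * 32)
    (base / "Finance" / "0F1E2D3C4B5A6978.zepto").write_bytes(b"\x00" * 32)
    (base / "Finance" / "_HELP_instructions.html").write_text("<html>pay</html>")
    (base / "Finance" / "_HELP_instructions.jpg").write_bytes(b"\xff\xd8\xff")
    # HR: untouched
    (base / "HR" / "handbook.docx").write_bytes(b"PK\x03\x04")
    return base


if __name__ == "__main__":
    root = build_sample_tree()
    result = scan_tree(root)
    print(f"scanned {root}")
    print(f"  .zepto files : {len(result['zepto_files'])}")
    print(f"  ransom notes : {len(result['ransom_notes'])}")
    for d, n in result["per_dir"].most_common():
        print(f"  {n:4d} encrypted file(s) in {d}")
    print("  clean snapshot?", snapshot_is_clean(root))
```

Running it on the constructed tree flags the Finance folder and leaves HR clean; in practice you would run `scan_tree()` over each backup generation, newest first, and restore the first one for which `snapshot_is_clean()` is true. A clean sweep only says these two indicators are absent, not that the machine that wrote the share is free of the malware itself.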

Also make sure users never log on to their PC with an account that belongs to the admin group. Turn UAC up to its highest level.

Do application whitelisting, so that only applications that have been authorized as safe can be executed.
Your problem is the shared folder(s) you are using.

One user gets infected, then everyone who uses that folder gets infected. You may have 99 intelligent users of that folder and one dumb one. That dumb one will infect everyone else.

Possible mitigation methods

Your sources of infection are most likely to be email attachments and web sites. If you've got a centralised mail server, then a very good anti-virus solution and any of the other methods you talk about will help. They will NOT stop everything. That is impossible.

Browsers. You can restrict the sites your users go to. You can use a safer browser such as Chrome. You can restrict what files a browser can open. That will help but won't stop everything.

Backups are important. Real-time backups every time a save is made are possible, but that's outside my experience. And very expensive as well. Daily backups are a must.
rindi commented:
Ransomware won't automatically infect everyone, at least not any of the variants known to me at the moment. Many of them will encrypt files the user has access to locally and on network shares, but that doesn't mean the ransomware itself spreads to the others. To infect a PC you need to run something, like a program or script that contains the virus. The encrypted files don't contain the virus; they are just encrypted so you can't open them anymore.
dbrunton commented:
>>  Many of them will encrypt files the users has access to locally and on network shares, but that doesn't mean the ransomware itself spreads to the others.


I'm getting a little carried away.
sunhux (Author) commented:
Though we have restored the encrypted files from backups,
there are still a couple of actions we need to take:

a) to trace whether the crypto malware is still hidden somewhere in one of those PCs
    or network shares

b) the root cause, i.e. how the user(s) got it in the 1st place

c) then from b, we'll try to work out a preventive measure
sunhux (Author) commented:
Just learnt that Acronis backup was deployed on a few trial PCs only,
so we can't do a full bare-metal restore of the 'traders' PCs'.
btan (Exec Consultant) commented:
For diligence in housekeeping and clean-up: recovery is just there to make sure the business can still continue, while the incident handling to contain further damage still has to go on. The investigation has to continue until you can (if possible) identify the closest or root-cause infection vector that led to the exploit and thereafter the spread.

The links posted may share possible tracing techniques and preventive lockdowns. As of now, do consider asking users to change their passwords, and communicate to end users on cyber hygiene and awareness of the current situation and of what the backend support team is doing. That will help to minimise further recurrence and raise vigilance.
rindi commented:
You'd have to look on the local drives of the PCs: if there are any encrypted files locally on a PC, it could be running the virus (unless you already cleaned it from that PC, or the user copied an encrypted file from the server to the PC). Network shares aren't infected by the virus, unless you allow users to work on the servers locally, look at their email on them, and browse the web. That would only be the case if you were using remote desktop servers.

The most common reason for the virus getting started is users opening email attachments or browsing an infected web site.

Preventive measures would be:

User education.
Turn macros off by default.
Only allow standard user logins, no users with admin rights.
Use application whitelisting software, so that only software you have approved can be executed.
btan (Exec Consultant) commented:
As explained in the posts, the effectiveness comes from taking the preventive measures collectively.