Revisit ransomware prevention & mitigation : Sharepoint, continuous backup, etc
A related organization's critical files in 'encrypted shared folder' (not Sharepoint) just
show up with plenty of *.zepto
As post-mortem, they will ask for preventive & mitigation measures:
a) I suppose mapping a drive to an encrypted shared folder doesn't help at all.
Will using Sharepoint help (assuming we don't map a drive to the Sharepoint)
but users have to use IE/browser to upload/update/download files?
But of course the very busy users (who almost constantly have to update
the files, including Excel) hate to use IE/browsers to do this as it's much
slower than using Windows Explorer: got to check out a file & will be
prompted many times. Is there something as fast & like Win Explorer (for
familiar interface)?
b) apparently the AV either did not work or not updated, will AV detect &
stop zepto ?
c) Will IOC (indicators of Compromise) tools help with this? Do name
specific opensource tools
d) Exploring Acronis backup for workstations: is there a 'continuous' backup
feature that will allow us to restore just a second or a few secs just to
prior being attacked?
show up with plenty of *.zepto
As post-mortem, they will ask for preventive & mitigation measures:
a) I suppose mapping a drive to an encrypted shared folder doesn't help at all.
Will using Sharepoint help (assuming we don't map a drive to the Sharepoint)
but users have to use IE/browser to upload/update/download files?
But of course the very busy users (who almost constantly have to update
the files, including Excel) hate to use IE/browsers to do this as it's much
slower than using Windows Explorer: got to check out a file & will be
prompted many times. Is there something as fast & like Win Explorer (for
familiar interface)?
b) apparently the AV either did not work or not updated, will AV detect &
stop zepto ?
c) Will IOC (indicators of Compromise) tools help with this? Do name
specific opensource tools
d) Exploring Acronis backup for workstations: is there a 'continuous' backup
feature that will allow us to restore just a second or a few secs just to
prior being attacked?
Who is Participating?
Issue about backup is even the malware file & the *.zepto will get backed up
as well.
Can IOCs tool help with early detection & prevention
as well.
Can IOCs tool help with early detection & prevention
a) I suppose mapping a drive to an encrypted shared folder doesn't help at all.
Correct.
b) Apparently the AV either did not work or not updated, will AV detect & stop zepto ?
Stop Zepto or equivalent ransomware attacks? No. There is no AV tool that stops everything. An AV might stop some (or a lot) but not everything.
Correct.
b) Apparently the AV either did not work or not updated, will AV detect & stop zepto ?
Stop Zepto or equivalent ransomware attacks? No. There is no AV tool that stops everything. An AV might stop some (or a lot) but not everything.
I was checking our Bluecoat hashes updates : looks like they don't have any
has for Zepto or am I mistaken?
https://www.bugsfighter.com/remove-zepto-ransomware-decrypt-zepto-files/
Link above suggests:
SpyHunter and HitmanPro with Cryptoguard
So looks like the above anti-spyware helps? Anyone know if McAfee AV will help?
has for Zepto or am I mistaken?
https://www.bugsfighter.com/remove-zepto-ransomware-decrypt-zepto-files/
Link above suggests:
SpyHunter and HitmanPro with Cryptoguard
So looks like the above anti-spyware helps? Anyone know if McAfee AV will help?
Any concerns (& mitigations) that the continuous backup also backs up the ransomware files as well?
Or we need to build in a scanner for the backup tool?
Or we need to build in a scanner for the backup tool?
To prevent infections, you need user education. Teach them to never open any attachments unless they are sure they come from a trusted user and also only if they expect attachments from that user. Teach them to only visit trusted websites, disable macro's on their systems.
Also make sure users never log on to their PC with an account that belongs to the admin group. Turn UAC to it's highest level.
Do application white-listing, so that only applications can be executed that have been authorized to be safe.
Also make sure users never log on to their PC with an account that belongs to the admin group. Turn UAC to it's highest level.
Do application white-listing, so that only applications can be executed that have been authorized to be safe.
Your problem is the shared folder(s) you are using.
One user gets infected then everyone who uses that folder gets infected. You may have 99 intelligent users of that folder and one dumb one. That dumb one will infect everyone else.
Possible mitigation methods
Your sources of infection are most likely to come from email attachments and web sites. If you've got a centralised mail server then a very good anti-virus solution and any of the other methods you talk about will help. They will NOT stop everything. That is impossible.
Browsers. You can restrict the sites your users go to. You can use a safer browser such as Chrome. You can restrict what files a browser can open. That will help but won't stop everything.
Backups are important. Realtime backups every time a save is made are possible but that's out of my experience. And very expensive as well. Daily backups are a must.
One user gets infected then everyone who uses that folder gets infected. You may have 99 intelligent users of that folder and one dumb one. That dumb one will infect everyone else.
Possible mitigation methods
Your sources of infection are most likely to come from email attachments and web sites. If you've got a centralised mail server then a very good anti-virus solution and any of the other methods you talk about will help. They will NOT stop everything. That is impossible.
Browsers. You can restrict the sites your users go to. You can use a safer browser such as Chrome. You can restrict what files a browser can open. That will help but won't stop everything.
Backups are important. Realtime backups every time a save is made are possible but that's out of my experience. And very expensive as well. Daily backups are a must.
Ransomware won't automatically infect everyone, at least not any of the variants known to me at the moment. Many of them will encrypt files the users has access to locally and on network shares, but that doesn't mean the ranswomware itself spreads to the others. To infect a PC you need to run something, like a program or script that contains the virus. The encrypted files don't contain the virus, they are just encrypted so you can't open them anymore.
>> Many of them will encrypt files the users has access to locally and on network shares, but that doesn't mean the ransomware itself spreads to the others.
Correct.
I'm getting a little carried away.
Correct.
I'm getting a little carried away.
Though we have restored back from backups the encrypted files,
still a couple of actions we need to take:
a) to trace if the crypto malware is still hidden somewhere around in one of those PCs
or network shares
b) the root cause, ie how the user(s) got it from in the 1st place
c) then from b, we'll try to work out a preventive measure
still a couple of actions we need to take:
a) to trace if the crypto malware is still hidden somewhere around in one of those PCs
or network shares
b) the root cause, ie how the user(s) got it from in the 1st place
c) then from b, we'll try to work out a preventive measure
Just learnt that Acronis backup was just deployed in a few trial PCs only,
so we can't do a full bare metal restore of the 'traders PCs'
so we can't do a full bare metal restore of the 'traders PCs'
For diligence in housekeeping and clean up still as recovery is just a to make sure business can still continue while the incident handling for containing further damages still has to continue. The investigation has to go on till you can (if possibly) identify the closest or root cause infection vector that leads to the exploit and thereafter the spread.
Those posted link may shared possible tracing technique and preventive lockdown as of now do consider asking user to change password and comms to end user on cyber hygiene and be aware of current situation that the backend support team are doing. That will helps to minimise further recurrence and up the vigilance.
Those posted link may shared possible tracing technique and preventive lockdown as of now do consider asking user to change password and comms to end user on cyber hygiene and be aware of current situation that the backend support team are doing. That will helps to minimise further recurrence and up the vigilance.
You'd have to look on the local drives of the PC's, if there are any encrypted files locally on the PC, it could be running the virus (unless you already cleaned it from that PC, or the user copied an encrypted file from the server to the PC). Network shares aren't infected by the virus, unless you allow users to work on the servers locally, look at their email on it, and browse the web. That would only be the case if you were using remote desktop servers.
The most common reason for the virus getting started, is when users open email attachments, or they browse an infected Web-site.
Preventive measures would be:
User education.
Turn macro's off by default.
Only allow standard user logins, no users with admin rights.
Use an application white-listung software, so that only software can be executed that you have approved.
The most common reason for the virus getting started, is when users open email attachments, or they browse an infected Web-site.
Preventive measures would be:
User education.
Turn macro's off by default.
Only allow standard user logins, no users with admin rights.
Use an application white-listung software, so that only software can be executed that you have approved.
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
All Courses
From novice to tech pro — start learning today.
a) Ransomware can still access and carry out its task with unmapped network shares. It also target user My document folder and browser default folder where you saved the download. Ransomware tends to scavenge the whole HDD to execute it task to encrypt the targeted files. It doesnt really help once the ransomware is able to run in the infected machine.
b) Av should detect but it is not foolproof esp if the AV signature list is not updated or get a close hit to the new variant Ransomware and its evolved behaviour. But the point is Ransomware is the after effect of an exploited vulnerability or a successful run of some embedded script or email attachment that is initiated by the social engineered victim c) IOC finder from Mandiant may help but only for that snapshot of the Locky found infesting the public and published into AV signature. Otherwise, the minimal check to do is still to scan for the ransom note files (e.g. (_HELP_instructions.jpg) and one html page (_HELP_instructions.html) ), the file extension of .zepto both at file system and registry. See also RansomNoteCleaner for a clean up http://www.bleepingcomputer.com/download/ransomnotecleaner/
d)If the machine is infected, the restoration need to be in separate machine and not restore back to the same infected machine. Check out Acronis Universal Restore that is included free with all, Acronis Backup & Acronis Backup Advanced products. I see it more of recovery of the whole system instead of just files for instant recovery for the victim (pdf) http://www.acronis.com/en-sg/download/docs/aur/userguide/
Or you can explore Acronis Monitoring Service which is a SaaS-based monitoring tool for cloud and on-premises infrastructures. It combines true ease-of-deployment and a robust feature set for server, network and web services monitoring, alerting, and data presentation. http://www.acronis.com/en-us/business/monitoring-service/