Solved

Ransomware attacks

Posted on 2016-11-09
94 Views
Last Modified: 2016-11-11
These past few months we seem to be having a lot of cyber attacks with variants of the @india.com ransomware, which renames files with an .xtbl extension. The issue initiates from our Remote Desktop server that is visible on the internet, but we have Symantec AV on the server as well, which is connected to an appliance recommended by Symantec that is geared for monitoring ransomware activity, called ATP. However, we still seem to get hit. This week, 3 days in a row.

I've spoken to Symantec but they are of no help. I am ready to throw out the ATP appliance and pull the plug on Symantec, but what can I use as a substitute? I hope someone can give me some direction.
0
Question by:narriola2
5 Comments
 
LVL 7

Expert Comment

by:No More
ID: 41881639
It's interesting that you are talking about Symantec, because whenever I saw ransomware on a computer, Symantec was present as well.

I was testing Avast against ransomware files like .docm, .js and .wsf; when executed, it catches and blocks them instantly, and this was just the free version for personal use.
0
 
LVL 19

Expert Comment

by:*** Hopeleonie ***
ID: 41881679
No antivirus can protect 100% from ransomware, so you have to do the following:

1) Create a good backup strategy and do recovery tests regularly.
2) Educate your users.
3) Keep your environment up to date.
4) Use a good gateway to block unwanted websites (we are using Barracuda for all our customers).
5) Work with application whitelisting (for example, Windows AppLocker).
6) Block unwanted extensions in Exchange (or another mail system) and use a different antivirus than the clients have.
1
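Items 5 and 6 of the list above, scripted, as an added example that is not part of Hopeleonie's comment. Part 1 is an Exchange transport rule that rejects the attachment extensions this thread keeps seeing (.js, .wsf, .docm and similar droppers) and is run from the Exchange Management Shell on Exchange 2013 or later; part 2 writes a local AppLocker path-whitelist policy and tests it against a script file in the user's temp folder, and is run in an elevated PowerShell on the RD server or any endpoint. The extension list, rule names, the probe file and the AuditOnly starting mode are assumptions for illustration.

```powershell
# Added example, not code from the thread. Part 1 runs in the Exchange Management Shell;
# part 2 runs elevated on the RD server (or any endpoint you want to whitelist).

# ---------- Part 1: reject ransomware dropper attachments at the mail system ----------
# Extensions are matched without the dot. The list is an assumption: scripts, HTA, executables
# and macro-enabled Office documents are the usual droppers; extend it to suit your mail flow.
$droppers = 'js','jse','wsf','wsh','vbs','vbe','hta','scr','exe','bat','cmd','docm','xlsm','pptm'

New-TransportRule -Name 'Block ransomware dropper attachments' `
    -AttachmentExtensionMatchesWords $droppers `
    -RejectMessageReasonText 'Attachment type not accepted here; please send a PDF or a plain Office document.' `
    -Priority 0

# Attackers wrap the same files in password-protected archives so the extension check never
# sees them; reject those as well (requires Exchange 2013 or later).
New-TransportRule -Name 'Block password-protected attachments' `
    -AttachmentIsPasswordProtected $true `
    -RejectMessageReasonText 'Password-protected attachments are not accepted.' `
    -Priority 1

Get-TransportRule | Format-Table Name, State, Priority -AutoSize

# ---------- Part 2: local AppLocker whitelist for executables and scripts ----------
# Allow only what lives under Program Files and Windows (plus anything for local admins) and
# exclude the Windows folders ordinary users can write to, or the whitelist has a hole.
# Start in AuditOnly, watch AppLocker event 8003 ("would have been blocked") for a while,
# then switch to 'Enabled'. AppLocker script rules cover .ps1 .bat .cmd .vbs .js but not .wsf,
# which is one reason the mail rule above still matters.
$mode = 'AuditOnly'   # assumption: start in audit mode; set to 'Enabled' to enforce

function New-PathRuleCollection {
    param([string]$Type)   # 'Exe' or 'Script'
@"
  <RuleCollection Type="$Type" EnforcementMode="$mode">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows, except user-writable folders" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Administrators everything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
"@
}

$policyXml = @"
<AppLockerPolicy Version="1">
$(New-PathRuleCollection -Type 'Exe')
$(New-PathRuleCollection -Type 'Script')
</AppLockerPolicy>
"@
$policyPath = "$env:TEMP\applocker-whitelist.xml"
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: a script dropped into the user's temp folder matches no allow rule for Everyone.
$probe = "$env:TEMP\invoice.js"          # constructed harmless test file, not a real dropper
Set-Content -Path $probe -Value 'WScript.Echo 1'
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe -User Everyone   # PolicyDecision: DeniedByDefault

# Apply locally and make sure the Application Identity service runs; without it nothing is enforced.
Set-AppLockerPolicy -XmlPolicy $policyPath -Local
sc.exe config appidsvc start= auto
Start-Service -Name AppIDSvc
```

In a domain, ship the same XML through Group Policy (Computer Configuration, Windows Settings, Security Settings, Application Control Policies) rather than with `-Local`, so every endpoint gets it and a compromised box cannot simply clear its own policy.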
 
LVL 92

Expert Comment

by:nobus
ID: 41881714
0
 
LVL 13

Expert Comment

by:John Tsioumpris
ID: 41881753
Can you give more info about your RD setup? How exactly are you getting infected?
Is VPN an option?
0
 
LVL 62

Accepted Solution

by: btan (earned 500 total points)
ID: 41881991
You can try ID Ransomware to identify this ransomware specifically @ https://id-ransomware.malwarehunterteam.com/
There may be a slim chance that there is a decryptor for it.
Kaspersky malware researchers have released a Shade decryptor which can decode files encoded by the Shade ransomware variants. Since this includes the .xtbl file extension, we have created instructions on how to decrypt your .xtbl files.
But there are too many variants of the .XTBL ransomware viruses.
http://sensorstechforum.com/decrypt-files-encrypted-shade-xtbl-ransomware/

The ransomware can be carried by an exploit kit and easily bypass the ring-fence checker; even a password-protected or obfuscated/encoded packet can easily evade traffic inspection. Further, SSL traffic cannot be inspected unless it is decrypted, and I doubt ATP does that. You cannot inspect what you cannot "see". Ransomware can spread via RDP, and most of the time they get in due to weak passwords, which can easily be brute-forced. You need to harden the RDP aspect: consider 2FA, especially for admins, and manage the permissions of the login accounts, especially admin membership @ https://technet.microsoft.com/en-us/library/cc753032(v=ws.11).aspx

You need to employ controls at the endpoints and harden the server and systems to fend off ransomware. You can check out an EE article on the FAQ for ransomware @ https://www.experts-exchange.com/articles/28059/TL-DR-Ransomware.html. There are solutions and mitigation actions suggested.
1
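The RDP hardening btan describes, as an added example that is not part of his answer: a PowerShell function that triages failed-logon events (Security event 4625) to find the source addresses brute-forcing the RD server, followed by the listener settings, firewall scoping, lockout policy and a review of who holds RDP logon rights. Run it in an elevated PowerShell on the RD server. The 20-failures threshold, the 10.8.0.0/24 VPN subnet and the lockout values are assumptions; 2FA itself needs an NPS extension or a third-party component and is not shown.

```powershell
# Added example, not code from the thread. Run elevated on the internet-facing RD server.

# ---------- 1. Triage: which source IPs are hammering the server with failed logons? ----------
# Event 4625 = "An account failed to log on". LogonType 10 is RemoteInteractive (classic RDP);
# once NLA is required, RDP failures are mostly logged as LogonType 3 (network), so keep both.
function Get-RdpBruteForceSources {
    param(
        [int]$Hours = 24,
        [int]$Threshold = 20   # assumption: 20 failures per IP per day is far above normal typo rates
    )
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        [xml]$x = $e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.LogonType -in '3','10') {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                SourceIp  = $d.IpAddress
                User      = $d.TargetUserName
                LogonType = $d.LogonType
            }
        }
    }

    $rows | Where-Object { $_.SourceIp -and $_.SourceIp -ne '-' } |
        Group-Object SourceIp |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                SourceIp      = $_.Name
                Failures      = $_.Count
                DistinctUsers = ($_.Group.User | Sort-Object -Unique).Count   # many users from one IP = password spraying
                SampleUsers   = ($_.Group.User | Select-Object -First 5) -join ','
            }
        } | Sort-Object Failures -Descending
}

Get-RdpBruteForceSources | Format-Table -AutoSize

# ---------- 2. Harden the RDP listener ----------
$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdp -Name UserAuthentication -Value 1   # require NLA: credentials are checked before a session exists
Set-ItemProperty -Path $rdp -Name SecurityLayer      -Value 2   # TLS only, no legacy RDP security layer
Set-ItemProperty -Path $rdp -Name MinEncryptionLevel -Value 3   # "High" encryption

# Do not leave 3389 open to the whole internet: scope the built-in Remote Desktop rules to the
# VPN/management subnet (assumed 10.8.0.0/24). Run this from the console or from inside that
# subnet, or you lock yourself out.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress '10.8.0.0/24'

# Account lockout blunts password guessing. This sets the local policy; on a domain member
# the domain GPO wins, and on a domain controller this changes the domain policy itself.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# ---------- 3. Review who may log on over RDP at all ----------
# Both 'Remote Desktop Users' and 'Administrators' hold the "Allow log on through Remote
# Desktop Services" right by default; prune both, and keep admins out of RDP where possible.
# (net localgroup is used because Get-LocalGroupMember only exists on Server 2016 / Windows 10 and later.)
foreach ($g in 'Remote Desktop Users', 'Administrators') {
    "== $g =="
    net localgroup $g
}
```

The triage output is what you hand to the firewall team or feed to an automatic block list; a single source with thousands of failures against `administrator` is classic brute force, while one source trying dozens of distinct usernames a few times each is password spraying, which account lockout alone does not stop.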
