?
Solved

Ransomware attacks

Posted on 2016-11-09
5
Medium Priority
?
209 Views
Last Modified: 2016-11-11
This past few months we seem to be having a lot of cyber attacks with variants of the @india.com which renames files with an xtbl extension.   The issue initiates from our Remote Desktop server that is visible on the internet but we have Symantec AV on the server as well which is connected to an appliance recommended by Symantec which is geared for monitoring ransomware activity. called ATP.   However, we will still seem to get hit.  This week, 3 days in a row.

I've spoken to Symantec but they are of no help.  I am ready to throw out the ATP appliance and pull the plug on  Symantec but what  can I use as a substitute.  I hope someone can give me some direction.
0
Comment
Question by:narriola2
5 Comments
 
LVL 7

Expert Comment

by:No More
ID: 41881639
It's interesting that you are talking about symantec, because always when I saw ransomware on computer, symantec was present as well

I was testing Avast against ransomware files like docm, js, wsf when execute it catches instantly and blocks it and this was just free version for personal use
0
 
LVL 19

Expert Comment

by:*** Hopeleonie ***
ID: 41881679
No Antivirus can protect 100% from Ransomware. So you have to do the following:

1) Create a good backup strategy and do recovery tests regularly.
2) Educate your users
3) Keep your Environment up to date
4) Use a good Gateway to block unwanted websites (We are using Barracuda for all our customers)
5) Work with whitelisting apps (Example Windows AppLocker)
6) Block unwanted extensions under Exchange (or other Mail system) and use another Antivirus than the clients have.
1
 
LVL 93

Expert Comment

by:nobus
ID: 41881714
0
 
LVL 19

Expert Comment

by:John Tsioumpris
ID: 41881753
Can you give more info about your RD setup....how exactly are you getting infected ?
Is VPN an option ?
0
 
LVL 65

Accepted Solution

by:
btan earned 2000 total points
ID: 41881991
You can try IDRansom to identify this ransomware specifically @ https://id-ransomware.malwarehunterteam.com/
there may be slim chance there is a decryptor for it
Kaspersky malware researchers have released a Shade decryptor which can decode files encoded by the the Shade ransomware variants. Since this includes the .xtbl file extension, we have created instructions on how to decrypt your .xtbl files.
But there are too many variant of the .XTBL ransomware viruses
http://sensorstechforum.com/decrypt-files-encrypted-shade-xtbl-ransomware/

The ransomware can be carried by exploit kit and easily bypass the ring fence checker, even password protect or obfuscated / encoded packet can easily evade the traffic inspection - further SSL traffic cannot be inspected unless it is decrypted. I doubt ATP does that. You cannot inspect what you cannot "see". Ransomware can spread via RDP and most of the time they can get in due to weak password and can be easily brute force. You need to harden the RDP aspect - consider 2FA esp for admin, managed the permission for the login account esp for admin membership @ https://technet.microsoft.com/en-us/library/cc753032(v=ws.11).aspx

You need to employ controls at the endpoints and harden the server and systems to fend off ransomware. You can check out an EE article on the FAQ for ransomware @ https://www.experts-exchange.com/articles/28059/TL-DR-Ransomware.html. There are solution and mitigation action suggested.
1

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Here in this article, you will get a step by step guidance on how to restore an Exchange database to a recovery database. Get a brief on Recovery Database and how it can be used to restore Exchange database in this section!
Stellar Exchange Toolkit: this 5 in 1 toolkit comes loaded with mega-software tool. Here’s an introduction to tools’ usage and advantages:
The viewer will learn how to successfully download and install the SARDU utility on Windows 8, without downloading adware.
The viewer will learn how to successfully download and install the SARDU utility on Windows 7, without downloading adware.
Suggested Courses

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question