Ransomware attacks

This past few months we seem to be having a lot of cyber attacks with variants of the @india.com which renames files with an xtbl extension.   The issue initiates from our Remote Desktop server that is visible on the internet but we have Symantec AV on the server as well which is connected to an appliance recommended by Symantec which is geared for monitoring ransomware activity. called ATP.   However, we will still seem to get hit.  This week, 3 days in a row.

I've spoken to Symantec but they are of no help.  I am ready to throw out the ATP appliance and pull the plug on  Symantec but what  can I use as a substitute.  I hope someone can give me some direction.
Noel ArriolaDirector of ITAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

No MoreCommented:
It's interesting that you are talking about symantec, because always when I saw ransomware on computer, symantec was present as well

I was testing Avast against ransomware files like docm, js, wsf when execute it catches instantly and blocks it and this was just free version for personal use
0
*** Hopeleonie ***IT ManagerCommented:
No Antivirus can protect 100% from Ransomware. So you have to do the following:

1) Create a good backup strategy and do recovery tests regularly.
2) Educate your users
3) Keep your Environment up to date
4) Use a good Gateway to block unwanted websites (We are using Barracuda for all our customers)
5) Work with whitelisting apps (Example Windows AppLocker)
6) Block unwanted extensions under Exchange (or other Mail system) and use another Antivirus than the clients have.
1
John TsioumprisSoftware & Systems EngineerCommented:
Can you give more info about your RD setup....how exactly are you getting infected ?
Is VPN an option ?
0
btanExec ConsultantCommented:
You can try IDRansom to identify this ransomware specifically @ https://id-ransomware.malwarehunterteam.com/
there may be slim chance there is a decryptor for it
Kaspersky malware researchers have released a Shade decryptor which can decode files encoded by the the Shade ransomware variants. Since this includes the .xtbl file extension, we have created instructions on how to decrypt your .xtbl files.
But there are too many variant of the .XTBL ransomware viruses
http://sensorstechforum.com/decrypt-files-encrypted-shade-xtbl-ransomware/

The ransomware can be carried by exploit kit and easily bypass the ring fence checker, even password protect or obfuscated / encoded packet can easily evade the traffic inspection - further SSL traffic cannot be inspected unless it is decrypted. I doubt ATP does that. You cannot inspect what you cannot "see". Ransomware can spread via RDP and most of the time they can get in due to weak password and can be easily brute force. You need to harden the RDP aspect - consider 2FA esp for admin, managed the permission for the login account esp for admin membership @ https://technet.microsoft.com/en-us/library/cc753032(v=ws.11).aspx

You need to employ controls at the endpoints and harden the server and systems to fend off ransomware. You can check out an EE article on the FAQ for ransomware @ https://www.experts-exchange.com/articles/28059/TL-DR-Ransomware.html. There are solution and mitigation action suggested.
1

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software

From novice to tech pro — start learning today.