Solved

Ransomware attacks

Posted on 2016-11-09
Last Modified: 2016-11-11
These past few months we seem to be having a lot of cyber attacks with variants of @india.com, which renames files with an xtbl extension. The issue initiates from our Remote Desktop server, which is visible on the internet, but we have Symantec AV on the server as well, which is connected to an appliance recommended by Symantec, called ATP, which is geared for monitoring ransomware activity. However, we still seem to get hit. This week, 3 days in a row.

I've spoken to Symantec but they are of no help. I am ready to throw out the ATP appliance and pull the plug on Symantec, but what can I use as a substitute? I hope someone can give me some direction.
Question by:narriola2
5 Comments
 
LVL 7

Expert Comment

by:No More
ID: 41881639
It's interesting that you are talking about Symantec, because whenever I saw ransomware on a computer, Symantec was present as well.

I was testing Avast against ransomware files like docm, js and wsf; when they execute it catches them instantly and blocks them, and this was just the free version for personal use.
0
 
LVL 19

Expert Comment

by:*** Hopeleonie ***
ID: 41881679
No antivirus can protect 100% from ransomware, so you have to do the following:

1) Create a good backup strategy and do recovery tests regularly.
2) Educate your users.
3) Keep your environment up to date.
4) Use a good gateway to block unwanted websites (we are using Barracuda for all our customers).
5) Work with application whitelisting (example: Windows AppLocker).
6) Block unwanted extensions in Exchange (or another mail system) and use a different antivirus than the clients have.
1
 
LVL 92

Expert Comment

by:nobus
ID: 41881714
0
 
LVL 15

Expert Comment

by:John Tsioumpris
ID: 41881753
Can you give more info about your RD setup... how exactly are you getting infected?
Is a VPN an option?
0
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 41881991
You can try ID Ransomware to identify this ransomware specifically @ https://id-ransomware.malwarehunterteam.com/
There may be a slim chance there is a decryptor for it:
"Kaspersky malware researchers have released a Shade decryptor which can decode files encoded by the Shade ransomware variants. Since this includes the .xtbl file extension, we have created instructions on how to decrypt your .xtbl files."
But there are too many variants of the .XTBL ransomware viruses.
http://sensorstechforum.com/decrypt-files-encrypted-shade-xtbl-ransomware/

The ransomware can be carried by an exploit kit and easily bypass the ring-fence checker; even a password-protected or obfuscated / encoded packet can easily evade traffic inspection. Further, SSL traffic cannot be inspected unless it is decrypted, and I doubt ATP does that. You cannot inspect what you cannot "see". Ransomware can spread via RDP, and most of the time it gets in due to weak passwords that can be easily brute forced. You need to harden the RDP aspect: consider 2FA, especially for admins, and manage the permissions of the login accounts, especially admin membership @ https://technet.microsoft.com/en-us/library/cc753032(v=ws.11).aspx

You need to employ controls at the endpoints and harden the server and systems to fend off ransomware. You can check out an EE article on the FAQ for ransomware @ https://www.experts-exchange.com/articles/28059/TL-DR-Ransomware.html. There are solutions and mitigation actions suggested.
1
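The RDP hardening and account-management points in the accepted answer (weak passwords brute forced over an internet-facing RDP server, admin membership, the VPN suggested earlier in the thread) as an added PowerShell audit-and-fix script. This is an added example, not code from the original thread, from Symantec or from Microsoft. It assumes Windows Server 2016 or later (Get-LocalGroupMember and the NetSecurity module), a default inbound firewall action of Block, and a placeholder VPN subnet of 10.8.0.0/24; change that value to your own range before running it, and run it from a console session rather than over RDP so a firewall mistake cannot lock you out.

```powershell
# Added example (not from the original thread): audit and harden an internet-facing
# Remote Desktop server against password brute force. Run as administrator on the
# RD host from a console session. Assumes Windows Server 2016 or later; on older
# hosts replace Get-LocalGroupMember with `net localgroup <group>`.
$VpnSubnet = '10.8.0.0/24'   # assumption: only this range may reach TCP/3389

$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# 1. Is RDP enabled, and is Network Level Authentication required?
#    NLA authenticates the client before a session is created, which removes the
#    pre-auth attack surface and makes password guessing slower and noisier.
$rdpEnabled = (Get-ItemProperty $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0
$nla = (Get-ItemProperty "$ts\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication
"RDP enabled: $rdpEnabled   NLA required: $($nla -eq 1)"
if ($rdpEnabled -and $nla -ne 1) {
    Set-ItemProperty "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1
    'Enabled NLA (applies to new connections).'
}

# 2. Who may log on over RDP? Members of Administrators hold the
#    "Allow log on through Remote Desktop Services" right by default, so review both groups
#    and remove any account that does not need interactive access to this server.
foreach ($g in 'Remote Desktop Users', 'Administrators') {
    $members = (Get-LocalGroupMember -Group $g | Select-Object -ExpandProperty Name) -join ', '
    "$g : $members"
}

# 3. Account lockout: with threshold "Never" a brute force can run indefinitely.
#    `net accounts` reports the effective policy (the domain policy on a member server).
$lockout = (net accounts) -match 'Lockout threshold'
"$lockout"
if ($lockout -match 'Never') {
    # 10 wrong guesses lock the account for 30 minutes, counted over a 30-minute window
    net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30 | Out-Null
    'Set lockout threshold to 10.'
}

# 4. Evidence of brute force: failed logons (event 4625) in the last 24 hours, grouped
#    by source IP. Logon type 10 is RemoteInteractive (RDP); NLA-protected RDP also
#    records failures as type 3 (network), so both are counted.
$since  = (Get-Date).AddHours(-24)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
            -ErrorAction SilentlyContinue
$bySource = $failed | ForEach-Object {
    $data = ([xml]$_.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Ip        = ($data | Where-Object Name -eq 'IpAddress').'#text'
        LogonType = ($data | Where-Object Name -eq 'LogonType').'#text'
        User      = ($data | Where-Object Name -eq 'TargetUserName').'#text'
    }
} | Where-Object { $_.LogonType -in '3', '10' } | Group-Object Ip | Sort-Object Count -Descending
'Failed logons by source IP (top 10):'
$bySource | Select-Object Count, Name -First 10 | Format-Table -AutoSize

# 5. Take 3389 off the internet: scope the built-in "Remote Desktop" firewall rules to the
#    VPN range. With the profile's default inbound action set to Block, every other source
#    is dropped before it can try a password. Verify the default action first.
Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction | Format-Table -AutoSize
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Set-NetFirewallRule -RemoteAddress $VpnSubnet
"Remote Desktop firewall rules now accept connections only from $VpnSubnet."
```

Step 5 relies on Windows Firewall's default inbound policy rather than on a separate block rule, because an explicit block rule for port 3389 would take precedence over the VPN allow rule and cut off the VPN as well. The failed-logon summary in step 4 is the quick check for whether the "weak password, easily brute forced" explanation in the accepted answer applies to this server: a few source IPs with hundreds of failures each is the usual signature.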
