Ransomware attacks (Solved)

Posted on 2016-11-09
Last Modified: 2016-11-11
These past few months we seem to be having a lot of cyber attacks with variants of the @india.com ransomware, which renames files with an .xtbl extension. The issue initiates from our Remote Desktop server, which is visible on the internet, but we have Symantec AV on the server as well, which is connected to an appliance recommended by Symantec, called ATP, that is geared for monitoring ransomware activity. However, we still seem to get hit. This week, 3 days in a row.

I've spoken to Symantec but they are of no help. I am ready to throw out the ATP appliance and pull the plug on Symantec, but what can I use as a substitute? I hope someone can give me some direction.
Question by: narriola2
Expert Comment by: No More
It's interesting that you are talking about Symantec, because whenever I saw ransomware on a computer, Symantec was present as well.

I was testing Avast against ransomware files like docm, js, wsf; when executed, it catches and blocks them instantly, and this was just the free version for personal use.
Expert Comment by: *** Hopeleonie ***
No antivirus can protect 100% from ransomware. So you have to do the following:

1) Create a good backup strategy and do recovery tests regularly.
2) Educate your users.
3) Keep your environment up to date.
4) Use a good gateway to block unwanted websites (we are using Barracuda for all our customers).
5) Work with application whitelisting (for example, Windows AppLocker).
6) Block unwanted extensions under Exchange (or another mail system) and use a different antivirus from the one the clients have.
Expert Comment by: nobus
Expert Comment by: John Tsioumpris
Can you give more info about your RD setup? How exactly are you getting infected?
Is VPN an option?
Accepted Solution by: btan (earned 500 total points)
You can try ID Ransomware to identify this ransomware specifically @ https://id-ransomware.malwarehunterteam.com/
There may be a slim chance there is a decryptor for it:
"Kaspersky malware researchers have released a Shade decryptor which can decode files encoded by the Shade ransomware variants. Since this includes the .xtbl file extension, we have created instructions on how to decrypt your .xtbl files."
But there are too many variants of the .XTBL ransomware viruses.
http://sensorstechforum.com/decrypt-files-encrypted-shade-xtbl-ransomware/

The ransomware can be carried by an exploit kit and easily bypass the ring-fence checker; even password-protected or obfuscated/encoded packets can easily evade traffic inspection. Further, SSL traffic cannot be inspected unless it is decrypted, and I doubt ATP does that. You cannot inspect what you cannot "see". Ransomware can spread via RDP, and most of the time they get in due to weak passwords that can be easily brute-forced. You need to harden the RDP aspect: consider 2FA, especially for admins, and manage the permissions of the login accounts, especially admin group membership @ https://technet.microsoft.com/en-us/library/cc753032(v=ws.11).aspx

You need to employ controls at the endpoints and harden the server and systems to fend off ransomware. You can check out an EE article on the FAQ for ransomware @ https://www.experts-exchange.com/articles/28059/TL-DR-Ransomware.html. There are solutions and mitigation actions suggested.
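The accepted answer's point that ransomware operators get onto an internet-facing RDP server by brute-forcing weak passwords is something you can confirm from the server's own Security log before deciding what to replace. The following is an added example for this thread (not code from the original page, from btan, or from any product named above): it runs simple brute-force detection over failed logon events (Event ID 4625) and flags a later successful logon (4624) from the same source, which is the signal that the host is already owned. It assumes the log was exported to CSV with the columns `time,event_id,logon_type,account,source_ip` (for instance from a SIEM or a small script around `Get-WinEvent`); the sample rows are constructed and use documentation IP ranges. Adapt `parse_events()` to whatever export format you actually have.

```python
"""Flag RDP brute-force activity in exported Windows Security log events.

Added example for this thread, not code from the original page or from any
product mentioned in it. Assumption: the Security log was exported to CSV with
the columns time,event_id,logon_type,account,source_ip (e.g. via a SIEM or a
small script around Get-WinEvent); adapt parse_events() to your export.
"""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export (documentation IP ranges, not real hosts): one
# source hammers 'administrator' and 'admin' over RDP, one user mistypes a
# password once, and the attacker finally succeeds (event 4624).
SAMPLE_CSV = """time,event_id,logon_type,account,source_ip
2016-11-09T02:13:01,4625,10,administrator,203.0.113.45
2016-11-09T02:13:04,4625,10,administrator,203.0.113.45
2016-11-09T02:13:07,4625,10,admin,203.0.113.45
2016-11-09T02:13:10,4625,10,administrator,203.0.113.45
2016-11-09T02:13:12,4625,10,admin,203.0.113.45
2016-11-09T02:13:15,4625,10,administrator,203.0.113.45
2016-11-09T02:14:30,4625,10,jsmith,198.51.100.7
2016-11-09T02:15:02,4624,10,jsmith,198.51.100.7
2016-11-09T02:20:41,4624,10,administrator,203.0.113.45
"""

# Logon type 10 = RemoteInteractive (classic RDP). With Network Level
# Authentication enabled, failed RDP logons are recorded as type 3 (Network)
# instead, so both are treated as RDP here.
RDP_LOGON_TYPES = {"10", "3"}


def parse_events(text):
    """Parse the CSV export into dicts, converting 'time' to datetime."""
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%dT%H:%M:%S")
        yield row


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: alert} for every IP that produced `threshold`
    failed RDP logons (4625) inside `window`.

    Each alert records when the burst started, the total failures seen from
    that IP, the accounts it tried (several accounts = password spraying),
    and the time of any later successful logon (4624) from the same IP,
    which is the strongest indicator that the host is already compromised.
    """
    recent = defaultdict(deque)   # ip -> failure timestamps inside window
    total = defaultdict(int)      # ip -> all failures seen
    accounts = defaultdict(set)   # ip -> account names attempted
    alerts = {}

    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ip = ev["source_ip"]
        if ev["event_id"] == "4625":
            q = recent[ip]
            q.append(ev["time"])
            total[ip] += 1
            accounts[ip].add(ev["account"])
            # Drop failures that have aged out of the sliding window.
            while ev["time"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"first_seen": q[0], "success_after_failures": None}
        elif ev["event_id"] == "4624" and ip in alerts:
            alerts[ip]["success_after_failures"] = ev["time"]

    for ip, alert in alerts.items():
        alert["failures"] = total[ip]
        alert["accounts"] = sorted(accounts[ip])
    return alerts


def run_sample():
    """Run the detector over the constructed export."""
    return detect_rdp_bruteforce(parse_events(SAMPLE_CSV))


if __name__ == "__main__":
    for ip, alert in run_sample().items():
        print(ip, alert)
```

Two caveats when you point this at a real export. First, on some Windows versions the 4625 event written for an NLA-protected RDP failure carries no usable Source Network Address, so you may have to take the client IP from the TerminalServices-RemoteConnectionManager operational log or from the firewall instead of keying on 4625 alone. Second, detection only tells you how fast the attackers are working; the fix is what btan describes: take RDP off the internet (VPN or gateway with 2FA), enforce an account lockout policy, and cut the Remote Desktop Users and local Administrators membership down to the accounts that actually need it.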