Formulating a policy on how to best protect against ransomware attacks

jkirman used Ask the Experts™

Unfortunately I recently had to deal with a ransomware attack at a client.  It was the W32 CoinMiner Trojan.  The virus infected a new Windows 2016-based Parallels RAS server I was preparing for rollout, and it used that server as a launch point to attack and encrypt files in every non-hidden share across the network.  A couple of servers were heavily infected beyond repair.  Luckily I employ Veeam Backup & Replication for the client and was able to restore the infected servers to a clean state from the previous night.  Bi-hourly replication jobs using Veeam of the main data file servers allowed me to recover data to within a 2 hour recovery period.  The network is a VMware ESXi 5.5-based environment that uses 2 physical hosts, a primary host which contains the main operating servers, and a 2nd host which operates as the replication target.  Veeam 9.x is used to regularly replicate the main data servers from the primary host to the replication host.

My question is how to best protect against this type of attack going forward.  I had in place at the client an access control policy implemented via McAfee anti-virus 8.8 VirusScan Enterprise's Access Protection.  I used McAfee's Access Protection options to create a number of custom access control rules, by which only legitimate applications, e.g. winword.exe, adobe.exe, iexplore.exe, excel.exe, are allowed to write to the most common types of data files on the network.  This is in place on all PCs and application servers.  The CoinMiner virus apparently blew right past this.  I will be bringing the infected RAS server's VM files back to my location and bringing it up in a quarantined environment shortly to try and figure out how it penetrated the network, and will look to send a copy of the VM to McAfee support to analyze.

I have been reading recommendations to eliminate use of drive letters mapped to non-hidden shares, e.g. F: mapped to \\server\fdrive, and replace with shortcuts on the desktop that are pointing to hidden shares, e.g. \\server\fdrive$.  Viruses target network shares, and, per what I've been reading, making these shares hidden will shield them from the attacking virus.

I will also be adding Sonicwall's Advanced Security Suite capabilities on all client firewalls, which includes a) Gateway anti-virus scanning, b) Sandboxing to analyze and detect zero-day threats, and c) Intrusion Prevention services.

I am also looking into implementing a Software Restriction Policy / Application Whitelist policy using the Group Policy Editor, which, from what I can see, will allow only certain applications to run, and should then block unknown / foreign programs from running.

And needless to say - continue to back up, back up, and back up.

So that's my current plans to upgrade defenses.  Any suggestions, pointers and feedback on this are appreciated.
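The application whitelisting step above (and the later follow-up on SRP only offering path rules) is the kind of thing that is easier to judge with a concrete policy in hand. The script below is an added example, not something posted in this thread or shipped by any vendor named here. It uses AppLocker, the successor to SRP, which adds publisher and hash rules to SRP's path rules, builds a policy from a clean reference workstation, and deploys it in audit mode so nothing is blocked until the AppLocker event log has been reviewed. Assumptions, all placeholders: the reference machine is a clean build, the policy is applied locally (use -Ldap against a GPO for the domain), the policy path, and the sample file path used for the dry run.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): AppLocker baseline in audit mode.
# Assumptions: clean reference build; local policy; placeholder paths.

Import-Module AppLocker

$ReferenceDirs = @('C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows')
$PolicyPath    = 'C:\AppLockerPolicy\baseline.xml'      # placeholder
New-Item -ItemType Directory -Path (Split-Path $PolicyPath) -Force | Out-Null

# 1. Inventory every executable, script and installer on the reference machine.
#    Signed files yield publisher information; unsigned files yield only a hash.
$fileInfo = foreach ($dir in $ReferenceDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
}

# 2. Turn the inventory into allow rules for Everyone. Publisher rules are
#    preferred because they survive patching; files without a signature fall
#    back to hash rules. -Optimize collapses duplicate publisher rules.
$policy = $fileInfo | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize

# 3. Audit mode on every rule collection. Executions that would have been
#    blocked are logged as event ID 8003 in Microsoft-Windows-AppLocker/EXE and DLL;
#    leave it like this through a full cycle of normal and maintenance activity.
foreach ($collection in $policy.RuleCollections) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.ToXml() | Out-File -FilePath $PolicyPath -Encoding utf8

# 4. Apply. -Merge keeps existing rules. The Application Identity service must
#    be running (set it to automatic start through GPO) or nothing is evaluated.
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge
Start-Service -Name AppIDSvc

# 5. Dry run against a binary in a user-writable location. A path rule that
#    allowed C:\Users would pass it; publisher/hash rules report it as denied
#    because neither its signer nor its hash is in the policy.
$Sample = 'C:\Users\Public\unknown-tool.exe'   # placeholder: any unsigned file
if (Test-Path $Sample) {
    Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $Sample -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule
}

# 6. After the audit window, review what would have been blocked before
#    changing EnforcementMode to 'Enabled' and re-applying the policy.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object Id -eq 8003 |
    Select-Object TimeCreated, Message -First 20
```

Run step 6 repeatedly during the audit window; every 8003 event is either a missing rule for a legitimate tool or something that should not be running, and both need a decision before enforcement is turned on.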


Dr. Klahn, Principal Software Engineer

Prohibit the use of USB / flash drives except those issued and maintained by the IT department.  This includes IT department staff.  (8 GB drives are about $2.50 in quantity 1000.  Hand them out on request.  IT department staff time costs $100/hour or more.  Prevent just one hour of IT time dealing with a problem and that pays for 40 drives.)  Prohibit taking authorized drives off the premises or inserting them into anything other than a company owned computer.  Log drive checkouts and require at least weekly return and "sterilization" of drives using an isolated, no-network-access system.  Only IT staff may load or carry software on drives.  Load software onto drives using only an isolated, no-network-access system.
The key is to perform frequent data backups. I recommend using good infrastructure and education to deal with it:
  • Make sure no users log on to any PC with an account that has Admin rights.
  • Educate users on how to handle emails.
  • Educate users on how to surf safely.
  • Use application whitelisting.
  • Apply regular backup.
  • Keep backups offline.
  • Test the backup.
  • Try Dropbox; it can automatically back up files (rollback mechanism to recover them to a historical version)
  • Deactivate unnecessary components/services.
  • Disable unused user accounts.
  • Patch the systems.
  • Restrict host access to USB, etc.
  • Apply Endpoint security.
  • DNS Filtering.
noci, Software Engineer
Distinguished Expert 2018

I agree with most of madunix's points, but I beg to differ on the Dropbox item.
There are more ways to provide versioned filesystems, where data is not deleted or overwritten; instead, old versions are still kept around.
Off-site copies under your own control are preferred.

Distinguished Expert 2018
You should see if you can analyze what went wrong.

You had app whitelisting in place and, for sure, the malware did not defeat that, although so far you believe that it did.

Often, some parts of the security puzzle are simply forgotten. Hard to say what went wrong, but I would first invest time in analysis of this incident.

Some questions:
Do you use accounts like Domain Admins on endpoints? Or global support accounts? Both should be avoided.

Do clients have open ports, open to anyone? They don't need that, and it should be looked into, if applicable.

Local admins should be avoided, shares with loosely applied permissions as well.

Let me know what your analysis turns up, if possible.
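The questions above, together with madunix's points about admin logons and unused accounts, can be answered from a domain-joined admin workstation in a few minutes. The script below is an added example, not code from anyone in this thread: it lists the resolved membership of Domain Admins, finds unexpected members of the local Administrators group on each workstation, and reports enabled accounts with no logon in 90 days, with the disable step left as a -WhatIf. Assumptions, all placeholders: the RSAT ActiveDirectory module is installed, PowerShell 5.1 or later is on the workstations (for Get-LocalGroupMember), WinRM is reachable, and the computer names, allowed-admins group and 90-day threshold are stand-ins for your own.

```powershell
# Added example (not from the thread): admin-rights and stale-account audit.
# Assumptions: RSAT ActiveDirectory module, PowerShell 5.1+ on targets, WinRM;
# computer names, allowed-admins list and threshold are placeholders.

Import-Module ActiveDirectory

$StaleDays          = 90
$Workstations       = @('WS01', 'WS02')                 # placeholder
$AllowedLocalAdmins = @('CORP\Workstation Admins')      # placeholder

# 1. Domain Admins with nested groups resolved. None of these should ever log
#    on interactively to an endpoint: Windows caches the credential there, and a
#    compromised endpoint then hands over the domain.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties LastLogonDate, PasswordLastSet |
    Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet
"Domain Admins ({0}):" -f @($domainAdmins).Count
$domainAdmins | Format-Table -AutoSize

# 2. Local Administrators on each workstation. The built-in Administrator and
#    the IT admin group are expected; any other account there is a finding.
$localAdminFindings = foreach ($pc in $Workstations) {
    try {
        Invoke-Command -ComputerName $pc -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' |
                Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } },
                              Name, ObjectClass, PrincipalSource
        } | Where-Object {
            $_.Name -notmatch '\\Administrator$' -and $_.Name -notin $AllowedLocalAdmins
        }
    }
    catch {
        Write-Warning "Could not audit ${pc}: $($_.Exception.Message)"
    }
}
"Unexpected local administrators:"
$localAdminFindings | Format-Table Computer, Name, ObjectClass, PrincipalSource -AutoSize

# 3. Enabled user accounts with no logon in $StaleDays days. Disabling rather
#    than deleting removes a reusable credential while keeping the SID intact.
#    -WhatIf only shows the action; remove it to apply.
$stale = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($StaleDays)) -UsersOnly |
    Where-Object Enabled
"Stale enabled accounts ({0}):" -f @($stale).Count
$stale | Select-Object SamAccountName, LastLogonDate | Format-Table -AutoSize
$stale | Disable-ADAccount -WhatIf
```

Section 2 is the remote version of walking round to every PC: a domain user account that turns up in a workstation's Administrators group is exactly the case where malware landing on that PC runs with the rights to disable the AV and reach every share the user can.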
btan, Exec Consultant
Distinguished Expert 2018
Good if you can identify the root cause and patient zero. There is a need for an after-action review, primarily to re-examine the weaknesses and address the gaps before moving on.

For a longer-term plan, I suggest you review the current posture and develop (or revisit) your security action plan as a systematic means to scale up the posture rather than focusing solely on the capability aspect. That can come eventually.  You can focus on the

a) People
- Continue the awareness programme (briefing, workshop and messages) to increase the threat alertness
- Start a regular phishing campaign to test user vigilance. Phishing email and USB are main threat carrier
- Even include randomly dropping "manipulated" USB drives on the office premises to test users
- KnowBe4 has good resources and tools on these and more.

b) Process
- A consistent risk management procedure is needed; make sure the residual risks identified are addressed
- Assessments and risks are mapped and reported regularly to senior management for governance oversight
- Prioritise the risks based on severity level and ensure a residual-risk acceptance workflow is in place with the right approving authority identified.
- IT and Ops should cooperate to make sure detection and response for incident handling are known and sound. Timely reporting, isolation and recovery are critical, and forensic aids and rules of engagement are necessary so that the investigation can be done smoothly without alerting the hacker and losing the chain of custody, e.g. by tainting the traces on the infected machine, which hinders recovery
- Establish the baseline security measures (IPDRR) and define quick wins for stakeholders.

c) Technology
- Try out RanSimulator to validate the robustness of the AV or Endpoint solution that you have
- A solution that is more fit for need is required, as not all endpoint protection is ready with ransomware preventive measures. You may need to look at alternatives like Endpoint Detection and Response, which can be more vigilant about threats and anomalous activities (McAfee Advanced Threat Protection)


To all:

Thanks so very much to everyone for the depth and breadth of your responses and suggestions.  Apologies for not responding earlier, as it's been a very hectic and stressful week since the attack.  I have already begun to implement some of the advisories and suggestions you've provided, including:

- making the rounds of all PCs and ensuring that users do not log in with local administrator privileges

- looking into application whitelisting - I initially thought I could use Microsoft's SRP / Software Restriction Policy, but SRP only lets you define which folders applications can run from, which gives a virus full cover to launch as long as it is running from an allowed path.  A true whitelisting system is available from ThreatLocker, which I'm currently testing out.  A steep learning curve for that system, but it is designed to first audit and catalog via known manufacturers' hash values every single file related to a given application, and then when in enforcement mode, permit only the app and its related / support files to run.  Granular controls are available to permit or deny apps by groups of workstations or users.

- I don't know how effective long term this step is, but based on some suggestions I've read, I'm in the process of removing mapped drives to main file shares on servers, changing all shares to hidden shares (adding a $ to the name) and replacing mapped drives with desktop shortcuts.  The idea is to reduce the visible attack surface for an attacking virus, as they usually go for any and all visible shares.  FWIW, the virus did not attack any of the hidden shares on the main file server.  I don't know at what point viruses will be able to poll hidden shares from the servers they are looking up, but I figure I can at least not hand the shares to them on a silver platter.

Regarding analyzing the path by which the attack took place, I copied the VMware VMDK and related files of the infected server to a USB drive and copied the files to one of my VMware hosts.  I added the server to my vCenter inventory, and of course disabled the network connection before I brought the server up.  I later was able to send 2 of the key attack files as password-protected ZIPs to McAfee Labs.   McAfee identified a known Trojan and an unknown strain of virus from the 2 samples.  The unknown virus file had the ending .HTA.  They have submitted this to their labs for identification and to generate an Extra DAT to address it.  They also indicated to me that a critical patch, namely MS17-010, needed to be applied to the Windows 2016 server (and other systems incl. Win 2008 server, Win 7, Vista and 8.1) to address a vulnerability that could be exploited to allow a system to be remote controlled.  As best as I can tell, the sequence of attack went as follows:

- the 2016 server was attacked by the virus exploiting the vulnerability mentioned above
- the virus installed itself throughout the server and corrupted the local administrator profile
- it then looked for shares across the network and attacked and encrypted those shares
- it also was able to insinuate itself into a couple of application servers that had McAfee AV installed, but since apparently it was a new strain, it was not detected.  They may have also been used as launching points for the encryption attacks on the shares, but I can not determine that at this point.

Luckily using Veeam I was able to restore the application servers to a good state from the previous night.  That software, and any type of server replication software, was truly the most invaluable component in the backup infrastructure.

So full security patching is key, as mentioned by madunix.

Btan, thanks for a truly executive level risk management advisory, including some "testing the water" steps to test users response.  Good reminder to constantly communicate existing risks to management to make sure they do not become complacent or assume that what's in place never needs to be improved or upgraded.  BTW I already downloaded RanSim and will test this out.

I'll also be upgrading McAfee VSE 8.8 to their Endpoint Security 10.6, since VSE is at EOL, and will look to be adding Sonicwall's Gateway AV, Anti-spyware and Content filtering, along with their CATP (Sandboxing) to all client networks.  ThreatLocker will be following at some point with the goal of fully locking down the workstations.  I sense that it would need to be run in audit mode on a server for probably 1 to 2 weeks to ensure it gathers up data on every possible server app and support file being used for both regular operations and weekend / evening maintenance tasks.

Basically a full court press going forwards.

Madunix and McKnife, you commented / inquired regarding endpoint security and endpoints.  I assume you're referring to remote users connecting in via VPN?  Appreciate if you could clarify your thoughts on this section of network security.

Many thanks again for everyone's advice, and I will post the findings of Mcafee's labs here once I get a response back from them.




Points awarded for your advice, truly appreciated.  Best of luck and safety in your own endeavors.
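The follow-up above covers three server-side changes: the MS17-010 patch, hidden shares replacing mapped drives, and reducing what an infected host can reach. The script below is an added example, not code from this thread or from any vendor mentioned in it, that puts those steps together on the file server and finishes with a check of what the trailing $ on a share name actually hides. Assumptions, all placeholders: it runs elevated on the Windows Server 2016 file server; the share path, group name and drive letter are stand-ins; the KB list is the MS17-010 package set for the OS versions named in the thread and should be confirmed against the bulletin for the exact builds in use; and the shortcut step belongs in a user logon script rather than this elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): file-server follow-up to the incident.
# Assumptions: elevated on Server 2016; share path, group, drive letter and the
# KB list are placeholders to be confirmed against your environment/bulletin.

# --- 1. MS17-010 and SMBv1 ---------------------------------------------------
# Get-HotFix only sees individually installed packages. On Server 2016 the fix
# shipped in the March 2017 cumulative update and every later cumulative update
# supersedes it, so "KB not found" means "confirm the update level", not
# "vulnerable".
$Ms17010Kbs = 'KB4012598', 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
              'KB4012214', 'KB4012217', 'KB4012606', 'KB4013198', 'KB4013429'
$installedKbs = (Get-HotFix).HotFixID
$found = $Ms17010Kbs | Where-Object { $_ -in $installedKbs }
if ($found) { "MS17-010 package installed: $($found -join ', ')" }
else        { Write-Warning 'No MS17-010 package reported by Get-HotFix; verify cumulative update level' }

# The exploit for MS17-010 speaks SMBv1. Removing the protocol closes that
# path regardless of patch state; SMBv2/3 clients are unaffected.
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
if ((Get-WindowsFeature -Name FS-SMB1).Installed) {
    Uninstall-WindowsFeature -Name FS-SMB1 -Restart:$false   # reboot in the next window
}

# --- 2. Hidden share with a narrow ACL ---------------------------------------
# The trailing $ only suppresses browse listing. What limits the files a
# compromised account can encrypt is the share ACL plus NTFS permissions, so
# grant Change to the group that needs it and take Everyone off entirely.
$SharePath  = 'D:\Data'            # placeholder
$ShareName  = 'fdrive$'
$ShareGroup = 'CORP\File Users'    # placeholder
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $SharePath -ChangeAccess $ShareGroup `
                 -FolderEnumerationMode AccessBased | Out-Null
}
if (Get-SmbShareAccess -Name $ShareName | Where-Object AccountName -eq 'Everyone') {
    Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force | Out-Null
}

# --- 3. Client side: shortcut instead of a mapped drive (user logon script) ---
net use F: /delete 2>$null
$desktop  = [Environment]::GetFolderPath('Desktop')
$shortcut = (New-Object -ComObject WScript.Shell).CreateShortcut("$desktop\F Drive.lnk")
$shortcut.TargetPath = "\\$env:COMPUTERNAME\$ShareName"
$shortcut.Save()

# --- 4. Check: what does the $ actually hide? --------------------------------
# 'net view' returns the browse list and omits $ shares; 'net view /all' asks
# the server for every share, the same enumeration share-hunting malware can
# perform as any authenticated user. Expect False for the first, True for the
# second: the $ removes the share from casual browsing, and nothing else.
$pattern = [regex]::Escape($ShareName)
$browse  = net view "\\$env:COMPUTERNAME" 2>$null
$all     = net view "\\$env:COMPUTERNAME" /all 2>$null
"Listed by 'net view': {0}; listed by 'net view /all': {1}" -f [bool]($browse -match $pattern), [bool]($all -match $pattern)
```

Section 4 is the practical caveat to the hidden-share step: the share is gone from Explorer's Network view and the plain browse list, but one extra flag on the enumeration brings it back, so the ACL in section 2 and the absence of cached admin credentials on endpoints are the controls that actually decide what gets encrypted.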
btan, Exec Consultant
Distinguished Expert 2018

Thanks jkirman for sharing to benefit the wider community. In fact, when I read that it may be due to MS17-010, it brings back the past WannaCry ransomware, which spread and exploited the SMB protocol, hence the use of network shares has been discouraged as much as possible.

Thought I'd share the below in case you are interested. Another piece of regular hygiene as part of the process is to have a regular vulnerability management regime to verify patch compliance and readiness...