Unfortunately I recently had to deal with a ransomware attack at a client. It was the W32 CoinMiner Trojan. The virus infected a new Windows Server 2016-based Parallels RAS server I was preparing for rollout, and it used that server as a launch point to attack and encrypt files in every non-hidden share across the network. A couple of servers were heavily infected beyond repair. Luckily I employ Veeam Backup & Replication for the client and was able to restore the infected servers to a clean state from the previous night. Bi-hourly Veeam replication jobs of the main data file servers allowed me to recover data to within a 2-hour recovery window. The network is a VMware ESXi 5.5-based environment that uses two physical hosts: a primary host which contains the main operating servers, and a second host which operates as the replication target. Veeam 9.x is used to regularly replicate the main data servers from the primary host to the replication host.
My question is how best to protect against this type of attack going forward. I had in place at the client an access control policy implemented via McAfee VirusScan Enterprise 8.8's Access Protection. I used McAfee's Access Protection options to create a number of custom access control rules by which only legitimate applications, e.g. winword.exe, adobe.exe, iexplore.exe, excel.exe, are allowed to write to the most common types of data files on the network. This is in place on all PCs and application servers. The CoinMiner virus apparently blew right past this. I will be bringing the infected RAS server's VM files back to my location and bringing it up in a quarantined environment shortly to try to figure out how it penetrated the network, and will look to send a copy of the VM to McAfee support to analyze.
I have been reading recommendations to eliminate the use of drive letters mapped to non-hidden shares, e.g. F: mapped to \\server\fdrive, and replace them with shortcuts on the desktop that point to hidden shares, e.g. \\server\fdrive$. Viruses target network shares, and, per what I've been reading, making these shares hidden will shield them from the attacking virus.
I will also be adding SonicWall's Advanced Security Suite capabilities on all client firewalls, which includes a) gateway anti-virus scanning, b) sandboxing to analyze and detect zero-day threats, and c) intrusion prevention services.
I am also looking into implementing a Software Restriction Policy / application whitelist policy using the Group Policy Editor, which, from what I can see, will allow only certain applications to run and should then block unknown / foreign programs from running.
And needless to say - continue to back up, back up, and back up.
So those are my current plans to upgrade defenses. Any suggestions, pointers and feedback on this are appreciated.
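The application whitelist the poster is considering can be built and staged with the AppLocker cmdlets rather than clicked together in the Group Policy Editor. The example below is added here as an illustration and is not the poster's own code or configuration. It assumes an elevated PowerShell session on a clean reference machine running Windows Server 2016 or a Windows Enterprise client (editions where AppLocker is supported), and the output path, reference directories and test file names are assumptions chosen for the demonstration. It builds publisher and hash rules from the reference machine, deploys them locally in audit-only mode, tests two files that land in a user-writable directory, and reads back the audit events that show what would have been blocked.

```powershell
# Added example, not from the original post: build an AppLocker allowlist from a
# clean reference machine, apply it in AuditOnly mode, test files against it, and
# read the audit events. Requires an elevated session and the AppLocker module.
Import-Module AppLocker

$policyPath = 'C:\Temp\AppLocker-audit.xml'   # assumed output path
New-Item -ItemType Directory -Force -Path (Split-Path $policyPath) | Out-Null

# 1. Inventory executables and scripts in locations a standard user cannot write to.
#    Rules derived from these directories do not allowlist user-writable paths such
#    as %TEMP%, %APPDATA% or Downloads, where droppers typically land.
#    (Scanning all of %SystemRoot% recursively works too but takes much longer.)
$refDirs = @("$env:SystemRoot\System32", $env:ProgramFiles, ${env:ProgramFiles(x86)})
$fileInfo = foreach ($d in $refDirs) {
    if ($d -and (Test-Path $d)) {
        Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe, Script
    }
}

# 2. Prefer publisher (Authenticode) rules and fall back to hash rules for unsigned
#    files. -Optimize merges rules that share a publisher/product into one rule.
#    Hash rules must be regenerated whenever an unsigned binary is updated.
[xml]$xml = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User Everyone -RuleNamePrefix 'Ref' `
    -Optimize -IgnoreMissingFileInformation -Xml

# 3. Force every rule collection to AuditOnly. Nothing is blocked yet; the event
#    log shows what *would* have been denied. Change to 'Enabled' only after the
#    audit period is clean, and add the built-in default rules (or equivalent
#    rules for the Administrators group) before enforcing, or admins lock
#    themselves out of tools that were not on the reference machine.
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) {
    $rc.SetAttribute('EnforcementMode', 'AuditOnly')
}
$xml.Save($policyPath)

# 4. The Application Identity service must run for AppLocker to evaluate anything.
#    (sc.exe is used because Set-Service cannot change this service on newer builds.)
sc.exe config appidsvc start= auto | Out-Null
Start-Service AppIDSvc
# Apply to the local machine. For a domain, use -Ldap 'LDAP://<GPO distinguished name>'
# instead, which writes the policy into the GPO the Group Policy Editor would edit.
Set-AppLockerPolicy -XmlPolicy $policyPath

# 5. Test two constructed files in a user-writable location without running them.
#    - A signed Windows binary copied to %TEMP% is still Allowed, because publisher
#      rules follow the signature, not the location. That is the known limitation
#      of publisher rules: signed-but-abusable binaries run from anywhere.
#    - An unsigned script with no matching rule is DeniedByDefaultRule.
$signedCopy = Join-Path $env:TEMP 'renamed-notepad.exe'
Copy-Item "$env:SystemRoot\System32\notepad.exe" $signedCopy -Force
$unknownScript = Join-Path $env:TEMP 'unknown-tool.ps1'
Set-Content -Path $unknownScript -Value 'Write-Host "constructed test script"'

Test-AppLockerPolicy -XmlPolicy $policyPath -Path $signedCopy, $unknownScript -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize

# 6. After the policy has been in audit mode for a while, these events list every
#    program (8003) and script/installer (8006) that would have been blocked had
#    enforcement been on. Review them before switching EnforcementMode to Enabled.
$auditLogs = @{
    'Microsoft-Windows-AppLocker/EXE and DLL'    = 8003
    'Microsoft-Windows-AppLocker/MSI and Script' = 8006
}
foreach ($log in $auditLogs.Keys) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $auditLogs[$log] } `
        -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'Log'; e = { $log } }, Message
}
```

Two points worth keeping in mind when adapting this: a publisher rule for the Windows product allows every Microsoft-signed binary regardless of where it runs from, so pair the allowlist with the blocklisting of scripting hosts and other signed tools that are not needed on data-entry PCs; and an allowlist only covers the Exe, Script and Windows Installer collections that carry rules, so an empty DLL collection means DLLs are not evaluated at all (enabling DLL rules is possible but needs a separate, longer audit).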