Workplace hit by cryptolocker virus

Do you have a link to details of one that attacks hardware firmware? I've seen the end result of Crypto, Tesla and Locky enough times but nothing that advanced yet...

I don't have one single link/some of this is coming out the murky depths of IRC plus it is early days but there are variants people are turning up that have rolled in the synolocker stuff, etc. and other more recent attacks on router vulnerabilities and so on.
 
We have the standard AV software in place but that's only as good as the definitions it's looking for.

However we also use a program called Varonis which is more of a data security software. It can be used to change permissions, manage ownership etc. But where it comes into its own is auditing file usage. We monitor all of our data servers with it and it logs every file that is created, deleted, renamed etc. So what this then gives you is a way of seeing the files getting cryptolockered, and if you have the right add-ons for Varonis it can be set up to disable a user's AD account as soon as it notices too many files being modified, in turn stopping the cryptolocker virus spreading too far. You can then run reports from it to work out what files then need to be restored.

I'm amazed yours got so far though. How did it reach the backups? Surely it should only touch what the user has rights to network drive wise?!?
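The audit-driven approach the post above describes (log every create/delete/rename per user, flag a user who modifies too many files in a short window, then report which files that user touched so they can be restored) can be reproduced with a small sliding-window detector. The following is an added example written for this thread; it is not Varonis code or the poster's configuration, and the log line format `<ISO timestamp> <user> <operation> <path>` and the sample events are constructed for the example. The threshold (more than 30 modify-type operations by one user inside 60 seconds) is an assumption; tune it to the share's normal activity.

```python
"""Sliding-window detector for mass file modification in a file-server audit log.

Added example, not the product's or the poster's code. The audit line format
'<ISO timestamp> <user> <operation> <path>' and all events are constructed here.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tunables for this example: more than MAX_OPS modify-type operations
# by one user inside WINDOW is treated as a mass-modification event.
MAX_OPS = 30
WINDOW = timedelta(seconds=60)
MODIFY_OPS = {"create", "modify", "rename", "delete"}


def parse_line(line):
    """Parse one constructed audit line into (timestamp, user, operation, path)."""
    ts, user, op, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, op, path


def build_sample_log():
    """Constructed audit log: alice edits five files over an hour (normal),
    bob's session renames 60 files in 30 seconds (ransomware-like)."""
    lines = []
    t0 = datetime(2016, 3, 1, 9, 0, 0)
    for i in range(5):
        ts = t0 + timedelta(minutes=10 * i)
        lines.append(f"{ts.isoformat()} alice modify \\\\fs01\\finance\\budget{i}.xlsx")
    t1 = datetime(2016, 3, 1, 10, 0, 0)
    for i in range(60):
        ts = t1 + timedelta(milliseconds=500 * i)
        lines.append(f"{ts.isoformat()} bob rename \\\\fs01\\shared\\doc{i:03d}.docx")
    return lines


def detect_mass_modification(lines, max_ops=MAX_OPS, window=WINDOW):
    """Walk the log in time order and return, per flagged user:
    {'first_alert': timestamp of the event that tripped the threshold,
     'files': every path that user modified from the alert window onwards}.
    The 'files' set is the restore report; the user list is what an
    account-disable hook would act on."""
    recent = defaultdict(deque)   # user -> (timestamp, path) of recent modify-type ops
    flagged = {}
    for line in lines:
        ts, user, op, path = parse_line(line)
        if op not in MODIFY_OPS:
            continue
        if user in flagged:
            # Already alerted: keep collecting paths for the restore report.
            flagged[user]["files"].add(path)
            continue
        q = recent[user]
        q.append((ts, path))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        if len(q) > max_ops:
            flagged[user] = {"first_alert": ts, "files": {p for _, p in q}}
    return flagged


def users_to_disable(flagged):
    """Usernames whose sessions should be cut off, in a stable order."""
    return sorted(flagged)


if __name__ == "__main__":
    result = detect_mass_modification(build_sample_log())
    for user in users_to_disable(result):
        info = result[user]
        print(f"ALERT {user}: threshold crossed at {info['first_alert']}, "
              f"{len(info['files'])} files to review/restore")
```

Run against the constructed log it flags only `bob`, at the 31st rename (15 seconds into his burst), and the restore report ends up holding all 60 paths he touched. In a real deployment the disable action would be wired to the directory (the post mentions the AD account), and the detector should run on the live audit stream rather than a finished log so the account is cut off while files are still being encrypted.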
 
Out of interest, can anybody provide me with one of these viruses? I'm running a security talk at work in May and wanted to live demo some ransomware in a sandbox. Reply in trust is sensible. Cheers chaps.
 
All the people getting sent emails pretending to be from their own company need to school themselves on DMARC.

Yes, and generally a very flawed system.
I did this for about 4 years with over 20 tapes daily.
But what happens if I'm ill?
Tape is fast, that's all imho.

You pay Iron Mountain to do it for you.
 
These crypto viruses truly scare me. I'm anal about backups at home - I have a better backup regime at home than at work (I'm working on the work one, wearing down the ones that decide!).

We're a very laid back company, and it's going to bite us one day :(
 
Tape will have a place for a long time - its days as first line backup are pretty much gone, but as last line of defence, it's unbeatable. An offsite, not connected to anything tape is much much safer than any cloud backup, NAS or whatever.

The drives are expensive, but the media is peanuts.
 
Accounts departments are often sent emails with invoices attached as .pdf files.
How does one stop this?
If one scans the attachment or email will this be picked up upon before opening?

Asking as we legitimately want some sort of defence; half these cryptolockers are reported as zero day variations.

Rock solid anti-virus with an aggressive update policy, first of all. Kaspersky or TrendMicro usually have the highest success rates. I prefer Kaspersky (good enterprise solutions). Also, PCs must be rigorously kept up to date.

That will provide some cover, but is no guarantee of safety. Next and critical step is to control what your end users can do. Software like this piggy-backs on users' permissions. If Joe User in accounts can't overwrite your files, chances are the virus probably can't either. Your end users obviously need to write their files, send their emails etc. but all of this data should be (a) centralized and not on their local machines and (b) you should lock down everything else so that they can't affect backups and that backups are taken frequently. You can even set up file systems where every change is reversible.

Active Directory (assuming Windows) and Server 2012 both have extremely capable controls for permissions and user management. Learn them, use them, don't let one person in your company wreck everything.

Hope that helps.
 
Kaspersky or TrendMicro usually have the highest success rates. I prefer Kaspersky (good enterprise solutions). Also, PCs must be rigorously kept up to date.


I'm probably out of date but both of these sucked when I ran the network for a company a few years back, found ESET Endpoint was unbeatable.
 
I wonder why Windows doesn't build in encryption protection for this type of stuff. It can't be hard for Windows to sense it's being asked to encrypt from an EXE and confirm that the user intended that action, can it?
 
I wonder why Windows doesn't build in encryption protection for this type of stuff. It can't be hard for Windows to sense it's being asked to encrypt from an EXE and confirm that the user intended that action, can it?

Very hard - heuristics could be used to detect file access that might be of that nature, but even then there are just so many diverse ways programs work with files that it would be very difficult to exclude false positives.

Windows can't tell what a program is doing specifically to a file. A program doesn't say to Windows it is encrypting a file; it just opens a file for read/write access and modifies the data in some way.
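The point the post above makes can be seen concretely with the most common heuristic people reach for: a file write that produces bytes with near-maximal Shannon entropy "looks encrypted". The following added example (not from this thread, with constructed inputs) implements that heuristic and shows its built-in false positive: zlib-compressed data scores just as high as random bytes standing in for ciphertext, so a ZIP, PDF or image saved by a legitimate program would trip the same check. The 7.0 bits-per-byte threshold is an assumption chosen for the example.

```python
"""Entropy heuristic for 'is this write encrypting the file?' and why it misfires.

Added example, not from the thread. The documents, the compressed blob and the
random bytes used as a stand-in for an encrypted file are all constructed here.
"""
import math
import os
import random
import zlib
from collections import Counter

# Assumed threshold for this example: writes whose content has at least this
# many bits of entropy per byte are treated as "possibly encrypted".
SUSPICIOUS_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(data: bytes, threshold: float = SUSPICIOUS_ENTROPY) -> bool:
    """The naive heuristic: high entropy => flag the write."""
    return shannon_entropy(data) >= threshold


def build_samples():
    """Three constructed file contents a file-server heuristic might see written:
    an ordinary text document, the same document compressed (as a ZIP/PDF/JPEG
    writer would emit), and random bytes standing in for a ransomware-encrypted file."""
    rng = random.Random(1)   # fixed seed so the example is reproducible
    vocabulary = ["invoice", "total", "due", "account", "payment", "reference",
                  "quarter", "budget", "approved", "supplier", "net", "vat",
                  "purchase", "order", "delivery", "date", "amount", "balance",
                  "outstanding", "remittance", "received", "credit", "debit",
                  "statement", "customer", "contact", "terms", "days", "please",
                  "thanks", "regards", "attached", "copy", "original", "paid"]
    plaintext = " ".join(rng.choice(vocabulary) for _ in range(5000)).encode()
    compressed = zlib.compress(plaintext, 9)
    ciphertext_stand_in = os.urandom(len(plaintext))
    return {"plaintext": plaintext,
            "compressed": compressed,
            "encrypted": ciphertext_stand_in}


def classify_samples():
    """Apply the heuristic to each constructed sample; returns {name: flagged}."""
    return {name: looks_encrypted(data) for name, data in build_samples().items()}


if __name__ == "__main__":
    for name, data in build_samples().items():
        print(f"{name:10s} {len(data):6d} bytes  entropy={shannon_entropy(data):.3f}  "
              f"flagged={looks_encrypted(data)}")
```

The plaintext document scores around 4 bits per byte and is not flagged; the random stand-in for ciphertext scores close to 8 and is flagged, which is the behaviour people want; but the compressed copy of the very same document also scores well above 7 and is flagged too. That is the false-positive problem in one run: entropy alone cannot distinguish "encrypted" from "compressed", which is why practical detection layers it with other signals such as write rate, extension changes and honeypot files rather than trusting a single content test.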
 
Well, yes. It's just changing bits around in files that users have permission to access. There's nothing inherently strange about it other than the way it walks through every user accessible location.

The only defence against this sort of ransomware is well audited file share permissions, user permissions based on least privilege (e.g. don't do your daily job logged in as a domain admin), AppLocker policies to prevent executables running from locations where executables wouldn't usually be expected to be found, user training in detecting suspicious emails (also useful against spear phishing attacks), and robust regularly tested offline backups.
 
Well, yes. It's just changing bits around in files that users have permission to access. There's nothing inherently strange about it other than the way it walks through every user accessible location.

The only defence against this sort of ransomware is well audited file share permissions, user permissions based on least privilege (e.g. don't do your daily job logged in as a domain admin), AppLocker policies to prevent executables running from locations where executables wouldn't usually be expected to be found, user training in detecting suspicious emails (also useful against spear phishing attacks), and robust regularly tested offline backups.

The most effective thing is robust offline backups and policy to never attach them with write enabled - even better if they are on a read only medium.

Strong anti-virus is the next line of defence, but even then you can get hit by a 0day exploit.
 
1 bitcoin is around £300 atm. Nothing too painful but you never know if you'll actually get anything back from it.

What email client are you using? I would have thought there would be a way to prevent executables.

if OP's company considered it to be a 60% chance then from a selfish pov that £300 is surely well worth paying vs the cost of all the man hours required to faff about with backups etc...

sure there are wider implications and governments don't deal with kidnappers/terrorists (or at least like to claim to when really they do) so maybe the company genuinely does want to not help fund these 'cyber-criminals' due to wider ethical concerns... but realistically for a reasonable chance of having much less headache £300 is nothing


someone in IT security needs a slap, why does some randomer in accounts have write access to so much.
 
someone in IT security needs a slap, why does some randomer in accounts have write access to so much.

While I can't say it is the case here, increasingly the more recent variants of this crypto malware have increasing levels of sophistication, including sometimes the ability to exploit network devices using firmware with known vulnerabilities, i.e. routers and NAS devices, and rather than deploy their main payload immediately some will sniff around the network a while trying to find ways to infect files at a higher level before starting to encrypt files on the originally infected machine.
 
Ahhh Cryptolocker, I was the first one to discover it at our place in Sept 2013 (large UK MSP) when it first hit. Implemented a software restriction policy across our clients but many still got hit over the last few years with the more sophisticated variants; have seen it over 100 times in pretty much all variations. Only sure way of protecting against it is a solid backup plan. Don't work with crypto now, working on 3rd line, and don't miss it!
 
Makes you wonder what changes will need to happen to curb these things. I know running browsers in a sandboxed environment is starting to take off but is a sandbox 100% secure?

Plus where do you think they are coming from? The ransom amount seems too small for it to have originated in the west. Then again maybe it's just cheap enough for people to consider paying :confused:


This thread has prompted me to update my offline backups though so thanks for that :o
 
We're planning to get hit by this soon. My manager wants to empower our users by giving them admin rights to install what they want and unrestricted Internet access because something called ITIL told him this would make him popular. I assume ITIL is some sort of reference to bending over and fisting yourself in the anus but haven't Googled it to find out.
 