RESET Forums (homeservershow.com)
itGeeks

Backups, This is the reason it's not an Option but Mandatory.


itGeeks

I saw that video before.  I like Linus, but too many times he just builds the most ridiculous servers/workstations.  I guess that happens when you have a lot of good sponsors.  That server should have been just a test platform to demonstrate some ridiculous speeds you can achieve.  But instead he made it a production server.  He was planning on making a backup server, but again he wants to go crazy so he never finished.  How he got all that data back is a miracle.  

 

I always say keep it simple.  

How he got all that data back is a miracle. Agreed. That recovery company is one to put in the books.

LoneWolf

It's on auction now. Starting bid 40,000.00, going once, going twice, sold to pcdoc :D

What kind of network and endpoint protection do those customers have in place? It sounds to me like those customers need to reevaluate their protection. I could be wrong.

 

Ransomware is rarely detected by virus protection, or when it is, it cleans the original infection, but that infection has already started Windows processes to perform the encryption that don't report as viruses, because they're legitimate Windows processes.  Also note, removing local administrator access from users does not help with ransomware.  Think about the fact that the non-business version of Google Chrome does not require admin permissions to install (it installs in the user profile; IMO, this is very bad development practice).  Ransomware works in a similar way by executing from an area even limited users have permission to execute from.

 

So far, evading cryptoware (not just for the people I manage, but as an industry) is incredibly difficult.  You can mitigate the risks, but not eliminate it.  The best ways:

 

-Use a firewall that has Advanced Persistent Threat (also known as "0-Day") protection.  This requires extra UTM licensing in most cases, but matches up with MD5 hashes of early threats, and is an add-on to the gateway antivirus feature of corporate firewalls.

-Strip .zip, .js, .jse attachments from e-mail, and any document attachment containing macros, and enable security in Office.  The first three attachments, not so hard.  The remaining bit with the macros isn't always feasible.  Office macros have actually been used to spawn ransomware, but people also need macros in some types of documents (e.g., spreadsheets).

-Use Windows Group Policies along with some add-ons like the CryptoLocker Prevention Kit to block programs from executing from C:\Users\%USERPROFILE%\Appdata.  This greatly reduces the threat; however, there are still crappy devs that use this far-from-best-practice location to install their software, or even execute pieces of their software from.  This means that after locking things down, you have to wait for a user to scream, then whitelist the app, wash, rinse, repeat.  If this interrupts a business customer, they don't see that you're protecting them; they see that their job is being interfered with.  This also requires a Windows network domain for best results; doing it with individual machines (e.g., workgroup) is messy and difficult to manage.

-Use a set of file monitors like CryptoLocker Canary to monitor for certain types of files (HELP_DECRYPT.TXT) to do advanced reporting for you when these files start to multiply in folders on a server.  The issue with this is, you're playing whack-a-mole.  Every time a new variant of ransomware comes out, you have to manually add new files, and this isn't always effective, as you may not be aware of every variant out there.

-Sadly, the use of adblockers is another final way.  I don't like recommending this due to the number of legitimate sites out there (including this one), but so many sites use an ad-provider for hosting, and ad-providers don't give a care about security; they give a care about fast transactions, and they rarely look at who is bidding/buying their ads.  This can lead to some real problems.  Plenty of ransomware has spread through very legitimate sites that had a crappy ad provider.

 

It isn't getting any easier, and many security folks would tell you (off-the-record, if they work for an AV company) that AV in general does an extremely poor job of catching crypto/ransomware.  The three things that can help right now are user education about how they spread to promote wise surfing/e-mail habits, early detection and reporting (if you see something, say something), and good backups, including cold backups, because if undetected for several days, the most recent backup sets will have encrypted files in them too.  Note that I've had sites that were very well protected and still got infected.  If you look at the recent headlines of the hospitals that have gotten infected, they weren't exactly falling down on the job either; this is one part of security that's very, very hard and the enemy just keeps getting better and more creative.

 

Note also that variants like Cryptowall 2.0 do a public-IP check.  If the system is in a country where the perpetrators reside, the ransomware deletes itself and does not infect the machine.  These people don't want local law enforcement getting ticked enough to start looking for them; they want to do their dirty work in countries their government couldn't care less about helping, generally ones without extradition treaties.  If ransomware goes long enough, it's also usually smart enough to wipe all the shadow copies/"Previous Versions" on a Windows box too, so you can't roll back to those.  Until law enforcement in the countries of origin starts to give a care, this is going to become more problematic, because nobody is trying to trace the source and catch these people, some of whom have their roots in Eastern European organized crime.

Edited by LoneWolf

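LoneWolf's second item (strip .zip, .js and .jse attachments, and documents carrying macros) is easy to describe and slightly fiddly to do right, because a macro-enabled Office file is a zip container whose macro lives in a `vbaProject.bin` member. The Python below is an added example written for this thread, not LoneWolf's code or any mail gateway's: it parses a constructed message with the standard `email` module, drops the three extensions from the post, and opens zip-based Office attachments to look for a VBA project before deciding. The extra Office extensions, the macro part names and the sample attachments are assumptions made here.

```python
"""Mail-gateway attachment filter modelled on LoneWolf's second item: strip
.zip/.js/.jse attachments and Office documents that carry a VBA macro project.
Added example, not the forum poster's code or any gateway product's. The sample
message, the stand-in zip/docx payloads and the lists below are constructed;
only .zip/.js/.jse come from the post."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Stripped outright, as in the post.
BLOCKED_EXTENSIONS = {".zip", ".js", ".jse"}
# Zip-based Office formats we open to look for a macro project (assumed list).
OOXML_EXTENSIONS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
# Zip members that only exist when the document contains VBA code.
MACRO_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}


def has_vba_project(data):
    """True if a zip-based Office document contains a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name in MACRO_PARTS for name in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a zip at all, so not an OOXML macro carrier


def attachment_verdict(filename, data):
    """Classify one attachment: first by extension, then by macro content."""
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in BLOCKED_EXTENSIONS:
        return "blocked-extension"
    if ext in OOXML_EXTENSIONS and has_vba_project(data):
        return "blocked-macro"
    return "allow"


def strip_attachments(raw):
    """Parse a raw message, drop blocked attachments, return (msg, removed)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed = []
    if not msg.is_multipart():
        return msg, removed
    kept = []
    for part in msg.get_payload():          # direct sub-parts of the multipart
        filename = part.get_filename()
        if filename is None:                # the message body, not an attachment
            kept.append(part)
            continue
        verdict = attachment_verdict(filename, part.get_payload(decode=True) or b"")
        if verdict == "allow":
            kept.append(part)
        else:
            removed.append((filename, verdict))
    msg.set_payload(kept)
    return msg, removed


def make_ooxml(with_macro):
    """Constructed minimal OOXML container, optionally with a fake VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 fake OLE stream")
    return buf.getvalue()


def build_sample_message():
    """Constructed phishing-style message carrying four attachments."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(b"PK\x03\x04 not a real archive", maintype="application",
                       subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"var sh = new ActiveXObject('WScript.Shell');",
                       maintype="application", subtype="javascript",
                       filename="invoice.js")
    msg.add_attachment(make_ooxml(with_macro=True), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="Invoice.docm")
    msg.add_attachment(make_ooxml(with_macro=False), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="report.docx")
    return msg.as_bytes()


def filter_sample():
    """Run the filter over the constructed message: (removed, surviving names)."""
    msg, removed = strip_attachments(build_sample_message())
    surviving = [p.get_filename() for p in msg.iter_attachments()]
    return removed, surviving


if __name__ == "__main__":
    removed, surviving = filter_sample()
    for name, why in removed:
        print(f"stripped {name}: {why}")
    print("delivered with:", surviving)
```

The order of the checks is the point: the extension list is cheap and catches the script droppers, but a macro-enabled document only reveals itself once you open the container, and checking the zip members rather than trusting `.docm` versus `.docx` means a renamed file does not slip through.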
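LoneWolf's canary item describes watching a server for ransom-note files such as HELP_DECRYPT.TXT multiplying across folders. The Python below is an added example written for this thread, not the CryptoLocker Canary tool: it scans a share for known note filenames and raises an alert once they appear in several folders, and it also plants a decoy file per folder and alerts when any decoy is overwritten or deleted, which is the other half of the "canary" idea. The extra note names, the threshold, the decoy naming and the constructed share are all assumptions made here.

```python
"""Ransom-note and canary-file monitor in the spirit of LoneWolf's 'CryptoLocker
Canary' item: alert when known note files (HELP_DECRYPT.TXT in the post) start
multiplying across folders, and when a planted decoy file changes or vanishes.
Added example, not that tool's code. Note names other than HELP_DECRYPT.TXT,
the alert threshold, the decoy name and the sample share are constructed."""
import hashlib
import os
import tempfile

# Lower-cased note filenames to look for. Only HELP_DECRYPT.TXT comes from the
# post; the others are assumed variants you keep extending (the whack-a-mole).
RANSOM_NOTE_NAMES = {"help_decrypt.txt", "help_decrypt.html", "decrypt_instructions.txt"}
ALERT_THRESHOLD = 3                      # folders carrying a note before we alert (assumed)
DECOY_NAME = "~canary-do-not-open.docx"  # sorts early, so encryption reaches it soon


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_decoys(root, folders):
    """Write one decoy per folder; return {path: sha256} as the baseline."""
    baseline = {}
    for folder in folders:
        folder_path = os.path.join(root, *folder.split("/"))
        os.makedirs(folder_path, exist_ok=True)
        path = os.path.join(folder_path, DECOY_NAME)
        with open(path, "wb") as f:
            f.write(b"canary for " + folder.encode())
        baseline[path] = sha256_file(path)
    return baseline


def scan(root, baseline):
    """One pass over the tree: note folders, tampered decoys and an alert flag."""
    note_folders = []
    for dirpath, _dirs, files in os.walk(root):
        if any(name.lower() in RANSOM_NOTE_NAMES for name in files):
            note_folders.append(os.path.relpath(dirpath, root).replace(os.sep, "/"))
    tampered = [p for p, digest in baseline.items()
                if not os.path.exists(p) or sha256_file(p) != digest]
    alert = len(note_folders) >= ALERT_THRESHOLD or bool(tampered)
    return {"note_folders": sorted(note_folders),
            "tampered": sorted(tampered),
            "alert": alert}


def simulate():
    """Build a constructed share, scan it clean, fake an infection, scan again."""
    with tempfile.TemporaryDirectory() as root:
        folders = ["Finance", "HR", "Projects/Alpha", "Projects/Beta"]
        baseline = plant_decoys(root, folders)
        with open(os.path.join(root, "Finance", "budget.xlsx"), "wb") as f:
            f.write(b"ordinary content")
        clean = scan(root, baseline)

        # Fake ransomware: overwrite one decoy and drop notes into three folders.
        with open(os.path.join(root, "Finance", DECOY_NAME), "wb") as f:
            f.write(b"\x00\xffgarbage where the canary used to be")
        for folder in ["Finance", "HR", "Projects/Alpha"]:
            note = os.path.join(root, *folder.split("/"), "HELP_DECRYPT.TXT")
            with open(note, "w") as f:
                f.write("Your files have been encrypted.\n")
        infected = scan(root, baseline)
        return clean, infected


if __name__ == "__main__":
    clean, infected = simulate()
    print("clean scan:", clean)
    print("infected scan:", infected)
```

In practice you would run `scan` on a schedule (or from a file-system watcher) and feed the alert into whatever paging you already use. The decoy check is what survives the whack-a-mole: a new variant with a note name you have never seen still has to overwrite the decoy to do its job.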
itGeeks

Some really great info, thanks. I agree with you: education, surfing habits and awareness are what I tell my family and friends about. Just don't click on everything in sight. If it feels wrong, it probably is. I also tell everyone never, ever to click on a link in an email that says you need to change your password; I tell them to open a browser and log in like always and see if the site warns you about changing your password. Things like this will help save you.

ShadowPeo

It seems like LoneWolf has had a bad time with ransomware. I have only encountered it a couple of times personally, last week being the most recent, and luckily the person had a backup of most of their data; the rest was offered to the backup gods as a sacrifice. I also know several sysadmins at large organisations that have lost their jobs due to ransomware, well, not the ransomware directly, but due to the lack of backups.

 

LoneWolf's statement of it being like whack-a-mole is very apt. These things pop up with alarming regularity, with there even being ones that specifically target NAS and other storage devices (SynoLocker, for example).

 

Oh, and in my experience AV does a poor job of "malware" in general, be they those variants that display adverts and hijack browsers or more malicious ones such as the aforementioned ransomware styles.

 

While education is the best bet, if you want to take it that far and understand how it works, application whitelisting can be a very powerful tool, but it can and does cause issues and can be akin to using a flamethrower on an anthill.

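LoneWolf's third item (block execution out of the user profile's AppData, then whitelist the apps that scream) and ShadowPeo's application whitelisting are two ends of the same policy: deny by location, allow by identity. The Python below is an added example written for this thread that models that decision; it is not the CryptoLocker Prevention Kit, Software Restriction Policies or Group Policy, and it only parses Windows-style paths so it runs anywhere. The location rules, the executable suffix list, the sample execution attempts and the stand-in bytes used for the per-user Chrome install are all constructed assumptions.

```python
"""Execution-location policy: LoneWolf's third item (block programs that run
from the profile's AppData) plus the hash-based exception list ShadowPeo calls
application whitelisting. Added example, not the CryptoLocker Prevention Kit,
Group Policy or any product; every rule and sample below is constructed."""
import hashlib
from pathlib import PureWindowsPath

# Where installed software is expected to live (assumed).
ALLOWED_ROOTS = [r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows"]
# Locations any limited user can write to and execute from; '*' matches one
# path segment so a single rule covers every profile (assumed).
DENIED_ROOTS = [r"C:\Users\*\AppData", r"C:\Users\*\Downloads", r"C:\Windows\Temp"]
# File types treated as executable content (assumed).
EXECUTABLE_SUFFIXES = {".exe", ".com", ".scr", ".pif", ".js", ".jse", ".vbs",
                       ".wsf", ".bat", ".cmd", ".ps1"}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Stand-in for the per-user Chrome install the post complains about: it lives
# under AppData, so it needs an explicit exception. Constructed bytes.
CHROME_STAND_IN = b"MZ constructed stand-in for chrome.exe"
HASH_ALLOWLIST = {sha256_hex(CHROME_STAND_IN): "Google Chrome (per-user install)"}


def _under(path, root_pattern):
    """True if path sits strictly below root_pattern; '*' matches one segment."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    pattern = [p.lower() for p in PureWindowsPath(root_pattern).parts]
    if len(parts) <= len(pattern):
        return False
    return all(r == "*" or r == p for r, p in zip(pattern, parts))


def decide(path, content):
    """Return (verdict, reason) for an attempt to run `content` from `path`."""
    p = PureWindowsPath(path)
    if p.suffix.lower() not in EXECUTABLE_SUFFIXES:
        return "allow", "not an executable type"
    digest = sha256_hex(content)
    if digest in HASH_ALLOWLIST:                       # the "whitelist the app" step
        return "allow", "hash allowlisted: " + HASH_ALLOWLIST[digest]
    if any(_under(path, d) for d in DENIED_ROOTS):     # deny beats allow
        return "deny", "executes from a user-writable location"
    if any(_under(path, a) for a in ALLOWED_ROOTS):
        return "allow", "trusted install location"
    return "deny", "default deny"


# Constructed execution attempts: (path, file content).
SAMPLES = [
    (r"C:\Program Files\Mozilla Firefox\firefox.exe", b"MZ firefox"),
    (r"C:\Users\bob\AppData\Local\Temp\invoice.pdf.exe", b"MZ dropper"),   # double extension
    (r"C:\Users\bob\AppData\Roaming\invoice.js", b"var s = new ActiveXObject('WScript.Shell');"),
    (r"C:\Users\bob\AppData\Local\Google\Chrome\Application\chrome.exe", CHROME_STAND_IN),
    (r"C:\Users\bob\Documents\report.docx", b"PK document"),
    (r"C:\Windows\Temp\stage2.exe", b"MZ stage2"),
    (r"D:\Tools\putty.exe", b"MZ putty"),
]


def evaluate_samples():
    """Map each sample path to its verdict."""
    return {path: decide(path, content)[0] for path, content in SAMPLES}


if __name__ == "__main__":
    for path, content in SAMPLES:
        verdict, reason = decide(path, content)
        print(f"{verdict:5}  {path}  ({reason})")
```

The hash exception is what turns the "wait for a user to scream" loop into a controlled process: the location rule stays strict, and each legitimate AppData-installed program gets a named, reviewable entry rather than a hole punched in the path rule. The cost ShadowPeo mentions is real, though: every Chrome update changes the hash, so the list needs maintenance or a publisher-based rule instead.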
