Ransomware tips
Hey guys, I had a client hit with ransomware. Luckily we have been able to restore backups and start moving forward. They brought into question whether they should involve legal; what is everyone's opinion here?
What is best practice after being hit with ransomware?
There has been talk about hiring a forensic team; do you think that is necessary? There is no reason to believe personal/confidential information was compromised.
Thanks
Comments
DeezyFF:
What industry or department was compromised? I would be very careful with anyone in accounting or the medical industry.
Currently I work in the manufacturing industry. What we do with hit machines is disable the user, re-image the machine, force a password change, re-enable the account, and re-issue the re-imaged machine. All data should be backed up to our servers or SharePoint/OneDrive for Business. The data that is compromised is deleted and replaced with files from the last daily backup. Worst case they lose 24 hours' worth of data.
gespenstern:
Already posted this here last year. Have nothing to add...
It's easy to deal with. 1-4 are free, 5-6 are pricey depending on the solution chosen.
1. First off, a usage policy that prescribes storing personal data in home directories on a file server and common data in public directories on a file server. The file server is of course backed up regularly, plus shadow copies if it's Windows-based.
2. Second, configure SRP (Software Restriction Policies, built-in since Windows XP) to prohibit executables/scripts from running from anywhere in %userprofile%. Easy to configure via Group Policy. There's a good article on this on BleepingComputer. For people who buy you a beer on a regular basis you can add an exception and allow them to run executables from the "Downloads" folder. Also, your major PITA would be three things: 1) Google Chrome 2) GoToMeeting 3) WebEx. Vendors of these programs think that they are cocky and violate Microsoft recommendations and best practices (which prescribe installing software into %programfiles%) and put their sh!t right into %userprofile%. But you can add exceptions, if needed. This will prevent almost any malware from executing even if some dumb person launches an attachment from an unsolicited e-mail.
3. UAC! UAC! UAC! User Account Control (since Windows Vista) is your best friend. Easy to configure from Group Policy. Set its bar to at least level 2 (from the bottom). It won't prevent CryptoLocker from running and encrypting stuff, but it will prevent it from deleting shadow copies on the local computer, so all the documents can be easily restored. Always restore them to an external drive to avoid the "shadow copies disappeared during restoration" situation, as Windows destroys them on the fly if it thinks it is running out of space.
4. If someone complained and/or you suspect bad things may be happening -- launch compmgmt.msc on the file server, go to Open Files and watch for users who have suspiciously many read+write files open and files being renamed to name.ext.crypto or name.ext.vvv or whatever renaming scheme the current version of CryptoLocker uses. Kick such a user off the network immediately.
5. Filter your e-mail for spam and malware. Pretty hard to tune it by yourself, but there are a lot of cloud services and dedicated solutions such as Proofpoint, etc. Also, I can configure it and support it for you if your business pays my rate.
6. Use IDS/breach detection products. Modern products allow you to watch for "bulk rewrite" indicators that get triggered when some dumba$$ uses SMB to read/write too many files at once. Set up an alert so every interested party gets a text message/e-mail/whatever when this indicator gets triggered, and kick the offender off the network immediately.
7. Alternatively, CryptoLocker seems to encrypt only local files and files on mapped drives. Do not map drives; use UNC paths instead and create shortcuts on users' desktops with UNC paths. That way CryptoLocker encrypts only the user's stuff, but you don't care (because of the policy, see paragraph 1); you just re-image the PC and you are done.
8. Last but not least -- do security patching of 3rd-party software on a regular basis. Adobe crap and Java on workstations should be patched within like 3 days after a patch is released; the same goes for MS Office. Of course I assume that basic things like the OS are patched regularly...
http://www.techexams.net/forums/jobs-degrees/115858-dealing-crypto-virus.html#post988699
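The two indicators in points 4 and 6 of the post above (a user with too many files open on the file server, and files being mass-renamed to extensions like .crypto or .vvv) and the "disable the user" step from DeezyFF's reply can be scripted rather than watched by hand in compmgmt.msc. The following is an added example written for this page, not code from either poster or from any product. It assumes a Windows file server with the SmbShare cmdlets (Get-SmbOpenFile, Close-SmbSession) and, for containment, the RSAT ActiveDirectory module (Disable-ADAccount). The share paths, thresholds, time window and the double-extension pattern are assumptions to tune for your environment; the extension list itself comes from the post.

```powershell
# Added example (not code from the thread). Flags the two ransomware
# indicators described in points 4 and 6 above and, on request, contains
# the offending user as DeezyFF's reply describes (kick session, disable
# account). Requires the SmbShare module on the file server and the
# ActiveDirectory module for Invoke-RansomwareContainment.

function Find-RansomwareIndicators {
    [CmdletBinding()]
    param(
        [string[]] $SharePath = @('D:\Shares\Public'),     # assumed share root(s)
        [int]      $OpenFileThreshold = 50,  # open handles per user before we flag (assumed)
        [int]      $RenameThreshold   = 20,  # renamed files in the window = "bulk rewrite" (assumed)
        [int]      $WindowMinutes     = 10,
        [string[]] $KnownExtensions   = @('.crypto', '.vvv')  # extensions named in the post
    )

    $since = (Get-Date).AddMinutes(-$WindowMinutes)
    # Generic "name.ext.<junk>" double extension, e.g. report.docx.abcd (assumed pattern)
    $doubleExt = '\.[A-Za-z0-9]{2,5}\.[A-Za-z0-9]{2,8}$'

    # Indicator 1: files written inside the window that now carry a suspicious extension
    $renamed = @(Get-ChildItem -Path $SharePath -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object {
            $_.LastWriteTime -gt $since -and
            ($KnownExtensions -contains $_.Extension.ToLower() -or $_.Name -match $doubleExt)
        })
    $renamedPaths = @{}
    foreach ($f in $renamed) { $renamedPaths[$f.FullName] = $true }

    # Indicator 2: open SMB handles per user, and which users hold handles on renamed files.
    # Get-SmbOpenFile reports the server-local path, so it can be matched to the scan above.
    $suspects = @{}
    foreach ($grp in (Get-SmbOpenFile | Group-Object -Property ClientUserName)) {
        $onRenamed = @($grp.Group | Where-Object { $renamedPaths.ContainsKey($_.Path) }).Count
        $reasons = @()
        if ($grp.Count -gt $OpenFileThreshold) { $reasons += "$($grp.Count) open handles" }
        if ($onRenamed -gt 0) { $reasons += "$onRenamed handles on renamed files" }
        if ($reasons.Count -gt 0) {
            $suspects[$grp.Name] = [pscustomobject]@{
                User       = $grp.Name                     # DOMAIN\user
                Computers  = (@($grp.Group.ClientComputerName) | Sort-Object -Unique) -join ','
                SessionIds = @($grp.Group.SessionId | Sort-Object -Unique)
                Reasons    = $reasons -join '; '
            }
        }
    }

    [pscustomobject]@{
        BulkRename    = ($renamed.Count -gt $RenameThreshold)
        RenamedCount  = $renamed.Count
        RenamedSample = @($renamed | Select-Object -First 5 -ExpandProperty FullName)
        Suspects      = @($suspects.Values)
    }
}

function Invoke-RansomwareContainment {
    # Disconnect the user's SMB sessions so the encryption stops, then disable the
    # AD account so the infected workstation cannot simply reconnect. Honours -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)] $Suspect)

    foreach ($id in $Suspect.SessionIds) {
        if ($PSCmdlet.ShouldProcess("SMB session $id ($($Suspect.User))", 'Close')) {
            Close-SmbSession -SessionId $id -Force
        }
    }
    $sam = ($Suspect.User -split '\\')[-1]   # strip the DOMAIN\ prefix
    if ($PSCmdlet.ShouldProcess("AD account $sam", 'Disable')) {
        Disable-ADAccount -Identity $sam
    }
}

# Usage (run elevated on the file server; review the report before containing anyone):
$report = Find-RansomwareIndicators -SharePath 'D:\Shares\Public', 'D:\Shares\Home'
$report | Format-List
foreach ($s in $report.Suspects) {
    $s | Format-List
    Invoke-RansomwareContainment -Suspect $s -WhatIf   # drop -WhatIf to act
}
```

Run it from a scheduled task every few minutes and send the report to whoever is on call; that is the "alert every interested party" part of point 6 without buying a breach-detection product. Matching on open handles rather than file ownership matters because the encrypting process does not change who owns the file, but it does have to hold a write handle on it through the client's SMB session.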
Trucido:
I always thought ransomware was just a sham. They didn't really have control to do anything; it was just massive amounts of popups and fake virus warnings.. but yeah, you can never be too safe.
NetworkNewb:
Quote: I always thought ransomware was just a sham. They didn't really have control to do anything; it was just massive amounts of popups and fake virus warnings.. but yeah, you can never be too safe.
Yea, I'm pretty sure it's all just a sham. I wouldn't worry about it. (not actually a sham, totally real, and it sucks)
dhay13:
We were hit with it at my last job. An employee clicked on a link in a LinkedIn email. I pulled it from the network and reinstalled the OS. I heard the same employee did the same thing again after I left.
the_Grinch:
I would err on the side of caution and alert your legal department. They'll come up with relevant questions and work with you to discover if any protected data with a reporting requirement was accessed. As far as bringing in a forensic team, I'd advise that it would be overkill. Chances of getting the person will be slim. Internally you should review so that you can be as sure as possible of what was accessed/encrypted and that nothing larger has taken place. Then review policies and procedures to see if anything needs to be adjusted to increase detection/prevention in the future.
markulous:
gespenstern has good advice. UAC, good group policies (CIS hardening standards are pretty good), web content filtering, and a good email filter. I use AppRiver and that keeps out quite a bit of spam. Education is probably the most important one though. The business should have communications on security and educate all employees on good practices. So you definitely want to review all of that (and more) after the attack to reduce the risk of this happening again.
beads:
Healthcare in particular is being targeted because of the very real life-and-limb risk involved. Get lucky and encrypt active patient files and you've really got a problem. If your belief is at all that this is any kind of sham, you're either incredibly lucky not to have seen it (yet); work in some sort of organization that wouldn't be interesting as a target, i.e. NGO, non-profit, et al.; or you don't work in IT in the first place, as this comes up here in this organization about once a week in a publicly traded mid-size organization.
Hey, for fun check out the largest HIPAA fine, for a record 5.5 million dollars. This was ultimately the settlement, not the overall potential fine. Yikes!
https://www.hhs.gov/about/news/2016/08/04/advocate-health-care-settles-potential-hipaa-penalties-555-million.html
b/eads <- A healthcare security expert