Cryptowall 3 and cryptolocker Best practice ?

  • 06-11-2015 10:36am
    #1
    Closed Accounts Posts: 1,322 ✭✭✭


    This question is being put to me more and more recently, and I was wondering what everyone else was advising people around this topic?

    Where I work, the cloud products I specialise in are not that mature at stopping and killing off cryptolocker. So there are some areas that seem very obvious to me; I usually advise on some of the following:

    CryptoWall, and the latest CryptoWall 3, will target these services and shut them down, or at least try to, in order to execute a successful ransom. Similarly, these services could be set to be protected or set to no access through SRPs.


    Service Name   Description
    wscsvc         Security Center Service
    WinDefend      Windows Defender Service
    wuauserv       Windows Update Service
    BITS           Background Intelligent Transfer Service
    ERSvc          Error Reporting Service
    WerSvc         Windows Error Reporting Service

    * Block any kind of executable attachments in mails, not just exe's, e.g. .js, .chm, .scr etc. Use tech that actually looks in Zip files too.
    * Block all macros and ActiveX stuff, if you can get away with it, kill Flash too.
    * Java applets should be whitelist only.
    * Monitor any filers/network storage for the 'ransom' file names, e.g. HELP_DECRYPT.txt, HELP_YOUR_FILES.html, DECRYPT_INSTRUCTION.html etc.
    * Put an Adblocker and EMET on all client machines.


    Stop executables running from the AppData/LocalAppData folders
    Same for the TEMP folders
    Ensure that the System Restore service is protected
    Kill Autorun for users via GPO
    Employ SRPs from GPOs to stop users without domain admin rights from being allowed to install unwarranted apps. (In cloud this makes sense, as all desktop sessions should spin from one master image and this image is customised to suit individual BUs; in other words, if app installs are required here then the virt admins are not keeping the master image up to date.)

    The help desk being annoyed at having to install something is, in my eyes, a better idea than having 30 calls to the help desk for financially crippling ransomware attacks.

    Kill the RDP protocol for all users who do not require it.

    The biggest win in defending against crypto for me has to be the SRP route, as here, if the installers are 100% blocked from executing in user sessions, then no file can execute to perform installs. It sounds bad and a bit harsh, but if you want to face-palm this type of attack it's my only answer for now. I have seen vendors being defeated, not just my own employer, as per the zero-day aspect, and pattern analysis is almost impossible given how it is delivered in encrypted form and then unencrypted at user execute time......



    If anyone has any ideas to peg on here, we could build a nice little doc on it?
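The controls in the post above (the service table, SRPs on AppData/LocalAppData/Temp, Autorun off, RDP off) are easy to drift away from between master-image rebuilds. The following is an added example, not code from the thread: a read-only PowerShell audit that checks each of those controls on a client or on the master image and exits non-zero if anything is off. The expected values it looks for (service start type not Disabled, SRP disallow rules whose path starts with %AppData%, %LocalAppData% or %Temp%, fDenyTSConnections=1, NoDriveTypeAutoRun=255) are this example's assumptions; adjust them to your own policy.

```powershell
# Added example, not from the thread: read-only audit of the controls listed above.
# Run in an elevated PowerShell session. Expected values are this example's assumptions.

# Services from the post's table. Ransomware tampering usually shows up as StartMode=Disabled.
$protectedServices = 'wscsvc', 'WinDefend', 'wuauserv', 'BITS', 'ERSvc', 'WerSvc'

function Test-ProtectedServices {
    foreach ($name in $protectedServices) {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
        if (-not $svc) { continue }   # e.g. ERSvc does not exist on Vista and later
        [pscustomobject]@{
            Check = 'Service'; Item = $name
            State = "$($svc.State)/$($svc.StartMode)"
            Pass  = ($svc.StartMode -ne 'Disabled')
        }
    }
}

# SRP path rules live under Safer\CodeIdentifiers\<level>\Paths\<GUID>; level 0 is
# "Disallowed" and each rule's ItemData value holds the path pattern.
$srpRoots = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths',
            'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'
$wantedPrefixes = '%AppData%', '%LocalAppData%', '%Temp%'   # folders the post says to block

function Test-SrpPathRules {
    $rules = foreach ($root in $srpRoots) {
        if (Test-Path $root) {
            Get-ChildItem $root | ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }
        }
    }
    foreach ($prefix in $wantedPrefixes) {
        # Assumes rules are written with the environment variable; adjust if yours use
        # %USERPROFILE%\AppData\... style paths instead.
        $covered = @($rules | Where-Object { $_ -like "$prefix*" }).Count -gt 0
        [pscustomobject]@{ Check = 'SRP disallow rule'; Item = $prefix; State = ($rules -join '; '); Pass = $covered }
    }
}

function Test-RdpDisabled {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $v = (Get-ItemProperty $key -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    [pscustomobject]@{ Check = 'RDP'; Item = 'fDenyTSConnections'; State = $v; Pass = ($v -eq 1) }
}

function Test-AutorunDisabled {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $v = (Get-ItemProperty $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    # 0xFF = Autorun off for every drive type
    [pscustomobject]@{ Check = 'Autorun'; Item = 'NoDriveTypeAutoRun'; State = $v; Pass = ($v -eq 255) }
}

$results = @(Test-ProtectedServices) + @(Test-SrpPathRules) + @(Test-RdpDisabled) + @(Test-AutorunDisabled)
$results | Format-Table Check, Item, State, Pass -AutoSize
# Non-zero exit so a scheduled task or compliance job can raise a ticket on any failure.
if (@($results | Where-Object { -not $_.Pass }).Count -gt 0) { exit 1 }
```

Scheduling this on the master image and on a sample of live sessions catches both the image drifting from the baseline and a session in which something has already started switching services off.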


Comments

  • Registered Users, Registered Users 2 Posts: 5,112 ✭✭✭Blowfish


    Well the first and most obvious thing that will nullify ransomware's effectiveness is having a good backup policy and test it regularly.

    Some simple ones most of which orgs should be doing anyway:

    * Block any kind of executable attachments in mails, not just exe's, e.g. .js, .chm, .scr etc. Use tech that actually looks in Zip files too.
    * Block all macros and ActiveX stuff, if you can get away with it, kill Flash too.
    * Java applets should be whitelist only.
    * Monitor any filers/network storage for the 'ransom' file names, e.g. HELP_DECRYPT.txt, HELP_YOUR_FILES.html, DECRYPT_INSTRUCTION.html etc.
    * Put an Adblocker and EMET on all client machines.
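Monitoring filers for the ransom-note names in the list above is worth doing as a scheduled job rather than by eye, because the file owner of the note tells you which user account (and so which session or workstation) is doing the encrypting. The following is an added example, not code from the thread: a PowerShell scan over a set of share paths for the named note files, reporting each hit and a roll-up per owner. The UNC paths are constructed for the example.

```powershell
# Added example, not from the thread: scan shares for the ransom-note names Blowfish lists
# and report where they appear and which account created them.
$shares      = '\\fileserver01\Finance', '\\fileserver01\Shared'   # constructed example paths
$ransomNotes = 'HELP_DECRYPT.txt', 'HELP_YOUR_FILES.html', 'DECRYPT_INSTRUCTION.html'

function Find-RansomNotes {
    param([string[]]$Paths = $shares, [string[]]$Names = $ransomNotes)
    foreach ($path in $Paths) {
        Get-ChildItem -Path $path -Recurse -File -Include $Names -ErrorAction SilentlyContinue |
            ForEach-Object {
                # The note's owner is normally the infected user's account: the one to isolate.
                try { $owner = (Get-Acl $_.FullName).Owner } catch { $owner = 'unknown' }
                [pscustomobject]@{
                    Share   = $path
                    Folder  = $_.DirectoryName
                    Note    = $_.Name
                    Created = $_.CreationTime
                    Owner   = $owner
                }
            }
    }
}

$hits = @(Find-RansomNotes)
if ($hits.Count -eq 0) { 'No ransom notes found.'; return }

# One line per note in time order, then a roll-up per owner. The account with the most
# notes and the earliest timestamp is usually patient zero.
$hits | Sort-Object Created | Format-Table Created, Owner, Note, Folder -AutoSize
$hits | Group-Object Owner | Sort-Object Count -Descending |
    Select-Object @{ n = 'Owner'; e = { $_.Name } },
                  Count,
                  @{ n = 'FirstSeen'; e = { ($_.Group | Sort-Object Created)[0].Created } }
```

Run it every few minutes from Task Scheduler on the file server (or a host with read access to the shares) and have a hit trigger an alert; the earliest Created timestamp also tells you which backup generation to restore from.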


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Thanks Blowfish. Hmm, can I add them to the list above? Sort of amalgamate all the good ideas into the top post? With your permission?


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Blowfish wrote: »
    Well the first and most obvious thing that will nullify ransomware's effectiveness is having a good backup policy and test it regularly.

    You see, the problem with crypto is it is taking advantage of one simple fact: SMBs do not take this stuff seriously until stung. Backups are a rarity in most SMBs and this is a blatant attack on that fact. Most small enterprises call the local tech guys to come and "secure" or "fix" issues, and the moment an onsite engineer brings up backups and cost they have already begun to think about the next Game of Thrones episode..........


    Crypto gangs know the people they want to target and know the lack of action being taken in practically every small to medium enterprise out there. Oooops, OUR critical DB files or Excel spreadsheets have been encrypted - pay out every time.


  • Registered Users, Registered Users 2 Posts: 5,112 ✭✭✭Blowfish


    dbit wrote: »
    Thanks Blowfish. Hmm, can I add them to the list above? Sort of amalgamate all the good ideas into the top post? With your permission?
    Of course :)
    dbit wrote: »
    Crypto gangs know the people they want to target and know the lack of action being taken in practically every small to medium enterprise out there. Oooops, OUR critical DB files or Excel spreadsheets have been encrypted - pay out every time.
    Absolutely agree, though on the plus side, this will likely be improved on over time as newer startups are much more likely to use cloud storage by default where backups etc. are handled for them.


  • Registered Users, Registered Users 2 Posts: 572 ✭✭✭Joe Exotic


    I would second all the above and add on:

    Security awareness training - particularly around email attachments
    - Convince staff to report if they do click by mistake
    Active directory folder permissions - if you don't need it you shouldn't have it

    Patching policy - for the love of god patch your fcuking machines
    Anti-virus - ok, not going to prevent a lot, but no excuse for not having it up to date

    Incident response - Practice for these situations
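The "if you don't need it you shouldn't have it" point on folder permissions is the one that bounds the damage: ransomware running in a user's session can only encrypt what that user can write to, so folders where Everyone, Domain Users or Authenticated Users hold Modify or Full Control are the ones that over-expose a filer. The following is an added example, not code from the thread: a PowerShell walk over a share that lists every folder where one of those broad principals is granted write rights. The UNC path and the CORP domain name are placeholders for the example.

```powershell
# Added example, not from the thread: find folders on a share where broad groups can write.
$shareRoot       = '\\fileserver01\Shared'          # constructed example path
$broadPrincipals = 'Everyone',
                   'BUILTIN\Users',
                   'NT AUTHORITY\Authenticated Users',
                   'CORP\Domain Users'                # CORP is a placeholder domain name

# Any ACE carrying one of these bits lets the principal create or overwrite files.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Find-OverexposedFolders {
    param([string]$Root = $shareRoot, [int]$Depth = 2)
    # Top-level folders are usually where the explicit (non-inherited) grants live.
    $folders = @(Get-Item $Root) +
               @(Get-ChildItem $Root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue)
    foreach ($f in $folders) {
        try { $acl = Get-Acl $f.FullName } catch { continue }   # skip folders we cannot read
        foreach ($ace in $acl.Access) {
            $isBroad  = $broadPrincipals -contains $ace.IdentityReference.Value
            $canWrite = ($ace.FileSystemRights -band $writeMask) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $isBroad -and $canWrite) {
                [pscustomobject]@{
                    Folder    = $f.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Explicit grants first: those are the ones someone deliberately set and can be narrowed.
Find-OverexposedFolders | Sort-Object Inherited, Folder | Format-Table -AutoSize
```

Review the non-inherited rows with the folder owners and replace the broad grant with a per-team group; re-run the script after the change and again periodically, since new shares tend to be created with Everyone: Full Control and stay that way.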

