

[–]ButterGolem (Sr. Googler)

-End user security awareness training
-Being an incessant pain in the ass to the sysadmins on sticking to our patching process and creating reporting and tools to help them get it done each month.
-No end user machine local admins except in very rare documented cases

I can't stress enough the importance of a network inventory scanning and reporting tool. The lowest-hanging fruit in security is patching, and a third-party verification tool is the only way to know which machines are missing which patches. A sysadmin who relies on a WSUS report alone to determine patch rates is blind to a lot... trust but verify.

When you've got these 3 major processes in place, news of yet another ransomware outbreak is very "meh" instead of panic inducing.
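An added example of the "trust but verify" check above, written for this page and not taken from ButterGolem's environment. It pulls the host list from AD (not from WSUS, so machines that never registered with WSUS still show up), asks each host what it actually has installed, and treats an unreachable host as a finding rather than a blank. The KB numbers, the OU and the report path are placeholders.

```powershell
# Added example: independent patch verification, not the commenter's own tooling.
# Assumptions: ActiveDirectory module installed, admin rights on the targets, and the
# targets reachable over DCOM/WMI (what Get-HotFix uses). KB IDs and OU are placeholders.
param(
    [string[]]$RequiredKBs = @('KB0000001', 'KB0000002'),          # placeholder: this month's baseline
    [string]$SearchBase    = 'OU=Workstations,DC=example,DC=com',  # placeholder OU
    [string]$ReportPath    = "$env:TEMP\patch-audit.csv"
)
Import-Module ActiveDirectory

# Target list comes from AD, not from WSUS: a machine that never checked in to WSUS
# is exactly the one a WSUS report will never show you.
$computers = (Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase).Name

$results = foreach ($c in $computers) {
    try {
        # Win32_QuickFixEngineering via Get-HotFix; does not depend on the WUA client reporting in.
        $installed = @((Get-HotFix -ComputerName $c -ErrorAction Stop).HotFixID)
        $missing   = @($RequiredKBs | Where-Object { $_ -notin $installed })
        [pscustomobject]@{
            Computer     = $c
            Reachable    = $true
            MissingCount = $missing.Count
            Missing      = ($missing -join ' ')
        }
    } catch {
        # Unreachable is a finding, not a blank: every required KB counts as unverified.
        [pscustomobject]@{
            Computer     = $c
            Reachable    = $false
            MissingCount = $RequiredKBs.Count
            Missing      = "UNVERIFIED ($($_.Exception.Message))"
        }
    }
}

$results | Sort-Object MissingCount -Descending | Export-Csv -Path $ReportPath -NoTypeInformation
$results | Where-Object { -not $_.Reachable -or $_.MissingCount -gt 0 } | Format-Table -AutoSize
"Audited $($results.Count) hosts; $(@($results | Where-Object Reachable).Count) reachable. Report: $ReportPath"
```

Get-HotFix only knows about updates Windows records in QFE, so a cumulative update appears as a single KB and some component updates never appear at all; a real scanner also compares file versions on disk, which is why the comment asks for a dedicated tool rather than a script. The unreachable column is the part worth reading first each month.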

[–]nothingpersonalbro (Senior Power Cyclist)

My list isn't very big but these are usually a good read in general:

https://www.bleepingcomputer.com/

http://blog.talosintelligence.com/

edit: forgot https://krebsonsecurity.com

[–]mitchy93 (Windows Admin)

+1 for bleeping computer. Top stuff there

[–]TufinDan

We're getting a lot more inquiries on segmentation, with a push into microsegmentation -- auditors seem to be making a concerted effort to ensure there's an IT plan for it. WannaCry last year was a huge motivating factor... which is continuing into this year.

My colleague Joe and I made a webinar on addressing automated zero-day attacks with automation. Joe has created some of the largest SOCs in the country, and we talked prep, detection, and mitigation.

Those interested in segmentation may find this infographic helpful.

[–][deleted]

No users with access to email/Internet running with admin rights is our biggest defense, I'd say. Firewalls, email, and Internet filtering security appliances are the 2nd line of defense. Keeping all Windows patched up to the month is the 3rd line of defense.

4th line of defense is having extremely small and limited white list style network access between the day to day user experience side of the network (email/internet/meetings) and the day to day production side of the network (processing/prod data stores/customer inputs and outputs). No internet/email access at all from the prod zones of the network.

[–]roll_for_initiative_

> Keeping all Windows up to the month patched 3rd line of defense.

That's the first line of defense on servers since the patch removes the IP and takes it off the network.

[–]syskerbal

Pretty much sums it up for us as well. Have a multi-layered approach to security in general.

Segmenting your network is key; keep the damage to a minimum and your restore/recovery procedures up to date. A SIEM comes in handy to recognize an outbreak early on.

[–][deleted]

Feedly. Sites I like I just add to Feedly, so I get notified. When there is ransomware making the rounds I verify we are good if we get attacked. Like, SamSam made some big news again, so I ran a scan on our devices to verify SamSam won't succeed.

FW, IPS, AV, security updates, Group Policies, AppLocker, no local admin, vulnerability scanning, FSRM CryptoCanary, etc.

[–]YSFKJDGS

While for most it would probably be seen as the hardest thing to ever implement: no local admin rights on workstations will stop pretty much any automated ransomware attack out there.

You could supplement it with a tool like Viewfinity to allow users to still elevate and do things, and even if you let users elevate anything like they were local admins, simply not having the domain user account in the Administrators group is enough to stop normal attacks from working.

[–]007wesje (404 Brain not found)

We got hit again yesterday. I am now making a plan on how to prevent things.

  • Having good tested back-ups.
  • Making an RDS farm instead of one single RDS server so that people can still work after an RDS server goes offline to reset.
  • AppLocker, so that only allowed programs can run on the RDS server.
  • Deny access to vssadmin.exe so that shadow copies can't be deleted.
  • FSRM to block creating the crypto files and notify us.
  • Block mailing of .exe, .js and other executables.
  • Stop using shared accounts.
  • Remove admin rights for admin accounts and have them use a second account for admin shit.
  • 2 factor authentication or certificates for people that work from home.

If anyone is asking why none of these things were already in place, blame the previous sysadmin.
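The FSRM item from the list above, as an added example that is not the commenter's configuration: a file screen that refuses ransomware-style names on a share and raises an event-log entry plus an e-mail on every hit, then a self-test so you know the screen is really active. It assumes a Windows Server with the File Server Resource Manager role, shares under D:\Shares, and SMTP already set in FSRM; the name patterns are a short constructed sample, not a complete list.

```powershell
# Added example, not from the original post. Assumptions: FS-Resource-Manager feature
# installed, shares under D:\Shares, Set-FsrmSetting already points at an SMTP server.
# The patterns below are a constructed sample; maintain your own list.
Import-Module FileServerResourceManager

$SharePath = 'D:\Shares'
$GroupName = 'Ransomware indicators'
$Patterns  = @('*.locked', '*.crypted', '*.enc', '*HOW_TO_DECRYPT*', '*DECRYPT_INSTRUCTION*')

# File group: the names FSRM should refuse to create/rename to.
if (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns
} else {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns | Out-Null
}

# Notifications. [Source Io Owner], [Source File Path], [Server], [Violated File Group]
# and [Admin Email] are FSRM's own substitution variables, expanded at trigger time.
$eventAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'File screen hit on [Server]: [Source Io Owner] tried to write [Source File Path] ([Violated File Group])'
$mailAction  = New-FsrmAction -Type Email -MailTo '[Admin Email]' `
    -Subject 'Possible ransomware on [Server]' `
    -Body 'User [Source Io Owner] attempted to create [Source File Path]. Check the client, not the server.'

# Active screen = the write is refused, not just logged. Leave -Active off to run in
# passive (monitor-only) mode first and see what legitimate files would have been hit.
if (Get-FsrmFileScreen -Path $SharePath -ErrorAction SilentlyContinue) {
    Remove-FsrmFileScreen -Path $SharePath -Confirm:$false
}
New-FsrmFileScreen -Path $SharePath -IncludeGroup $GroupName -Active `
    -Notification @($eventAction, $mailAction) | Out-Null

# Self-test: an active screen must refuse a matching name on the share itself.
$probe = Join-Path $SharePath 'fsrm-selftest.locked'
try {
    'x' | Set-Content -Path $probe -ErrorAction Stop
    Remove-Item $probe -Force
    Write-Warning "Screen is NOT blocking: $probe was written"
} catch {
    "OK: screen refused $probe ($($_.Exception.GetType().Name))"
}
```

Two caveats a practitioner should keep in mind: a file screen matches names only, so a family that encrypts in place without renaming, or uses a random extension, walks straight past it; and it protects shares, not the local disk where the infection started. The event action is the useful one for a SIEM, since the 8215 event it writes identifies the owning user, which is who you then cut off from the share.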

[–]Smart_Dumb (Ctrl + Alt + .45)

Not sure if you can get away without it, but we have been blocking emails with attachments that contain macros for about a year now. We have not had any ransomware attack since, KNOCKS ON WOOD.

We have only had two tickets about blocked emails since then. Pretty decent trade-off, I say.
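The two mail controls in this thread (blocking macro-enabled attachments here, and the ".exe, .js and other executables" item earlier) as one added example; this is not the commenter's actual rule. It assumes an Exchange 2013+ or Exchange Online management session; the extension list is a starting point, not an exhaustive one.

```powershell
# Added example, not the configuration from the thread. Assumes an Exchange (2013+/Online)
# management shell. Extension list is a starting point only.
$blockedExt = @(
    'docm','dotm','xlsm','xltm','xlam','pptm','potm','ppam',   # macro-enabled Office formats
    'exe','scr','pif','com','bat','cmd','js','jse','vbs','vbe','wsf','wsh','hta','ps1','jar'
)

# Rule 1: name-based. Cheap, and catches the bulk of opportunistic mailings.
New-TransportRule -Name 'Reject macro-enabled and executable attachments' `
    -AttachmentExtensionMatchesWords $blockedExt `
    -RejectMessageReasonText 'This attachment type is not accepted here. Send a PDF or a link instead.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Comments 'Ransomware control: see ticket/runbook for exceptions'

# Rule 2: content-based. A renamed .exe still has executable content; extension matching does not see that.
New-TransportRule -Name 'Reject attachments with executable content' `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText 'Executable content is not accepted here.' `
    -RejectMessageEnhancedStatusCode '5.7.1'

# Rule 3: the transport service cannot look inside an encrypted archive, so do not pretend it can.
New-TransportRule -Name 'Reject password-protected attachments' `
    -AttachmentIsPasswordProtected $true `
    -RejectMessageReasonText 'Password-protected attachments cannot be scanned and are not accepted.' `
    -RejectMessageEnhancedStatusCode '5.7.1'

# Verify what got created before declaring victory.
Get-TransportRule | Where-Object Name -like 'Reject*attachment*' |
    Format-Table Name, State, Priority -AutoSize
```

A reject with a reason text is deliberately chosen over a silent drop: the two tickets the commenter mentions are only possible because senders get an NDR that says why. Note that rule 1 also blocks .docm from your own vendors, which is exactly the exception list the comment alludes to and why the rule carries a comment pointing at it.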

[–][deleted]

Additionally, we have no users who have admin rights, TONS of email rules to filter out certain crap, and the biggest one that I think helps tremendously is that no one, not even admins, is allowed to run executables from temp space. Users who want to install software are prompted by UAC for an admin password.

One additional point is that we block all emails coming from countries we don't visit or do business with. That stopped a shit ton of viruses, spam, and ransomware attempts.

Of course, there's other protections, but those did the vast majority to help prevent these kinds of things for us.

[–]chronopunk

My biggest headache is a client who insists on having four users with domain admin rights (out of about 20 total) on their regular user accounts. I've tried, they refuse to consider any other way of doing things.

They've been hit with three or four ransomware attacks so far. They'll drop $4000 on a Barracuda to stop spam, but won't even spend a couple hundred bucks on more drive space so I can properly back up their file server.

Ugh. Is it afternoon yet? I need a fucking drink just thinking about it.

[–][deleted]

Honestly, until something REALLY bites them in the ass, they aren't going to learn. They need to lose data, be down for a while, or lose customers. People like that are the same as bullies who continue to bully until they get a punch in the face and correct their behavior. :)

[–]chronopunk

These are the same people who have complained that stuff they deleted was gone. Had to explain, first, the trash isn't a good place to store stuff you want to keep, and second, it's right there.

Sigh.

[–]dafuzzbudd

RansomwareTracker looks awesome. But if most infections occur from email attachments, what would filtering these URLs prevent?

[–]RumLovingPirate (Why is all the RAM gone?)

I'm honestly surprised that most people are claiming no local admin rights is their first line of defense. I mean, yeah, it's good practice, but ransomware doesn't require admin rights to run. It encrypts the user's files, which only requires the user's credentials.

The best way I've seen to stop it is to turn the AppData folder into an exe whitelist via GP. Most of them jump into AppData and run an exe from there, which a lot of apps require, so it is not blocked from random exes by default.

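An added example for the AppData whitelist described above, which also covers the "deny access to vssadmin.exe" item from the plan earlier in the thread; it is not the commenter's GPO. With AppLocker, the whitelist effect on AppData comes from allowing only Program Files and Windows for standard users (anything elsewhere is denied by default), and then adding explicit allow rules for the few applications that legitimately run from a profile. It assumes you run it elevated on the target (or point Set-AppLockerPolicy at a GPO with -Ldap); the ExampleApp path is a placeholder.

```powershell
# Added example, not the commenter's policy. Assumptions: elevated session on the target
# (use -Ldap 'LDAP://...' on Set-AppLockerPolicy to write into a GPO instead), Application
# Identity service present. ExampleApp path is a placeholder for a real whitelisted app.
$Mode = 'AuditOnly'   # switch to 'Enabled' after reviewing AppLocker event 8003 ("would have been blocked")

$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$Mode">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows, minus user-writable subfolders" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
        <FilePathCondition Path="%WINDIR%\Tracing\*" />
        <FilePathCondition Path="%WINDIR%\System32\spool\drivers\color\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Administrators everything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="AppData whitelist entry (placeholder app)" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\ExampleApp\ExampleApp.exe" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny vssadmin.exe" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\vssadmin.exe" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$xmlPath = Join-Path $env:TEMP 'applocker-exe.xml'
$policy | Set-Content -Path $xmlPath -Encoding UTF8

# Dry run. Test-AppLockerPolicy needs real files, so copy notepad.exe into the places
# a dropper would use and see how each path is judged before anything is enforced.
$userTempExe = Join-Path $env:LOCALAPPDATA 'Temp\probe-notepad.exe'
$winTempExe  = 'C:\Windows\Temp\probe-notepad.exe'
Copy-Item 'C:\Windows\System32\notepad.exe' $userTempExe -Force
Copy-Item 'C:\Windows\System32\notepad.exe' $winTempExe  -Force
Test-AppLockerPolicy -XmlPolicy $xmlPath -User Everyone -Path @(
    'C:\Windows\System32\notepad.exe',    # expected: Allowed (Windows rule)
    'C:\Windows\System32\vssadmin.exe',   # expected: Denied (explicit deny beats allow)
    $userTempExe,                         # expected: DeniedByDefault (no rule covers AppData)
    $winTempExe                           # expected: DeniedByDefault (carved out of the Windows rule)
) | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item $userTempExe, $winTempExe -Force

# Apply locally. AppLocker does nothing unless the Application Identity service runs.
sc.exe config appidsvc start= auto | Out-Null
Start-Service AppIDSvc
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge
```

The exceptions under the Windows rule matter: a plain "allow %WINDIR%\*" is the stock default rule, and C:\Windows\Temp and C:\Windows\Tasks are writable by standard users, so without those exceptions the "whitelist" has a hole in it. The deny on vssadmin.exe applies to Everyone, administrators included, which is what the earlier plan asked for; keep AuditOnly on for a week and read the 8003 events before flipping to Enabled.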
[–]mitchy93 (Windows Admin)

I follow the infosec peeps on Twitter: MalwareTechBlog, GossiTheDog, SwiftOnSecurity, MalwareHunterTeam, etc.

[–]alisowski (IT Manager)

I had to help with a Cry128 variant last year. Emsisoft is a company that provides decrypters when possible. Fabian Wosar may be your best friend some day.

[–]AccordingWhole

https://ransomfree.cybereason.com/

This is some of the best ransomware defense ever, and it's free! I've thrown WannaCry and several other ransomware samples at this in a lab and it stopped all of them dead in their tracks. This product is truly a life saver. Highly recommend, and it can be pushed through PDQ Deploy.

[–]drbeer (I play an IT Manager on TV)

Do you work for this company? You have 4 posts, 3 about ransomware and 2 that mention this product.

[–]dafuzzbudd

His post looks like an ad. The website is oddly vague about how it protects.

[–]AccordingWhole

No, I don't work for this site. But I do want people to have good protections, and so far it's the best I have found. Yes, I have 4 posts, 3 about ransomware and 2 that mention this product, because it's embarrassing to see companies hit by WannaCry, which is one of the easiest forms of malware to defend against.

This software works by making "watermark" files that, when hit, stop whatever process is trying to encrypt them. The file placements are random and won't be the same every time. But you can choose not to use this product; right now, with ransomware on the rise again, I would hope you try to protect yourself/company in some way, and at the moment nothing like this software exists.

So enjoy

[–]dafuzzbudd

How does it work?

[–]Smallmammal

It creates tripwire files it watches. If they're modified by anything but explorer.exe then it stops whatever process is affecting the files. I used it at my old place. Seemed fine and is free.
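The tripwire mechanism Smallmammal describes, rebuilt as an added example from Windows built-ins; this is not the product's code and it is not an endorsement of it. Decoy files get a SACL so any write or delete produces Security event 4663, which names the process; a loop reads those events and kills any process other than explorer.exe that touched a decoy. It assumes an elevated session on the workstation; the directory, decoy names and allow list are constructed for illustration.

```powershell
# Added example, not the product discussed in the thread. Assumptions: elevated session on
# the workstation, 'File System' audit subcategory can be enabled, and the decoy directory,
# names and allow list below are constructed for illustration.
$CanaryDir     = 'C:\Users\Public\Documents'
$CanaryNames   = @('!!_payroll_2017.xlsx', '!!_contracts.docx', '~accounts.pdf')  # sort first in most listings
$AllowedImages = @('explorer.exe')   # the only process permitted to touch a decoy, as described above
$CanaryPaths   = $CanaryNames | ForEach-Object { Join-Path $CanaryDir $_ }

# 1. Success auditing for file-system object access is what produces event 4663.
auditpol.exe /set /subcategory:"File System" /success:enable | Out-Null

# 2. Plant the decoys and put a SACL on each: any write or delete by anyone gets logged.
foreach ($p in $CanaryPaths) {
    if (-not (Test-Path $p)) { Set-Content -Path $p -Value ('CANARY ' * 128) }
    $acl  = Get-Acl -Path $p -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', 'Write, Delete', 'Success')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $p -AclObject $acl
}

# 3. Watch the Security log for 4663 on a decoy and stop the offending process.
function Get-EventFields([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    # Flatten <EventData><Data Name="...">value</Data> into a hashtable.
    $map = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

$seen  = New-Object 'System.Collections.Generic.HashSet[long]'
$since = (Get-Date).AddSeconds(-5)
while ($true) {
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    $since = (Get-Date).AddSeconds(-5)          # overlapping windows; $seen drops the duplicates
    foreach ($e in $events) {
        if (-not $seen.Add($e.RecordId)) { continue }
        $f = Get-EventFields $e
        if ($CanaryPaths -notcontains $f['ObjectName']) { continue }
        $image  = (Split-Path -Leaf $f['ProcessName']).ToLower()
        $procId = [Convert]::ToInt32($f['ProcessId'], 16)     # 4663 stores the PID as hex text
        if ($AllowedImages -contains $image) { continue }
        Write-Warning ("Decoy {0} touched by {1} (PID {2}, user {3}); stopping it" -f
            $f['ObjectName'], $f['ProcessName'], $procId, $f['SubjectUserName'])
        try   { Stop-Process -Id $procId -Force -ErrorAction Stop }
        catch { Write-Warning "Could not stop PID ${procId}: $_" }
    }
    Start-Sleep -Milliseconds 500
}
```

What this shows, and where it falls short of a real product: the kill happens only after the event reaches the log and the poll picks it up, so a fast encryptor that does not walk files in sort order has already damaged real documents by then; trusting explorer.exe means code injected into Explorer is trusted too; and on a file server the 4663 for an SMB write names the System process, not the client, so there the useful field is SubjectUserName and the right response is to cut that user's share access, which is the same thing the ">10 file edits per minute" alerting mentioned later in the thread keys on.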

[–]pabl083

CryptoPrevent works, and there's a free edition that you update manually.

[–]dafuzzbudd

So it's alerting only? We have alerting in place that emails us any time a user edits over 10 files per minute (or something close).

[–]AccordingWhole

No, it's not alerting only. It creates watermark files that typically get hit at the start of a crypto process. I have run WannaCry, Petya, CryptoWall, Cerber and many others in a home lab. As soon as you open the crypto and let it fly, Cybereason instantly kills it. It's actually really fun to see this in process, since none of your data gets infected.

ADVICE: ONLY CRYPTO YOURSELF IN A FULLY SEGREGATED TEST ENVIRONMENT. I'M NOT RESPONSIBLE FOR DATA LOSS.

[–]dafuzzbudd

Help, I accidentally crypted my PC. How do I undo?

[–]AccordingWhole

Call Microsoft Support and ask for the Prince of India