Ransomware Protection

October 20, 2016 | Views: 7573


I recently wrote a post in the forums regarding ransomware prevention. I'd like to highlight some good practices that can help you prevent ransomware from being executed against your servers or your clients' servers.

After attempting to develop our own in-house solutions to prevent the automatic encryption of files, we found the process cumbersome because the Microsoft Windows operating system and other software legitimately encrypt certain files themselves, so encryption activity alone is not a reliable signal.

Having investigated third-party vendors, we found that many AV companies openly admit they are unable to detect such attacks, because ransomware does not match traditional signature-based virus definitions.

New products that are behavior-based rather than signature-based are emerging every day, and they boast that they can detect new variants as they are released. However, with ransomware and RaaS (Ransomware-as-a-Service) being such a lucrative business, I personally suspect that the authors will find ways around any protection systems as they emerge.

Our solution, which we have found most effective, uses FSRM (File Server Resource Manager) to create file screens that report and block files being renamed to known ransomware file extensions.

Initially, I came across the following link by Tim Buntrock on Technet:

https://gallery.technet.microsoft.com/scriptcenter/Protect-your-File-Server-f3722fce

This provides the starting point for configuring an effective file blocking and email notification system, which prevents the files from being changed and also notifies both us and the user who executed the ransomware.

You can change the response from just blocking and reporting to shutting off shares immediately or rebooting the affected server, depending on your specific requirements.

The file extension list will need to be updated manually as new variants are released, but I have seen people writing scripts to automate this, so that is also worth keeping an eye out for.
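The following script is an added example of the FSRM approach described above; it is not Tim Buntrock's Technet script and not Cybrary's code. It installs the FSRM role service, creates or updates a file group from a pattern list, attaches an email action, an event log action and an optional containment action, and applies an active screen to each share path. The bracketed names such as `[Source Io Owner]` and `[Violated File Group]` are FSRM's own substitution variables; the share paths, SMTP settings, mail addresses and all pattern entries other than `*.SHIT` (mentioned in the comments on this post) are constructed placeholders to be replaced for your environment.

```powershell
# Added example: FSRM file screen against known ransomware extensions.
# Requires Windows Server 2012 R2 or later. Run elevated.
# All paths, addresses and patterns below are placeholders (constructed for this example).
$ErrorActionPreference = 'Stop'

$SharePaths = @('D:\Shares\Finance', 'D:\Shares\Public')   # placeholder share folders
$SmtpServer = 'smtp.example.internal'                       # placeholder
$AdminMail  = 'it-alerts@example.internal'                  # placeholder
$FromMail   = 'fsrm@example.internal'                       # placeholder
$GroupName  = 'Anti-Ransomware File Groups'

# FSRM patterns are wildcard file names: extensions ("*.ext") or ransom-note names.
# *.SHIT comes from the comments on this post; the rest are placeholders.
# Re-run this script (or just the Set-FsrmFileGroup step) whenever the list changes.
$Patterns = @(
    '*.SHIT',
    '*.example-ransom-ext',          # placeholder extension
    '_HOW_TO_DECRYPT_EXAMPLE.txt'    # placeholder ransom-note file name
)

# 1. Ensure the FSRM role service is installed (idempotent).
if (-not (Get-WindowsFeature FS-Resource-Manager).Installed) {
    Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools | Out-Null
}
Import-Module FileServerResourceManager

# 2. Mail settings shared by every Email action; [Admin Email] resolves to $AdminMail.
Set-FsrmSetting -SmtpServer $SmtpServer -AdminEmailAddress $AdminMail -FromEmailAddress $FromMail

# 3. Create the file group, or update its pattern list in place so existing screens
#    pick up new extensions without being recreated.
if (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns
} else {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns `
        -Description 'Known ransomware extensions and ransom-note names' | Out-Null
}

# 4. Notifications. FSRM fills in the bracketed variables when the screen fires.
#    RunLimitInterval (minutes) stops a mass-rename from sending thousands of mails.
$mail = New-FsrmAction -Type Email -MailTo '[Admin Email];[Source Io Owner Email]' `
    -Subject 'Ransomware pattern blocked on [Server]' `
    -Body 'User [Source Io Owner] tried to write [Source File Path], matching [Violated File Group] under [File Screen Path].' `
    -RunLimitInterval 1
$event = New-FsrmAction -Type Event -EventType Warning `
    -Body 'User [Source Io Owner] tried to write [Source File Path], matching [Violated File Group].'

# 5. One active screen per share. Active = the write is refused, not merely logged.
#    The Command action is the "shut off the share" option from the post in a narrower
#    form: it revokes only the offending account's access to that share. The share is
#    assumed to carry the same name as the leaf folder (assumption for this example).
foreach ($path in $SharePaths) {
    $shareName = Split-Path $path -Leaf
    $block = New-FsrmAction -Type Command `
        -Command "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
        -CommandParameters "-NonInteractive -NoProfile -Command `"Block-SmbShareAccess -Name '$shareName' -AccountName '[Source Io Owner]' -Force`"" `
        -SecurityLevel LocalSystem -RunLimitInterval 1

    if (Get-FsrmFileScreen -Path $path -ErrorAction SilentlyContinue) {
        Set-FsrmFileScreen -Path $path -IncludeGroup $GroupName -Active -Notification @($mail, $event, $block)
    } else {
        New-FsrmFileScreen -Path $path -IncludeGroup $GroupName -Active `
            -Notification @($mail, $event, $block) -Description 'Block known ransomware extensions and notify' | Out-Null
    }
}

# 6. Verify: every screen that references the group, and whether it is active.
Get-FsrmFileScreen | Where-Object { $_.IncludeGroup -contains $GroupName } | Select-Object Path, Active
```

Two things to keep in mind when using this: a file screen tests only the file name, so a family that keeps the original extension or uses a random one is not caught, and the screen protects only volumes local to the file server. The value of the setup is that the first blocked write produces an email naming the account and the source path within a minute, which is what turns this from a filter into an early warning. Test the whole chain by creating a file with one of the screened names on a share yourself and confirming the mail, the event log entry and the access block all arrive.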

At the end of the day the most important points are these:

Backup every day!

Monitor the backups daily – know if a backup hasn’t run and then take action!

Offsite Backups! – I have seen ransomware actively attack an onsite backup repository and destroy it!

Do not depend on Volume Shadow Copies, as they generally become worthless in the event of an attack; many ransomware families delete them before encrypting.
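The backup points above are the kind of thing that only gets done if it is automated. Below is an added example (not from the original post) of a daily check that a Windows Server Backup job succeeded recently and that the offsite copy is also fresh, writing the result to the Application event log and mailing on failure. It assumes the WindowsServerBackup module is present; the repository path, addresses and age threshold are constructed placeholders.

```powershell
# Added example: daily backup health check for a Windows file server.
# Assumes Windows Server Backup for the local job and a UNC path for the offsite copy.
# Paths, addresses and thresholds are placeholders (constructed for this example).
$MaxAgeHours = 26                                                   # one daily run plus slack
$OffsiteRepo = '\\offsite-nas.example.internal\backups\FILESRV01'   # placeholder
$AlertTo     = 'it-alerts@example.internal'                         # placeholder
$AlertFrom   = 'backup-check@example.internal'                      # placeholder
$SmtpServer  = 'smtp.example.internal'                              # placeholder

$problems = @()

# 1. Local job: the last run must have succeeded, and a success must be recent.
Import-Module WindowsServerBackup
$summary = Get-WBSummary
if ($summary.LastBackupResultHR -ne 0) {
    $problems += ('Last backup failed, HRESULT 0x{0:X8}: {1}' -f $summary.LastBackupResultHR, $summary.DetailedMessage)
}
if (-not $summary.LastSuccessfulBackupTime) {
    $problems += 'No successful backup has ever been recorded on this server'
} elseif (((Get-Date) - $summary.LastSuccessfulBackupTime).TotalHours -gt $MaxAgeHours) {
    $problems += ('Last successful backup is {0:N0} hours old (limit {1})' -f
        ((Get-Date) - $summary.LastSuccessfulBackupTime).TotalHours, $MaxAgeHours)
}

# 2. Offsite copy: the newest file there must be fresh too. An unreachable or empty
#    repository is what a destroyed onsite copy looks like from the other side.
$newest = Get-ChildItem -Path $OffsiteRepo -Recurse -File -ErrorAction SilentlyContinue |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $newest) {
    $problems += "Offsite repository $OffsiteRepo is unreachable or empty"
} elseif (((Get-Date) - $newest.LastWriteTime).TotalHours -gt $MaxAgeHours) {
    $problems += "Newest offsite file $($newest.FullName) dates from $($newest.LastWriteTime)"
}

# 3. Record the outcome where monitoring can see it; mail only on failure.
New-EventLog -LogName Application -Source 'BackupCheck' -ErrorAction SilentlyContinue
if ($problems) {
    $body = $problems -join "`r`n"
    Write-EventLog -LogName Application -Source 'BackupCheck' -EntryType Error -EventId 1001 -Message $body
    Send-MailMessage -To $AlertTo -From $AlertFrom -SmtpServer $SmtpServer `
        -Subject "Backup check FAILED on $env:COMPUTERNAME" -Body $body
} else {
    Write-EventLog -LogName Application -Source 'BackupCheck' -EntryType Information -EventId 1000 `
        -Message "Backup check passed; last successful backup $($summary.LastSuccessfulBackupTime)"
}
```

Schedule this as a daily task under an account that can read the offsite share; the event IDs 1000 and 1001 are arbitrary choices for this example and can be picked up by whatever monitoring already watches the Application log. Because the offsite check compares file timestamps rather than trusting the job status, it still fires when the job reports success but the copy to the remote target silently stopped.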

All due respect and many thanks to Tim Buntrock.

10 Comments
  1. mysticman2k – nice article! Good job.

  2. And what about this Odin ransomware?
    http://bravoteam.it/guide/odin

  3. @marusanchez777 – Thanks for the update and link 🙂

  4. If they are using these lists, add the extension .SHIT as malicious

    You can see the news in:
    https://www.tripwire.com/state-of-security/latest-security-news/shit-file-virus-ransomware/

  5. Well Done. Learnt a lot.
