ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Ransomware

    IT Discussion
    ransonware cryptolocker
    7
    36
    6.7k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      Alex Sage @scottalanmiller
      last edited by

      @scottalanmiller said:

      Same with backups, but you mentioned them.

      Isn't versioning a type of backup? 😉

      S 1 Reply Last reply Reply Quote 0
      • A
        Alex Sage
        last edited by

        Edited the question to help other understand what I am asking 🙂

        1 Reply Last reply Reply Quote 0
        • T
          travisdh1
          last edited by

          Either whitelisting software and/or blocking things from running in certain folders. I forget what all I block without pulling up the script.

          1 Reply Last reply Reply Quote 0
          • S
            scottalanmiller @Alex Sage
            last edited by

            @aaronstuder said:

            @scottalanmiller said:

            Same with backups, but you mentioned them.

            Isn't versioning a type of backup? 😉

            Not exactly. Sort of. If you do versioning on your backup server then yes. If you do it on the storage itself, then I would not call it that.

            J 1 Reply Last reply Reply Quote 0
            • J
              Jason Banned
              last edited by

              https://www.carbonblack.com/ they are good for executable whitlisting. Though a developer there once had his computer compromised by not having the software installed, and got malware pushed out with the product because he didn't tell anyone. But let's not talk about that haha.

              A 1 Reply Last reply Reply Quote 1
              • J
                Jason Banned @scottalanmiller
                last edited by Jason

                @scottalanmiller said:

                If you do it on the storage itself, then I would not call it that.

                If it's windows it will be pointless. Most any product will leverage system ransomware can attack. (Volume shaddow copies) etc.

                S 1 Reply Last reply Reply Quote 0
                • S
                  scottalanmiller @Jason
                  last edited by

                  @Jason said:

                  If it's windows it will be pointless. Most any product will leverage system ransomware can attack. (Volume shaddow copies) etc.

                  Mostly true. Although there is a bit of ransomware that only goes after the users and if it doesn't breach to the admin user the VSS is intact.

                  1 Reply Last reply Reply Quote 1
                  • B
                    brianlittlejohn
                    last edited by

                    You can also disable VSSAdmin.exe . It is used by alot of ransomware to delete the shadow copies.

                    1 Reply Last reply Reply Quote 2
                    • A
                      Alex Sage @Jason
                      last edited by

                      @Jason said:

                      https://www.carbonblack.com/ they are good for executable whitlisting. Though a developer there once had his computer compromised by not having the software installed, and got malware pushed out with the product because he didn't tell anyone. But let's not talk about that haha.

                      What's something like this cost? Looks to be expensive. No pricing on the website is a bad sign 😉

                      J 1 Reply Last reply Reply Quote 0
                      • J
                        Jason Banned @Alex Sage
                        last edited by

                        @aaronstuder said:

                        @Jason said:

                        https://www.carbonblack.com/ they are good for executable whitlisting. Though a developer there once had his computer compromised by not having the software installed, and got malware pushed out with the product because he didn't tell anyone. But let's not talk about that haha.

                        What's something like this cost? Looks to be expensive. No pricing on the website is a bad sign 😉

                        It's not crazy expensive. Configuring it takes a while. It's not AV. It is a Whitlist only/Default Deny package.

                        A D 2 Replies Last reply Reply Quote 2
                        • A
                          Alex Sage @Jason
                          last edited by

                          @Jason Thanks!

                          1 Reply Last reply Reply Quote 0
                          • D
                            Dashrender @Jason
                            last edited by

                            @Jason said:

                            @aaronstuder said:

                            @Jason said:

                            https://www.carbonblack.com/ they are good for executable whitlisting. Though a developer there once had his computer compromised by not having the software installed, and got malware pushed out with the product because he didn't tell anyone. But let's not talk about that haha.

                            What's something like this cost? Looks to be expensive. No pricing on the website is a bad sign 😉

                            It's not crazy expensive. Configuring it takes a while. It's not AV. It is a Whitlist only/Default Deny package.

                            I definitely love the idea of white listing software. How does it handle things like infected Word documents? I think it would have killed Lockie because Lockie downloaded a thirdparty software package and then executed it, so that would be prevented.

                            Next the virus writers will start creating a Turing Complete setup inside the foothold they get, allowing them access to anything they want. - though maybe I'm completely off base on this.

                            J 1 Reply Last reply Reply Quote 0
                            • J
                              Jason Banned @Dashrender
                              last edited by

                              @Dashrender said:

                              I definitely love the idea of white listing software. How does it handle things like infected Word documents? I think it would have killed Lockie because Lockie downloaded a thirdparty software package and then executed it, so that would be prevented.

                              It's not AV. Your AV should be the primary defense on that one. You could block Word.exe, the word/office HASH (so even if word.exe or whatever was me.exe it would still be blocked) or you can block the all .doc/docx files or the hash for one of these.
                              Your AV should really be handling the signatures. You can easily block powershell hash for users though and prevent a lot of those since they tie into powershell or CMD a lot of times.

                              Or you can get more specific with it and say, that if X application (or hash) launches from word (or HASH) to not allow.

                              Here's some info on that:

                              https://www.carbonblack.com/2016/03/25/threat-alert-powerware-new-ransomware-written-in-powershell-targets-organizations-via-microsoft-word/

                              1 Reply Last reply Reply Quote 0
                              • D
                                Dashrender
                                last edited by Dashrender

                                In my previous post, I basically walked through my whole thought process from problem to solution, which I outline again below.


                                being specific is only good after you know about the badness.

                                Whitelisting is good because you only trust things you know are good.

                                Back to lockie - sure, you'd love your AV to kill this - but zero day exploits just slip right by AV. Why would I look at blocking Word.exe? or block all .doc/.docx files? my users need these for their day to day operations.

                                As I mentioned, I think the white list would still completely solve this because, when you open the bad Word document, it goes to the internet, downloads a file, and tries to execute that file.... but execution is prevented by the whitelist.

                                In a zeroday situation, the AV is definitely not going to protect you.

                                J 1 Reply Last reply Reply Quote 0
                                • J
                                  Jason Banned @Dashrender
                                  last edited by Jason

                                  @Dashrender said:

                                  As I mentioned, I think the white list would still completely solve this because, when you open the bad Word document, it goes to the internet, downloads a file, and tries to execute that file.... but execution is prevented by the whitelist.

                                  No it doesn't If they wrote it all in VBScript as a Macro without using external things you can not block it with this solution without blocking office or word.

                                  D 1 Reply Last reply Reply Quote 0
                                  • D
                                    Dashrender @Jason
                                    last edited by

                                    @Jason said:

                                    @Dashrender said:

                                    As I mentioned, I think the white list would still completely solve this because, when you open the bad Word document, it goes to the internet, downloads a file, and tries to execute that file.... but execution is prevented by the whitelist.

                                    No it doesn't If they wrote it all in VBScript as a Macro without using external things you can not block it with this solution without blocking office or word.

                                    Can an entire cryptoware solution be done purely in VBScript? If so, then disabling Macros seems like a requirement as a next step.

                                    J 1 Reply Last reply Reply Quote 0
                                    • J
                                      Jason Banned @Dashrender
                                      last edited by

                                      @Dashrender said:

                                      Can an entire cryptoware solution be done purely in VBScript? If so, then disabling Macros seems like a requirement as a next step.

                                      Good luck with that. Many people write their own macro's in excel to help with their jobs.

                                      1 Reply Last reply Reply Quote 1
                                      • J
                                        Jason Banned
                                        last edited by

                                        How are those Doc Files getting in anyway? does your solution not include a cloud spam/email filter to pull out things like that?

                                        D 1 Reply Last reply Reply Quote 0
                                        • D
                                          Dashrender @Jason
                                          last edited by

                                          @Jason said:

                                          How are those Doc Files getting in anyway? does your solution not include a cloud spam/email filter to pull out things like that?

                                          Pull out things like what? Zeroday exploits?

                                          J 1 Reply Last reply Reply Quote 0
                                          • J
                                            Jason Banned @Dashrender
                                            last edited by

                                            @Dashrender said:

                                            @Jason said:

                                            How are those Doc Files getting in anyway? does your solution not include a cloud spam/email filter to pull out things like that?

                                            Pull out things like what? Zeroday exploits?

                                            Files that have macro's in them. No reason those would be emailed from the outside.

                                            D 1 Reply Last reply Reply Quote 1
                                            • 1
                                            • 2
                                            • 1 / 2
                                            • First post
                                              Last post