@scottalanmiller said in Technologies Begging to be Ransomwared:

@dashrender said in Technologies Begging to be Ransomwared:

FYI - my experience in all of this is through the use of shares - so if shares aren't enabled.. then I'm guessing you're probably correct due to configuration.

Shares aren't on by default. But even when they are, nothing is shared out that a local non-admin user could access.

Yeah, and this is ultimately what saves you - OK now we're on the same page.

Thanks

@pete-s said in Kaseya customers ransomware attack:

@obsolesce said in Kaseya customers ransomware attack:

Ransomware is a legacy tech concern, not a modern one.

What do you mean by modern? Are you talking about running kubernetes in the cloud or something else that would not be subject to ransomware?

I'm not talking about any specific product, e.g. K8s... Even with that, you could still implement poor data storage using legacy practices and technologies.

Think about it.

What important company data is being ransomware'd.... where is this data? How is the data presented? How did ransomware effect it? What technologies were used to provide and/or host the data?

Sangoma has relased an updated (and likely final) statement.

https://www.sangoma.com/press-releases/sangoma-technologies-provides-update-on-ransomware-attack-expects-no-material-impact-on-sales/

The second paragraph has the relevant information from an IT point of view.

00a7b475-033f-4db6-8311-b115d6bb0a47-image.png

@scottalanmiller

Whole article is great but the last 2 lines are 👍 👍

Shame that NextCloud + OnlyOffice is not really there, I tried it when I was working with MSFF... definitely interesting but needs some time.

@marcinozga said in Evaluating Defender ATP:

@Dashrender said in Evaluating Defender ATP:

@marcinozga said in Evaluating Defender ATP:

@Dashrender said in Evaluating Defender ATP:

@Obsolesce said in Evaluating Defender ATP:

@marcinozga said in Evaluating Defender ATP:

@Dashrender said in Evaluating Defender ATP:

@marcinozga said in Evaluating Defender ATP:

@Ambarishrh said in Evaluating Defender ATP:

@marcinozga said in Evaluating Defender ATP:

I was about to evaluate it to, I had a webex session with Microsoft sales, and while it looks nice, it doesn't really offer anything special over other solutions. And it's expensive, really expensive. Perthaps sales mislead me but we either had to subscribe to O365 E5 or M365, or get Windows 10 Enterprise licenses. It worked out to being 15-18 times more expensive than 3rd party antivirus solution.

Not sure how did they gave you that info! An average pricing structure as below

7455634e-b366-4cb5-af6e-859115ac1fcd-image.png

And security products straight from O365 admin portal subscriptions page:
560b3413-64e4-4a77-9b6c-27030798a842-image.png

These are prices IF you already have one of their subscriptions. If you don't need them or have something else, you're paying $15-$20 per month per endpoint. That's how much it costs per year if you go with other av vendor.

But as mentioned - $15-20 per year is only for typical AV, not an ATP product.

And the difference between the two is.....? ATP is really just a marketing phrase at this point. Here are some features from "traditional" av:

malware protection, both behavioral and definition based ransomware protection phishing protection ids/ips device control exploit blocker botnet protection web filtering memory analysis central management, either cloud or local

And a full forensics audit trail?

I'm really curious which ones have this stuff for 15-18 times less the cost of Defender ATP?

I'm having a hard time finding what the real price here is?

I know that Intune is like $4/user/month. aka $48/user/year. this makes it 2-3 times more expensive than typical AV packages - of course, it gives you a lot more features at that price point.

The above posts have a dozen different security things listed.

As @marcinozga says, typical AV with many of the above mentioned features (but not all - and full forensics trails - forget about it) for like $15-20/user/year

ATP is not available if you have just Intune, you need O365 or M365 Enterprise subscriptions, or Windows 10 Enterprise.
O365 E3 is $20/mo plus ATP add-on, I think it's $2/mo. I don't know how much is Win 10 Ent, so I'm guessing O365 E3 is the cheapest route, at $22/mo, that's $264 a year. Depending on number of endpoints you can get AV for $15/year, perhaps even less.

That's an unfair assessment. If you already have O365 E3, then it's only $24/year/user

Also - is O365 E3 the requirement, or can you add ATP onto E1?

Is windows 10 Enterprise a requirement of ATP? Things I was reading last night never mentioned that.

It is fair. What if you don't have O365 because you don't need it or use something else? Other AV don't force you to buy any extra services, you can get AV on a plain vanilla Windows machine.

From the document I got from Microsoft, E3 is minimum. It's O365 E3 or Windows 10 Ent.

If you're not in the O/M365 ecosystem already - then you likely wouldn't even consider this plan, you would likely look at another option... so yeah, it's not a fair comparison.

Now, you could decide, since you are looking at this solution, that you might want to change your other solutions at the same time since MS has these bundled together... but you don't just line item this entire cost all on the ATP project, you split it out.

@Danp said in Windows 10 Defender Won't Start After Malware or Ransomware:

@RojoLoco Click the link and read for yourself. Also this -- https://www.cybereason.com/hubfs/ransomfree-EOL-message.pdf

Well damn...

@stacksofplates said in Researchers use Intel SGX to put malware beyond the reach of antivirus software:

Did you see what Intel said regarding this:

Intel is aware of this research which is based upon assumptions that are outside the threat model for Intel SGX. The value of Intel SGX is to execute code in a protected enclave; however, Intel SGX does not guarantee that the code executed in the enclave is from a trusted source. In all cases, we recommend utilizing programs, files, apps, and plugins from trusted sources. Protecting customers continues to be a critical priority for us and we would like to thank Michael Schwarz, Samuel Weiser, and Daniel Grus for their ongoing research and for working with Intel on coordinated vulnerability disclosure.

Outside of the threat model?.........

Haha, whatever that means.

@PhlipElder said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

@Pete-S said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

@PhlipElder said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

@Dashrender said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

@dafyre said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

@PhlipElder said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

All it takes is one absentminded click or drive-by that's completely shielded from us as we go about the day to day stuff and it's done. Game over. Say, "Bubbye".

There's always going to be that risk or one absentminded click.

Granted an Air-gapped PWA is a good way to handle it.... but so is not saving passwords in RDP files (I don't do this), and if you use an app like MobaXterm that can encrypt the files for you, use a good pass phrase.

However if your admin machine is owned, you have bigger issues to start with.

Well, the idea is that the air-gapped machine won't ever be in a situation to become compromised, is my guess. I haven't had a chance to look at the MS link Philip sent earlier.

There are several ways to implement with the simplest being the main machine having two VMs installed on it. One for day-to-day and one for client/systems management. Nothing is done on the machine itself with all designated tasks being done in their respective VM.

We have a number of laptops that came back from client refreshes. So, we're using them as our dedicated management machines. Asus makes a great external USB3 DisplayLink and DisplayPort external monitor that allows for two screens. That makes the work easier.

There is security leakage between VMs on a client machine for instance over clipboard.

Have a look at Qubes. https://www.qubes-os.org/

It's probably the best implementation of security separation to date.

Using the Hyper-V VM Console without RDS pass-through eliminates any access to the VM beyond console.

Same with KVM or whatever.

Ransomware is not fun.

NotPetya damages were in the 10 billion range. One enterprise I work for at times was down for weeks. Having backup is not enough - you need to be able to access your backup too. When everything is down you don't have any computers to access anything with. Sure you can reinstall but where are your image files? When you do have computers you have no DHCP, no DNS, no AD etc. You have no internet access, no email, no phones. Yeah, backup is not enough. You need an elaborate emergency plan.

It's a great idea.

Amazing they haven't had it up until now.

Makes using OneDrive or ODfB so much easier if you can sync locally.

@dbeato said in City of Atlanta Shuts Down Due to Ransomware:

I don't even understand why Cisco needed to be involved let alone Microsoft... I guess they don't have an IT Team.

Yeah, pretty weird. No wonder these companies get compromised, they don't have any relevant staff. It's like getting robbed and realizing you have no facilities people locking the front door!

Do you have some sort of intrusion detection service running right now? (Wazuh, OSSIM, or one of the paid for solutions?) If you do, between that and the ClamAV, you should be as well protected as you could possibly by.

Edit: I should specify to never skimp on user training! KnowB4 is a great tool.

@stus said in [Heads-up] New Ransomware Strain Encrypts Cloud Email Real-time VIDEO:

@tim_g We do ! Now 15,000 customers. 🙂

I meant "your" figuratively 🙂

@dbeato said in Ransomware Detection Service- Anyone tried this?:

@dashrender said in Ransomware Detection Service- Anyone tried this?:

@scottalanmiller said in Ransomware Detection Service- Anyone tried this?:

@tim_g said in Ransomware Detection Service- Anyone tried this?:

Haven't looked at that.

The best way to prevent ransomware is to keep your systems up to date.

Next is to have decent AV and use good file permissions practices.

Above that is LANless design. Ransonware primarily preys on LAN-based Windows network design for its ability to spread.

Actually, typical ransomware doesn't spread. It simply encrypts everything it can write too. Most of them are not worms.

Just wannacry 🙂

lol, of course, making it one of, if not, the worst ones.

@stuartjordan said in NextCloud Introduces a Ransomware Protection App:

That is Great to hear, they are constantly developing on the project.

They really are. It's very busy.

Here is a batch file for anyone who wants to do this "lazily"

@echo off REM Vaccince for NotPetya/Petya/Petna/SortaPetya. echo Administrative permissions required. Detecting permissions... echo. net session >nul 2>&1 if %errorLevel% == 0 ( if exist C:\Windows\perfc ( echo Computer already vaccinated for NotPetya/Petya/Petna/SortaPetya. echo. ) else ( echo This is a NotPetya/Petya/Petna/SortaPetya Vaccination file. Do not remove as it protects you from being encrypted by Petya. > C:\Windows\perfc echo This is a NotPetya/Petya/Petna/SortaPetya Vaccination file. Do not remove as it protects you from being encrypted by Petya. > C:\Windows\perfc.dll echo This is a NotPetya/Petya/Petna/SortaPetya Vaccination file. Do not remove as it protects you from being encrypted by Petya. > C:\Windows\perfc.dat attrib +R C:\Windows\perfc attrib +R C:\Windows\perfc.dll attrib +R C:\Windows\perfc.dat echo Computer vaccinated for current version of NotPetya/Petya/Petna/SortaPetya. echo. ) ) else ( echo Failure: You must run this batch file as Administrator. ) pause

@stus Thanks. Was just reading about it here.

Never used this but take a look...

http://www.smikar.com/

I mean I know it all sucks and it would be awesome if all the right people got all the right info and took all the right actions. but they don't and won't. So we need to push everyone that we can to do what they can. It's just what we have to work with.