Defending Against Ransomware

  • Steve Jones - SSC Editor

    SSC Guru

    Points: 720094

    Comments posted to this topic are about the item Defending Against Ransomware

  • Doctor Who 2

    SSCertifiable

    Points: 7870

    Until I read about infrastructure as code in your article today, I'd never heard of it. I have no idea if we use it or not. I'll ask people in operations if we do.

    Thank you!

    Rod

  • roger.plowman

    SSChampion

    Points: 10243

    Until GitHub gets compromised. Don't laugh, it can (and probably will) happen.

    The only solution that's truly effective is offline archiving, but of course the problem with archiving is the enormous space requirement and the time between versions.

    Don't get me wrong, VCS is better than nothing, but what happens when your VCS falls victim? Then you are well and truly screwed.

    The only real solution would be execution of the individuals who create ransomware. Make the crime too risky and the scum will move on to something else.

    After all, it's getting to the point if you compromise the wrong software somebody could *die* and that changes the stakes.

  • Steve Jones - SSC Editor

    SSC Guru

    Points: 720094

    With Git you still can have local copies of the code. It's unlikely your org and GitHub get compromised at the same time. You can still have offline or other remotes if you're truly paranoid.

  • TUellner

    SSCrazy

    Points: 2582

    I wrote a PowerShell script that uses dbatools to script all the settings of our SQL Servers and stores it along with our backups which get copied off site. It gives me everything I need to rebuild our SQL Servers.

  • Steve Jones - SSC Editor

    SSC Guru

    Points: 720094

    Good idea, hopefully you've saved it off network and update it periodically.

  • TUellner

    SSCrazy

    Points: 2582

    The script runs every day at 4:00am and saves the previous days configuration as well. The output of the script is saved in the same file share as our full backups which get copied nightly off site.
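An added example, not TUellner's script, of the nightly export he describes in his two posts above: dbatools scripts each instance into a dated folder on the backup share, keeps the previous day's copy, and writes a hash manifest so a restore can tell whether the export itself was tampered with. It assumes the dbatools module is installed and that the scheduled account can read the instances; the instance names and share path are placeholders.

```powershell
# Added example (not the poster's own script): nightly SQL Server configuration export with dbatools.
# Assumes dbatools is installed and the scheduled account can read the instances.
$Instances  = @('SQLPROD01', 'SQLPROD02')    # placeholder instance names
$ExportRoot = '\\backupshare\sqlconfig'      # placeholder; same share the full backups use
$KeepDays   = 2                              # today plus the previous day, as in the thread

Import-Module dbatools -ErrorAction Stop

$today  = Get-Date -Format 'yyyy-MM-dd'
$target = Join-Path $ExportRoot $today
New-Item -ItemType Directory -Path $target -Force | Out-Null

foreach ($instance in $Instances) {
    $dest = Join-Path $target $instance
    try {
        # Export-DbaInstance writes one .sql script per object class
        # (sp_configure, logins, jobs, linked servers, database mail, ...).
        Export-DbaInstance -SqlInstance $instance -Path $dest -ErrorAction Stop | Out-Null
        Write-Output "Exported $instance to $dest"
    }
    catch {
        # A failed export must be visible, not silently missing at restore time.
        Write-Warning "Export failed for ${instance}: $($_.Exception.Message)"
    }
}

# Prune dated folders older than the retention window so the share does not grow without bound.
$cutoff = (Get-Date).AddDays(-$KeepDays)
Get-ChildItem -Path $ExportRoot -Directory |
    Where-Object {
        $_.Name -match '^\d{4}-\d{2}-\d{2}$' -and
        [datetime]::ParseExact($_.Name, 'yyyy-MM-dd', $null) -lt $cutoff
    } |
    Remove-Item -Recurse -Force

# Record SHA-256 hashes of everything exported today; compare against this manifest
# before trusting the scripts during a rebuild after a ransomware incident.
Get-ChildItem -Path $target -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $target 'manifest.csv') -NoTypeInformation
```

Schedule it with Task Scheduler at the same time as the nightly backup job so the export rides along with the off-site copy.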

  • Steve Jones - SSC Editor

    SSC Guru

    Points: 720094

    That's a good plan and what I'd want. Thanks for sharing. If you want to write an article (for your CV/resume) on the script and process, we'd love to see it. You can use the Write for Us in the upper left for a draft.

  • TUellner

    SSCrazy

    Points: 2582

    Thanks Steve. I've never written an article before so it would be an interesting exercise. It would also feel good to contribute something back to a community I've gotten so much great information from. I'll check out the process.

  • Eric M Russell

    SSC Guru

    Points: 125089

It seems that modern malware detection / prevention should be more AI. It's highly unusual for an executable to traverse through \My Documents and network folders encrypting files, and that activity could easily be recognized by a client firewall as suspect. Back in the early '90s, when most of us were still primarily using MS-DOS, there were memory resident solutions that would pop up a warning dialog whenever an .exe or document file was about to be written to by a program that hadn't been whitelisted. That level of simple detection appears missing 30 years later. Why are the most popular anti-virus / firewall solutions today overlooking ransomware?

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Steve Jones - SSC Editor

    SSC Guru

    Points: 720094

    I have no idea how some of this stuff works. Most people run anti-virus, but I think some of these programs work differently. I don't know how they transit a firewall, likely in similar ways to other things as a download coming from what appears to be legitimate. Either email or stream.

    Once it's encrypting files on a system, or even inside a network, likely no firewall is involved.

  • Eric M Russell

    SSC Guru

    Points: 125089

What I'm talking about is a firewall on the PC that profiles executables for suspicious behaviour and then warns via a dialog - allowing the user to whitelist or block the process. If an unknown executable should start encrypting (or writing to in any way) every document file, then that would definitely make me suspicious, so a firewall with even basic AI capability should be smart enough to think the same way.

It's been a decade since I've used ZoneAlarm on my personal PCs, so I don't know what all features it has today, but when I used it a decade ago on my personal PCs, it would do things like whitelist applications, and warn the user when an application attempts to access the internet, photos, or document files, etc. Looking at their website, it does appear to have this feature called OSFirewall.

    ".. The ZoneAlarm Application Control module also uses OSFirewall to detect any malicious activity against your computer's operating system. When ZoneAlarm cannot validate a program, or discovers a program that tries a suspicious action, it generates an alert .."

    https://www.zonealarm.com/learning-center/application-control/


    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • TUellner

    SSCrazy

    Points: 2582

    Eric M Russell wrote:

What I'm talking about is a firewall on the PC that profiles executables for suspicious behaviour and then warns via a dialog - allowing the user to whitelist or block the process. If an unknown executable should start encrypting (or writing to in any way) every document file, then that would definitely make me suspicious, so a firewall with even basic AI capability should be smart enough to think the same way.

    Bit Defender does something like this. I have Pro Tools (audio recording software) installed on my home PC. There are some vendors that sell plug-ins for PT that modify the actual file installed on your PC with licensing information. The first time I installed a plug-in, Bit Defender immediately popped up and blocked it saying it detected possible ransomware. It saw the act of embedding the licensing information as an attack. Once I whitelisted the vendor application it was fine but I'm glad that it picked up on that.

  • Steve Jones - SSC Editor

    SSC Guru

    Points: 720094

    A firewall is about access from endpoints, which may or may not help here. Inside->traffic often isn't limited, which is a hassle.

    There are protections built in, but many don't use them. Win10 has ransomware protection and some controls, but it's off by default. I checked when I wrote this and found it there. Turned it on, just in case.

I think the variety of some apps has led to less secure defaults, often with orgs or people choosing their version of Norton/Symantec/etc., but not renewing or upgrading.

(Screenshot: Windows Security ransomware protection settings, 2020-05-14)
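The "ransomware protection" Steve found in Windows 10 is Controlled Folder Access in Microsoft Defender Antivirus. As an added example (not from the original post), this script shows how to check its state, switch it on in audit mode first and then enforce it, and read back what it has blocked or audited; it assumes an elevated PowerShell session on a machine running Microsoft Defender Antivirus, and the folder and application paths are placeholders.

```powershell
# Added example: enable and verify Windows 10 ransomware protection (Controlled Folder Access).
# Assumes an elevated session with the Defender cmdlets available; paths below are placeholders.

function Get-CfaState {
    # 0 = Disabled, 1 = Enabled (block), 2 = AuditMode
    (Get-MpPreference).EnableControlledFolderAccess
}

Write-Output "Controlled Folder Access before: $(Get-CfaState)"

# Step 1: audit mode records what would be blocked without breaking anything yet.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Step 2: add locations beyond the default user library folders, e.g. a local backup staging
# folder (placeholder path), so a backup landing zone is also covered.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\SQLBackupStaging'

# Step 3: explicitly allow a known-good application that must write there (placeholder path).
# Allowing a specific binary is safer than turning protection off for the whole folder.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Path\To\TrustedApp.exe'

# Step 4: once the audit events are clean, enforce blocking.
Set-MpPreference -EnableControlledFolderAccess Enabled

Write-Output "Controlled Folder Access after: $(Get-CfaState)"

function Get-CfaEvents {
    # Defender logs blocked (1123) and audited (1124) Controlled Folder Access events
    # in the Microsoft-Windows-Windows Defender/Operational channel.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1123, 1124
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Review what has been blocked or audited; an unexpected process writing to document
# folders here is the behaviour Eric describes earlier in the thread.
Get-CfaEvents | Format-Table -AutoSize -Wrap
```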

  • roger.plowman

    SSChampion

    Points: 10243

    Steve Jones - SSC Editor wrote:

    A firewall is about access from endpoints, which may or may not help here. Inside->traffic often isn't limited, which is a hassle.

    There are protections built in, but many don't use them. Win10 has ransomware protection and some controls, but it's off by default. I checked when I wrote this and found it there. Turned it on, just in case.

I think the variety of some apps has led to less secure defaults, often with orgs or people choosing their version of Norton/Symantec/etc., but not renewing or upgrading.

(Screenshot: Windows Security ransomware protection settings, 2020-05-14)

Actually, Windows does have a built-in firewall on user computers, but Defender is the way to go in version 2004; it isn't user-facing in 1909 and earlier.
