Geekzone: technology news, blogs, forums


bjorn

192 posts

Master Geek


#193743 22-Mar-2016 18:57

I'm interested in how everyone else has been protecting their networks from the CryptoLocker malware/virus. 

 

In the last few months we've been hit 3 times taking out different departments and encrypting the files the user has access to.

 

We have an extensive backup system so we've been able to restore any encrypted files, however the clean up time is extensive and disruptive. 

 

Each time the user has been searching something in Google, clicked on a search result and been infected.

 

We have endpoint virus scanning as well as web scanning through our proxy, and of course all our email is scanned; however, because the signatures of the viruses/malware change so fast, the scanners are not detecting the threat and we're getting infected.

 

Any suggestions? I'm thinking some sort of Advanced Threat Protection?

 

 


freitasm
BDFL - Memuneh
76809 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #1517895 22-Mar-2016 19:03

What endpoint protection are you using?





achieveit
21 posts

Geek


  #1517906 22-Mar-2016 19:06

Denying .zip/.exe via Email (Office 365/Exchange etc.)
Antispam rules - reputation based and blacklisting
GPO to prevent APPDATA locations being written to, as well as Software Restrictions
Web Filtering to prevent access to untrusted sites
Ensuring Backup systems are in place and updated, also checking to ensure you can actually recover from them

 

And last but not least - educating users! ~probably the most important!
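
The "GPO to prevent APPDATA locations being written to / Software Restrictions" item above is usually implemented as Software Restriction Policy (SRP) path rules. The script below is an added example for this thread, not something achieveit posted and not CryptoPrevent's code: it writes Disallowed path rules for the user-writable profile paths to the same local-policy registry keys Group Policy populates, then probes whether they bite. The path patterns, the SaferFlags value and the registry layout are assumptions based on the documented SRP registry format; test on a lab machine first, because per-user installs that live in %LocalAppData% (some browsers, updaters, Click-to-Run tools) will be blocked too and need a per-machine install or an explicit Unrestricted rule.

```powershell
# Added example (not from the thread or from CryptoPrevent): SRP path rules that block
# executables launched from user-writable profile paths. Run elevated on a test box first.

$saferKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowedKey = Join-Path $saferKey '0\Paths'      # security level 0 = Disallowed

# Policy-wide settings. DefaultLevel 262144 = Unrestricted (everything runs unless a rule
# says otherwise); TransparentEnabled 1 = enforce on executables but not DLLs, which keeps
# breakage low; PolicyScope 0 = apply to administrators as well as standard users.
New-Item -Path $saferKey -Force | Out-Null
Set-ItemProperty -Path $saferKey -Name DefaultLevel       -Value 262144 -Type DWord
Set-ItemProperty -Path $saferKey -Name TransparentEnabled -Value 1      -Type DWord
Set-ItemProperty -Path $saferKey -Name PolicyScope        -Value 0      -Type DWord

function Add-SrpDisallowedPath {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Description = 'Block executables in user-writable path'
    )
    # Each rule is a GUID-named subkey; ItemData holds the environment-expanded path
    # pattern and SaferFlags 0 is the only documented value (assumed layout, see lead-in).
    $ruleKey = Join-Path $disallowedKey ([guid]::NewGuid().ToString('B'))
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name ItemData     -Value $Path        -PropertyType ExpandString | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0            -PropertyType DWord        | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description  -Value $Description -PropertyType String       | Out-Null
    New-ItemProperty -Path $ruleKey -Name LastModified -Value (([datetime]::UtcNow).ToFileTimeUtc()) -PropertyType QWord | Out-Null
}

# Direct and one-level-deep .exe/.scr under the roaming and local profile, plus the
# folders archive tools extract into when a user double-clicks a zipped attachment.
# Path wildcards in SRP match one directory level, hence the paired patterns.
$patterns = foreach ($ext in 'exe', 'scr') {
    "%AppData%\*.$ext"
    "%AppData%\*\*.$ext"
    "%LocalAppData%\*.$ext"
    "%LocalAppData%\*\*.$ext"
    "%Temp%\Rar*\*.$ext"
    "%Temp%\7z*\*.$ext"
    "%Temp%\wz*\*.$ext"
    "%Temp%\*.zip\*.$ext"
}
foreach ($p in $patterns) { Add-SrpDisallowedPath -Path $p }

# Read the rules back, then probe: copy a known-good binary into %AppData% and try to
# start it. SRP is evaluated at process creation; if the probe still runs, log off and on
# (or reboot) before concluding the rules are wrong.
Get-ChildItem -Path $disallowedKey | ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData }

$probe = Join-Path $env:AppData 'srp-probe.exe'
Copy-Item -Path "$env:WINDIR\System32\calc.exe" -Destination $probe -Force
try {
    $proc = Start-Process -FilePath $probe -PassThru -ErrorAction Stop
    $proc | Stop-Process -Force -ErrorAction SilentlyContinue
    Write-Warning 'Probe ran: SRP rules are not in effect yet (log off/on and retry).'
} catch {
    Write-Host "Probe blocked as expected: $($_.Exception.Message)"
}
Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
```

Deploying the same settings through a GPO (Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies) produces identical registry values on the clients, so the probe at the end is a useful post-gpupdate check on a pilot machine.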


freitasm
BDFL - Memuneh
76809 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #1517909 22-Mar-2016 19:09

I'd say if your users are searching Google and opening files from the web then there's a good chance they would fall for the CFO scam. As above no technology will help if users don't cultivate a "Scam Meter".





jnimmo
1079 posts

Uber Geek


  #1517920 22-Mar-2016 19:31

To quote someone:

 

Australia’s Defence Signals Directorate (DSD), the U.S. National Security Agency (NSA) and private experts came up with a list of 35 measures that stop almost all attacks. DSD found that by implementing four specific risk reduction measures agencies and companies saw risk fall by 85% and, in some cases, to zero.

 

The four measures are:

 

  • Application whitelisting
  • Minimizing access to administrator privileges
  • Very rapid application patching
  • Very rapid operating system patching

And really there isn't much more to say than that..

 

In my opinion web & email filtering and antivirus will do little to prevent infection from modern malware (although email filtering does seem to have helped, suspect web filtering less effective due to HTTPS)

 

Using Chrome or Firefox instead of IE, ensuring any unnecessary plugins are removed (e.g. Java), and rapid patching of any web facing software is essential too - in previous roles I've used Ninite Pro to update Flash and Adobe Reader every day.

 

 

 

 


Dynamic
3604 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #1517941 22-Mar-2016 20:14

CryptoPrevent?





bjorn

192 posts

Master Geek


  #1517962 22-Mar-2016 20:50

achieveit:

Denying .zip/.exe via Email (Office 365/Exchange etc.)
Antispam rules - reputation based and blacklisting
GPO to prevent APPDATA locations being written to, as well as Software Restrictions
Web Filtering to prevent access to untrusted sites
Ensuring Backup systems are in place and updated, also checking to ensure you can actually recover from them

And last but not least - educating users! ~probably the most important!

 

 

 

 

We already do all of the above.

 

 

 

freitasm:

 

I'd say if your users are searching Google and opening files from the web then there's a good chance they would fall for the CFO scam. As above no technology will help if users don't cultivate a "Scam Meter".

 

 

 

 

The end user isn't opening files from the internet; these are legitimate web searches that end in a user clicking on a compromised website and the malware executing in the background without the user having to do anything.

 

 

 

jnimmo:

 

To quote someone:

 

Australia’s Defence Signals Directorate (DSD), the U.S. National Security Agency (NSA) and private experts came up with a list of 35 measures that stop almost all attacks. DSD found that by implementing four specific risk reduction measures agencies and companies saw risk fall by 85% and, in some cases, to zero.

 

The four measures are:

 

  • Application whitelisting
  • Minimizing access to administrator privileges
  • Very rapid application patching
  • Very rapid operating system patching

And really there isn't much more to say than that..

 

In my opinion web & email filtering and antivirus will do little to prevent infection from modern malware (although email filtering does seem to have helped, suspect web filtering less effective due to HTTPS)

 

Using Chrome or Firefox instead of IE, ensuring any unnecessary plugins are removed (e.g. Java), and rapid patching of any web facing software is essential too - in previous roles I've used Ninite Pro to update Flash and Adobe Reader every day.

 

 

 

 

 

 

While good advice; we do all of the above.

 

With the exception that we have to run IE as many of our internal applications require it; however it is the latest version and fully patched.

 

 

 

Dynamic: CryptoPrevent?

 

 

 

Is this a corporate tool, or is it more of a home user thing?


Dynamic
3604 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #1517974 22-Mar-2016 21:23

We've rolled crypto prevent out to SMB clients, bundling it with AV. Default config needed some tightening though.








tehgerbil
1005 posts

Uber Geek

ID Verified
Subscriber

  #1517986 22-Mar-2016 21:52

We've had luck with Trend Micro Worry-Free Business Security. 


jnimmo
1079 posts

Uber Geek


  #1518033 22-Mar-2016 23:31

bjorn:

 

While good advise; we do all of the above.

 

With the exception of we have to run IE as many of our internal applications require it, however it is that latest version and fully patched.

 

 

What about Flash & Java, more specifically Java web start?

 

Perhaps look at blocking all internet access through IE (only allow internal applications which need it), other browsers for general browsing.

 

Also wonder if AppLocker may not be locked down enough if Cryptolocker is still getting past that?
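
Application whitelisting heads the four measures jnimmo quoted earlier, and the question just above is whether an existing AppLocker policy is actually tight enough. The script below is an added example for this thread, not jnimmo's or bjorn's configuration: a minimal AppLocker executable policy in audit-only mode, with the user-writable folders under %WINDIR% excepted from the Windows allow rule (the classic gap in the default rules), followed by the dry run that answers "would a binary in a user profile be denied?" and the audit-log review to do before switching to enforcement. The rule GUIDs and the list of excepted folders are assumptions; the cmdlets are the standard AppLocker module. Rule enforcement needs Windows Enterprise/Education or Server and the Application Identity service; GPO deployment uses this same XML.

```powershell
# Added example (not from the thread): minimal AppLocker EXE policy in AuditOnly mode,
# applied locally, then dry-run against probe binaries. Run elevated.

$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="Allow Windows, except user-writable subfolders" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
        <FilePathCondition Path="%WINDIR%\tracing\*" />
        <FilePathCondition Path="%WINDIR%\System32\spool\drivers\color\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="Allow administrators anywhere" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

$policyPath = Join-Path $env:TEMP 'applocker-exe-audit.xml'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# Nothing is evaluated unless the Application Identity service is running.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Apply locally. Add -Merge to keep rules already present; here we want exactly this set.
Set-AppLockerPolicy -XmlPolicy $policyPath

# Dry run: a probe in %LocalAppData%\Temp and one in %WINDIR%\Temp (both user-writable)
# should come back DeniedByDefault / Denied; the real calc.exe should be Allowed.
$probes = @(
    (Join-Path $env:LOCALAPPDATA 'Temp\applocker-probe.exe'),
    (Join-Path $env:WINDIR 'Temp\applocker-probe.exe')
)
foreach ($p in $probes) { Copy-Item -Path "$env:WINDIR\System32\calc.exe" -Destination $p -Force }

Test-AppLockerPolicy -XmlPolicy $policyPath -Path ($probes + "$env:WINDIR\System32\calc.exe") -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

foreach ($p in $probes) { Remove-Item -Path $p -Force -ErrorAction SilentlyContinue }

# After a week or two in AuditOnly, list what would have been blocked (event 8003) and
# give anything legitimate its own publisher or hash rule before setting
# EnforcementMode="Enabled".
Get-AppLockerFileInformation -EventLog -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' -EventType Audited -Statistics |
    Select-Object -First 20
```

The same Test-AppLockerPolicy call is the quickest way to answer the "locked down enough" question for a policy you already have: point -XmlPolicy at the exported GPO XML and -Path at a sample dropped where the infections landed.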


lxsw20
3231 posts

Uber Geek


  #1518063 23-Mar-2016 00:42

achieveit:

Denying .zip/.exe via Email (Office 365/Exchange etc.)
Antispam rules - reputation based and blacklisting
GPO to prevent APPDATA locations being written to, as well as Software Restrictions
Web Filtering to prevent access to untrusted sites
Ensuring Backup systems are in place and updated, also checking to ensure you can actually recover from them

And last but not least - educating users! ~probably the most important!

 

 

 

 

This. Although good luck denying zip files in some places. If you can't then hopefully you have a mail gateway that can extract the zip and look for unwanted file extensions. 

 

I would add that you need offline backups too. 

 

One of the more scary aspects of cryptolocker is it is being updated/adapting all the time. Apparently some of the later versions can delete shadow copy data for example. 

 

MalwareBytes has an anti crypto tool in beta which with any luck they will make an enterprise edition of. 

 

https://blog.malwarebytes.org/news/2016/01/introducing-the-malwarebytes-anti-ransomware-beta/

 

Initial beta testers have said there are quite a few false positives at this stage.
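
The point above about later variants deleting shadow copy data is worth turning into a check. The script below is an added example for this thread, not lxsw20's code: it inventories Volume Shadow Copies (a sudden fleet-wide drop is a signal), and it hunts the Security log's process-creation events (4688) for the command lines used to destroy recovery data. The regex list and the sample command lines are constructed for the example, not taken from a real incident. Caveat a practitioner will hit immediately: 4688 only contains the command line when the "Include command line in process creation events" policy is on, so the script checks that registry value first; Sysmon event 1 is the alternative if you run it.

```powershell
# Added example (not from the thread): shadow copy inventory plus a hunt for shadow-copy
# tampering in Security event 4688. Run elevated.

function Get-ShadowCopyInventory {
    # One line per snapshot. Compare counts over time; ransomware that runs
    # "vssadmin delete shadows" leaves this empty.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Select-Object @{ n = 'Volume'; e = { $_.VolumeName } }, InstallDate, ID
}

function Test-CommandLineAuditingEnabled {
    # Policy "Include command line in process creation events" lands in this value.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    $val = (Get-ItemProperty -Path $key -Name ProcessCreationIncludeCmdLine_Enabled -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled
    return ($val -eq 1)
}

# Command-line shapes used to destroy recovery data (assumed list for the example).
# PowerShell's -match is case-insensitive by default.
$shadowTamperPattern = @(
    'vssadmin(\.exe)?\s+delete\s+shadows',
    'vssadmin(\.exe)?\s+resize\s+shadowstorage',
    'wmic(\.exe)?\s+shadowcopy\s+delete',
    'wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)',
    'bcdedit(\.exe)?\s.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)'
) -join '|'

function Test-ShadowTamperCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    return [bool]($CommandLine -match $shadowTamperPattern)
}

function Find-ShadowTamperEvents {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read EventData by field name, not positional index; indexes shift between OS versions.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if (Test-ShadowTamperCommandLine -CommandLine "$($data['CommandLine'])") {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                    Parent      = $data['ParentProcessName']   # populated on Windows 10 / Server 2016 and later
                    Process     = $data['NewProcessName']
                    CommandLine = $data['CommandLine']
                }
            }
        }
}

# Constructed sample command lines (not from any real incident) showing what the pattern
# catches and, just as importantly, what it leaves alone (listing shadows, a backup agent).
$samples = @(
    'C:\Windows\System32\vssadmin.exe delete shadows /all /quiet',
    '"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete',
    'bcdedit.exe /set {default} recoveryenabled No',
    'vssadmin.exe list shadows',
    '"C:\Program Files\BackupAgent\agent.exe" --snapshot'
)
$samples | ForEach-Object {
    [pscustomobject]@{ Suspicious = (Test-ShadowTamperCommandLine $_); CommandLine = $_ }
}

if (-not (Test-CommandLineAuditingEnabled)) {
    Write-Warning 'Command-line auditing is off; 4688 events will not contain the command line.'
}
Get-ShadowCopyInventory
Find-ShadowTamperEvents | Format-Table -AutoSize
```

None of this replaces the offline backup mentioned above: shadow copies sit on the same disk the malware already has write access to, so they are a convenience for quick restores, not a recovery plan.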

 

 

 

 


lNomNoml
1742 posts

Uber Geek

ID Verified

  #1518071 23-Mar-2016 01:40

Decent Anti-virus: ESET Endpoint

 

 

 

 What browser are the users using? Google Chrome?


nathan
5695 posts

Uber Geek
Inactive user


  #1518075 23-Mar-2016 04:15

Have you discovered which vuln this is using to get to your PCs?

Seems it's either a browser vuln or maybe more likely a vulnerable plugin

Dynamic
3604 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #1518134 23-Mar-2016 08:40

nathan: Have you discovered which vuln this is using to get to your PCs?

Seems it's either a browser vuln or maybe more likely a vulnerable plugin

 

Legitimate question, Nathan, but because these crims are making pretty decent money they are reinvesting significantly in keeping ahead of the AV companies and exploiting new vulnerabilities pretty quickly.







bjorn

192 posts

Master Geek


  #1518159 23-Mar-2016 09:12

nathan: Have you discovered which vuln this is using to get to your PCs?

Seems it's either a browser vuln or maybe more likely a vulnerable plugin

 

 

 

After further trawling through logs it's looking like a flash vuln. More specifically compromised flash advertising.


mentalinc
2850 posts

Uber Geek

Trusted

  #1518160 23-Mar-2016 09:13

They're now using excel VBA as well...






