question Defense against Ransomware

[time]

I'm tired of being hectored about not clicking on links in emails that may be fake. It's a reaction to repeated ransomware infestations.

Surely it's possible to lock down an email client (Outlook), a mail server (Exchange) and file shares so that someone can't shut down a company with just an absent-minded twitch of a mouse?

 

[Mercutio]

Proper file permissions and GPOs, particularly those that surround EFS/Bitlocker key distribution, would go a long way. I don't actually think anything is going to stop everything. If you have an up to date security suite plus the normal collection of appliances and proxies between users and anything from the internet, I suppose there's a hope that something along the way stops the bad thing from happening, but there's always a real possibility that something will get through. Maybe there should be a protocol for messages that include links for people to visit so that others can tell they're not being generated by somebody's malicious script?

 

[time]

Outlook appears to be the main vector. Unlike some other email clients, hyperlinks are enabled by default and you can't change that.

Why can't you reconfigure the default helper app for links to something that is not as happy to run scripts?

Why can't you configure Windows or a browser to block exe launching?

Why does Windows have this model of universal access that allows any program to access any file area that the user has access to?

 

[Howell]

Because it is really beneficial for workflow if the source material is trusted. Imagine only sending a link to a file to an internal distribution group instead of sending the whole file.

 

[Chewy509]

Why can't you configure Windows or a browser to block exe launching?

Here is the information to do this: https://technet.microsoft.com/en-us/library/bb457006.aspx

 

[ddrueding]

Outlook makes users particularly vulnerable, and I can't imagine the benefits being worth it.

My best (not only) defense against ransomware is a near-real-time backup with versioning that doesn't honor deletes to a share that isn't accessible with any domain user permissions. The username/password to access that share was keyed directly into the primary NAS which also doesn't recognize domain accounts for administrative stuff.

 

[Howell]

So versions age out to keep storage usage down? Cool

 

[Howell]

Outlook makes users particularly vulnerable, and I can't imagine the benefits being worth it.

So gmail doesn't make urls linkable by default? And prevents EXEs and scripts from running?

 

[Mercutio]

So gmail doesn't make urls linkable by default? And prevents EXEs and scripts from running?

Gmail absolutely makes URLs linkable. In fact, I don't think you can stop it from doing that even if it's unintended (throw a space in someplace if you don't want it to be).

Gmail won't allow a whole range of file types to be attached directly to a message, including .EXE and script data. I've also run in to problems attaching the content of a .REG as the body of a message. Now, Google will allow URLs, but it will also flag (some) shady URLs and warn you that's what they are. Thunderbird does that as well. I haven't looked at newer-than-2010 Exchange to see if its default processing is any better. It probably isn't.

 

[ddrueding]

So versions age out to keep storage usage down? Cool

I generally tell it to keep the following:

Last 3 changes
One from over an hour ago
One from yesterday
One from last week
One from every month permanently

My theory goes that the further back things need to go, the more understanding the user is about re-keying data.

 

[time]

Outlook makes users particularly vulnerable, and I can't imagine the benefits being worth it.

My best (not only) defense against ransomware is a near-real-time backup with versioning that doesn't honor deletes to a share that isn't accessible with any domain user permissions. The username/password to access that share was keyed directly into the primary NAS which also doesn't recognize domain accounts for administrative stuff.

That's more the sort of thing I was looking for. Windows won't let you add a write access password to a domain share.

Version control, where users can only really ever create new files - rather than modify or delete existing files - is the answer I came up with. This wouldn't work with any file that is frequently updated, such as some kind of database, but I guess they should never be exposed through a share ...

 

[time]

This seems to offer the sort of more finessed access control I was envisaging:

WinAntiRansom Plus

Apart from the ability to block ransomware trojans, it lets you use an application whitelist to limit access to file shares. Works out to be about $55 per user for 100 users and they list review links on that page.

 

[time]

First of 3 parts of a review that tests various anti-ransomware products.

I found this guy's other videos quite illuminating. Particularly enjoyed the Boot Time Protection tests, especially the ones on McAfee and Norton.

 

[mubs]

A week back I met the first real, live person who was victimized by ransomware. Real-estate company. They lost 10-11 years worth of data. No backups!

Employee was not even sure what happened; "I clicked on an email attachment and everything got encrypted, I don't know how". I had to tell her.