question Defense against Ransomware

time

Storage? I am Storage!
Joined
Jan 18, 2002
Messages
4,932
Location
Brisbane, Oz
I'm tired of being hectored about not clicking on links in emails that may be fake. It's a reaction to repeated ransomware infestations.

Surely it's possible to lock down an email client (Outlook), a mail server (Exchange) and file shares so that someone can't shut down a company with just an absent-minded twitch of a mouse?
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,303
Location
I am omnipresent
Proper file permissions and GPOs, particularly those that surround EFS/Bitlocker key distribution, would go a long way. I don't actually think anything is going to stop everything. If you have an up to date security suite plus the normal collection of appliances and proxies between users and anything from the internet, I suppose there's a hope that something along the way stops the bad thing from happening, but there's always a real possibility that something will get through. Maybe there should be a protocol for messages that include links for people to visit so that others can tell they're not being generated by somebody's malicious script?
 

time

Storage? I am Storage!
Joined
Jan 18, 2002
Messages
4,932
Location
Brisbane, Oz
Outlook appears to be the main vector. Unlike some other email clients, hyperlinks are enabled by default and you can't change that.

Why can't you reconfigure the default helper app for links to something that is not as happy to run scripts?

Why can't you configure Windows or a browser to block exe launching?

Why does Windows have this model of universal access that allows any program to access any file area that the user has access to?
 

Howell

Storage? I am Storage!
Joined
Feb 24, 2003
Messages
4,740
Location
Chattanooga, TN
Because it is really beneficial for workflow if the source material is trusted. Imagine only sending a link to a file to an internal distribution group instead of sending the whole file.
 

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,747
Location
Horsens, Denmark
Outlook makes users particularly vulnerable, and I can't imagine the benefits being worth it.

My best (not only) defense against ransomware is a near-real-time backup with versioning that doesn't honor deletes to a share that isn't accessible with any domain user permissions. The username/password to access that share was keyed directly into the primary NAS which also doesn't recognize domain accounts for administrative stuff.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,303
Location
I am omnipresent
So gmail doesn't make urls linkable by default? And prevents EXEs and scripts from running?

Gmail absolutely makes URLs linkable. In fact, I don't think you can stop it from doing that even if it's unintended (throw a space in someplace if you don't want it to be).

Gmail won't allow a whole range of file types to be attached directly to a message, including .EXE and script data. I've also run in to problems attaching the content of a .REG as the body of a message. Now, Google will allow URLs, but it will also flag (some) shady URLs and warn you that's what they are. Thunderbird does that as well. I haven't looked at newer-than-2010 Exchange to see if its default processing is any better. It probably isn't.
 

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,747
Location
Horsens, Denmark
So versions age out to keep storage usage down? Cool

I generally tell it to keep the following:

Last 3 changes
One from over an hour ago
One from yesterday
One from last week
One from every month permanently

My theory goes that the further back things need to go, the more understanding the user is about re-keying data.
 

time

Storage? I am Storage!
Joined
Jan 18, 2002
Messages
4,932
Location
Brisbane, Oz
Outlook makes users particularly vulnerable, and I can't imagine the benefits being worth it.

My best (not only) defense against ransomware is a near-real-time backup with versioning that doesn't honor deletes to a share that isn't accessible with any domain user permissions. The username/password to access that share was keyed directly into the primary NAS which also doesn't recognize domain accounts for administrative stuff.

That's more the sort of thing I was looking for. Windows won't let you add a write access password to a domain share.

Version control, where users can only really ever create new files - rather than modify or delete existing files - is the answer I came up with. This wouldn't work with any file that is frequently updated, such as some kind of database, but I guess they should never be exposed through a share ...
 

time

Storage? I am Storage!
Joined
Jan 18, 2002
Messages
4,932
Location
Brisbane, Oz
This seems to offer the sort of more finessed access control I was envisaging:

WinAntiRansom Plus

Apart from the ability to block ransomware trojans, it lets you use an application whitelist to limit access to file shares. Works out to be about $55 per user for 100 users and they list review links on that page.
 

time

Storage? I am Storage!
Joined
Jan 18, 2002
Messages
4,932
Location
Brisbane, Oz
First of 3 parts of a review that tests various anti-ransomware products.

I found this guy's other videos quite illuminating. Particularly enjoyed the Boot Time Protection tests, especially the ones on McAfee and Norton.
 

mubs

Storage? I am Storage!
Joined
Nov 22, 2002
Messages
4,908
Location
Somewhere in time.
A week back I met the first real, live person who was victimized by ransomware. Real-estate company. They lost 10-11 years worth of data. No backups!

Employee was not even sure what happened; "I clicked on an email attachment and everything got encrypted, I don't know how". I had to tell her.
 
Top