Locky?



  • Hi,
    So recently I've been getting a bunch of those document1.zip files. I have already told users not to open any email that contains a .zip or emails from senders they do not recognize. I also implemented squid with squidguard acting like an adblock so they won't shoot themselves. But I was wondering, is there anything else I could do to prevent Locky? I also have Bitdefender Gravity endpoints, and daily backup on a NAS, but I'm afraid when it comes it will infect the NAS, which therefore also has weekly backups through USB. I have been using Snort in a test lab but really haven't figured it out yet because of all those false alarms. I also have DNSBL with pfBlocker. Not sure if I covered all the angles. And the email servers are handled by GoDaddy.

    Thank you



  • The only one I would think about is to perhaps install ClamAV on the NAS, if this is possible and the
    NAS is powerful enough for it, and on the other side you may also think about installing ClamAV on pfSense,
    if this can be realized and the appliance has enough performance for it.

    Or go and back up the NAS again; I don't know how many GB we are both talking about here,
    but it could be that this could be done with an external USB 3.0 RDX drive or an RDX / tape library.



  • Hi, thank you for the reply. I guess what I'm worried about is, let's say one user by accident opens a zip; in theory it infects the whole network, and I'm not sure if ClamAV will protect it? I was reading about ClamAV on pfSense but many say it's better not to run it. I run daily around 600 gigs of backup and weekly around 1 TB on the external USB. Are the RDX tape drives immune to ransomware?

    Thank you again



  • Are the RDX tape drives immune to ransomware?

    No!



  • Hi,

    I think the more efficient approach here is to restrict your file sharing, e.g. by monitoring for ransomware activity with a monitoring tool or a script and, if something goes on, cancelling the provision or revoking the permissions of the particular user.
    Locky and the others run under the user's context, so they can only encrypt files for which the user has write privileges.

    Also ensure that the users have no access to the backup on the NAS. You may also take it offline while no backup is running.
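
The "monitor and revoke" idea in this post, as an added illustration that is not from the thread: a small detector run over constructed file-share audit lines (timestamp|user|operation|path, a format assumed for this example and loosely modelled on Samba's vfs_full_audit output). It flags a user either on the first write of a known Locky extension or on a burst of distinct-file writes that no human editing documents would produce; those are the accounts whose share access the post suggests revoking.

```python
"""Flag users whose file-share activity looks like in-progress encryption.

Added example, not from the thread. Log format and thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime

# Extension Locky appends to encrypted files (known indicator; extend as needed).
RANSOM_EXTENSIONS = (".locky",)


def parse(line):
    """Split a constructed 'timestamp|user|op|path' audit line into fields."""
    ts, user, op, path = line.split("|", 3)
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, op, path


def detect(lines, window=60, burst=10):
    """Return {user: reason} for users whose activity looks like encryption.

    Signal 1: a write/rename producing a known ransomware extension.
    Signal 2: more than `burst` distinct files written by one user within
    `window` seconds (people edit a few files; an encryptor rewrites hundreds).
    """
    recent = defaultdict(deque)  # user -> (ts, path) events inside the window
    flagged = {}
    for line in lines:
        ts, user, op, path = parse(line)
        if op not in ("write", "rename"):
            continue  # reads and opens are not encryption activity
        if path.lower().endswith(RANSOM_EXTENSIONS):
            flagged.setdefault(user, f"wrote ransomware extension: {path}")
        q = recent[user]
        q.append((ts, path))
        while (ts - q[0][0]).total_seconds() > window:
            q.popleft()  # drop events older than the sliding window
        if len({p for _, p in q}) > burst:
            flagged.setdefault(user, f"{len(q)} writes in {window}s")
    return flagged


def sample_log():
    """Constructed audit lines: bob works normally, alice bursts, carol writes .locky."""
    lines = [f"2016-03-07 09:0{i}:00|bob|write|accounting/ledger{i}.xls" for i in range(3)]
    lines += [f"2016-03-07 09:10:{s:02d}|alice|write|public/doc{s}.pdf" for s in range(12)]
    lines.append("2016-03-07 09:11:00|carol|rename|users/carol/report.doc.locky")
    return lines


if __name__ == "__main__":
    for user, reason in detect(sample_log()).items():
        print(f"revoke share access for {user}: {reason}")
```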



  • @killmasta93:

    Hi, thank you for the reply. I guess what I'm worried about is, let's say one user by accident opens a zip; in theory it infects the whole network, and I'm not sure if ClamAV will protect it? I was reading about ClamAV on pfSense but many say it's better not to run it. I run daily around 600 gigs of backup and weekly around 1 TB on the external USB. Are the RDX tape drives immune to ransomware?

    Thank you again

    Unfortunately, the nasty premise of much ransomware is: if the user has R/W access to a file then we can encrypt it.

    I had a client fall to one of the classic email phishing exercises a few months ago.
    Mon morn @ 9:03 she opened an email attachment she shouldn't have.
    By 10:45 she noticed she couldn't access some files she needed, and tried a few things to correct the issue.
    11:05 they called me to try and fix their file access problem.
    I remoted in and by 11:09 had them shut down the offending PC.
    By that time it was far too late for much of their data: any folders and/or files she had access to, *.PDF, *.xls, *.doc, etc., etc., had been read, encrypted and re-written to the server.

    Luckily for them their server does automatic rotating backups @03:00 every morning to an auxiliary drive that is not accessible to the end users at all. Nothing gets to it except me and the backup process. With good timing, I had them back up and running by 12:45, the only loss being work done from 8:30 - 10:00.

    They definitely learned a lesson from this experience.

    Nothing like real backups for the real world...



  • Hi,
    Thank you guys for the reply. So, quick question: the NAS only has administrator privileges, no one else, so hopefully I'm safe there :). All the users have 3 network drives: 1) public 2) accounting 3) users' personal information. I told all the users not to save anything on the desktop. Let's say a user opens one of those invoices; it will automatically infect those 3 network drives. But let's say I have another shared folder that is not on their network drive; will it still infect it? The only way for them to access it would be running \\servername\folder

    Thank you



  • As with all things viral (and much in life) - it depends.

    The current ransomware I've seen depends on an infected user to potentially save new copies of the virus (not really likely/effective and prone to blocking by AV/AntiSpy software) as well as act as the encryption engine to corrupt accessible files.

    Once a user is infected and starts corrupting accessible files, the spread to what they can access is as fast as their network access allows (usually very fast).

    That said, the chances of the infection spreading wider because of a second user (with overlapping but wider access) accidentally opening something bad the first user saved are very, very small. It's much more likely that the bad guys manage to customize an email hit against the company ("FedEx wishes to pre-verify your address for a custom delivery, click here" or some such) that more than one user will fall for. The chances that those two users will have "wider" access across the network are pretty random.
    None of the encryption attacks I've seen or read about even attempt to circumvent internal access security measures, they're about speed more than spread.

    So in short, the encryption attack is definitely nasty, but the age-old protections against it still hold. I haven't seen one yet that is effective against good backups and good user education.

    As always - my $.02, feel free to use Google to its best  ;)



  • Thank you for the detailed response. So true, I've been reading a lot about how crazy it's been. A friend of mine in IT was hit but luckily he does backups to an external USB and disconnects it, so he was saved. But I guess the best Internet security is the users: telling them NOT to click on everything. The worst part is recovering, because it's always best to start from scratch, formatting the servers and the computers.

    Thank you again



  • @killmasta93:

    The worst part is recovering, because it's always best to start from scratch, formatting the servers and the computers.
    Thank you again

    In the scenario I described, the server was "untouched" in that it just saved the files the workstation told it to (encrypted of course).

    From that point of view, their recovery was a complete wipe of their server's data drive and a restore from the previous backup.
    I always set my backups to do a complete copy of the data drive for just this scenario.
    And since they're Linux based servers (I stopped doing Win servers some time ago) it's trivial to segregate the server operating drive from the data drive.
    The net result is I have zero worries about the server being infected.

    As far as the workstation, yup that's a complete wipe and reload from scratch (Win machine and not worth the worries otherwise).
    Some users keep drive images to make it easier to reload the system, but encouraging them to keep all data on the server often simplifies everyone's life.
