Preventive measures against ransomware
-
We are hardening our environment to reduce the risk of ransomware attack and would like to get some advice from ML.
A few of the changes we are enforcing include:
Backup: All endpoints are being backed up to a remote location. Veeam backup repo now uses Linux NFS instead of windows NTFS for storage.
Servers: Least privilege method and logging/audit enabled on AD and File server. Harden all servers, reference points from https://adsecurity.org
FSRM to be updated for File server screening using https://github.com/nexxai/CryptoBlocker and https://fsrm.experiant.ca/
Endpoint protection: AV + Malwarebytes
USB/removable drives: I would like to have the USBs scanned on a few dedicated machines that are disconnected from the network, scan with multiple AV engines and would even want to go further by opening all files, maybe allow all possible options like autorun and see if there are threats. If clean then allow the user to use that USB for that session only. We disabled USB read and write centrally but can't block that permanently as we get USBs from third parties. The scanning station can have something like Deep Freeze which will bring the machine back to its original state after a reboot.
User education: use something like KnowBe4 security awareness programs to train employees to identify common threats like spam/phishing mails, suspicious links etc.
Firewall with the usual security settings DPI, IDS, IPS etc.
Patch management: Looking at Ivanti or Shavlik to enhance our SCCM and cover third-party patches as well. Currently it's package and update
-
LANless is one of the biggest factors.
-
@ambarishrh said in Preventive measures against ransomware:
Backup: All endpoints are being backed up to a remote location. Veeam backup repo now uses Linux NFS instead of windows NTFS for storage.
What is the retention period? I've seen a few places that only hold 1 x backup for workstations and overwrite that nightly. If a machine is infected, you could overwrite the good backup before finding out...
-
@ambarishrh said in Preventive measures against ransomware:
USB/removable drives: I would like to have the USBs scanned on a few dedicated machines that are disconnected from the network, scan with multiple AV engines and would even want to go further by opening all files, maybe allow all possible options like autorun and see if there are threats. If clean then allow the user to use that USB for that session only. We disabled USB read and write centrally but can't block that permanently as we get USBs from third parties. The scanning station can have something like Deep Freeze which will bring the machine back to its original state after a reboot.
Do you have to allow USB at all?
-
@ambarishrh said in Preventive measures against ransomware:
Firewall with the usual security settings DPI, IDS, IPS etc.
Also look at vulnerability testing on the LAN side, and get an audit/pentest done to verify external threats that you could be open to.
-
Look at SRP. Default to all denied, and only allow what you approve to run.
-
@jimmy9008 said in Preventive measures against ransomware:
@ambarishrh said in Preventive measures against ransomware:
Backup: All endpoints are being backed up to a remote location. Veeam backup repo now uses Linux NFS instead of windows NTFS for storage.
What is the retention period? I've seen a few places that only hold 1 x backup for workstations and overwrite that nightly. If a machine is infected, you could overwrite the good backup before finding out...
30 days
-
I've installed RansomFree: https://ransomfree.cybereason.com/
Good tool, and free, to avoid ransomware.
-
@iroal said in Preventive measures against ransomware:
I've installed ransomfree https://ransomfree.cybereason.com/
Good tool, and free, to avoid ransomware.
Check if that detects when you run RanSim: https://www.knowbe4.com/ransomware-simulator
-
@ambarishrh said in Preventive measures against ransomware:
@iroal said in Preventive measures against ransomware:
I've installed ransomfree https://ransomfree.cybereason.com/
Good tool, and free, to avoid ransomware.
Check if that detects when you run ransim https://www.knowbe4.com/ransomware-simulator
We have Webroot and RansomFree. Scored 10/10 on RanSim, everything blocked.
-
Cool tool, RanSim
-
@ambarishrh said in Preventive measures against ransomware:
@iroal said in Preventive measures against ransomware:
I've installed ransomfree https://ransomfree.cybereason.com/
Good tool, and free, to avoid ransomware.
Check if that detects when you run ransim https://www.knowbe4.com/ransomware-simulator
RansomFree creates a few folders in the system with many dummy files inside (.doc, .jpg, .xlsx, ...).
In case one of these files changes, RansomFree blocks the computer and asks you if you allow these changes.
RanSim just checks its own installation folder, so RansomFree cannot detect it.
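The canary-folder mechanism described in the post above, written out as an added example (this is not RansomFree's code or RanSim's; decoy names, contents and the `_canary` folder are constructed). It seeds decoy files, records a hash baseline, and flags the three kinds of change an encrypting process makes (overwrite in place, rename away, drop a new file); because only the canary folder is inspected, writes confined to a simulator's own install directory never trip it, which is the observation made above.

```python
import hashlib
import tempfile
from pathlib import Path

# Decoy names and contents are constructed for this example.
DECOY_NAMES = ("Q1-budget.xlsx", "meeting-notes.doc", "holiday-photo.jpg")


def _digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def seed_canaries(folder: Path) -> dict:
    """Write decoy files and return {name: sha256} as the trusted baseline."""
    folder.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for name in DECOY_NAMES:
        path = folder / name
        path.write_bytes(f"decoy content for {name}\n".encode())
        baseline[name] = _digest(path)
    return baseline


def check_canaries(folder: Path, baseline: dict) -> list:
    """Return (name, event) tuples: 'modified' = overwritten in place,
    'missing' = deleted or renamed, 'unexpected' = new file (renamed copy,
    ransom note). Only the canary folder is inspected: writes elsewhere,
    e.g. inside a simulator's own install directory, are invisible here."""
    findings = []
    for name, digest in baseline.items():
        path = folder / name
        if not path.exists():
            findings.append((name, "missing"))
        elif _digest(path) != digest:
            findings.append((name, "modified"))
    for path in sorted(folder.iterdir(), key=lambda p: p.name):
        if path.name not in baseline:
            findings.append((path.name, "unexpected"))
    return findings


def run_demo() -> tuple:
    """Seed canaries in a temp dir, check (clean), then apply the three kinds
    of change the detector must catch and check again."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp) / "Documents" / "_canary"
        baseline = seed_canaries(folder)
        before = check_canaries(folder, baseline)
        (folder / "Q1-budget.xlsx").write_bytes(b"\x00\xffnot the original bytes")
        (folder / "meeting-notes.doc").rename(folder / "meeting-notes.doc.locked")
        (folder / "README_DECRYPT.txt").write_text("constructed note\n")
        after = check_canaries(folder, baseline)
    return before, after
```

Calling `run_demo()` returns an empty list for the clean check and four findings after the changes; a real deployment would run `check_canaries` on a timer or on a filesystem-change event and stop the offending process, which this example leaves out.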