Beating Ransomware Webinar – Q & A Follow Up

Late in August we put on a webinar that was a little outside our normal webinars. Normally we talk about something Hyper-V or VMware related, but we felt the topic of ransomware was equally important, as it is a major and pervasive issue in the industry today. With that in mind, we felt it important to cover this topic to help our readers be better protected.

We had a great turn out and a lot of great questions! As per our normal procedure we always like to follow up our webinars with a blog post that:

  1. Contains a recording of the webinar.
  2. Answers any questions that we didn’t get to during the webinar Q & A, answered by Luke and me.
  3. Provides access to any supporting materials that were discussed during the webinar.

In this post you’ll find all of that information as you read on below. We hope you enjoy it, and if you have further follow-up questions for Luke or me, feel free to use the comments section at the bottom of this post.

NOTE: Luke’s post containing the FSRM how-to and script resources will be posted in the next couple of days, so stay tuned to this spot; we’ll link it here when it is ready.

Revisit the Webinar

The eBook

As mentioned in the webinar, we’ve released a new eBook that covers this subject at length and provides some handy tips on how to spot different variants and how to deal with them.

That eBook can be found and downloaded HERE.

The Questions

Q: What can ransomware encrypt? All Local HDs, any network shares? Mapped Drives?

Really this depends on the variant of ransomware in question, but the safe assumption is anything and everything the affected user (more precisely, the account the malware is running under) can write to. In most cases this will include the local workstation files and the user’s mapped network drives, but there are variants that go further and enumerate UNC paths and unmapped but accessible network shares.

Q: How would you propose an MSP keep all the FSRM file screens up to date across multiple client environments?

The best route for this is PowerShell pushed through your RMM utility. Most RMM utilities, such as LabTech or Kaseya, can push scripts to monitored endpoints on a schedule. Pairing a PowerShell script that rebuilds the FSRM file group from a centrally maintained extension list with your RMM utility in this fashion should do the trick, and keeps every client’s screens consistent.

Q: Is there a chance for ransomware to lie dormant for a period of time and then execute later on?

There are some variants out there like this, but the techniques shown by Luke in the webinar should still help you catch them when they attempt to execute, however long they have lain dormant. Once the screen fires, you should then be able to track down the offending file’s location (and the account it ran under) and remove it.

Q: If disk-based backups are housed on premises is there a risk that the backups are also affected?

Q: Since cloud based backups are basically networked, what is preventing them from getting encrypted as well?

Q: How do you keep your list of FSRM extensions current?

Most AV Websites will post newly discovered extensions so that you can keep your lists up to date. Luke will be posting his own follow up post with this information and links to valid sources for this info in the coming days.
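As an added example (this is not Luke’s script, which will be in his follow-up post), here is the shape of an idempotent PowerShell script that an RMM can push to every client file server on a schedule, tying together the MSP question above and the question of keeping the extension list current. It reads the current extension list from a text file delivered alongside it, rebuilds one FSRM file group from that list, and creates or updates an active file screen with event and e-mail notifications on each share. The group name, share paths, list file name and the e-mail settings are assumptions for the example; the cmdlets are from the FileServerResourceManager module that ships with the FSRM role service on Windows Server 2012 and later.

```powershell
#Requires -RunAsAdministrator
# Added example, not the webinar's own script. Pushed by an RMM to each file
# server; safe to re-run because it creates-or-updates rather than duplicates.
Import-Module FileServerResourceManager

$GroupName   = 'Ransomware Extensions'                              # assumed group name
$ScreenPaths = @('D:\Shares\Users', 'D:\Shares\Data')               # assumed share roots
$ListFile    = Join-Path $PSScriptRoot 'ransomware-extensions.txt'  # assumed; one pattern per line

# One FSRM include pattern per line (e.g. *.locky, *.crypt, _HELP_instructions.txt).
# Blank lines and '#' comments are ignored; the list is de-duplicated.
$patterns = Get-Content -Path $ListFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') } |
    Sort-Object -Unique

# Guard against an empty or missing list: replacing the group's patterns with
# nothing would silently disable the screen on every server the RMM touches.
if (-not $patterns) { throw "No patterns read from $ListFile; leaving FSRM unchanged." }

# Create the file group on first run, replace its pattern list on every later run.
if (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $GroupName -IncludePattern $patterns
} else {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $patterns | Out-Null
}

# Notifications fired on a hit. The bracketed tokens are FSRM's own message
# variables. The e-mail action needs Set-FsrmSetting -SmtpServer / -AdminEmailAddress
# configured on the server first (assumed done elsewhere).
$hitMessage = 'User [Source Io Owner] tried to write [Source File Path] to [File Screen Path] on [Server]'
$actions = @(
    (New-FsrmAction -Type Event -EventType Warning -Body $hitMessage),
    (New-FsrmAction -Type Email -MailTo '[Admin Email]' -Subject 'FSRM ransomware screen hit on [Server]' -Body $hitMessage)
)

# Active (blocking) screen on each share; a passive screen would only log.
foreach ($path in $ScreenPaths) {
    if (-not (Test-Path -Path $path)) {
        Write-Warning "Share path $path not found on $env:COMPUTERNAME; skipping."
        continue
    }
    if (Get-FsrmFileScreen -Path $path -ErrorAction SilentlyContinue) {
        Set-FsrmFileScreen -Path $path -IncludeGroup $GroupName -Active -Notification $actions
    } else {
        New-FsrmFileScreen -Path $path -IncludeGroup $GroupName -Active -Notification $actions | Out-Null
    }
}

# Summary for the RMM job log.
Get-FsrmFileScreen | Select-Object Path, IncludeGroup, Active | Format-Table -AutoSize
```

To verify a push, create a file whose name matches one of the patterns on the share from a non-admin workstation account: the write should be refused and a warning from source SRMSVC should appear in the server’s Application log. Because FSRM screens match on file name only, the question below about attackers using valid extensions applies to this script as much as to a hand-built screen.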

Q: What if attackers start using valid file extensions for their attacks? Wouldn’t that circumvent FSRM?

That would make things more difficult, to be sure. Extension-based screening is not a 100% effective solution, but it still prevents a large portion of infections. Pairing it with the other prevention options will be most effective.

Q: Does Ransomware infect the local machine first, then network drives? Is it random based on variant?

This is dependent on the variant of the infection; there is no fixed order you can rely on.

Q: Can Ransomware encrypt data stored in a database, or damage application files?

Yes, and yes. All ransomware has to do to affect the data inside a DB is encrypt the database file (the MDF, in the case of MSSQL), and all the data contained within it is now encrypted. The same is true of application files. One caveat worth knowing: a running SQL Server instance holds its MDF and LDF files open with an exclusive lock, so the live files are often out of reach while the service is up, but database backup files and detached or offline databases sitting on a reachable share are not.

Q: Why don’t email filtering products block the ransomware attachments from executing?

I’ve seen a lot of the attachments made to look like MS Word documents or PDFs. If you have a really strict AV policy that blocks those types of documents, or restricts opening documents altogether, then you would be fine, but most SMB-sized companies don’t have policies like that in place. Additionally, some emails will just contain a link, which is problematic as well.

Q: Have you encountered a real case where ransomware has encrypted a Hyper-V host? If yes, What was done to resolve it.

Q: Dmalock3.0 encrypts local storage and all shares on the network and does not rename file extensions. Additionally the attacker remotes in and deletes backups. Any prevention against this type of attack?

The first line of defense is always user training, and then utilizing web and spam filters. Those will help mitigate the risk. If your only backup method is Windows Backup and shadow copies, I can see it being feasible to sniff out and delete backups, but if you’re using a third-party application to perform the backups, this will certainly be more difficult. Additionally, if the attacker gains the administrative rights needed to sniff out third-party backups, assume anything is possible.

Q: Is Ransomware using its own cryptography infrastructure or OS-based?

This is dependent on the variant of ransomware in question.

Q: Is it possible for a Network Attached Storage (NAS) to get encrypted?

If the ransomware is executing with an account that has access to that location, it most likely has the ability to do so.

Q: Antivirus and Anti Malware software has been improving every year. Based on your opinions, would you say that ransomware is the biggest challenge that we have as far as viruses and malware is concerned?

I’m not sure I would say it’s the biggest, but it’s perhaps the most unique in its execution. With the advent of state-sponsored malware that has the ability to cause physical damage to critical national infrastructure, I would likely rank that higher on the challenge list than ransomware.

Q: How do we protect local data on the workstation in a similar fashion to what you did in the demo with FSRM?

FSRM would not help in this case, as it only screens writes to the file server. You would have to use software restrictions on the workstation, as discussed in the webinar, and it also helps to make sure that you’re using an account that is NOT a local administrator for your day-to-day work.
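One way to implement the software-restriction side on workstations, as an added example rather than the webinar’s own configuration: an AppLocker policy, applied through PowerShell, that denies executables launched from the user-writable locations ransomware droppers typically run from (the user’s Temp, Roaming and Downloads folders) while allowing the normal Program Files and Windows paths, plus everything for local Administrators. The paths, rule names and the audit-first approach are assumptions. AppLocker needs the Application Identity service running and is officially supported on Windows Enterprise/Education editions and Windows Server, so check your edition before relying on it; on other editions the older Software Restriction Policies path rules in Group Policy express the same idea.

```powershell
#Requires -RunAsAdministrator
# Added example, not the webinar's configuration. Builds and applies a local
# AppLocker policy for the Exe collection. Start in AuditOnly, review the
# AppLocker event log for a while, then switch $Mode to 'Enabled' to block.
$Mode = 'AuditOnly'

# User-writable locations to deny (assumed). Deny rules are evaluated before
# allow rules, so they win even for members of Administrators.
$denyPaths = @(
    '%OSDRIVE%\Users\*\AppData\Local\Temp\*',
    '%OSDRIVE%\Users\*\AppData\Roaming\*',
    '%OSDRIVE%\Users\*\Downloads\*'
)

function New-PathRule {
    param([string]$Name, [string]$Path, [string]$Sid, [string]$Action)
    # Every rule needs its own GUID. Everyone is S-1-1-0, local Administrators S-1-5-32-544.
    @"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

$rules  = foreach ($p in $denyPaths) { New-PathRule -Name "Deny EXE from $p" -Path $p -Sid 'S-1-1-0' -Action 'Deny' }
$rules += New-PathRule -Name 'Allow Program Files'             -Path '%PROGRAMFILES%\*' -Sid 'S-1-1-0'       -Action 'Allow'
$rules += New-PathRule -Name 'Allow Windows'                   -Path '%WINDIR%\*'       -Sid 'S-1-1-0'       -Action 'Allow'
$rules += New-PathRule -Name 'Allow Administrators everything' -Path '*'                -Sid 'S-1-5-32-544'  -Action 'Allow'

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$Mode">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@

$policyFile = Join-Path $env:TEMP 'applocker-exe.xml'
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

# Dry run before applying: copy a known-good binary into Temp to stand in for a
# dropper (constructed probe) and ask AppLocker how a standard user would fare.
$probe = Join-Path $env:TEMP 'probe-dropper.exe'
Copy-Item -Path "$env:WINDIR\notepad.exe" -Destination $probe
Test-AppLockerPolicy -XmlPolicy $policyFile -Path @("$env:WINDIR\notepad.exe", $probe) -User 'Everyone' |
    Format-Table PolicyDecision, FilePath, MatchingRule -AutoSize
Remove-Item -Path $probe

# The Application Identity service must be running for AppLocker to evaluate anything.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Apply to the local security policy (use -Ldap to target a domain GPO instead).
Set-AppLockerPolicy -XmlPolicy $policyFile

# Hits land in Applications and Services Logs > Microsoft > Windows > AppLocker >
# EXE and DLL: event 8003 = would have been blocked (audit), 8004 = blocked.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# Day-to-day accounts should not be in local Administrators; list who is (PowerShell 5.1+).
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
```

Run it in AuditOnly for a week or two first: the 8003 events will show you the legitimate installers and updaters that also run from Temp and need an exception (a publisher rule for the vendor is the usual fix) before you switch the collection to Enabled. This only covers executables; Office macros and script engines need the corresponding Script collection and Office macro settings, which are outside the scope of this example.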

Q: Is there any performance impact on the file server when using file screening with FSRM?

Performance impact is quite small and likely negligible.

Q: Is data better protected on say, Office 365 – OneDrive for business, or Dropbox, than on normal storage?

The problem with these types of technologies is that they usually involve some sort of sync operation on the local machine. Hence, if the local files are encrypted, they will sync back to the cloud location, because the sync client has detected a “new version” of the affected file. The saving grace is that these services typically keep previous versions of each file for a period of time, so recovery is often possible by rolling back to the versions from before the infection, provided the retention window has not lapsed.

Q: We have a fileshare on a linux/unix box – mapped via a network drive. What would you recommend as an alternative to FSRM.

To my knowledge, there is no Linux equivalent to FSRM at this time.   

If you had an Altaro VM Backup specific question…

Please refer to our Product page HERE, and our FAQ HERE.

Wrap-Up

To wrap up, we want to say thank you for attending our webinar and viewing the Q & A, and we hope this was beneficial to you. Like I mentioned in the webinar, if we can help you stop one ransomware infection, I think it was well worth the time!

Again, if you think of any follow-up questions that weren’t covered here, feel free to use the comments section below to ask them, and Luke and I will get back to you.

Thanks for reading!
