In this webinar you’ll learn what Ransomware is and common ways to protect yourself; case study examples of real-world infections and resolutions (and failures!); and the role of backup in protecting against attacks. Whether you’re new to ransomware, or a seasoned veteran, this is essential viewing.
I've uploaded the slide deck and it can be downloaded HERE.
Really this depends on the variant of ransomware in question, but generally assume anything and everything the affected user has access to. In most cases this will include the local workstation's files and the user's mapped network drives, but there are variants intelligent enough to seek out UNC paths and unmapped (but accessible) network shares.
The best route for this would be via PowerShell and your RMM utility. Most RMM utilities, such as LabTech or Kaseya, have the ability to push scripts to monitored endpoints. Pairing an applicable PowerShell script with your RMM utility in this fashion should do the trick.
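As an added example of the kind of script an RMM tool could push (this is not code from the webinar or from Altaro), the following PowerShell sweep looks on every drive letter the logged-on user can reach, mapped network drives included, for recently written files carrying known ransomware extensions, records the owner of each hit (the account that created the file is usually the infected one) and raises an Application-log event the RMM can alert on. The extension list is a constructed sample, and the event source name and event ID are assumptions for the example; maintain your own list from your AV vendor's published indicators.

```powershell
<#
  Added example, not code from the webinar or from Altaro.
  Run under the RMM agent's account (normally SYSTEM), which is required
  to register the event source on first run.
#>
param(
    [string[]]$RansomExtensions = @('.encrypted', '.locky', '.crypt', '.cerber'),  # constructed sample list
    [int]$LookbackHours = 24,
    [string]$EventSource = 'RansomwareSweep',   # assumed name
    [int]$EventId = 9001                         # assumed ID
)

$Cutoff = (Get-Date).AddHours(-$LookbackHours)

# Every drive letter exposed by the FileSystem provider: local disks and the
# user's mapped network drives alike (DisplayRoot carries the UNC path for the latter).
$Drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Za-z]:\\$' }

$Hits = foreach ($Drive in $Drives) {
    Get-ChildItem -Path $Drive.Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $RansomExtensions -contains $_.Extension.ToLower() -and $_.LastWriteTime -ge $Cutoff
        } |
        ForEach-Object {
            [pscustomobject]@{
                Path    = $_.FullName
                Share   = $Drive.DisplayRoot        # empty for local disks, UNC path for mapped drives
                Written = $_.LastWriteTime
                Owner   = $(try { (Get-Acl -LiteralPath $_.FullName).Owner } catch { 'unknown' })
            }
        }
}

if (@($Hits).Count -gt 0) {
    # Surface the finding where the RMM agent is already watching: the Application log.
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource
    }
    $Top = $Hits | Sort-Object Written -Descending | Select-Object -First 20 |
        ForEach-Object { "{0} {1} {2}" -f $_.Written, $_.Owner, $_.Path }
    $Summary = "$(@($Hits).Count) file(s) with ransomware extensions written since $Cutoff.`n" + ($Top -join "`n")
    Write-EventLog -LogName Application -Source $EventSource -EntryType Warning -EventId $EventId -Message $Summary

    $Hits      # full list goes back to the RMM as script output
    exit 1     # non-zero exit code lets the RMM flag the endpoint
}
else {
    Write-Output "No ransomware extensions found on $(@($Drives).Count) drive(s) since $Cutoff."
    exit 0
}
```

Two practical notes: the recursive walk of large mapped shares is slow, so keep the lookback window short and schedule the sweep rather than running it ad hoc; and because the hit list includes the NTFS owner of each encrypted file, the same output tells you which user account (and therefore which workstation) to isolate first.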
There are some variants out there like this, but the techniques shown by Luke in the webinar should still help you catch them when they attempt to execute, despite having been lying dormant for a period of time. Once that happens you should then be able to track down the offending file's location and remove it.
Most AV websites will post newly discovered extensions so that you can keep your lists up to date. Luke will be posting his own follow-up post with this information and links to valid sources for this info in the coming days.
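To show what "keeping your lists up to date" looks like in practice on a Windows file server, here is an added example (not code from the webinar or from Altaro) that builds the FSRM file screen Luke demonstrated as a PowerShell script: an FSRM file group holds the extension patterns, an active file screen on the shares blocks writes that match, and two notifications fire on a hit, an Application-log event and a command that denies the writing account access to the shares. Re-running the script with a longer pattern list refreshes the group in place. The extension list is a constructed sample; the group name, template name and share paths are assumptions for the example.

```powershell
<#
  Added example, not code from the webinar or from Altaro.
  Requires the FS-Resource-Manager feature and an elevated session on the file server.
#>
Import-Module FileServerResourceManager

$GroupName  = 'Ransomware Extensions'                     # assumed name
$Template   = 'Block Ransomware Extensions'               # assumed name
$ShareRoot  = 'D:\Shares'                                 # assumed path
$SharePaths = @("$ShareRoot\Finance", "$ShareRoot\Users") # assumed paths
$Patterns   = @('*.encrypted', '*.locky', '*.crypt', '*.cerber', 'HOW_TO_DECRYPT*')  # constructed sample

# Create the file group once, or refresh its pattern list as new extensions are published.
if (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns
} else {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns `
        -Description 'Known ransomware extensions and ransom-note file names'
}

# Notification 1: an Application-log event naming the account and file, for the RMM/SIEM to alert on.
# [Source Io Owner], [Source File Path] and [Server] are FSRM's own notification macros.
$EventAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Ransomware file screen hit: [Source Io Owner] tried to write [Source File Path] on [Server]'

# Notification 2: cut the offending account off every share under $ShareRoot immediately.
# FSRM expands [Source Io Owner] to DOMAIN\user before running the command as LocalSystem.
$BlockCmd = 'Get-SmbShare | Where-Object { $_.Path -like ''' + $ShareRoot + '\*'' } | ' +
            'Block-SmbShareAccess -AccountName ''[Source Io Owner]'' -Force'
$BlockAction = New-FsrmAction -Type Command `
    -Command "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -CommandParameters "-NoProfile -ExecutionPolicy Bypass -Command `"$BlockCmd`"" `
    -SecurityLevel LocalSystem

# Active (blocking) template carrying the group and both notifications.
if (-not (Get-FsrmFileScreenTemplate -Name $Template -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreenTemplate -Name $Template -IncludeGroup $GroupName -Active `
        -Notification @($EventAction, $BlockAction)
}

# Apply the template to each share path that does not already carry a screen.
foreach ($Path in $SharePaths) {
    if (-not (Get-FsrmFileScreen -Path $Path -ErrorAction SilentlyContinue)) {
        New-FsrmFileScreen -Path $Path -Template $Template
    }
}
```

Two caveats a practitioner should keep in mind. FSRM screens by file name only, so a variant that keeps the original extension or uses a random one walks straight past it; treat the screen as one layer, not the layer. And it runs on the file server, so it protects the shares but does nothing for the files on the infected workstation itself, which is why the webinar pairs it with software restriction policies on the endpoints.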
That would make things more difficult, to be sure. It's not a 100% effective solution, but it will prevent a large portion of infections. Pairing this with other prevention options will be most effective.
This will be dependent on the variant of the infection.
Yes, and yes. All ransomware has to do to affect data inside a database is encrypt the data file (the MDF file, in the case of MSSQL), and all the data contained within it is now encrypted. The same is true of application files.
I've seen a lot of the attachments made to look like MS Word documents or PDFs. If you have a really strict AV policy that blocks those types of documents or restricts opening documents altogether then you would be fine, but most SMB-sized companies don't have policies like that in place. Additionally, the emails will often just contain a link, which is problematic as well.
The first line of defense is always user training, and then utilizing web and spam filters. Those will help mitigate the risk. If your only backup method is Windows Backup and shadow copies, I can see it being feasible to sniff out and delete backups, but if you're using a third-party application to perform the backups, this will certainly be more difficult. Additionally, if the attacker gains the administrative rights needed to sniff out third-party backups, assume anything is possible.
This is dependent on the variant of ransomware in question.
If the ransomware is executing with an account that has access to that location, it most likely has the ability to do so.
I'm not sure I would say it's the biggest, but it's perhaps the most unique in its execution. With the advent of state-sponsored malware that has the ability to cause physical damage to critical national infrastructure, I would likely rank that higher on the challenge list than ransomware.
FSRM would not help in this case. You would have to use software restrictions as discussed in the webinar, and it also helps to make sure that you're using an account that is NOT a local administrator for your day-to-day work.
Performance impact is quite small and likely negligible.
The problem with these types of technologies is that they usually involve some sort of sync operation on the local machine. Hence, if the local files are encrypted, they will sync back to the cloud location, as the applet has detected a "new version" of the affected file.
To my knowledge, there is no Linux equivalent to FSRM at this time.
Cloud Architect at itnetX
Cloud & Datacenter Management MVP
Thomas Maurer works as a Cloud Architect at itnetX, a consulting and engineering company located in Switzerland. Thomas is focused on Microsoft technologies, especially Microsoft cloud solutions based on Microsoft Azure, System Center, Office 365, Microsoft Virtualization and Microsoft Datacenter Solutions.
Cloud & Data Management MVP
Technical Evangelist - Altaro
Andy is a 15+ year IT pro specializing in Virtualization, Storage, Cloud, and Infrastructure. By day he's a Technical Evangelist for Altaro, leading technical content and pre-sales. By night he shares his IT knowledge online or over a cold beer. He holds the Microsoft MVP award in Cloud and Datacenter Management, and is one of the few who is also a VMware vExpert.