If you ever get hit by ransomware...

Started by Holding Pattern, May 13, 2016, 11:09:23 PM


Holding Pattern

All may not be lost. Many ransomware programs were poorly written and people have created decryption programs for them.

Read this spreadsheet for details: https://docs.google.com/spreadsheets/u/1/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml#

That being said, this is a good time to check on what sort of backup system you or your company has. A versioning/snapshot backup system that keeps several historical versions of each file on your system such as Crashplan/Backblaze can make the process of recovery as easy as a reinstall of the OS and a restore of the last known good snapshot.

Майор Хаткевич

What's a good/was costly snapshot option?

stillamarine

Apparently quite a few of our computers got hit by them. Not good for an LE agency lol.


Sent from my iPhone using Tapatalk
Tim Gardiner, 1st LT, CAP

USMC AD 1996-2001
USMCR    2001-2005  Admiral, Great State of Nebraska Navy  MS, MO, UDF
tim.gardiner@gmail.com

Holding Pattern

Quote from: stillamarine on May 14, 2016, 03:27:27 AM
Apparently quite a few of our computers got hit by them. Not good for an LE agency lol.

Unacceptable for an LE agency.

Please forward this to their IT team:

https://technet.microsoft.com/en-us/library/dd759117(v=ws.11).aspx

If AppLocker whitelists are enabled, system scripts (batch, PowerShell, etc.) are disallowed, and unsigned MS Office VBA is disabled, you are invulnerable to 99% of these threats. AppLocker comes with every Enterprise version of Windows 7 and above.
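As an added illustration (not from the post above or the linked TechNet article) of what that three-part configuration looks like when scripted: an AppLocker allow-list built from the installed software, tested in audit mode before enforcement, plus the Office macro settings. It assumes an elevated PowerShell session on a Windows Enterprise edition that ships the AppLocker module and an Office 2016-or-later install (registry version key 16.0); the policy path and lure file names are constructed.

```powershell
# Added example: AppLocker allow-list + script control + unsigned-VBA lockdown.
# Assumes an elevated PowerShell session on Windows Enterprise with the AppLocker module.
Import-Module AppLocker

# 1. AppLocker rules are only enforced while the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 2. Inventory what is actually installed and turn it into allow rules.
#    Signed binaries get Publisher rules; unsigned ones fall back to Hash rules.
#    Scripts found under these paths land in the Script collection, so anything
#    dropped into a user profile or temp folder has no rule and is denied by default.
$policyXml = 'C:\Temp\applocker-policy.xml'          # constructed path
$inventory = foreach ($dir in 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)') {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll, Script, WindowsInstaller
}
$inventory |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $policyXml -Encoding utf8

# 3. Apply in audit mode first: every collection logs what it *would* block, nothing breaks.
[xml]$policy = Get-Content -Path $policyXml -Raw
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'        # change to 'Enabled' after reviewing the log
}
$policy.Save($policyXml)
Set-AppLockerPolicy -XmlPolicy $policyXml

# 4. Ask the policy how it would treat typical lures (empty placeholder files, constructed names).
$lures = foreach ($name in 'UPS_delivery_notice.pdf.exe', 'invoice.js', 'update.bat') {
    (New-Item -Path (Join-Path $env:TEMP $name) -ItemType File -Force).FullName
}
Test-AppLockerPolicy -XmlPolicy $policyXml -Path $lures -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule
# A path outside the inventoried directories matches no allow rule -> DeniedByDefault.

# 5. After a period in audit mode, review what real users would have been blocked from,
#    fix any legitimate gaps with extra rules, then switch EnforcementMode to 'Enabled'.
foreach ($log in 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script') {
    Get-AppLockerFileInformation -EventLog -LogPath $log -EventType Audited |
        Group-Object -Property Path | Sort-Object Count -Descending |
        Select-Object Count, Name -First 20
}

# 6. Office VBA: allow only digitally signed macros, and block macro execution in documents
#    that carry the Mark-of-the-Web (arrived by mail or download). Assumes version key 16.0.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $key -Force | Out-Null
    # VBAWarnings 3 = disable all macros except digitally signed
    New-ItemProperty -Path $key -Name VBAWarnings -Value 3 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name BlockContentExecutionFromInternet -Value 1 -PropertyType DWord -Force | Out-Null
}
```

The order matters: inventory, audit, review, then enforce. Going straight to `Enabled` on a policy built from a single machine's inventory is how line-of-business tools get blocked and the whole control gets switched off again; the audit log in step 5 is what tells you which rules are still missing.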

Brad

Quote from: Capt Hatkevich on May 14, 2016, 01:34:39 AM
What's a good/was costly snapshot option?

Norton Ghost (now part of Symantec System Recovery) and DeepFreeze by Faronics are two that I've used before and they work well.
Brad Lee
Maj, CAP
Assistant Deputy Chief of Staff, Communications
Mid-Atlantic Region
K4RMN

EMT-83

Quote from: Starfleet Auxiliary on May 14, 2016, 05:20:04 AM
Unacceptable for an LE agency.

Please forward this to their IT team.

I would guess that the vast majority of LE agencies in the country don't have an "IT team" on staff. It's often one of the guys that knows a little about computers, or the same contractor that maintains the other municipal buildings. Either way, their knowledge of security is probably minimal at best.

Luis R. Ramos

Or they have an IT team but their knowledge of current practices is limited, 5 years or more behind, or were forced to adopt a non-standard system, incompatible with current technology...
Squadron Safety Officer
Squadron Communication Officer
Squadron Emergency Services Officer

Brad

Quote from: EMT-83 on May 14, 2016, 01:10:07 PM
Quote from: Starfleet Auxiliary on May 14, 2016, 05:20:04 AM
Unacceptable for an LE agency.

Please forward this to their IT team.

I would guess that the vast majority of LE agencies in the country don't have an "IT team" on staff. It's often one of the guys that knows a little about computers, or the same contractor that maintains the other municipal buildings. Either way, their knowledge of security is probably minimal at best.

Ours is actually pretty strong. It's an entire division/office whose head reports to the Director himself, plus there's the Information Security Officer, who is a sworn Trooper, who keeps up with security policies as they relate to IT practices, FBI-CJIS and CALEA certification standards, NCIC/NLETS standards with regards to encryption, etc.
Brad Lee
Maj, CAP
Assistant Deputy Chief of Staff, Communications
Mid-Atlantic Region
K4RMN

stillamarine

We have a pretty good Technology Division. The city itself has a good IT department. But we are a large city and a large department. We have probably close to 1500 computers just in the PD with the city having 3 to 4 times that. We just switched computers city wide a couple years ago. We also just changed our in car programs recently.
Tim Gardiner, 1st LT, CAP

USMC AD 1996-2001
USMCR    2001-2005  Admiral, Great State of Nebraska Navy  MS, MO, UDF
tim.gardiner@gmail.com

NIN

In both of my previous two jobs, I worked in IT Managed Services. We supported many small companies and organizations not large enough to have or afford their own dedicated IT team.

Easily 75% of ransomware avoidance was, in my experience, user training, awareness and behavior. The other 25% is policy, security management and IT best practices, and management enforcement.

"Don't click on random PDF files from people you don't know." (one example)
"Do not use your PC for other than work purposes" (Hey, yeah, great, glad you were 'only' on ESPN.com when you managed to click a virus-laden popup that the AV didn't twig to until it had already deposited its payload. Glad you weren't surfing pr0n or hacking sites when it happened..)
"Don't give users more privilege on the network than the bare minimum they need to do their jobs."

I had four Cryptolocker instances in 2 years, including two in one week. All four were avoidable had the users followed the best practices we'd outlined, the management had been serious about enforcing the rules about using PCs for work purposes only, and senior management at the organizations supported hadn't been stupid about their security posture.

In one particularly egregious case, the first one I had to deal with, which was on Tuesday afternoon right before Thanksgiving one year, the Executive Director of a non-profit we supported got one of those emails "UPS attempted delivery" or something, with a PDF attachment that wasn't really a PDF. She couldn't click that (supposed) PDF attachment fast enough to see what it was they couldn't deliver to her.

Of course it's social engineering. It's in the run-up to the holidays; the "UPS missed your delivery" email is _designed_ to get you to click on it.

Two problems immediately:
1) If you're following your company policy that says "Do not use company email for personal purposes" then a "UPS missed delivery email" is going to be OBVIOUSLY bogus.  Of course, if you're the Executive Director, and you have this "the rules don't apply to me" mentality... (more on that later)  We had conducted training on the corp IT policies and user awareness about a month prior to this, so literally *EVERYBODY* else was trying their best to follow the rules.

2) This was as we were getting ready to move them from Exchange 2003 to Google Apps for Non-Profits. Because they had pushed off the transition three times in 60 days, their gateway AV on the mail server had finally run out and wasn't being updated. The original move had been scheduled 3 months prior to the gateway AV running out, but they were too cheap to spend $100 to renew it for another year to cover the time period. We warned them, in writing, that doing so would leave them vulnerable to email-delivered malware and viruses. "We'll just deal with it." Uh, OK, but we don't recommend this course of action...

So about mid-day, she calls up and says "I have this funny message on my screen, and people in finance and dispatch are reporting they can't open files"

The Exec Director had managed to infect her entire PC and about 60,000 files on the network shares she had access to with the Cryptolocker attached to an email. 

Two other problems here:
1) The Exec Director had too much access to the network. Totally, and we knew that. We had attempted to educate her and others about best practices regarding access to network shares ("least possible privilege").  She demanded access to the network, stating (loudly) "I am the EXECUTIVE DIRECTOR and I MUST have access to EVERYTHING." (well, she didn't have access to *everything*, but she didn't know that. We still kept her out of things that she didn't ever need unless there was an HR issue, like user "private drives" and the replicated user profile directories on the servers)   Again, like the gateway AV situation, we told them why this was a Bad Idea™, in writing and said "Please confirm you want this specific change, which we believe will leave you open to vulnerabilities and data loss." When she said "I don't care, do it" we shrugged our shoulders and made the change.

2) There were no PC backups going on. So all the files on her PC that had been "Cryptolocker-encrypted" were lost. They had been offered PC-level backups during the transition to a new server architecture (Server 2012 Essentials) with the caveat that it would take up a lot of disk space. They demurred, opting for the "smaller disk" server to save a few hundred dollars. Again, they had been expressly informed that this course of action would leave them vulnerable in the event of a hardware failure or some kind of infection like this one. I did a full cost-benefit analysis and their board of directors was like "We don't think that's a very likely thing to happen, so let's go with the cheaper option."

So the first thing I got to say on the phone, once I'd realized the extent of the situation, was "Remember that email about why granting you all this access was a bad idea?"

I thought for sure my Thanksgiving was toast. I spent all morning Wednesday restoring network files from the shadow copies on the server. Thankfully, the ED kicked off the Cryptolocker just after 12:30pm. Previous Versions in the server OS takes a snapshot at 7am and noon. I was able in 95% of the cases on the server to just go into each network share and restore the entire share to the noon "previous version" which was non-encrypted. I had 2-3 shares that had some minor problems and I had to go to the disk-based backups, but restoring the network files literally took me about 5 or 6 hours, tops.

We grabbed the Exec Director's machine on Tuesday night (after we had her disconnect it from the network immediately on realizing it was Cryptolocker, just in case it was still doing its dirty work), rebuilt it that morning and had it back on site by 2pm.

Did I mention that per our SLAs and agreements, ALL of that work was billable time?

Yeah.

In the other three cases, user behavior outside of the published IT policy was the catalyst. ("I was just checking my scores on ESPN" "I was just checking out a knitting website for a minute..") Exacerbated by some other issues ("non renewal of the gateway AV") against advice of the experts.

Shadow Copy in the Server OSs is a real lifesaver.  Regular, tested backups are another. PC level backups are a third.

But having users savvy enough to not click on an obviously infected email would keep down the majority of these instances.



Darin Ninness, Col, CAP
Wing Dude, National Bubba
I like to have Difficult Adult Conversations™
The contents of this post are Copyright © 2007-2024 by NIN. All rights are reserved. Specific permission is given to quote this post here on CAP-Talk only.
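The recovery NIN describes (scope the damage, then roll each share back to the last snapshot taken before the infection started) as an added PowerShell example; this is not part of the post above. It assumes an elevated session on a Windows Server where Volume Shadow Copy is enabled on the data volume; the volume letter, share path, incident time, mount point and restore destination are constructed placeholders.

```powershell
# Added example: twice-daily snapshots, incident scoping, and restore from the last clean shadow copy.
# Assumes elevated PowerShell on a Windows Server with VSS enabled on the data volume.
# Every path, drive letter and timestamp below is a constructed placeholder.

# Keep the 7:00 and 12:00 snapshot schedule the post relies on (vssadmin runs as SYSTEM).
function Register-ShadowSchedule {
    param([string]$Volume = 'D:')
    $action   = New-ScheduledTaskAction -Execute 'vssadmin.exe' -Argument "create shadow /for=$Volume"
    $triggers = @((New-ScheduledTaskTrigger -Daily -At 7:00AM), (New-ScheduledTaskTrigger -Daily -At 12:00PM))
    Register-ScheduledTask -TaskName "VSS-Snapshot-$($Volume[0])" -Action $action -Trigger $triggers `
        -User 'SYSTEM' -RunLevel Highest -Force | Out-Null
}

# Blast radius: files on the share written after the incident began. Run this first so the
# restore covers every affected share and not only the ones users have complained about.
function Get-IncidentFiles {
    param([string]$Path, [datetime]$Since)
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since } |
        Select-Object FullName, LastWriteTime, Length
}

# Newest shadow copy of the volume that was taken *before* the encryption started.
function Get-LastGoodShadowCopy {
    param([string]$Volume = 'D:', [datetime]$Before)
    $volumeId = (Get-CimInstance -ClassName Win32_Volume -Filter "DriveLetter='$Volume'").DeviceID
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volumeId -and $_.InstallDate -lt $Before } |
        Sort-Object InstallDate -Descending | Select-Object -First 1
}

# Expose the snapshot through a junction (PowerShell cannot open \\?\GLOBALROOT paths directly)
# and copy the clean tree to a staging folder, so nothing on the live share is overwritten blindly.
function Restore-FromShadowCopy {
    param($ShadowCopy, [string]$RelativePath, [string]$Destination)
    $link = 'C:\ShadowMount'                                   # constructed mount point
    # The trailing backslash on the shadow device path is required by mklink.
    cmd.exe /c "mklink /d $link `"$($ShadowCopy.DeviceObject)\`"" | Out-Null
    try {
        robocopy (Join-Path $link $RelativePath) $Destination /E /COPY:DAT /R:1 /W:1 /NP | Out-Null
    } finally {
        cmd.exe /c "rmdir $link" | Out-Null                    # removes the junction, not the snapshot
    }
}

# Usage (constructed values): the run started just after noon, so the 12:00 snapshot is clean.
$incident = Get-Date '2016-11-22 12:30'
$touched  = Get-IncidentFiles -Path 'D:\Shares\Finance' -Since $incident
"{0} files on the share were written after {1}" -f $touched.Count, $incident
$snap = Get-LastGoodShadowCopy -Volume 'D:' -Before $incident
if ($snap) {
    "Restoring from snapshot taken {0}" -f $snap.InstallDate
    Restore-FromShadowCopy -ShadowCopy $snap -RelativePath 'Shares\Finance' -Destination 'D:\Restore\Finance'
} else {
    "No shadow copy predates the incident on D:; fall back to the disk-based backups."
}
```

Restoring into a staging folder rather than straight over the share is deliberate: it lets you compare the snapshot against what users wrote between the noon snapshot and the infection, and it keeps the encrypted copies available in case a decryptor for that family turns up later. The `else` branch is the case NIN hit on a few shares, where the snapshot did not help and the regular backups were the only way back.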