
A Blue Team's reference guide to dealing with Ransomware

Steve Ragan | March 22, 2016
Ransomware is a known threat to IT/InfoSec, but sometimes it's good to be reminded of the defenses that can be marshaled against it

"It's a team effort, but don't mistake it for being a 50/50 split of duties, it's something closer to 97/3. So, do everything you can to close the vectors of infection, and have those well-trained users represent your plan F, G, or H in mitigating this threat. Plans A through E are all on you."

Ransomware infections are reported in the media almost daily. Anti-Virus alone can't reliably stop these infections, because vendors have a hard time keeping signatures current with the latest variants. Adding fuel to the fire, the latest generation of Ransomware payloads are smaller and more targeted, so IDS/IPS protections do little to prohibit their spread either.

So the key is a layered approach like the one Tharp outlined. Even so, it's the existence of current, tested backups, paired with a solid BC/DR plan, that's going to make a world of difference in most cases.

As part of the interview, Salted Hash asked Tharp to share some Ransomware-based war stories, as they almost always make for a good lesson. He delivered as expected:

"I did see it put a company out of business, we were called for the first time after the damage was done. Their antivirus didn't catch the Ransomware until it had finished encryption, and when it sprang into action, it not only deleted the virus but also the registry keys the virus created that contained the data on how to decrypt when payment was received.

"You know the story, [the company] never tested their backups [and discovered that] backups hadn't run in five years. We had the AV vendor on the phone seeing if there was any way to un-quarantine the registry keys, no solution could be found.

"On the other hand, an organization where users knew that their workstations were treated like disposable goods and put everything on the server, was hit. The file server did backups twice daily just with standard Windows Server Backup going to a $50 external hard drive.

"That was all it took to have them operational again in hours. It doesn't have to be a gigantic expense to work from a reactive-only standpoint. Add on a cloud-backup solution that supports versioning and you at least don't have to worry about how you're going to figure out who you were supposed to bill for that order."
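The two war stories above turn on one question: when did the last backup actually run, how many versions are retained, and does a restore actually produce the live data? The script below is an added example, not code from the article or from Tharp, and it automates exactly that check. It assumes a layout in which each backup set is a directory named by UTC timestamp (e.g. `2016-03-22T06-00-00Z`), a twice-daily schedule (so a newest set older than 14 hours is stale) and a minimum of three retained versions; the file-server contents it checks are constructed sample data. The `check_backups` function does a real test restore (copies the newest set out and compares SHA-256 hashes against the live tree), so it would have flagged the five-year-old backups in the first story long before the infection.

```python
"""Backup freshness, retention and test-restore check.

Added example; assumptions (not from the article): backup sets are directories
named with TS_FORMAT, backups run twice daily, and >= MIN_VERSIONS are kept so
one run that captures already-encrypted files cannot overwrite the last good copy.
"""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timedelta, timezone

MAX_BACKUP_AGE = timedelta(hours=14)   # twice daily + 2h grace (assumed policy)
MIN_VERSIONS = 3                       # assumed retention policy
TS_FORMAT = "%Y-%m-%dT%H-%M-%SZ"       # assumed backup-set directory naming


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root):
    """Map relative path -> sha256 for every file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = sha256_file(full)
    return out


def backup_versions(backup_root):
    """Return [(timestamp, path)] sorted oldest -> newest; ignore non-matching names."""
    versions = []
    for name in os.listdir(backup_root):
        try:
            ts = datetime.strptime(name, TS_FORMAT).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
        versions.append((ts, os.path.join(backup_root, name)))
    return sorted(versions)


def check_backups(source_root, backup_root, now):
    """Freshness, retention and a real test restore. Returns a dict of findings."""
    findings = {"fresh": False, "versions": 0, "restore_ok": False, "problems": []}
    versions = backup_versions(backup_root)
    findings["versions"] = len(versions)
    if not versions:
        findings["problems"].append("no backup sets found")
        return findings
    newest_ts, newest_path = versions[-1]
    age = now - newest_ts
    findings["fresh"] = age <= MAX_BACKUP_AGE
    if not findings["fresh"]:
        findings["problems"].append("newest backup is %d days old" % age.days)
    if len(versions) < MIN_VERSIONS:
        findings["problems"].append("only %d version(s) retained" % len(versions))
    # Test restore: copy the newest set out and compare it with the live data.
    scratch = tempfile.mkdtemp(prefix="restore-test-")
    try:
        restore_dir = os.path.join(scratch, "restore")
        shutil.copytree(newest_path, restore_dir)
        restored = tree_hashes(restore_dir)
        live = tree_hashes(source_root)
        missing = sorted(set(live) - set(restored))
        changed = sorted(p for p in live if p in restored and live[p] != restored[p])
        findings["restore_ok"] = not missing and not changed
        if missing:
            findings["problems"].append("missing from backup: " + ", ".join(missing))
        if changed:
            findings["problems"].append("differs from live copy: " + ", ".join(changed))
    finally:
        shutil.rmtree(scratch, ignore_errors=True)
    return findings


def build_demo(root, now, newest_age, n_versions):
    """Constructed sample data: a tiny 'file server' plus n backup sets 12h apart."""
    source = os.path.join(root, "fileserver")
    backups = os.path.join(root, "backups")
    os.makedirs(source)
    os.makedirs(backups)
    files = {"orders/2016-03.csv": b"id,customer,amount\n1,acme,1200\n",
             "invoices/0042.txt": b"Invoice 42 - net 30\n"}
    for rel, data in files.items():
        full = os.path.join(source, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    for i in range(n_versions):
        ts = now - newest_age - timedelta(hours=12) * i
        shutil.copytree(source, os.path.join(backups, ts.strftime(TS_FORMAT)))
    return source, backups


def run_demo():
    """'healthy' mirrors the second story; 'neglected' mirrors the first (5-year-old backup)."""
    now = datetime(2016, 3, 22, 12, 0, tzinfo=timezone.utc)
    results = {}
    for label, age, n in (("healthy", timedelta(hours=6), 3),
                          ("neglected", timedelta(days=5 * 365), 1)):
        root = tempfile.mkdtemp(prefix="demo-")
        try:
            source, backups = build_demo(root, now, age, n)
            results[label] = check_backups(source, backups, now)
        finally:
            shutil.rmtree(root, ignore_errors=True)
    return results


if __name__ == "__main__":
    for label, r in run_demo().items():
        print(label, r)
```

Run it on a schedule and alert on any non-empty `problems` list; a check that only looks at the backup job's own exit code would have reported success in the first story while no data was being written at all.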

Source: CSO 
