In part 1 of this post, I discussed how one of our clients recovered from a ransomware attack using Microsoft Volume Shadow Copy Service (VSS) to revert a file server's volumes to an earlier snapshot.
How do you detect and prevent ransomware?
Unfortunately, unlike standard computer viruses from 10 or 20 years ago, contemporary malware doesn't always provide a conveniently scannable file signature. Some variants modify Windows system files. These variants aren't necessarily detectable by a standard antivirus program.
There are several things you can do proactively.
First, use a malware scanning program such as Malwarebytes to scan every Windows-based server and workstation on your network. The free version requires manual execution on each machine. There's a paid version with a centralized console that lets you push the program out to all systems. Run this periodically in addition to your regular antivirus software.
Second, look at firewalls that incorporate packet inspection of some kind. For example, both SonicWALL and Fortinet have security features that scan real-time internet traffic for viruses and malware, preventing users from downloading malware.
If you have such a firewall but haven't activated those services yet (and a lot of people don't activate them out of ignorance or uncertainty), activate them one at a time, waiting a couple of days between each new service activation to make sure your network production isn't interrupted by accident.
If your firewall doesn't happen to have anti-malware packet inspection features, consider third-party systems from vendors such as Barracuda or FireEye. These are generally network-level appliances that scan all internet traffic in real time, blocking malware and other questionable content. Some vendors even offer cloud-based versions of such services.
Finally, if you have any reason to believe that your systems may have been compromised, I strongly recommend that you perform a deep-level offline scan of your systems. By "offline", I mean creating a bootable Linux-based CD or USB containing a product such as BitDefender or ClamAV, and booting each Windows system from that CD/USB. Because Windows itself is not running, this lets you scan for malware that hides inside the Windows operating system files.
Even if you don't think you've been compromised, if you intend to put stricter antimalware controls in place such as I've described above, then it's still a good idea to perform a deep-level offline scan of all systems to make sure that you know you're starting with a clean network.
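Here is a worked version of the offline ClamAV scan described above, added as an example and not part of the original post. It assumes a Linux live CD/USB with ntfs-3g and clamav installed, a Windows system partition at /dev/sda2 (a placeholder; check with lsblk), and network access for a signature update; the log parsing functions can be used on any clamscan log.

```shell
#!/bin/sh
# Added example (not the post's own code): offline ClamAV scan of a Windows
# volume booted from a Linux live CD/USB. Assumptions: WIN_DEV is the Windows
# partition (placeholder /dev/sda2), ntfs-3g and clamav are on the live image.
set -eu

WIN_DEV="${WIN_DEV:-/dev/sda2}"          # assumed device; verify with lsblk
MNT="${MNT:-/mnt/win}"
LOG="${LOG:-/tmp/clamscan-offline.log}"

# Mount the Windows volume read-only so the scan cannot alter the disk or
# run anything from it.
mount_windows() {
    mkdir -p "$MNT"
    mount -t ntfs-3g -o ro "$WIN_DEV" "$MNT"
}

# Refresh signatures, then scan recursively, logging only infected files.
run_scan() {
    freshclam || echo "warning: signature update failed, using existing database" >&2
    # clamscan exits 1 when something was found; that is a result, not an error.
    clamscan -r -i --log="$LOG" "$MNT" || true
}

# Count detections in a clamscan log. clamscan writes one line per hit in the
# form "<path>: <signature> FOUND", so counting those lines gives the total.
count_hits() {
    grep -c ' FOUND$' "$1" || true
}

# Count detections located under the Windows directory: the case the post is
# concerned with, malware hiding inside the operating system itself.
count_system_hits() {
    grep ' FOUND$' "$1" | grep -ci '/Windows/' || true
}

if [ "${1:-}" = "--run" ]; then
    mount_windows
    run_scan
    echo "Total detections: $(count_hits "$LOG")"
    echo "Detections under /Windows/: $(count_system_hits "$LOG")"
    grep ' FOUND$' "$LOG" || echo "No infected files logged."
    echo "Full log: $LOG"
fi
```

Run it as `sh offline-scan.sh --run` from the live environment; a non-zero count under /Windows/ is the strongest sign that a standard in-OS antivirus scan would have missed something.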
The final piece of this puzzle is end-user education. Train your users not to blindly click on links in email, and to read potential phishing emails carefully. Granted, you should already have an anti-spam system of some kind in place, but no system can catch everything. Assume that a few emails with links to malware sites will still make it through your anti-spam system, and educate your users accordingly.