IT Pros - Locky Ransomware

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • IT Pros - Locky Ransomware

    My Administrator/Webmaster inboxes are getting hammered with Ransomware spam on a daily basis. Place of origin is usually the Federal District of Mexico and Indore, India. I made some progress by blocking the airtelbroadband.in domain and IP address blocks (e.g., 182.70.XXX.XXX).

    I set up User Level Filters to block these senders/attachments from people receiving them who wouldn't know any better than to not open them up. The headers are spoofed to appear as legit emails from familiar businesses, and so are the file names of the .zip/.docm/.js attachments. It's amazing in this day and age how people will still save or open files in an email client without even blinking.

    No problems yet, but this is becoming a headache trying to stay on top of this.

    What's your experience? Any suggestions?
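An added example, not code from the thread: a small Python mail filter in the spirit of the user-level filters the post describes. It checks three things the post mentions (the airtelbroadband.in sender domain, the 182.70.x.x originating block, and .zip/.docm/.js attachments); the /16 width of the network, the rule wording and the sample message are all assumptions constructed for the example.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Rules taken from the post; the /16 around 182.70.XXX.XXX is an assumption.
BLOCKED_SENDER_DOMAINS = {"airtelbroadband.in"}
BLOCKED_NETWORKS = [ipaddress.ip_network("182.70.0.0/16")]
BLOCKED_EXTENSIONS = {".zip", ".docm", ".js"}
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def relay_ips(msg):
    """IPs from every Received: hop; the From: header alone is spoofable."""
    ips = []
    for hdr in msg.get_all("Received", []):
        for text in RECEIVED_IP_RE.findall(hdr):
            if all(int(o) < 256 for o in text.split(".")):
                ips.append(ipaddress.ip_address(text))
    return ips

def filter_reasons(raw):
    """Rule hits for a raw RFC 822 message; an empty list means deliver."""
    msg = message_from_string(raw)
    reasons = []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain in BLOCKED_SENDER_DOMAINS:
        reasons.append(f"sender domain {domain}")
    for ip in relay_ips(msg):
        if any(ip in net for net in BLOCKED_NETWORKS):
            reasons.append(f"relay {ip} in blocked network")
    for part in msg.walk():
        name = part.get_filename()
        if name and "." + name.lower().rpartition(".")[2] in BLOCKED_EXTENSIONS:
            reasons.append(f"attachment {name}")
    return reasons

# Constructed sample: From: is spoofed, so only the relay IP and the .docm give it away.
SAMPLE = """\
Received: from mail.example.net ([203.0.113.5]) by mx.example.org
Received: from unknown ([182.70.11.22]) by mail.example.net
From: "Accounts Payable" <billing@familiar-business.example>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice_4471.docm"

not-a-real-document
--b1--
"""
```

The spoofed From: passes the domain rule, which is why the filter also walks the Received: chain and the attachment names instead of trusting the visible sender.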

  • #2
    Man, we've been hit twice already. Fortunately the damage has been minimal and wiping the client machines and restoring the network files from backup fixed the immediate need. I spoke with a rep that works for a security services company but unfortunately they're priced waaaay out of our price range.



    • #3
      Originally posted by GeorgeG.
      Man, we've been hit twice already. Fortunately the damage has been minimal and wiping the client machines and restoring the network files from backup fixed the immediate need. I spoke with a rep that works for a security services company but unfortunately they're priced waaaay out of our price range.
      So you can be ransomed by the ransomware, or price gouged by a reputable company.



      • #4
        ^Pretty much



        • #5
          The only surefire way to keep ransomware off of your systems nowadays seems to be end-user education. That, combined with an Active Directory GPO that keeps things from running from the users' temp folders, frequent backups, and something that will keep a .exe, .bat, etc., whitelist and bars all others from running, seem to be the only way to stop these. But end-users are dumb, and something will always find a way to fuck up your systems, so the frequent back-ups are really the key here.



          • #6
            Originally posted by Ratt
            The only surefire way to keep ransomware off of your systems nowadays seems to be end-user education.
            That's how our IT dept. is handling this. First they sent out a memo and instructional video on what to look for, and gave warning that there will be future emails sent (by our IT dept) that simulate a phishing scam. Anyone that opens the email and link will get a warning. Anyone that continues to open these test emails is subject to disciplinary action and possible termination.

            Of course several people opened the first test email and clicked the link.



            • #7
              I honestly think these are the people who want a computer virus or ransomware abound so they don't have to work as much.



              • #8
                Originally posted by cool cat
                That's how our IT dept. is handling this. First they sent out a memo and instructional video on what to look for, and gave warning that there will be future emails sent (by our IT dept) that simulate a phishing scam. Anyone that opens the email and link will get a warning. Anyone that continues to open these test emails is subject to disciplinary action and possible termination.

                Of course several people opened the first test email and clicked the link.
                Looks like there will be some job openings!



                • #9
                  Yeah, you can train all you want... preach, preach, preach, but without some negative reinforcement they won't pay attention or care. It has been proven for years.



                  • #10
                    Thanks for the feedback.



                    • #11
                      Here are 5 preventative and reactive suggestions: https://securityblog.verizonenterprise.com/?p=7471



                      • #12
                        Originally posted by cool cat
                        That's how our IT dept. is handling this. First they sent out a memo and instructional video on what to look for, and gave warning that there will be future emails sent (by our IT dept) that simulate a phishing scam. Anyone that opens the email and link will get a warning. Anyone that continues to open these test emails is subject to disciplinary action and possible termination.

                        Of course several people opened the first test email and clicked the link.
                        So your IT department will fire someone in the finance department? That seems like a bit of a stretch. I'd be very surprised to see department heads all be on board with that.

                        Negative reinforcement seems like it would be difficult to enforce, or at least to get other departments to buy in to. Maybe it happens, I just haven't seen it in my experience. It's always been "the user is the victim", or "we (IT) should have done a better job protecting our users" bullshit.



                        • #13
                          Originally posted by cool cat
                          That's how our IT dept. is handling this. First they sent out a memo and instructional video on what to look for, and gave warning that there will be future emails sent (by our IT dept) that simulate a phishing scam. Anyone that opens the email and link will get a warning. Anyone that continues to open these test emails is subject to disciplinary action and possible termination.

                          Of course several people opened the first test email and clicked the link.
                          This, but that said, we had one user allow CryptoLocker in three times. After the first time, our Systems guy sat down with him and pointed out red flags on emails and web pages.

                          Ransomware doesn't always come in by email. One of the recent ones uses a Flash Player exploit.

                          A decent UTM blocks a lot.



                          • #14
                            Originally posted by GeorgeG.
                            So your IT department will fire someone in the finance department? That seems like a bit of a stretch. I'd be very surprised to see department heads all be on board with that.
                            Possible being the key word... Probably more of an out to rid the company of under performing employees.



                            • #15
                              Originally posted by GeorgeG.
                              So your IT department will fire someone in the finance department? That seems like a bit of a stretch. I'd be very surprised to see department heads all be on board with that.

                              Negative reinforcement seems like it would be difficult to enforce, or at least to get other departments to buy in to. Maybe it happens, I just haven't seen it in my experience. It's always been "the user is the victim", or "we (IT) should have done a better job protecting our users" bullshit.
                              Generally, you're spot on. However, in some places (primarily financial/card processing) I see where the CSO type person reports directly to the CEO (not the CIO), and that changes the game from a security point of view and it becomes much more effective.

                              It also introduces a lot of delays, etc., since the security group is not under the same dynamics as the server, network, etc. groups. All that person has to do is convince the CEO and he has it handled.
