Mick Maidens

Anti Ransomware settings

I have been hit by the latest version of Rapid Ransomware twice now. Each time we have done a complete restore from cloud backup. We used Kaspersky and the virus ignored it and encrypted everything around it. The Backup Management PC had Microsoft Defender running and the virus ignored it and encrypted everything around it. In fact at one point I had the Defender screen up with a big tick in the Anti-Ransomware box and the legend "You need do nothing, you are protected" with all the icons in the background encrypted (the entire machine was encrypted, again except the antivirus and basic OS). It also happily encrypted Malwarebytes (it did not ignore them), but I have since learned that their anti-ransomware does not work on servers.

So my question is what is the best configuration for your software to protect my Servers?

I have set it to quarantine and email me and to run a full scan twice a day. But even the full malware scan only seems to take 5 minutes. I am concerned I am missing something.

My servers are running Windows SBS 2011 Premium. So 1 Exchange and 1 SQL.

Thanks for any advice.

On 6/9/2018 at 8:00 AM, Mick Maidens said:

So my question is what is the best configuration for your software to protect my Servers?

The default configuration is intended to provide optimal protection; however, in this case I think what's happening is that someone is brute forcing the administrator password for the computers via RDP and gaining direct access to them. They then either manually shut down the protection on the systems, or they manually run a tool that is capable of terminating the Anti-Virus processes (yes, there are ways to do this without it being detectable or preventable) so that they can run their ransomware unimpeded.

I highly recommend securing your systems from remote attacks. I'll post some basic steps for getting started below:

First I recommend temporarily disabling all port rules in your firewall (closing all open ports) until you can do a full audit of your firewall configuration and determine which ports need to remain open. There are some basic recommendations below to help get you started with the port audit.

If you are managing a company network, then some form of IPS/IDS is highly recommended to monitor the network for intrusions. If you already have such a system in place, then I recommend a full audit of any rules you have configured to make sure that the device is providing adequate monitoring. It is also recommended to have someone with penetration testing experience verify that the IPS/IDS is properly alerting when there are intrusion attempts.

Also, quickly change all passwords on any workstations and/or servers that are connected to the same network as the compromised system. Also be sure to change passwords on any online accounts, as well as any routers or switches (or other devices that have network-accessible administration functions).

I recommend that every account have a different password, that passwords be no shorter than 25 characters and be made up of a random combination of uppercase letters, lowercase letters, numbers, and symbols. Obviously passwords like that are difficult (if not impossible) to remember, so a password manager may be required in order to aid in managing passwords. KeePass is probably the simplest password manager, and stores password databases locally instead of on some "cloud" server. If something capable of automatically filling in passwords (or sharing passwords between multiple devices/users) is necessary, then there are reasonable password managers from LastPass, bitwarden, 1Password, Dashlane, etc. Note that unlike KeePass, these password managers work as extensions added to web browsers (or apps on mobile phones), and they store password databases online.

When auditing your firewall configuration and preparing to reopen ports, I recommend never opening ports globally unless absolutely necessary. I also recommend requiring anyone who needs access to sensitive services (RDP, Windows Networking, etc) to connect to the network via a VPN so that you don't have to open ports for those services in the firewall, and then only open the VPN port in the firewall for IP addresses that need access to it. If someone who needs access has a dynamic IP, then many firewalls these days support something like Single Packet Authorization or Port Knocking to dynamically open ports for unknown IP addresses.


Hi Arthur,

Yes, I had already read that post on securing any RDP access. We already require VPN for remote access, but it did occur to me that someone could possibly have brute forced the router password and connected that way, so I have also set that to allow remote access only from one IP address. Having said that, our suspicion is that a member of staff opened an infected email. On both occasions, the day before the attacks, myself and several members of staff received the "from the HMRC" email. Also only four computers were encrypted: both servers, the backup manager PC and one client. Anyway, that is an aside as there is no way to know, as everything has been restored from cloud backup. My concern was just that I had your AV set up the optimum way. I am also thinking of adding a USB disconnect utility so that the USB backup drive is connected just before the backups and disconnected just after they finish. My thinking is that the data would be safe if the drive was disconnected (logically, not physically). Also, is there any benefit from running a complete scan on a Sunday?

Any suggestions would be appreciated, thank you for your help.

10 hours ago, Mick Maidens said:

I am also thinking of adding a USB disconnect utility so that the USB backup drive is connected just before the backups and disconnected just after they finish. My thinking is that the data would be safe if the drive was disconnected (logically, not physically).

It is always best to keep the backup media disconnected when it is not in use. This will not always prevent backups from being affected by an infection or an attacker; however, it will limit their opportunities to do so. Rotating backup media may also help, assuming the infection/attack does not persist long enough to affect each piece of backup media as it is swapped out.

Just keep in mind that a determined attacker may stumble upon a script used to mount/unmount backup media, and use it to gain access to the backups.

If I had to be super-paranoid, I would probably set up a Linux server with plenty of storage space (RAID-10 or something similar), make sure that all ports in the firewall are closed except the ones for Samba (meaning physical access to the server is required to interact with it), set up a Samba share on the server that the Windows server with the backups can connect and write to, and configure it so that once a day the backup server copies all backup data to the Linux server and then the Linux server copies that data to a safe location on its filesystem and deletes everything in the folder shared via Samba. Compromising a Linux server is entirely possible, especially if Samba doesn't get regularly updated, but as long as all of the other ports remain closed in the firewall it will be much harder than compromising a system that needs to have services accessible on the network.

In theory you could easily do that with a Windows server as well; however, a Linux server wouldn't need to be rebooted for updates as often, and scripting updates is as easy as a simple cron job. I have a single line in crontab on my CentOS 7 server to update certain critical services daily and restart them, and then I just manually check for other updates when needed and reboot the server if I think it's necessary.

10 hours ago, Mick Maidens said:

Also is there any benefit from running a complete scan on a Sunday?

That depends on how often people save things outside of their profile folders, or other places that the Malware Scan wouldn't check. For instance if you have shared folders on a server that people save downloads and/or documents to, then it might be a good idea to set up a scheduled scan to periodically scan them. Just be sure to set up the scheduled scan on the server the shared folder is stored on.

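The daily "copy to a safe location, then empty the Samba folder" step from the Linux backup host described in the reply above, written out as an added example (this is not code from the original post or from the vendor). The landing and archive paths, the script name and the crontab line are assumptions; adapt them to your own layout.

```shell
#!/bin/sh
# Added example, not code from the original post or from Emsisoft: the daily
# "copy to a safe place, then empty the share" step for the Linux backup host
# described above. The two directories are assumptions; adapt them to your layout.
#   $1 = landing directory exported via Samba (writable by the Windows backup server)
#   $2 = archive root that is NOT exported and is only reachable locally
# Assumed root crontab entry, run after the Windows backup window finishes:
#   30 3 * * * /usr/local/sbin/ingest_backups.sh /srv/samba/landing /srv/archive
# Because this script lives outside the share, a compromised Windows host cannot
# read or alter it the way it could a mount/unmount script stored on that server.

set -eu

ingest_backups() {
    landing="$1"
    archive="$2"
    dest="$archive/$(date +%Y%m%d-%H%M%S)"

    mkdir -p "$dest"
    # Copy first (including dotfiles, preserving attributes); delete only after
    # the copy has been checked, so a failed copy never destroys the only copy.
    cp -a "$landing"/. "$dest"/

    # Cheap integrity check: the file count must match before anything is removed.
    src_count=$(find "$landing" -type f | wc -l | tr -d ' ')
    dst_count=$(find "$dest" -type f | wc -l | tr -d ' ')
    if [ "$src_count" -ne "$dst_count" ]; then
        echo "ingest: file count mismatch ($src_count vs $dst_count); landing left intact" >&2
        return 1
    fi

    # Make the archived copy read-only so it cannot be rewritten or encrypted in
    # place by anything that later reaches this host through the Samba account.
    chmod -R a-w "$dest"

    # Empty the landing share so the Windows side never sees older backups that
    # it could overwrite or encrypt.
    find "$landing" -mindepth 1 -delete

    echo "$dest"
}

# Run when invoked with both paths (cron); do nothing when merely sourced.
if [ "$#" -eq 2 ]; then
    ingest_backups "$1" "$2"
fi
```

The archive root should sit on the RAID volume the reply mentions and never be exported over Samba; only the landing directory is shared.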
