PSA - Again about backups
- rjohnson
- Duck South Addict
- Posts: 4895
- Joined: Mon Jan 17, 2005 11:28 am
- Location: Brandon, MS
PSA - Again about backups
http://www.pcworld.com/article/2600543/ ... files.html
If any of you have heard of the CryptoLocker ransomware, there is one that one-upped it called CryptoWall. It has been out since late last year but has only recently really been making its presence known. Once a PC is infected it will start encrypting PDF, XLS, DOC, and other common files on the PC, then move on to mapped network drives and even Dropbox. It will put the files above in each folder it encrypts. It is piggybacked on other downloads from the web on infected sites and through email attachments that users just can't refrain from opening. So again, if you're not backing your stuff up you either pony up the ransom or lose the files. Average ransom is $500. I'm putting this out there because I'm helping someone recover from this infection right now. Fortunately we have multiple levels of backups for them and they are only losing about 30 minutes' worth of work today. So be careful what you download, keep your AV up to date, and back up your stuff!!!!
http://www.lithicIT.com My biz
-
- Duck South Addict
- Posts: 8273
- Joined: Tue Jan 25, 2005 8:35 pm
- Location: Sylacauga Alabama via Louisville MISSISSIPPI
Re: PSA - Again about backups
Something very similar happened to a lady in our corp office. It got her computer, then got on the network drive and hacked all of our stuff: HR, accounting, etc... Ransom was $850 and once paid everything was returned, but it took 3 weeks of no internet/email to get fixed and back up. Pain in the ass for all the sales team and resort staff, sure am glad I just grow grass lol
Life is too short to only fish on weekends
- lilwhitelie
- Duck South Addict
- Posts: 2092
- Joined: Sat Feb 12, 2005 8:21 pm
- Location: brandon, ms
Re: PSA - Again about backups
My lord was I wrong on this topic!!! I see PSA and think it's a dang prostate information topic. And the backups part was really scary.
HRCH JB'S LIL WHITE LIE
Re: PSA - Again about backups
lilwhitelie wrote: My lord was I wrong on this topic!!! I see PSA and think it's a dang prostate information topic. And the backups part was really scary.
I was thinking Palmetto State Armory and backup meaning buy more guns and ammo...
Re: PSA - Again about backups
This junk hit us yesterday. It infected about 16,000 network files. The majority of those files were backed up each night, with the exception of a "temp" cifs share of 10gig which will be a complete loss. The poor Symantec sales guy that just called me wanting to sell something got ambushed. Bad timing on his part.
Looking for 2 duck calls from Dominic Serio of Greenwood (ones for Novacaine)
"Most Chesapeakes, unless in agreement that it is his idea, will continually question the validity of what he is being asked to do" - Butch Goodwin
- rjohnson
- Duck South Addict
- Posts: 4895
- Joined: Mon Jan 17, 2005 11:28 am
- Location: Brandon, MS
Re: PSA - Again about backups
teul2 wrote: This junk hit us yesterday. It infected about 16,000 network files. The majority of those files were backed up each night, with the exception of a "temp" cifs share of 10gig which will be a complete loss. The poor Symantec sales guy that just called me wanting to sell something got ambushed. Bad timing on his part.
No antivirus will work if the user opens the attachment and runs it. Can't take human error out of the equation unfortunately. Poor Symantec sales guy.
http://www.lithicIT.com My biz
Re: PSA - Again about backups
rjohnson wrote: No antivirus will work if the user opens the attachment and runs it. Can't take human error out of the equation unfortunately. Poor Symantec sales guy.
The user says she did not download anything nor open any attachments. She was researching her kids science project and got hit. They are calling this one a 'Drive-by-download' attack and Symantec Endpoint Protection missed it. But they are also telling me we needed an "add-on" to our current product to stop this. The infection only got her profile on the computer and network drives she had access / permission to. This is my number one reason for not giving users admin rights to their computers and restricting file access rights to only job essential needs. If they can't install software, they can't spread viruses as easily.
Looking for 2 duck calls from Dominic Serio of Greenwood (ones for Novacaine)
"Most Chesapeakes, unless in agreement that it is his idea, will continually question the validity of what he is being asked to do" - Butch Goodwin
Re: PSA - Again about backups
rjohnson wrote: No antivirus will work if the user opens the attachment and runs it. Can't take human error out of the equation unfortunately. Poor Symantec sales guy.
teul2 wrote: The user says she did not download anything nor open any attachments. She was researching her kids science project and got hit. They are calling this one a 'Drive-by-download' attack and Symantec Endpoint Protection missed it. But they are also telling me we needed an "add-on" to our current product to stop this. The infection only got her profile on the computer and network drives she had access / permission to. This is my number one reason for not giving users admin rights to their computers and restricting file access rights to only job essential needs. If they can't install software, they can't spread viruses as easily.
Assuming a client-based web/url traffic firewall? We utilize one as an accompaniment to our client AV. It blocks rogue or malicious content/websites before it has a chance to infiltrate the client.
(╯°□°)╯︵ ┻━┻
Re: PSA - Again about backups
me to program mgr when he got a 'vm from microsoft' via email: "did you click on anything?"
him: "no i did not....well, the first time i did, but only the once."
DOH! or rather DUH!
Experience is a freakin' awesome teacher...
- rjohnson
- Duck South Addict
- Posts: 4895
- Joined: Mon Jan 17, 2005 11:28 am
- Location: Brandon, MS
Re: PSA - Again about backups
rjohnson wrote: No antivirus will work if the user opens the attachment and runs it. Can't take human error out of the equation unfortunately. Poor Symantec sales guy.
teul2 wrote: The user says she did not download anything nor open any attachments. She was researching her kids science project and got hit. They are calling this one a 'Drive-by-download' attack and Symantec Endpoint Protection missed it. But they are also telling me we needed an "add-on" to our current product to stop this. The infection only got her profile on the computer and network drives she had access / permission to. This is my number one reason for not giving users admin rights to their computers and restricting file access rights to only job essential needs. If they can't install software, they can't spread viruses as easily.
Same here in now two different instances. Neither received a malicious attachment nor installed any new software. AV appears to have missed it in both locations. Plan to check some clients' firewalls this afternoon that have content filtering enabled to see if it is being blocked successfully with that. Sneaky little devil this one is.
http://www.lithicIT.com My biz
Re: PSA - Again about backups
Yes edub, we have a Barracuda webfilter.
Been on the phone with Symantec and they are telling me that we need the "web gateway module" to prevent this infection. Which happens to not be standard on our version of SEP. Have to step up to the SPS Enterprise version.
Looking for 2 duck calls from Dominic Serio of Greenwood (ones for Novacaine)
"Most Chesapeakes, unless in agreement that it is his idea, will continually question the validity of what he is being asked to do" - Butch Goodwin
Re: PSA - Again about backups
Due diligence means you have to buy & implement the safeguards. But I really don't think you can't beat this stuff, all you can do is increase your resilience. System Center Configuration Manager for re-imaging + nightly backup of clients' My Documents folders to network attached storage.
Re: PSA - Again about backups
JDgator wrote: Due diligence means you have to buy & implement the safeguards. But I really don't think you can't beat this stuff, all you can do is increase your resilience. System Center Configuration Manager for re-imaging + nightly backup of clients' My Documents folders to network attached storage.
you left out user rights restrictions
(╯°□°)╯︵ ┻━┻
Re: PSA - Again about backups
JDgator wrote: Due diligence means you have to buy & implement the safeguards. But I really don't think you can't beat this stuff, all you can do is increase your resilience. System Center Configuration Manager for re-imaging + nightly backup of clients' My Documents folders to network attached storage.
edub20 wrote: you left out user rights restrictions
Computer Nazi!!!