Ask HN: Ransomware preparedness how difficult is it?
3 points by ThinkBeat on Sept 5, 2021 | 2 comments
Right off, my knowledge of current enterprise sysadmin stuff is quite out of date. Looking forward to learning :)

What is RW? -- My understanding is that it is a form of malware that encrypts your data and the only way to unlock it is to pay a ransom.

The newer version attempts to extract sensitive files prior to encryption, so there is a double threat.

Not only is your data encrypted and unavailable, it is also in the hands of nefarious criminals who could publish the files or do something else evil with the files.

Mitigation --

I don't know much about the extraction of files, I will leave that alone.

Firewalls, endpoint protection, active analysis of data streams for unusual activities. I presume this is done and done correctly.

Would backups save you?

I am not sure of current practice, so this may be too old.

A company should have a solid, maintained, well funded and staffed backup strategy that is tested often to ensure it works.

Then they have a backup system of the backup system off site entirely locked down.

All files on file servers are backed up incrementally every 10 mins (or whatever) as a continuous cycle.

File servers, databases, mail servers and other data silos are backed up in the same way.

No end-user PCs, and extremely few in total, have any access to the backup system.

All PCs, servers, etc run premade images (is Ghost still a thing?).

When shit hits the fan --- a) Destroy all data from the past 30 mins / 1 hour, restore.

b) Destroy all data from the past 30 mins / 1 hour. Reformat all computers, via standard images, restore backup.

c) Destroy all data from the past 30 mins / 1 hour. Keep a set of pristine, unused, brand new computers in easy-to-reach storage. Format using images, restore data from before the files got encrypted, unplug and junk existing PCs.

-

It seems to me that if a company has a well-working backup strategy and execution, then downtime for a ransomware attack can be timeboxed. If it needs to be done faster, then invest more into the system to make it happen.

Maybe the reserve computers are already imaged as needed, and those images are updated at the same time as the production PCs (end user for instance).

Perhaps there are many datastores these days that are hard to backup?

If that is the case, it might be a good reason not to use them?

I am sure I am missing a lot and I look forward to learning more.

If the company has a solid, maintained backup of files and data they can shut everything down, reformat the computers and servers, restore



Thanks, I'm interested in this too.

I have seen talk about the issue of your restore image containing unpatched (or even zero day) vulnerabilities. So you need to worry about your restored systems quickly becoming compromised again.

Also that your backups should be pulled to an independent backup system instead of pushed, so the compromised machine can't potentially ruin your backups. (Then you would need to wait longer for your off-site backup to restore your backup.)

If you can't audit that it was simply a successful phishing attempt and you just need to revoke keys and passwords. I suppose a super expensive solution would be to use multiple operating systems and software platforms so you have a chance to get yourself back up and running on a different environment with different vulnerabilities that aren't presently being attacked?

I'm excited to hear from someone who sounds like a professional.

I suppose this is really a more general question of how do I prevent remote code execution? Traffic analysis probably has to be done on an independent gateway? I assume that's hard in a large network vs a botnet... Block Tor IPs from any ports except your application/web ports? Because I'd like to support the good guys on Tor...


Thank you for responding.

Yes, the "front line" barriers of firewalls and traffic analysis and a lot of things I surely do not know much about. I have experience with that but more than a decade ago.

My question was more directed towards after the breach.

How do you recover?

You made an excellent point that restoring from an image that contains the same vulnerabilities that allowed the attack in the first place is not a great idea.

I guess the first step is triage to figure out how it got in and what it was. Then needed updates can be applied to the images prior to roll out.

I think all companies now need to presume they will be victims of ransomware at some point.

As I heard someone say at DefCon, there are those who have been hacked and know, there are those who have been hacked and don't know, and there are the people who will be hacked in the future.

It will happen. (a pessimistic but I think realistic view)

After I wrote the post, I thought about a place I was working maybe 25 years ago. Iffy on the years. This was a law enforcement agency at the federal level. They had a WORM robot. It would continuously (or some such) store incoming data / created data to a disc (sort of like a CD/DVD but a lot more storage per disc). Given that you could write once, there was no way (or none I heard of) to corrupt data. It would of course also write post-ransomware encrypted data, but the originals would be safe.

It could also fetch discs from its library automatically to restore data at a specified time in the past.

I am thinking that such a system would not be able to keep up with the volume of data today.

Streamer tapes are still around and have decent storage capacity at the high end. Back in the day, the drill was to back up to tape, and then rotate the tapes. 5 tapes.

You could just get new tapes and have a good system. They also have robots that do that. Or at least used to have.

The good old days :)

I am hoping to learn from guys a lot smarter than me, who have experience.
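Three ideas run through this thread: the OP's "restore data from before the files got encrypted", the reply's point that backups should be pulled by an independent system rather than pushed by the (possibly compromised) client, and the OP's memory of a WORM library that could restore to a specified time in the past. The following is an added example, written for this page and not code from any of the posters or from any backup product; it is a hypothetical, minimal design in Python that puts those three properties together: a store that only ever pulls from the source tree, never overwrites an object or manifest once written, picks the latest snapshot before a given cutoff for restore, and flags any snapshot in which most previously backed-up files changed at once (the mass-modification pattern a ransomware run leaves in the backup history). The file names, contents and timestamps in `demo()` are constructed sample data.

```python
"""Append-only snapshot store with pull-based ingest and point-in-time restore.
Added example for this thread; a hypothetical design, not any product's API.
All sample files are constructed inline so the script runs offline."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Content hash used both as the object name and as a restore check."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class SnapshotStore:
    """Backup-server side. It pulls from the source tree (the source holds no
    credentials for the store), and an object or manifest, once written, is
    never overwritten: a software stand-in for the thread's WORM discs."""

    def __init__(self, root: Path):
        self.root = root
        (root / "objects").mkdir(parents=True, exist_ok=True)
        (root / "snapshots").mkdir(exist_ok=True)
        self._next = len(list((root / "snapshots").glob("*.json")))

    def pull(self, source: Path, taken_at: float) -> str:
        """Read every file under `source`, store content by hash, record a
        manifest. Returns the new snapshot id."""
        files = {}
        for path in sorted(p for p in source.rglob("*") if p.is_file()):
            digest = sha256_file(path)
            obj = self.root / "objects" / digest
            if not obj.exists():                 # write once; never rewrite
                shutil.copyfile(path, obj)
            files[str(path.relative_to(source))] = digest
        snap_id = f"{self._next:06d}"
        self._next += 1
        # mode "x" refuses to clobber an existing manifest
        with open(self.root / "snapshots" / f"{snap_id}.json", "x") as f:
            json.dump({"taken_at": taken_at, "files": files}, f)
        return snap_id

    def snapshots(self) -> list:
        """(id, manifest) pairs, oldest first."""
        out = []
        for p in sorted((self.root / "snapshots").glob("*.json")):
            with open(p) as f:
                out.append((p.stem, json.load(f)))
        return out

    def restore_point_before(self, cutoff: float):
        """Latest snapshot taken strictly before `cutoff`, the time the
        encryption is believed to have started; None if there is none."""
        ok = [(sid, m) for sid, m in self.snapshots() if m["taken_at"] < cutoff]
        return ok[-1] if ok else None

    @staticmethod
    def change_ratio(prev: dict, cur: dict) -> float:
        """Fraction of files in `prev` that are changed or missing in `cur`."""
        if not prev["files"]:
            return 0.0
        changed = sum(1 for n, d in prev["files"].items() if cur["files"].get(n) != d)
        return changed / len(prev["files"])

    def suspicious_snapshots(self, threshold: float = 0.5) -> list:
        """Ids of snapshots in which more than `threshold` of the previously
        backed-up files changed at once: a crude mass-modification alert."""
        snaps = self.snapshots()
        return [sid for (_, pm), (sid, m) in zip(snaps, snaps[1:])
                if self.change_ratio(pm, m) > threshold]

    def restore(self, snap_id: str, dest: Path) -> int:
        """Materialise a snapshot into `dest`, verifying each file's hash.
        Returns the number of files restored."""
        manifest = dict(self.snapshots())[snap_id]
        for name, digest in manifest["files"].items():
            target = dest / name
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copyfile(self.root / "objects" / digest, target)
            if sha256_file(target) != digest:
                raise RuntimeError(f"integrity check failed for {name}")
        return len(manifest["files"])


def demo() -> dict:
    """Constructed scenario: two clean pulls, then a pull after every file on
    the 'file server' was replaced by random bytes and renamed, as ransomware
    would. Returns the values a caller (or test) can check."""
    work = Path(tempfile.mkdtemp())
    src, out = work / "fileserver", work / "restored"
    src.mkdir()
    out.mkdir()
    for i in range(4):
        (src / f"doc{i}.txt").write_text(f"quarterly report {i}\n")
    store = SnapshotStore(work / "store")
    store.pull(src, taken_at=1000.0)
    (src / "doc0.txt").write_text("quarterly report 0, revised\n")  # normal edit
    store.pull(src, taken_at=2000.0)
    for p in list(src.glob("doc*.txt")):                            # simulated encryption
        p.write_bytes(os.urandom(64))
        p.rename(p.with_suffix(".locked"))
    store.pull(src, taken_at=3000.0)
    good_id, _ = store.restore_point_before(cutoff=2500.0)
    restored = store.restore(good_id, out)
    return {
        "snapshots": [sid for sid, _ in store.snapshots()],
        "suspicious": store.suspicious_snapshots(),
        "restore_point": good_id,
        "restored_files": restored,
        "restored_doc0": (out / "doc0.txt").read_text(),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script restores the second snapshot (the last one taken before the chosen cutoff) and reports the third snapshot as suspicious, because every file that existed before changed or vanished in one interval. The write-once rule is what makes the older snapshot trustworthy even though the third pull faithfully recorded the encrypted files, which is exactly the property the OP remembered from the WORM library; in production the same idea is delivered by immutable object storage, snapshot retention locks, or offline tape, and the change-ratio check is the kind of signal that would tell the backup operator to stop the rotation and start triage rather than letting good copies age out.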



