Analysis of Locky ransomware

BRRABill

@Dashrender said:

And for exactly that reason you mention (Excel, yes, Word, no) I don't understand why they didn't do this in Excel instead. lol

Counter-intuitivism.

NO ONE would look in a Word Macro! Ha ha ha.

Dashrender

@BRRABill said:

What is the current thinking for the best practice to protect against this kind of stuff?

At the beginning, simply not mapping drives was enough, but obviously the malware evolves.

I mean, what do we think is the final step that will protect us now, and as far into the future as we can see?

The use of things like ownCould and SharePoint put a huge dent in these types of things. If you have versioning turned on in both, you really mitigate the problem altogether in those spots.

The problem is the local syncing. Those files will act and appear just like normal files on the endpoint, and be subject to this problem.

I can think of no way around this on local files.

Dashrender

@BRRABill said:

@Dashrender said:

And for exactly that reason you mention (Excel, yes, Word, no) I don't understand why they didn't do this in Excel instead. lol

Counter-intuitivism.

NO ONE would look in a Word Macro! Ha ha ha.

eh? by default you still have to tell it to enable macros to run the crap.. that should be a huge red flag.

BRRABill

@Dashrender said:

The use of things like ownCould and SharePoint put a huge dent in these types of things. If you have versioning turned on in both, you really mitigate the problem altogether in those spots.

With SharePoint, only with Microsoft files.

BRRABill

@Dashrender said:

eh? by default you still have to tell it to enable macros to run the crap.. that should be a huge red flag.

You don't think people have that security setting turned off because they got tired of seeing it?

hubtechagain

one of my clients who has the WORST ehr on the planet uses macro's in word and have to be enabled by default and it's very insecure. anyway....i've warned them of this disease, and will filter out doc/docx

BRRABill

@Dashrender said:

The problem is the local syncing. Those files will act and appear just like normal files on the endpoint, and be subject to this problem.

I can think of no way around this on local files.

It's getting to the point where I am going to have to cave and agree 100% with SAM that the only safe thing is having NO local files.

But that just causes so many issues, like backup. I'd love to just throw everything in OneDrive but then if I inadvertently overwrite something (or Microsoft inadvertently messes something up) I have some issues.

JaredBusch

@BRRABill said:

@Dashrender said:

The problem is the local syncing. Those files will act and appear just like normal files on the endpoint, and be subject to this problem.

I can think of no way around this on local files.

It's getting to the point where I am going to have to cave and agree 100% with SAM that the only safe thing is having NO local files.

But that just causes so many issues, like backup. I'd love to just throw everything in OneDrive but then if I inadvertently overwrite something (or Microsoft inadvertently messes something up) I have some issues.

You still need backup. Having files offsite does not resolve that issue.

Dashrender

@BRRABill said:

@Dashrender said:

The use of things like ownCould and SharePoint put a huge dent in these types of things. If you have versioning turned on in both, you really mitigate the problem altogether in those spots.

With SharePoint, only with Microsoft files.

eh? you can store anything you want in SharePoint. and versioning should work just fine with those too - it just won't be incremental, it will be whole files.

stacksofplates

Ha maybe this will put an end to recruiting agencies wanting you to send your resume as a Word file.

I spoke with one recently who wanted me to send my resume as a Word file so she could "copy the information out of it." The resume she had was a PDF..... I don't trust them if they want a docx file.

Dashrender

@JaredBusch said:

@BRRABill said:

@Dashrender said:

The problem is the local syncing. Those files will act and appear just like normal files on the endpoint, and be subject to this problem.

I can think of no way around this on local files.

It's getting to the point where I am going to have to cave and agree 100% with SAM that the only safe thing is having NO local files.

But that just causes so many issues, like backup. I'd love to just throw everything in OneDrive but then if I inadvertently overwrite something (or Microsoft inadvertently messes something up) I have some issues.

You still need backup. Having files offsite does not resolve that issue.

Just tossing this out there - Scott's suggestion isn't about offsite files, it's just about not being local on the machine.

Dashrender

I'm wondering though - do most people use ownCloud (OK JB I can learn) with synced folders? Does ownCloud have versioning?

Using sync'ed folders like OneDrive or ODfB remove the safety that those solutions otherwise provide.

BRRABill

@Dashrender said:

you can store anything you want in SharePoint. and versioning should work just fine with those too - it just won't be incremental, it will be whole files.

Does SharePoint do versioning of non-Microsoft files?

For example, if you are editing a text file or picture, or any non-Microsoft files?

BRRABill

@JaredBusch said:

You still need backup. Having files offsite does not resolve that issue.

That's where the confusion still lies for me.

How are people backing up their data that is solely in OneDrive or Amazon Drive, etc..

BRRABill

@Dashrender said:

Just tossing this out there - Scott's suggestion isn't about offsite files, it's just about not being local on the machine.

Well then where would these "non local" files be stored?

Dashrender

@BRRABill said:

@JaredBusch said:

You still need backup. Having files offsite does not resolve that issue.

That's where the confusion still lies for me.

How are people backing up their data that is solely in OneDrive or Amazon Drive, etc..

Well those two options specifically don't have promises from the vendor for backups - but you could probably sweat talk them into restores.

ODfB on the other hand is SharePoint, and assuming we're talking about O365, then MS will do restores from the backups they take.

BRRABill

I wonder if there are services out there that do backups of online services. I bet there are.

OFF TO GOOGLE!

I know, for example, that Datto does Office365 (and other cloud services) backups. But I wonder if there is anything for straight OneDrive. Take local totally out of the equation.

Dashrender

@BRRABill said:

@Dashrender said:

Just tossing this out there - Scott's suggestion isn't about offsite files, it's just about not being local on the machine.

Well then where would these "non local" files be stored?

Where ever you want them - on a LAN based SharePoint server or ownCloud server. They wouldn't be offsite, just not local to the machine in question.

BRRABill

@Dashrender said:

Where ever you want them - on a LAN based SharePoint server or ownCloud server. They wouldn't be offsite, just not local to the machine in question.

Ah, I see.

I guess I am thinking more of the individual user.

Dashrender

@BRRABill said:

@Dashrender said:

Where ever you want them - on a LAN based SharePoint server or ownCloud server. They wouldn't be offsite, just not local to the machine in question.

Ah, I see.

I guess I am thinking more of the individual user.

In that case, correct OneDrive for a home user is not a backup - it's simply online storage.

Great question about what people should do for OneDrive/Google Drive, etc free services for actual backup.