Get the Slide Deck
I've uploaded the slide deck and it can be downloaded HERE.
Webinar Q&A
Q: What can ransomware encrypt? All Local HDs, any network shares? Mapped Drives?
Really this depends on the variant of ransomware in question, but generally assume anything and everything the affected user has access too. In most cases this will include the local workstation files and mapped network drives for the user, but there are variants that are intelligent enough to seek out UNC paths and unmapped (but accessible) network shares.
Q: How would you propose an MSP keep all the FSRM file screens up to date across multiple client environments?
The best route for this would be via PowerShell and you're RMM utility. Most RMM utilities such as LabTech or Kaseya, have the ability to push scripts to monitored endpoints. Pairing an applicable PowerShell script with your RMM utility in this fashion should do the trick.
Q: Is there a chance for ransomware to lie dormant for a period of time and then execute later on?
There are some variants out there like this, but the techniques shown by Luke in the webinar should still help you catch them when they attempt to execute, despite having been laying dormant for a period of time. Once that happens you should then be able to track down the offending file's location and remove it.
Q: If disk-based backups are housed on premises is there a risk that the backups are also affected?
Q: Since cloud based backups are basically networked, what is preventing them from getting encrypted as well?
Q: How do you keep your list of FSRM extensions current?
Most AV Websites will post newly discovered extensions so that you can keep your lists up to date. Luke will be posting his own follow up post with this information and links to valid sources for this info in the coming days.
Q: What if attackers start using valid file extensions for their attacks? Wouldn't that circumvent FSRM?
That would makes things more difficult to be sure. It's not a 100% effective solution, but it will prevent a large portion of infections. Paring this with other prevention options will be most effective.
Q: Does Ransomware infect the local machine first, then network drives? Is it random based on variant?
This will be dependent on the variant of the infection.
Q: Can Ransomware encrypt data stored in a database, or damage application files?
Yes, and Yes. All ransomware has to do to affect data inside of a DB is encrypt the MDF (in the case of MSSQL) file and all the data contained within it is now encrypted. The same is true of application files.
Q: Why don't email filtering products block the ransomware attachments from executing?
I've seen a lot of the attachments made to look like MS word documents or PDFs. If you have a really strict AV policy that blocks those type of documents or restricts opening documents all together then you would be fine, but most SMB sized companies don't have policies like that in place. Additionally the emails will just contain a link, which is problematic as well.
Q: Have you encountered a real case where ransomware has encrypted a Hyper-V host? If yes, What was done to resolve it.
Q: Dmalock3.0 encrypts local storage and all shares on the network and does not rename file extensions. Additionally the attacker remotes in and deletes backups. Any prevention against this type of attack?
1st line of defense is always user training and then utilizing web and spam filters. Those will help mitigate the risk. If your only backup method is windows backup and shadow copies i can see it being feasible to sniff out and delete backups but if you're using a 3rd party application to perform the backups, this will certainly be more difficult. Additionally, if the attacker gains the administrative rights needed to sniff out 3rd party backups, assume anything is possible.
Q: Is Ransomware using it's own cryptography infrastructure or OS-based?
This is dependent on the variant of ransomware in question.
Q: Is it possible for a Network Attached Storage (NAS) to get encrypted?
If the ransomware is executing with an account that has access to that location, it most likely has the ability to do so.
Q: Antivirus and Anti Malware software has been improving every year. Based on your opinions, would you say that ransomware is the biggest challenge that we have as far as viruses and malware is concerned?
I'm not sure I would say it's the biggest, but it's perhaps the most unique in it's execution. With the advent of state-sponsored malware that has the ability to cause physical damage to critical country infrastructure, I would likely rank that higher on the challenge list than ransomware.
Q: How do we protect local data on the workstation in a similar fashion to what you did in the demo with FSRM?
FSRM would not help in this case. You would have to use software restrictions as discussed in the webinar, and it also helps to make sure that you're using an account that is NOT a local administrator for your day to day work.
Q: Is there any performance impact on the file server when using file screening with FSRM?
Performance impact is quite small and likely negligible.
Q: Is data better protected on say, Office 365 - OneDrive for business, or Dropbox, than on normal storage?
The problem with these types of technologies is that they usually involved some sort of sync operation on the local machine. Hence if the local files are encrypted, they will sync back to the cloud location as the applet has detected a "new version" of the affected file.
Q: We have a fileshare on a linux/unix box - mapped via a network drive. What would you recommend as an alternative to FSRM.
To my knowledge, there is no Linux equivalent to FSRM at this time.
If you had an Altaro VM Backup specific question...
Please refer to our Product page HERE, and our FAQ HERE.