[ALUG] Ransomware: most dangerous cyber threat

Andreas Tauscher ta at geuka.net
Thu Nov 10 12:53:41 EAT 2016


On 10.11.2016 07:29, James Julius via Linux wrote:
> Hi Haward,
> 
> The threat is not on Linux machines but on Windows machines, as
> most of us in one way or another are supporting someone with a
> Windows machine, I think we should be aware of this.

This is not correct. TeslaCrypt targets Wordpress and Joomla.

> According to my research it seems there is no way to recover the
> encrypted files or decrypt them without paying the attacker for
> decryption keys, and there is also no guarantee they will give you
> the key, the best way is to use the offline backup taken before the
> virus hit, as the

Offline backup? A "backup" on the same physical machine, or even worse
on the same physical drive, is a copy but not a backup.

> very bad thing is when the virus hits one machine it scans all the
> connected drives, which means it can affect the server also, and this
> means it can affect all machines connected to that server.

A system of access rights is needed.
No user must have administrative rights.
A user has access only where he needs it. And write access really only
where needed.
No relevant files are saved on a workstation, or only as a shadow copy.
A corporate network is split into subnets, e.g. per department, and
these may again be split into subnetworks.
Frequent backups.
The backup system is best not running on the computer being backed up.
It is an independent system.
A revision control system is an advantage also. If ransomware has
encrypted your documents you still have the last unencrypted revision.
Really critical systems holding sensitive or important documents don't
have a direct internet or even LAN connection at all; files and email
are opened over a remote desktop solution and transferred through a
proxy system.

> It is a very bad threat when you come across it, I think we should be
> aware.

The No. 1 infection route is e-mail attachments.
Seeing whether a mail is suspicious needs training.
Most of these mails you really spot at first glance, if you know what
to look for.
Often the mails come from sender addresses you know.

To prevent your company mail domain from being abused to spread
ransomware, a few things are very helpful:
DKIM/DMARC with a strict reject policy if DKIM fails.
PGP and S/MIME signatures.
A strict policy on how corporate email is used and what a corporate mail
has to look like.
Instead of this nonsense disclaimer in the footer about confidential
content and blabla, better put there a link to a page on your website
where you explain what an authentic mail from you looks like and how it
can be verified. If your mail is confidential then send it encrypted.
For example, invoices etc. always coming from the same sender address,
and make your clients aware of this.

Andreas
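
A small check for the "DKIM/DMARC with a strict reject policy" point above, added here as an example and not part of the original thread. It parses a domain's DMARC TXT record and lists everything that falls short of p=reject on all mail with strict DKIM alignment; the domains and records are constructed samples, and the live DNS lookup of _dmarc.<domain> is left out so it runs offline.

```python
"""Evaluate a DMARC TXT record for the strict-reject posture the post
recommends. Added example, not from the original thread. Record strings
below are constructed samples; a live check would look up the TXT record
at _dmarc.<domain>, which is skipped so this runs offline."""

# Constructed sample records for hypothetical domains.
SAMPLE_RECORDS = {
    "strict.example": "v=DMARC1; p=reject; adkim=s; aspf=s; pct=100; "
                      "rua=mailto:dmarc-reports@strict.example",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=50; adkim=r",
    "broken.example": "v=DMARC1 p=reject",  # missing ';' separator
}

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record (RFC 7489 tag=value list) into a dict.
    Whitespace is tolerated; parts without '=' are skipped."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_findings(record: str) -> list:
    """Return reasons the record is weaker than 'reject on failure'.
    An empty list means p=reject on 100% of mail with strict DKIM
    alignment, i.e. the strict reject policy the post recommends."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("missing or invalid v=DMARC1 tag")
    policy = tags.get("p")
    if policy != "reject":
        findings.append(f"policy is {policy!r}, not 'reject'")
    if tags.get("sp", policy) != "reject":
        findings.append("subdomain policy (sp) is weaker than reject")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of the mail")
    if tags.get("adkim", "r") != "s":
        findings.append("DKIM alignment is relaxed; set adkim=s")
    if "rua" not in tags:
        findings.append("no rua address, so aggregate reports are not received")
    return findings

def is_strict_reject(record: str) -> bool:
    return not dmarc_findings(record)
```

Run it over your own record (e.g. the output of `dig +short TXT _dmarc.yourdomain`) and fix every finding before relying on receivers to reject forged mail.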
