Small Business Server

Keyboard equipped with a red ransomware dollar button.
Keyboard equipped with a red ransomware dollar button.

There has been report of several companies becoming infected by the Crysis Ransomware and as such we have had a look into what it does and how it can be prevented.

History

First detected in February 2016, this virus has multiple methods of infection typically an email which has attachments using double extensions to make them appear non-executable.  Although it has been seen to also come through SPAM emails and compromised websites.  There has also been reports that it has been distributed to online locations and shared networks disguised as an installer for various legitimate programs.

Description

Crysis Ransomware itself is capable of encrypting over 185 file types across fixed, removable and networks drives and uses RSA and AES encryption, once infected it will also look to delete the computers shadow copies.  Whilst also creating copies of itself into the following locations.

  • %localappdata%\­%originalmalwarefilename%.exe
  • %windir%\­system32\­%originalmalwarefilename%.exe

The virus will then look to create/edit certain registry keys to ensure it is run on each system start.

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%originalmalwarefilename%" = "%installpath%\­%originalmalwarefilename%.exe"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%originalmalwarefilename%" = "%installpath%\­%originalmalwarefilename%.exe"

Finally after encryption there is a .txt file placed in the computers desktop folder, sometimes this accompanied by an image set as the desktop wallpaper.

  • %userprofile%\­Desktop\­How to decrypt your files.txt

There has also been reports of Crysis stealing data and credentials from the affected machines and passing these back to its Command and Control server.  This would then allow the computers and local networks that have been infected to become vulnerable to further attack if the credentials are not changed.

It has also been seen that Crysis will monitor and gather data gathered from IM applications, webcams, address books, clipboards and browsers prior to sending this to the C&C server with the windows variant stealing account and password credentials.

Prevention

To reduce the risk of infection we recommend the following

  • Ensure you are using an upto date AV product
  • Ensure any specific Ransomware prevention tools in the AV are used
  • Ensure you have a regular tested backup of the data
  • Educate users in the dangers of opening attachments from an unknown source

 

 

Bitdefender have updated their GravityZone cloud console with some new features over the weekend and here at Blue Solutions we are happy to guide you through these changes and how they will affect you and your customers.

Anti-Ransomware

The big news is that Bitdefender has now incorporated Anti Ransomware vaccine to all its cloud customers, and will be rolling this out through the on-premise version on Tuesday 27th Sep 2016.  This module is activated through the policy section  Antimalware --> On Access settings

Gravityzone Ransomware Vaccine Policy Setting
Gravityzone Ransomware Vaccine Policy Setting

By activating this module, machines will be protected from all currently known forms of Ransomware.

Other New Features

Update Rings - this feature allows Administrators of the program to  chose when in the validation cycle an update is received.

Anti-Exploit Techniques - a new set of powerful techniques which further enhances existing technologies to fight targeted attacks.  These are integrated into the existing Advanced Threat Control module.

Web Access Control Rules - The categories list has been updated with multiple new categories added.

Exchange Protection - This can now be enabled/disabled when editing a customer with a monthly license subscription.

 

The above features are now in place for all current users of Bitdefender Gravityzone in the cloud and will be rolled out to Bitdefender Gravityzone on-premise users from the 27th Sep 2016.

For more details on the above features and a look at the other features included please click here

logo     bs-logo

Small Business Server 2011After many years of faithful service to the channel, Microsoft will be retiring Microsoft Small Business Server 2011 on June 30th 2013 within the Open Licensing Program. Retail and OEM SKUs will continue to be available until December 2013.

Windows Server 2012 Essentials will be the only replacement within the Microsoft portfolio. This can be deployed on a server with up to 2 processors and supports up to 25 users and 50 devices. No CALs are required and there are no virtualisation rights.

Alternatively customers can opt for Windows Server 2012.

With Cloud providers maturing all the time this may now be the time to move to the cloud. Hosted Exchange is a mature technology and with employees demanding access to their data from many devices including mobile devices, a hosted solution may be the correct way forwards. Hosted solutions remove the cost of the hardware along with the ongoing support and maintenance costs. Security and backup are typically bundled for free. Employees will benefit from greater uptime and the ability to access their data and applications from any device, as long as they have access to an Internet connection. Solutions may also provide synching functionality for offline work.

Blue Solutions has just launched a hosted Desktop offering which enables users to have a virtual Windows 7 Desktop with cloud storage, Microsoft Office Applications, along with Exchange mailboxes. There are also upgrade options for dedicated virtual servers to host line of business applications.