I work as a project engineer at a company with 201-500 employees.
I am looking for recommendations for the best way to prevent DoppelPaymer Ransomware. Is there an action plan or solution you would recommend?
Thanks! I appreciate your help.
You need an APT solution integrated with your endpoint solution, firewall, and email security gateways. I recommend Wedge Network and FireEye.
If you want absolute security, for any malware - not just the DoppelPaymer ransomware, I suggest you have a look at ThreatLocker. I do not work for them, but we started implementing this internally and will soon push this out to clients. It is a superb product that goes about security in a different way - rather than layering antivirus (signature based or nextgen) on top of regular updates (Windows and 3rd party), it implements application whitelisting and ring fencing. I suggest you have a look at their videos, and reach out to them.
No firewall can protect you completely, even if it is a UTM. Even if you close all ports (please do so for RDP or similar). These will help with filtering URLs and websites, and in some cases using AV signatures or ATP for attachments, but we noticed this is not very effective (especially with SonicWall). Having a nextgen A/V like Carbon Black, Crowdstrike, Cylance or SentinelOne will help as well. You also need a solid antispam solution that does sandboxing and URL rewriting. Fortinet can certainly provide a solution there for you.
My old article from the dawn of the ransomware outbreak back in 2016 is still good: https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/22-ransomware-prevention-tips/
I’m surprised no one is mentioning the integrated defense you get using a Palo Alto FW together with their endpoint protection Cortex XDR (formerly named Traps) – and to top it, also use Proofpoint mail defense to have all emails scanned by Palo's WildFire before they are released to the recipient.
None of our more than 400 clients using Palo FW with Cortex XDR/Traps have had any problems with any ransomware. I strongly recommend you check out https://www.paloaltonetworks.com/cortex/cortex-xdr to learn more and see why this is the only completely integrated solution. And even if you don’t go all the way with Pro versions and big data lakes, just using the Palo FW with WildFire and Cortex XDR Prevent will result in really good protection.
A lot of great responses, but there are a few that stand out (from my POV). Those are the ones that talk about incorporating different technologies. It is best to focus on protection from as many threats (ransomware or other) as possible rather than any single threat such as DoppelPaymer. The only viable protection today is a layered approach. How many layers is dependent on your budget and the value of what you are protecting. The tools mentioned in many responses (UTM firewall, endpoint protection, application protection, segmentation, etc.) are essential and can catch/block many threats. Taking those tools a step further by tying them to a threat exchange and integrating the alerts from the various solutions with intelligent rules (using "Advanced" SIEM tools) will yield even tighter protection. Vulnerability scanning and even penetration testing are also very useful in either finding your weak spots or confirming you are as secure as you think you are. The weak link, people, can never be overlooked. Train employees (plenty of video training is available) on the threats and what to look out for. Testing employees by sending phishing emails is also very effective after employees have been trained.
To protect yourself, you have to:
- If the customer has a NGFW (Cisco Firepower), we can activate the signatures Sid 1-52427 and Sid 1-52428 and make a correlation rule (Alert/pxgrid-ISE for remediation)
- The customer must have a content security product such as Cisco Umbrella (DNS Security, SIG, SWG, TI, CBFW)
- Finally, the customer must have a Cisco AMP EndPoint solution that is very effective against this attack. There are even IOC indicators in the console.
With DoppelPaymer, structural sanitization cannot detect what’s inside the file, so we can only ensure that the file is encrypted. One needs to build a policy to only allow password-protected documents from trusted senders. This enforcement of policy should take you a long way into mitigating the risk against DoppelPaymer. As a best practice, the IT/email admin should enforce email encryption as it is much more secure.
The war between creative and destructive IT is already evident and may grow fierce as cybercriminals become more aggressive and ill-talented. It's all about how we scale our technical competencies and approaches to become more sophisticated. Tools from Sophos look to be "a friend in need" solution, as rightly suggested by Eduardo Pina in this thread.
Please read this paper about the ancestor of DoppelPaymer and how this ransomware works.
- First, review all ports you have open. Is there any way you can eliminate them?
- Second, review the functions your firewall product has. With a company of up to 500 employees, you should have a fairly expensive firewall, like a unified threat management device, UTM. Active packet scanning is a must with the VPNs you must have right now. 256-bit encryption minimum.
- Daily security updates. An extreme measure is to have a white list of approved web sites employees can connect to. The attack vectors of the ransomware can change at any time.
- Critical company data should go to a backup server that is offline around 14 hours a day.
Immediate Ransomware Prevention Tips
The best ways to prevent ransomware are to maintain good security practices, back up files, and use antivirus and anti-ransomware software. For comprehensive ransomware protection, enterprises should deploy next-generation anti-ransomware software, like Emsisoft. Relying on antivirus software alone risks exposure to new strains and polymorphic variants of ransomware.
Network security and network segmentation: segregate the network into different segments using a double firewall. Servers on one segment, backup servers on another segment, backup storage on a different segment.
Implement mail security to protect from phony emails. These phony emails are designed to get people to click on a link or open an attachment. Emails often look like they come from a reliable source or attempt to scare people into acting impulsively.
For example, email attachments can appear to be legitimate correspondence from reputable companies such as banks or FedEx. Hackers use subject lines referring to order confirmations, complaints, or business communications that entice the victim to open the email.
Implement security to prevent RDP attacks from LAN and WAN. Customize the Remote Desktop Protocol (RDP) port.
Implement Firewall-VPN for all access. NO direct access from the Internet.
I would prefer to use the following firewall best practices:
Firewalls should be able to limit or “block remote desktop protocol (RDP) and other remote management services” (https://msdn.microsoft.com/en-us/library/aa383015(v=vs.85).aspx). Spam lists should be created and software should be used to detect spam. Proper advanced deletion of spam files can prevent the worker from even seeing a bad attachment. The firewall should also delete or warn if certain types of file extensions are sent. Additional firewall best practices include:
* Considering the use of a sandboxing solution and the right type of firewall engine. Sandboxing should be applied to attachments and web traffic so that the attachments and websites are properly analyzed for malware before entering your network.
* Understand that every open port is a potential point of entry for ransomware. Non-essential open ports should be eliminated. Rather than using port-forwarding, use VPNs to access remote sources.
* The ports that do stay open should be properly secured.
* Segment Local Area Networks into smaller zones or Virtual LANs that are connected securely by the firewall.
* Apply proper IPS policies governing network traffic so that bots and worms can’t spread between Local Area Network segments.
* Isolate infected systems immediately.
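One way to check a ruleset against the practices in this answer (and the RDP-behind-VPN advice earlier in the thread): an added example, not code from the original thread or from any vendor, using a constructed rule list and a hypothetical zone model rather than any product's real syntax.

```python
"""Lint a zone-based firewall rule list against the practices in this thread:
no RDP/remote management reachable from the WAN, no any-port allows between
segments, and an explicit default deny at the end. All rules are constructed."""
from dataclasses import dataclass
from typing import List, Optional

# Remote-management services the thread says to block from the Internet.
REMOTE_MGMT = {3389: "RDP", 22: "SSH", 445: "SMB", 5900: "VNC", 23: "Telnet"}

@dataclass
class Rule:
    name: str
    src_zone: str        # "wan", "vpn", "lan", "dmz", "backup", or "any"
    dst_zone: str
    port: Optional[int]  # None means any port
    action: str          # "allow" or "deny"

def audit(rules: List[Rule]) -> List[str]:
    """Return one finding string per violated practice (empty list = clean)."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        # Remote management must only be reachable after VPN authentication.
        if r.src_zone in ("wan", "any") and r.port in REMOTE_MGMT:
            findings.append(f"{r.name}: {REMOTE_MGMT[r.port]} ({r.port}) "
                            "reachable from WAN; restrict to VPN")
        # An any-port allow between two zones defeats the segmentation.
        if r.port is None and r.src_zone != r.dst_zone:
            findings.append(f"{r.name}: any-port allow from {r.src_zone} "
                            f"to {r.dst_zone}; segments are not isolated")
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.port is None
            and last.src_zone == "any"):
        findings.append("ruleset does not end with an explicit any/any default deny")
    return findings

# Constructed sample ruleset (hypothetical zones and names).
SAMPLE_RULES = [
    Rule("rdp-from-internet", "wan", "lan", 3389, "allow"),   # the mistake the thread warns about
    Rule("rdp-from-vpn", "vpn", "lan", 3389, "allow"),        # RDP only after VPN: fine
    Rule("https-from-internet", "wan", "dmz", 443, "allow"),  # public web service: fine
    Rule("lan-to-backup", "lan", "backup", None, "allow"),    # flat path into the backup segment
    Rule("default-deny", "any", "any", None, "deny"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print("FINDING:", finding)
```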
I would not just have a good firewall like Watchguard but also good endpoint and server protection with https://www.sophos.com/en-us/content/ransomware.aspx
No customer that I had a ransomware problem with has had any problems after I installed Sophos Intercept X.
I will suggest the below solution for preventing DoppelPaymer ransomware. I would suggest an end-to-end protection layer with central management and visibility.
- SonicWALL UTM Model NSA4650: gateway protection.
- SonicWALL Hosted Email Security: protects your mail.
- SonicWALL Capture Client (next-generation anti-malware): protects your endpoint layer.
- SonicWALL Capture Security Center: central management and visibility.
The best way is to implement the whole of Office 365 in the organization with Vade Secure predictive email defense. Here is the link: https://www.vadesecure.com/en/
I would suggest a firewall and also an advanced-level antivirus. Have you tried reading up on Sophos XG and Sophos Intercept X Advanced? Sophos XG is a next-generation firewall with intelligent malware, ransomware, and zero-day attack detection, prevention, and deletion. It uses the sandboxing technology known as Sophos Sandstorm for advanced malware detection.
Sophos Intercept X Advanced is a modern-day antivirus with ransomware and zero-day attack detection and prevention. It is more than a traditional anti-virus as it uses intelligent techniques for detecting malware, and it has web control, application control, peripheral control, and data loss prevention abilities. It monitors every activity on each device (end-user devices and servers), and in the event of a ransomware attack/data encryption, it keeps a copy of all resources on the device in its own shadow-copy safe and monitors the ransomware's process to determine whether the encryption is legitimate or malicious; if malicious, it stops the process, completely deletes the root code or the attack application, and restores the lost resources using its application-aware feature.
Furthermore, synchronized security communication takes place between the antivirus on each device and the Sophos XG firewall, giving you unified protection throughout your network. Hence I suggest Sophos XG and Sophos Intercept X Advanced.
It's possible intrusion prevention software can help.
I believe that this problem should not be addressed only at the firewall layer, but at the upper layers by applying controls on mail servers and end-user operating systems, such as antivirus and application execution control.
I recommend using Checkpoint SandBlast Agent for Laptops
Norton 360 is excellent.
I recommend using Sophos' Intercept X solution. It is an excellent solution, simple to install, compatible with any endpoint already active. There are plans for annual and also monthly payments.
I don't think there is an easy answer to ransomware. It's really user error. You could implement the latest in endpoint inspection which specialises in this field like Crowdstrike or Cybereason. Both have some integrations, but if you want true firewall integration - Palo Alto or Checkpoint.
You need the basics: protect the perimeter (firewall), protect the endpoint (good AV with AI) and a good antispam with sandbox.
I suggest making security zones in the firewall and only permitting specific traffic, ports, protocols, etc.