2020-04-13T16:43:00Z

What is the best way to prevent DoppelPaymer Ransomware?


24 Answers

TM
Real User
2020-04-15T11:13:38Z
Apr 15, 2020

You need an APT solution integrated with your endpoint solution, firewall, and email security gateways. I recommend Wedge Network and FireEye.

SSL - PeerSpot reviewer
User
2020-04-14T16:21:55Z
Apr 14, 2020

If you want absolute security, for any malware - not just the DoppelPaymer ransomware, I suggest you have a look at ThreatLocker. I do not work for them, but we started implementing this internally and will soon push this out to clients. It is a superb product, that goes about security in a different way - rather than layering antivirus (signature based or nextgen) on top of regular updates (Windows and 3rd party) - it implements application whitelisting and ring fencing. I suggest you have a look at their videos, and reach out to them.
https://www.threatlocker.com/

No firewall can protect you completely, even if it is a UTM. Even if you close all ports (please do so for RDP or similar). These will help with filtering URLs and websites, and in some cases using AV signatures or ATP for attachments, but we noticed this is not very effective (especially with SonicWall). Having a next-gen A/V like Carbon Black, CrowdStrike, Cylance or SentinelOne will help as well. You also need a solid antispam solution that does sandboxing and URL rewriting. Fortinet can certainly provide a solution there for you.

Real User
2020-05-05T11:56:05Z
May 5, 2020

My old article from the dawn of ransomware outbreak back in 2016 is still good: https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/22-ransomware-prevention-tips/

PS
User
2020-04-17T08:03:19Z
Apr 17, 2020

I’m surprised no one is mentioning the integrated defense you get using a Palo Alto FW together with their Endpoint protection Cortex XDR (formerly named Traps) – and to top it also use Proofpoint mail defense to be able to have all emails scanned by Palos Wildfire before they are released to the recipient.

None of our more than 400 clients using Palo FW with Cortex XDR/Traps have had any problems with any ransomware. I strongly recommend you check out https://www.paloaltonetworks.com/cortex/cortex-xdr to learn more and see why this is the only completely integrated solution. And even if you don’t go all the way with Pro versions and big data lakes, just using the Palo FW with Wildfire and Cortex XDR Prevent will result in really good protection.

PV
Real User
2020-04-17T03:27:51Z
Apr 17, 2020

A lot of great responses, but there are a few that stand out (from my POV). Those are the ones that talk about incorporating different technologies. It is best to focus on protection from as many threats (ransomware or other) as possible rather than any single threat such as DoppelPaymer. The only viable protection today is a layered approach. How many layers is dependent on your budget and the value of what you are protecting. The tools mentioned in many responses (UTM firewall, endpoint protection, application protection, segmentation, etc.) are essential and can catch/block many threats. Taking those tools a step further by tying them to a threat exchange and integrating the alerts from the various solutions with intelligent rules (using "Advanced" SIEM tools) will yield even tighter protection. Vulnerability scanning and even penetration testing are also very useful in either finding your weak spots or confirming you are as secure as you think you are. The weak link, people, can never be overlooked. Train employees (plenty of video training is available) on the threats and what to look out for. Testing employees by sending phishing emails is also very effective after employees have been trained.

SA
Real User
2020-04-15T10:14:21Z
Apr 15, 2020

To protect yourself, you have to:

- If the customer has an NGFW (Cisco Firepower), we can activate the signatures SID 1-52427 and SID 1-52428 and make a correlation rule (Alert/pxGrid-ISE for remediation)
https://snort.org/rule_docs/1-52427
https://snort.org/rule_docs/1-52428

- The customer must have a content security product such as Cisco Umbrella (DNS Security, SIG, SWG, TI, CBFW)
- Finally, the customer must have a Cisco AMP for Endpoints solution, which is very effective against this attack. There are even IOC indicators in the console.

UD
Real User
2020-04-15T05:18:26Z
Apr 15, 2020

With DoppelPaymer, structural sanitization cannot detect what’s inside the file, so we can only ensure that the file is encrypted. One needs to build a policy to only allow password-protected documents from trusted senders. This enforcement of policy should take you a long way into mitigating the risk against DoppelPaymer. As a best practice, the IT/email admin should enforce email encryption as it is much more secure.

The war between creative and destructive IT is already evident and may grow fierce as cybercriminals become more aggressive and ill-talented. It's all about how we scale our technical competencies and approaches to become more sophisticated. Tools from Sophos look to be "A friend in Need" solution, as rightly suggested by Eduardo Pina in the following thread.
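The attachment policy described in the answer above (password-protected documents cannot be sanitized, so accept them only from trusted senders) as an added, stand-alone example, not code from the original post or from any product named on this page. It detects password protection structurally for ZIP/OOXML, OLE compound files and PDF, then gates the message on a trusted-sender list; the domains, the sample files and the exact heuristics are constructed for the example.

```python
import io
import zipfile

# Constructed trust list for this example (hypothetical domains).
TRUSTED_SENDERS = {"partner.example", "bank.example"}

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file header


def is_encrypted_attachment(data: bytes) -> bool:
    """Heuristic, structure-only check: is this document password-protected?

    Only container headers are inspected; the payload itself stays opaque,
    which is exactly why such files need a sender-based policy.
    """
    # ZIP (also OOXML .docx/.xlsx containers): bit 0 of the general-purpose
    # flag in the local file header marks an encrypted entry.
    if data[:4] == b"PK\x03\x04":
        flag = int.from_bytes(data[6:8], "little")
        return bool(flag & 0x1)
    # Encrypted OOXML is wrapped in an OLE compound file that carries an
    # "EncryptionInfo" stream; directory entry names are stored as UTF-16LE.
    if data[:8] == CFB_MAGIC:
        return "EncryptionInfo".encode("utf-16-le") in data
    # PDF: an /Encrypt entry in the trailer dictionary.
    if data[:5] == b"%PDF-":
        return b"/Encrypt" in data
    return False


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def decide(sender: str, attachments: dict) -> str:
    """Return 'allow' or 'quarantine' for one message (name -> bytes)."""
    encrypted = [n for n, d in attachments.items() if is_encrypted_attachment(d)]
    if not encrypted:
        return "allow"  # plain files continue to sanitization/sandboxing
    if sender_domain(sender) in TRUSTED_SENDERS:
        return "allow"
    return "quarantine"


def make_zip(encrypted: bool) -> bytes:
    """Constructed sample: a one-entry ZIP, optionally flagged as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.docx", b"not really a document")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= 0x1  # set the encryption bit in the local header flag
    return bytes(data)
```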

BO
User
2020-04-15T03:10:37Z
Apr 15, 2020

Please read this paper about the ancestor of DoppelPaymer and how this ransomware works:
https://nakedsecurity.sophos.com/2017/09/21/how-bitpaymer-ransomware-covers-its-tracks/

SH
User
2020-04-14T18:54:11Z
Apr 14, 2020

- First, review all ports you have open. Is there any way you can eliminate them?
- Second, review the functions your firewall product has. With a company of up to 500 employees, you should have a fairly expensive firewall, like a unified threat management device (UTM). Active packet scanning is a must with the VPNs you must have right now. 256-bit encryption minimum.
- Daily security updates. An extreme measure is to have a whitelist of approved websites employees can connect to. The attack vectors of the ransomware can change at any time.
- Critical company data should go to a backup server that is offline around 14 hours a day.

RM
Real User
Top 5
2020-04-14T16:04:38Z
Apr 14, 2020

Immediate Ransomware Prevention Tips

The best ways to prevent ransomware are to maintain good security practices, back up files, and use antivirus and anti-ransomware software. For comprehensive ransomware protection, enterprises should deploy next-generation anti-ransomware software, like Emsisoft. Relying on antivirus software alone risks exposure to new strains and polymorphic variants of ransomware.

Network security and network segmentation. Segregate the network into different segments using a double firewall: servers on one segment, backup servers on another segment, backup storage on a different segment.

Implement mail security to protect against phony emails. These emails are designed to get people to click on a link or open an attachment. They often look like they come from a reliable source or attempt to scare people into acting impulsively.

For example, email attachments can appear to be legitimate correspondence from reputable companies such as banks or FedEx. Hackers use subject lines referring to order confirmations, complaints, or business communications that entice the victim to open the email.

Implement security to prevent RDP attacks from LAN and WAN. Customize the Remote Desktop Protocol (RDP) port.

Implement Firewall-VPN for all access. NO direct access from the Internet.

ST
User
2020-04-14T15:50:37Z
Apr 14, 2020

I would prefer to use the following firewall best practices:

Firewall protection

Firewalls should be able to limit or “block remote desktop protocol (RDP) and other remote management services.” Spam lists should be created and software should be used to detect spam. Proper advanced deletion of spam files can prevent the worker from even seeing a bad attachment. The firewall should also delete or warn if certain types of file extensions are sent. Additional firewall best practices include:

* Consider the use of a sandboxing solution and the right type of firewall engine. Sandboxing should be applied to attachments and web traffic so that the attachments and websites are properly analyzed for malware before entering your network.
* Understand that every open port is a potential point of entry for ransomware. Non-essential open ports should be eliminated. Rather than using port forwarding, use VPNs to access remote resources.
* The ports that do stay open should be properly secured.
* Segment Local Area Networks into smaller zones or Virtual LANs that are connected securely by the firewall.
* Apply proper IPS policies governing network traffic so that bots and worms can’t spread between Local Area Network segments.
* Isolate infected systems immediately.

SJ
Real User
2020-04-14T13:16:17Z
Apr 14, 2020

I would not just have a good Firewall like Watchguard but a good endpoint and server protection with https://www.sophos.com/en-us/content/ransomware.aspx

No customer that I had a ransomware problem with has had any problems after I installed Sophos Intercept X.

it_user1311786 - PeerSpot reviewer
User
2020-04-14T10:25:45Z
Apr 14, 2020

I would suggest the solution below for preventing DoppelPaymer ransomware: an end-to-end protection layer with central management and visibility.

SonicWall UTM model NSA4650: gateway protection.
SonicWall Hosted Email Security: protects your mail.
SonicWall Capture Client (next-generation anti-malware): protects your endpoint layer.
SonicWall Capture Security Center: central management and visibility.

AV
Real User
2021-04-24T08:01:25Z
Apr 24, 2021

I would suggest applying the Zero Trust approach. In addition, it is great to train workers on how to deal with phishing.

SA
Real User
2020-04-16T17:34:56Z
Apr 16, 2020

The best way is to implement the whole Office 365 in the organization with Vade Secure predictive email defense. Here is the link: https://www.vadesecure.com/en/

KO
Real User
2020-04-16T09:16:03Z
Apr 16, 2020

I would suggest a Firewall and also an advanced level antivirus. Have you tried reading up on Sophos XG and Sophos Intercept X Advanced? Sophos XG is a next-generation firewall with intelligent malware, ransomware, and zero-day attack detection, prevention, and deletion. It engages the sandboxing tendency known as Sophos Sandstorm for advanced malware detection.

Sophos Intercept X Advanced is a modern-day antivirus with ransomware and zero-day attack detection and prevention. It is more than a traditional anti-virus, as it functions with intelligent techniques for detecting malware, and it has web control, application control, peripheral control, and data loss prevention ability. It monitors every activity going on in each device (end-user devices and servers). In the event of a ransomware attack/data encryption, it makes a copy of all resources on the device and keeps it in its own shadow-copy safe; it monitors the process of the ransomware to know if it is a positive or negative encryption, and if found negative, it stops the process, does a complete deletion of the root code or the attack application, and restores the lost resources using its application-aware feature.

Furthermore, synchronized security communication takes place between the antivirus on each device and the Sophos XG firewall, giving you unified protection through your network. Hence I suggest Sophos XG and Sophos Intercept X Advanced.

TM
User
2020-04-15T13:52:06Z
Apr 15, 2020

It's possible intrusion prevention software can help.

NO
User
2020-04-15T11:25:16Z
Apr 15, 2020

I believe that this problem should not be addressed only at the firewall layer, but at the upper layers by applying control on mail servers and end user operating systems such as antivirus and application execution control.

SM
Real User
2020-04-15T07:02:07Z
Apr 15, 2020

I recommend using Check Point SandBlast Agent for laptops.

AS
Reseller
2020-04-14T20:14:35Z
Apr 14, 2020

Norton 360 is excellent.

EM
Real User
2020-04-14T18:58:24Z
Apr 14, 2020

I recommend using Sophos' Intercept X solution. It is an excellent solution, simple to install, compatible with any endpoint already active. There are plans for annual and also monthly payments.

HaroldPalmer - PeerSpot reviewer
Real User
Top 10
2020-04-14T15:04:04Z
Apr 14, 2020

I don't think there is an easy answer to ransomware. It's really user error. You could implement the latest in endpoint inspection which specialises in this field like Crowdstrike or Cybereason. Both have some integrations, but if you want true firewall integration - Palo Alto or Checkpoint.

AC
Real User
2020-04-14T14:34:30Z
Apr 14, 2020

You need the basics: protect the perimeter (firewall), protect the endpoint (good AV with AI) and a good antispam with sandbox.
I suggest making security zones in the firewall and only permitting specific traffic, ports, protocols, etc.

LauriLaanenurm - PeerSpot reviewer
Real User
Top 5
2020-04-14T10:37:12Z
Apr 14, 2020

https://www.sophos.com/en-us/medialibrary/Gated%20Assets/white%20papers/sophosransomwareprotectionwpna.pdf?la=en
https://www.sophos.com/en-us/content/ransomware.aspx
