topic Re: How to prevent business premises from RedBoot ransomware attack? in Firewall and Security Management

How to prevent business premises from RedBoot ransomware attack?

Arun_R — Fri, 13 Oct 2017 07:41:21 GMT

Hi Team,

Has anyone have any idea about RedBoot ransomware and how to prevent it by using IPS/Anti-bot/Anti-Virus blade's:

Is any specific protection/Signature needs to prevent in order to avoid such issues on business premises?

Regards,

Arun.R (Hari)

Re: How to prevent business premises from RedBoot ransomware attack?

PhoneBoy — Fri, 13 Oct 2017 15:45:55 GMT

First of all, this is probably a better question for the Threat Prevention‌ space.

Second, Ransomware such as RedBoot is really a great example of why you need multiple layers of protection.
While IPS, Anti-Virus, and Anti-Bot are great technologies, they are not enough to stop Ransomware.

Any number of things could potentially deliver the RedBoot payload to a customer--things which could surely be blocked by AV if it's a known variant.

However, it's trivial to make any known variant unknown, reducing the efficacy of AV.

Since there's no "phone home" element to this ransomware/wiper, Anti-Bot or IPS wouldn't see anything.

If the payload is delivered as a Microsoft Office or PDF doc (which is fairly common), then Threat Emulation would surely catch it.

Threat Extraction would strip out these unsafe elements so the end user would never see them.

If on the off chance Threat Emulation/Extraction didn't catch it, then Check Point's AntiRansomware on the endpoint would stop it and quickly undo the damage.

Re: How to prevent business premises from RedBoot ransomware attack?

Pablo_Barriga — Mon, 16 Oct 2017 00:30:38 GMT

Hello Arun there isn't a signature to prevent that infection for now on any of those blades, the next step should be to incorporate the threat emulation technology on the gateway or in the endpoint with Sandblast Agent.

We are recommending our customer to have their computes up to date, to configure the shadow copy on their machines to have several copies of their information or at least have a procedure to have a backups once a day, also to be more stricted on the URL or categories that the users can access, for example block uncategorized sites or block high risk sites, also on the antivirus block unusual file extention using the Files Types feature to block some files.