Reply to post: Layers of defence

Pay up, Lincolnshire, or your data gets it. Systems still down after ransomware hits

Anonymous Coward

Layers of defence

We were hit once. It was a convincing-looking mail to our goods receiving department. There was no file attached, but a link to an external site. It got past our existing firewall setup, mail filter, web filter and endpoint antivirus.

We spotted the attack fairly quickly and just had to re-image that one PC and roll back some files the user had access to on the file servers using shadow copies. We already had very granular permissions in place, so the attack was limited.

In response we have put in several more mitigations. We have AppLocker policies that restrict executables from running from profiles and other locations they shouldn't be running from. We have changed the firewall to block access to websites that are not categorised by the firewall vendor (this occasionally means we have to click past a warning to get to an uncategorised site, but is no great hardship). We also have FSRM rules which look for filename changes made by all known variants of crypto malware. If these are detected, alarms go off and file server shares are switched to read-only.

Finally, if this isn't enough, we have time-lagged replicas to our DR site and multiple levels of independent backup to disk and tape.
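
An added example, not the commenter's own configuration: one way to build the FSRM control described above, with a file screen that raises an event and runs a response which downgrades share access to read-only. The group name, paths and filename patterns are constructed placeholders; a real deployment needs a maintained pattern list and a tested restore step.

```powershell
# Added example. Run once with no arguments to install the screen;
# FSRM then calls this same script with -Respond when the screen fires.
param([switch]$Respond)

$GroupName  = 'Example-CryptoPatterns'        # hypothetical file group name
$ScreenPath = 'D:\Shares'                     # hypothetical root of the shared data
$ScriptPath = 'C:\Scripts\CryptoScreen.ps1'   # hypothetical location of this script
$Backup     = 'C:\Scripts\share-access-before-lockdown.csv'   # hypothetical
# Constructed placeholder patterns, not real indicators.
$Patterns   = @('*.locked-example', '*.crypt-example', 'HOW_TO_DECRYPT-example.*')

if ($Respond) {
    # Response: downgrade every Allow entry on non-administrative shares to Read.
    $access = Get-SmbShare -Special $false |
        ForEach-Object { Get-SmbShareAccess -Name $_.Name }
    # Save the original rights once, so a second trigger cannot overwrite them.
    if (-not (Test-Path $Backup)) {
        $access | Export-Csv -Path $Backup -NoTypeInformation
    }
    foreach ($ace in $access) {
        if ($ace.AccessControlType -eq 'Allow' -and $ace.AccessRight -ne 'Read') {
            Revoke-SmbShareAccess -Name $ace.Name -AccountName $ace.AccountName -Force |
                Out-Null
            Grant-SmbShareAccess -Name $ace.Name -AccountName $ace.AccountName `
                -AccessRight Read -Force | Out-Null
        }
    }
    return
}

# Setup: file group, two notification actions, then the screen itself.
Import-Module FileServerResourceManager
New-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns | Out-Null

# "Alarms go off": a warning in the Application event log for monitoring to pick up.
$alarm = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Screened file name: [Source Io Owner] wrote [Source File Path] under [File Screen Path] on [Server].'

# "Shares are switched to read-only": re-run this script in response mode.
$lockdown = New-FsrmAction -Type Command `
    -Command "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -CommandParameters "-NoProfile -File `"$ScriptPath`" -Respond" `
    -SecurityLevel LocalSystem -KillTimeOut 5

# -Active also blocks the matching write; omit it for a passive, alert-only screen.
New-FsrmFileScreen -Path $ScreenPath -IncludeGroup $GroupName `
    -Notification $alarm, $lockdown -Active
```

The script that the command action runs should be writable only by administrators, since it executes as LocalSystem. Restoring access after an incident means re-applying the rights saved in the CSV.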
