Ransomware Prevention


Blog post originally published (in Dutch) Sunday, February 21, 2016 and can be found here. This is its dedicated page, in English.

Ransomware doesn't need any introduction anymore: we've all come to know (and unfortunately in some cases, experience) what it does and how it works. In short: this specific malware will encrypt your (personal) files and requires you to pay a certain monetary amount (hence the name 'ransom'ware) to regain access to your files. Nowadays, most ransomware will ask you to pay in Bitcoin.

Other names: "CryptoLocker", cryptoware, encrypting ransomware.

This blog post is split up in two parts: 1 for users, 1 for companies/businesses. Most tips however are interchangeable and can be applied on most environments (we're talking Windows here).

Finally, some tools are proposed as well as additional resources.

Translations are available in DutchFrench and Korean. If you'd like to translate in your own language, contact me.


Users

  • Use, depending on the mailclient, a robust anti-spam filter. In all online services (Outlook.com, Gmail, ...) an anti-spam filter is offered by default.
  • Never open attachments from an unknown sender.
  • Disable the execution of macros in Office.
  • Disable Windows Script Host. You can use option D in my tool for example.
  • Disable Powershell. You can do this via Control Panel > Programs > Turn Windows features on or off.
  • Use a robust antivirus/antimalware and firewall solution and keep it up-to-date and running.
  • Always install all relevant Windows updates.
  • Remove all outdated Java versions, or remove Java completely if possible.
  • Remove SilverLight if possible.
  • Remove Flash if possible. If not:
    Activate click-to-play for Flash in your browser. This depends on your browser.
    (see Resources section)
  • Install an adblocker in your browser, for example uBlock Origin.
  • A freeware program called CryptoPrevent is available as well. This will automatically improve protection for ransomware by, for example, monitoring known locations where ransomware will execute from.

    Last but not least, the two most important rules are:
  • Always think twice before clicking on a link or opening an attachment.
  • Create backups on a regular basis! Don't forget to disconnect your external hard drive afterwards. ("offline backups")

    A word of warning: be careful when backing up to the cloud - once you notice you are infected, immediately terminate the network/internet connection or shut down the machine to prevent further encryption of your files.

    Note that in some cases it is better to simply disconnect from the network, as some decryption keys can be salvaged from memory or network traffic.

    Also test if your backup is functional by restoring some (test)files. A backup is always the best option for restoring your files, but you have to know the backup has succeeded and as such is functional.


Organisations

In companies, the same tips as mentioned above are applicable as well. Most of those tips can be applied without too much hassle using Group Policies (GPO).

Additionally:

  • Always use strong passwords for your servers (regardless if it's a domain controller, fileserver, etc...).
  • Always install all relevant Windows updates.
  • If possible, disable RDP. If not possible, use a robust firewall solution (hardware) which has VPN. Use strong passwords/authentication for those as well. Enable 2FA/MFA for VPN access or at least administrator access.
  • Disable administrator-rights for normal users. Most of users with a company laptop shouldn't be able to install programs anyway (at least in theory).
  • Disable, via GPO, the use of macro's in Office if possible. If not possible, only allow digitally signed macro's. Disable Windows Script Host and make the use of antivirus mandatory.
  • Install antivirus on all machines in the network and especially for those users with a company laptop which they can/may take home as well.
  • If present, activate the option to also scan archives (ZIP, RAR, ...) by the antivirus.
  • Install a robust anti-spam solution and prohibit the use of attachments with dangerous extensions such as .exe, .scr, .... However, also block scriptlets, such as JavaScript files (.js).
  • Verify the file sharing permissions of your users. Try to be as efficient as possible - a user belonging to group X is not related to group Y or its share at all? Prohibit or restrict access - use ACLs for example.
  • Inform users about the dangers of opening attachments from unknown senders, or clicking on links randomly everywhere. Education is important as well. Also, have a plan of action ready (procedures) when a malware-infection (ransomware or otherwise) would happen.
  • Consider changing the default action of potentially malicious scripts and their associated extensions, to notepad for example. This is rather trivial to implement with GPO. More information on changing a default action is here and here.
    Example of extensions to change are:
    .js, .jse, .wsc, .wsh.wsf, .sct, .vbe, .cmd and .hta.
    You may additionally add: 
    .ps1.vbs and .bat, granted you don't use these scriptlets.
    Always test on one or several machine first, before deploying on your whole network.
  • Use policies to prohibit executable files running from specific locations. See here.
  • Consider restricting the use of WMI. See here.


    Last but not least, the two most important rules are:
  • 'Failing to prepare is preparing for failure':
    Prevention is more important than removal/disinfection.
  • Create backups on a regular basis! Don't forget to disconnect your external hard drive afterwards. ("offline backups")

    A word of warning: be careful when backing up to the cloud - once you notice you are infected, immediately terminate the network/internet connection or shut down the machine to prevent further encryption of your files.

    Note that in some cases it is better to simply disconnect from the network, as some decryption keys can be salvaged from memory or network traffic.

    Also test if your backup is functional by restoring some (test)files. A backup is always the best option for restoring your files, but you have to know the backup has succeeded and as such is functional.



Tools

Browser:
Avoid using Internet Explorer or Edge - other browser are more 'customazible', which means you can have some extra protection with an add-on or extension. (however, don't forget to keep these up-to-date as well)

Activate click-to-play for plugins (such as Flash or Silverlight)
uBlock Origin (Chrome)
uBlock Origin (Firefox)
NoScript

Block the execution of scripts:
Remediate VBS Worm (option D)
Script Defender

CryptoPrevent Malware Prevention:
https://www.foolishit.com/cryptoprevent-malware-prevention/

Java:
Why should I uninstall older versions of Java from my system?

Disable PowerShell:













Resources

Backups:
Back up and restore: frequently asked questions

Office:
Enable or disable ActiveX controls in Office documents
Block or unblock external content in Office documents
Enable or disable macros in Office files

Using GPO:


Identify ransomware:
ID Ransomware

List of ransomware, both known & unknown:
Ransomware Overview

No More Ransom project (decrypters etc.):
The No More Ransom Project

Ransomware extra information:
Ransomware: a Q&A

Windows File Sharing:
Understanding Windows Server 2008 File and Folder Ownership and Permissions

Windows Script Host (WSH):
Disabling Windows Script Host

WMI permissions and restrictions:
Managing WMI security

3 comments:

  1. Good article, just do not understand that IE is not customizable - you mean just lack of tools? For example I'm running with "Symantec Vulnerability Protection" add-on set up by my AV automatically. Of course, generally the MSIE is a popular attack target and browsing using FF,Chrome can be safer. Also users should know that ultimate disabling of VBS and PowerShell can limit functionality of their computer in many of normal operations.

    ReplyDelete
    Replies
    1. Thank you! Yes, I indeed mean the lack of add-ons or plugins available (such as NoScript for example).

      Yes indeed. While some functionality will be limited, most normal users do not utilise VBS nor PowerShell anyway; or at least as far as I know.

      Thanks for your comment and have a great day!

      Delete