Best Ransomware Prevention

[Prorootect]

Ransomware Prevention
- BEST Ransomware Prevention

Blaze's Security Blog: bartblaze.blogspot.fr: Blaze's Security Blog: Ransomware Prevention

Ransomware doesn't need any introduction anymore: we've all come to know (and unfortunately in some cases, experience) what it does and how it works. In short: this specific malware will encrypt your (personal) files and requires you to pay a certain monetary amount (hence the name 'ransom'ware) to regain access to your files. Nowadays, most ransomware will ask you to pay in Bitcoin.

Other names: CryptoLocker, cryptoware, encrypting ransomware.

This blog post is split up in two parts: 1 for users, 1 for companies/businesses. Most tips however are interchangeable and can be applied on most environments (we're talking Windows here).

Finally, some tools are proposed as well as additional resources.

Translations are available in Dutch, French and Korean. If you'd like to translate in your own language, contact me.


Users

• Use, depending on the mailclient, a robust anti-spam filter. In all online services (Outlook.com, Gmail, ...) an anti-spam filter is offered by default.
• Never open attachments from an unknown sender.
• Disable the execution of macros in Office.
• Disable Windows Script Host. You can use option D in my tool for example.
• Disable Powershell. You can do this via Control Panel > Programs > Turn Windows features on or off.
• Use a robust antivirus/antimalware and firewall solution and keep it up-to-date and running.
• Always install all relevant Windows updates.
• Remove all outdated Java versions, or remove Java completely if possible.
• Remove SilverLight if possible.
• Remove Flash if possible. If not:
  Activate click-to-play for Flash in your browser. This depends on your browser.
  (see Resources section)
• Install an adblocker in your browser, for example uBlock Origin.
• A freeware program called CryptoPrevent is available as well. This will automatically improve protection for ransomware by, for example, monitoring known locations where ransomware will execute from.
  
  Last but not least, the two most important rules are:
• Always think twice before clicking on a link or opening an attachment.
• Create backups on a regular basis! Don't forget to disconnect your external hard drive afterwards. A word of warning: be careful when backing up to the cloud - once you notice you are infected, immediately terminate the network/internet connection or shut down the machine to prevent further encryption of your files.
  
  Also test if your backup is functional by restoring some (test)files. A backup is always the best option for restoring your files, but you have to know the backup has succeeded and as such is functional.

Companies

In companies, the same tips as mentioned above are applicable as well. Most of those tips can be applied without too much hassle using Group Policies (GPO).

Additionally:

• Always use strong passwords for your servers (regardless if it's a domain controller, fileserver, etc...).
• Always install all relevant Windows updates.
• If possible, disable RDP. If not possible, use a robust firewall solution (hardware) which has VPN. Use strong passwords/authentication for those as well.
• Disable administrator-rights for normal users. Most of users with a company laptop shouldn't be able to install programs anyway (at least in theory).
• Disable, via GPO, the use of macro's in Office if possible. If not possible, only allow digitally signed macro's. Disable Windows Script Host and make the use of antivirus mandatory.
• Install antivirus on all machines in the network and especially for those users with a company laptop which they can/may take home as well.
• If present, activate the option to also scan archives (ZIP, RAR, ...) by the antivirus.
• Install a robust anti-spam solution and prohibit the use of attachments with dangerous extensions such as .exe, .scr, .... However, also block scriptlets, such as JavaScript files (.js).
• Verify the file sharing permissions of your users. Try to be as efficient as possible - a user belonging to group X is not related to group Y or its share at all? Prohibit or restrict access - use ACLs for example.
• Inform users about the dangers of opening attachments from unknown senders, or clicking on links randomly everywhere. Education is important as well. Also, have a plan of action ready (procedures) when a malware-infection (ransomware or otherwise) would happen.
• Consider changing the default action of potentially malicious scripts and their associated extensions, to notepad for example. This is rather trivial to implement with GPO. More information on changing a default action is here and here.
  Example of extensions to change are:
  .js, .jse, .wsc, .wsh, .wsf, .sct, .vbe, .cmd and .hta.
  You may additionally add: .ps1, .vbs and .bat, granted you don't use these scriptlets.
  Always test on one or several machine first, before deploying on your whole network.
• Use policies to prohibit executable files running from specific locations. See here.
• Consider restricting the use of WMI. See here.
  
  
  Last but not least, the two most important rules are:
• 'Failing to prepare is preparing for failure':
  Prevention is more important than removal/disinfection.
• Create backups on a regular basis! Don't forget to disconnect your external hard drive afterwards. A word of warning: be careful when backing up to the cloud - once you notice you are infected, immediately terminate the network/internet connection or shut down the machine to prevent further encryption of your files.
  
  Also test if your backup is functional by restoring some (test)files. A backup is always the best option for restoring your files, but you have to know the backup has succeeded and as such is functional.

Tools

Browser:
Avoid using Internet Explorer or Edge - other browser are more 'customizable', which means you can have some extra protection with an add-on or extension. (however, don't forget to keep these up-to-date as well)

Activate click-to-play for plugins (such as Flash or Silverlight)
uBlock Origin (Chrome)
uBlock Origin (Firefox)
NoScript

Block the execution of scripts:
Remediate VBS Worm (option D)
Script Defender

CryptoPrevent Malware Prevention:
CryptoPrevent Malware Prevention

Java:
Why should I uninstall older versions of Java from my system?

Disable PowerShell:





Resources

Backups:
Back up and restore: frequently asked questions

Office:
Enable or disable ActiveX controls in Office documents
Block or unblock external content in Office documents
Enable or disable macros in Office files

Using GPO:
2007 Office system (SP2) Administrative Template files (ADM, ADMX, ADML) and Office Customization Tool
Office 2010 Administrative Template files (ADM, ADMX/ADML) and Office Customization Tool download
Office 2013 Administrative Template files (ADMX/ADML) and Office Customization Tool
Office 2016 Administrative Template files (ADMX/ADML) and Office Customization Tool


Identify ransomware:
ID Ransomware

List of ransomware, both known & unknown:
Ransomware Overview

No More Ransom project (decrypters etc.):
The No More Ransom Project

Ransomware extra information:
Ransomware: a Q&A

Windows File Sharing:
Understanding Windows Server 2008 File and Folder Ownership and Permissions

Windows Script Host (WSH):
Disabling Windows Script Host

WMI permissions and restrictions:
Managing WMI security


Email ThisBlogThis!Share to TwitterShare to FacebookShare to Pinterest

 

[Andy Ful]

I have some comments about PowerShell in the USERS part:
The advice in the post can uninstall only the old PowerShell 2.0, so in fact, the PowerShell is not disabled. Windows 8, 8.1, 10 uses by default PowerShell 3.0, 4.0, 5.0. The old PowerShell 2.0 is only installed for compatibility with old scripts, and should be uninstalled because some malware can use it to bypass Windows security for the newer PowerShell versions (like Constrained Language mode). For more information about protecting the system against PowerShell, see:
How-to Guide - How do you secure PowerShell?

 

[Prorootect]

I have some comments about PowerShell in the USERS part:
The advice in the post can uninstall only the old PowerShell 2.0, so in fact, the PowerShell is not disabled. Windows 8, 8.1, 10 uses by default PowerShell 3.0, 4.0, 5.0. The old PowerShell 2.0 is only installed for compatibility with old scripts, and should be uninstalled because some malware can use it to bypass Windows security for the newer PowerShell versions (like Constrained Language mode). For more information about protecting the system against PowerShell, see:
How-to Guide - How do you secure PowerShell?

Yes, thanks a lot @Andy Ful for your How-to Guide - How do you secure PowerShell?

 

[Andy Ful]

The advice from bartblaze.blogspot.fr for securing vulnerabilities related to Office documents will be sufficient for many users. But many vectors of infection, are still opened (OLE, DDE commands, etc.). Some of them are also available in non-Microsoft Office applications (OLE, ActiveX Controls, etc).
Windows 10 introduced a very nice solution for managing Office documents. Simply, the user should install (free) Word Mobile, Excel Mobile and PowerPoint Mobile as the default applications for viewing and printing Office documents. Those Universal Applications are executed in AppContainer Sandbox and all active content embedded in documents (macros, OLE, DDE commands, etc.) is blocked.
.
For document editing, the user can buy the full Word Mobile, etc.(to unblock editing feature), or can use the favorite desktop Office suite. The second case requires 2 Office suites installed. The documents are opened by default in Word Mobile, etc - which gives the user the decent protection. For editing, the user has to open first, one of the applications from the desktop Office suite, and then load the document using application file menu.
.
Another secure solution is using online services like Office Online or Google Drive.