Guide | How To: How to Protect and Harden a Computer against Ransomware


LASER_oneXM

Thread author
Hi,

I found this article a few minutes ago on www.bleepingcomputer.com.
This board/portal has a quite good reputation, so I frequently visit it to read the
latest news and threads about security and computers.

Here is the direct link to the article (date: December 22, 2016):
How to Protect and Harden a Computer against Ransomware

...a quote from this article:
2016 is almost over and it definitely taught us one thing: ransomware is here to stay and it's only going to get worse. With even the smaller ransomware developers earning a lot of money, the ransomware explosion is going to continue with more innovative techniques used in 2017.

Therefore, it is important that every computer user, whether you are only using a computer at home or in the enterprise, needs to understand how to harden and protect their computer from ransomware. To help you, I have put together the most important steps a computer user needs to do in order to protect themselves from ransomware. The bonus is that these steps will also protect you from a vast majority of other types of malware that use similar methods to infect a computer.

I know this article is long, but computer security is something that takes some effort. If you want to protect your computer and your assets, then I strongly suggest you print this article and read it as time permits.
 

HarborFront

Just a few questions.

What are the consequences of

a) renaming vssadmin
b) disabling Windows Script Host
c) disabling Windows PowerShell

What software will be affected, or under what circumstances should the above not be modified? Can any exclusion/exception be made for them if they have been modified?

Is there any 3rd-party software to simplify the above modifications, like just having tickboxes?

Thanks
 

shmu26

HarborFront said:
> Just a few questions.
>
> What are the consequences of
>
> a) renaming vssadmin
> b) disabling Windows Script Host
> c) disabling Windows PowerShell
>
> What software will be affected, or under what circumstances should the above not be modified? Can any exclusion/exception be made for them if they have been modified?
>
> Is there any 3rd-party software to simplify the above modifications, like just having tickboxes?
>
> Thanks
If you use backup software such as Macrium Reflect, for instance, I don't think that you can disable vssadmin.

But the other two processes mentioned can be safely disabled without affecting normal computer use.

The best way to do this is with Process Lasso; it works even in the free edition.
See this thread: Process Lasso 101

This is my list of disallowed processes in Process Lasso:
 

Attachments

  • Capture.PNG (18.8 KB, screenshot of the disallowed-process list)

HarborFront

shmu26 said:
> If you use backup software such as Macrium Reflect, for instance, I don't think that you can disable vssadmin.
>
> But the other two processes mentioned can be safely disabled without affecting normal computer use.
>
> The best way to do this is with Process Lasso; it works even in the free edition.
> See this thread: Process Lasso 101
>
> This is my list of disallowed processes in Process Lasso:
Hi,

You mentioned that the other 2 processes can be safely modified without affecting NORMAL computer use. What, then, are the situations that would affect these uses?

And if you have other apps like AppGuard, VS etc., do you still need to disable Windows Script Host and Windows PowerShell? Or do you still need Process Lasso 101 then?

BTW, any link to compare the features of the free vs. paid version of Process Lasso 101? Is the free version time-limited? I can't find this info on their site.

Thanks
 

shmu26

HarborFront said:
> Hi,
>
> You mentioned that the other 2 processes can be safely modified without affecting NORMAL computer use. What, then, are the situations that would affect these uses?
>
> And if you have other apps like AppGuard, VS etc., do you still need to disable Windows Script Host and Windows PowerShell? Or do you still need Process Lasso 101 then?
>
> BTW, any link to compare the features of the free vs. paid version of Process Lasso 101? Is the free version time-limited? I can't find this info on their site.
>
> Thanks
Unless you want to run a script or PowerShell yourself, for maintenance or management purposes, I can't think of a realistic case where you would need them. And even if such a need arises, it takes about one second to disable Process Lasso.

VS decreases the need to disable these processes, but does not eliminate it.
As for AppGuard, it depends how you have it configured. I am not an AG user, so I can't say much.

The advanced features of Process Lasso, as far as you and I are concerned, amount to the lack of an occasional nag screen. There are some cool things that the paid version can do, but I don't even understand them (a gamer would probably appreciate them, though).
 

HarborFront

shmu26 said:
> Unless you want to run a script or PowerShell yourself, for maintenance or management purposes, I can't think of a realistic case where you would need them. And even if such a need arises, it takes about one second to disable Process Lasso.
>
> VS decreases the need to disable these processes, but does not eliminate it.
> As for AppGuard, it depends how you have it configured. I am not an AG user, so I can't say much.
>
> The advanced features of Process Lasso, as far as you and I are concerned, amount to the lack of an occasional nag screen. There are some cool things that the paid version can do, but I don't even understand them (a gamer would probably appreciate them, though).
OK, thanks.
 

tim one

You have to protect your data!
I've installed Steganos Safe 17 and I have created a 35 GB (Z:) partition where I keep a copy of all my sensitive data.
Another backup of this data is on an external HDD.
The (Z:) virtual partition is invisible and protected by a strong password, and the data are encrypted with the AES 256-bit algorithm.
No common ransomware or malware can access this partition; one option would be to take advantage of a specific vulnerability in Steganos, a rare but possible event.
The other possibility is malware that works at a low level on the HDD, which can delete data, partitions and the boot sector, and this is an event that is difficult given my security setup.

But also in this case I am protected because of my external backup.
 

HarborFront

tim one said:
> You have to protect your data!
> I've installed Steganos Safe 17 and I have created a 35 GB (Z:) partition where I keep a copy of all my sensitive data.
> Another backup of this data is on an external HDD.
> The (Z:) virtual partition is invisible and protected by a strong password, and the data are encrypted with the AES 256-bit algorithm.
> No common ransomware or malware can access this partition; one option would be to take advantage of a specific vulnerability in Steganos, a rare but possible event.
> The other possibility is malware that works at a low level on the HDD, which can delete data, partitions and the boot sector, and this is an event that is difficult given my security setup.
>
> But also in this case I am protected because of my external backup.
It is true that ransomware cannot access the data on an encrypted drive, but what if it corrupts the drive such that you cannot decrypt it? Isn't that rendering the drive useless?
 

tim one

HarborFront said:
> It is true that ransomware cannot access the data on an encrypted drive, but what if it corrupts the drive such that you cannot decrypt it? Isn't that rendering the drive useless?
You are right; that is why I have another backup on the external HDD.
Unfortunately, nothing is totally predictable.
 

jamescv7

Well, everything is summed up in the article.

The true essence of protection lies in hardening and locking down the crucial operations; people should install the likes of VoodooShield, SecureAPlus and a few others as resident AV, as these come packed with whitelisting.

People should learn to understand interactive pop-ups rather than automated ones.
 

509322

HarborFront said:
> Just a few questions.
>
> What are the consequences of
>
> a) renaming vssadmin
> b) disabling Windows Script Host
> c) disabling Windows PowerShell
>
> What software will be affected, or under what circumstances should the above not be modified? Can any exclusion/exception be made for them if they have been modified?
>
> Is there any 3rd-party software to simplify the above modifications, like just having tickboxes?
>
> Thanks

Virtually nothing.

I've only seen Windows use PowerShell a single time. The Windows 10 Upgrade Utility, GWX, used it.

Once in a great while, Windows Update will use wscript.exe (Windows Script Host). I have seen it on W7 only.

PowerShell is a menace that 99.99999 % of typical users do not need on their system. Both wscript.exe and cscript.exe should be disabled as well. If you need them, you enable them, do what you need, then promptly disable them. It is that simple.

If something gets blocked, nothing is permanently broken. Blocks are no big deal, even during a Windows Update. Just re-enable, update Windows again, then promptly disable. Simple.

Renaming vssadmin.exe shouldn't affect anything. It's a command-line utility. Once again, 99.99999 % of typical users don't use it.

There's a lot of stuff shipped with Windows that a user does not need. Disabling what you do not need reduces attack surface and prevents many attacks.

There's a reason that the industry calls many Windows processes, well, vulnerable processes.

If people would just put a little bit of effort into learning more about the topic, then they could increase their system protection significantly.
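The enable-when-needed, disable-again-afterwards routine described in the post above, as an added example in PowerShell; this is not code from the thread, from the BleepingComputer article or from Process Lasso. It covers the two items that have a native switch, Windows Script Host (the documented `Enabled` value under the Windows Script Host settings key) and vssadmin.exe (renamed in place, as the article suggests), and leaves blocking powershell.exe itself to the tools the thread discusses, since there is no equivalent registry kill switch for it. Assumptions: 64-bit Windows with vssadmin.exe in both System32 and SysWOW64, an elevated prompt, and the `.disabled` suffix, which is an arbitrary choice.

```powershell
# Added example, not code from the thread, the article or Process Lasso: reversible
# "disable when idle, enable when needed" switches for Windows Script Host and vssadmin.exe.
# Run from an elevated PowerShell prompt. Assumptions: 64-bit Windows, vssadmin.exe present
# in System32 and SysWOW64, and the '.disabled' suffix (arbitrary choice).
#Requires -RunAsAdministrator

$WshKey    = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
$VssCopies = @("$env:SystemRoot\System32\vssadmin.exe",
               "$env:SystemRoot\SysWOW64\vssadmin.exe")

function Set-WshEnabled {
    # Windows Script Host honours the 'Enabled' DWORD here: 0 makes wscript.exe and cscript.exe
    # refuse every script ("Windows Script Host access is disabled on this machine").
    param([Parameter(Mandatory)][bool]$Enabled)
    New-Item -Path $WshKey -Force | Out-Null
    Set-ItemProperty -Path $WshKey -Name 'Enabled' -Value ([int]$Enabled) -Type DWord
}

function Get-WshEnabled {
    $v = Get-ItemProperty -Path $WshKey -Name 'Enabled' -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $true }        # value absent means the default: enabled
    return ($v.Enabled -ne 0)
}

function Set-VssAdminEnabled {
    # Rename rather than delete so the change is reversible with -Enabled:$true.
    # System32 binaries are owned by TrustedInstaller: take ownership and grant the built-in
    # Administrators group (SID S-1-5-32-544, locale-independent) full control first.
    param([Parameter(Mandatory)][bool]$Enabled)
    foreach ($exe in $VssCopies) {
        $disabled = "$exe.disabled"
        $from = if ($Enabled) { $disabled } else { $exe }
        $to   = if ($Enabled) { $exe }      else { $disabled }
        # Skip when there is no 32-bit copy or the file is already in the requested state.
        if (-not (Test-Path -LiteralPath $from)) { continue }
        & takeown.exe /F $from | Out-Null
        & icacls.exe $from /grant '*S-1-5-32-544:F' | Out-Null
        Rename-Item -LiteralPath $from -NewName (Split-Path -Leaf $to)
    }
}

function Get-HardeningStatus {
    # One object to eyeball before and after each toggle (and after every Windows update).
    [pscustomobject]@{
        WindowsScriptHostEnabled = Get-WshEnabled
        VssAdminCopiesPresent    = @($VssCopies | Where-Object { Test-Path -LiteralPath $_ }).Count
    }
}

# Typical use: harden now, flip back on for a maintenance task later, harden again.
Set-WshEnabled -Enabled:$false
Set-VssAdminEnabled -Enabled:$false
Get-HardeningStatus
# Before a task that needs them:   Set-WshEnabled -Enabled:$true; Set-VssAdminEnabled -Enabled:$true
# Afterwards:                       Set-WshEnabled -Enabled:$false; Set-VssAdminEnabled -Enabled:$false
```

Check `Get-HardeningStatus` again after a cumulative update or an `sfc /scannow` run: servicing can put vssadmin.exe back, and the WSH `Enabled` value can be overwritten by Group Policy. If a legitimate task needs either tool, enable it, run the task, and disable it again, which is exactly the routine the post recommends.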
 

shmu26

tim one said:
> You have to protect your data!
> I've installed Steganos Safe 17 and I have created a 35 GB (Z:) partition where I keep a copy of all my sensitive data.
> Another backup of this data is on an external HDD.
> The (Z:) virtual partition is invisible and protected by a strong password, and the data are encrypted with the AES 256-bit algorithm.
> No common ransomware or malware can access this partition; one option would be to take advantage of a specific vulnerability in Steganos, a rare but possible event.
> The other possibility is malware that works at a low level on the HDD, which can delete data, partitions and the boot sector, and this is an event that is difficult given my security setup.
>
> But also in this case I am protected because of my external backup.
Also, Rollback Rx can do a lot to protect data, as discussed here: Question - Can you hide partitions from ransomware?
 

Andy Ful

509322 said:
> Virtually nothing.
>
> I've only seen Windows use PowerShell a single time. The Windows 10 Upgrade Utility, GWX, used it.
>
> Once in a great while, Windows Update will use wscript.exe (Windows Script Host). I have seen it on W7 only.
>
> PowerShell is a menace that 99.99999 % of typical users do not need on their system. Both wscript.exe and cscript.exe should be disabled as well. If you need them, you enable them, do what you need, then promptly disable them. It is that simple.
>
> If something gets blocked, nothing is permanently broken. Blocks are no big deal, even during a Windows Update. Just re-enable, update Windows again, then promptly disable. Simple.
>
> Renaming vssadmin.exe shouldn't affect anything. It's a command-line utility. Once again, 99.99999 % of typical users don't use it.
>
> There's a lot of stuff shipped with Windows that a user does not need. Disabling what you do not need reduces attack surface and prevents many attacks.
>
> There's a reason that the industry calls many Windows processes, well, vulnerable processes.
>
> If people would just put a little bit of effort into learning more about the topic, then they could increase their system protection significantly.

I would agree. But one should be careful with SRP and script blocking. In rare cases, loading a hardware driver can need a script or something from a hardware directory located outside C:\Windows, C:\Program Files and C:\Program Files (x86). If so, the system can break down after restarting. See also (posts #32-#58):
Hard_Configurator - Windows Hardening Configurator
 

shmu26

Andy Ful said:
> I would agree. But one should be careful with SRP and script blocking. In rare cases, loading a hardware driver can need a script or something from a hardware directory located outside C:\Windows, C:\Program Files and C:\Program Files (x86). If so, the system can break down after restarting. See also (posts #32-#58):
> Hard_Configurator - Windows Hardening Configurator
That's why I don't like SRP. It does get in the way sometimes, and you can't just disable it with a click.
 

shmu26

shmu26 said:
> This process is not utilized by Macrium Reflect and similar software?
To answer my own question: I don't think Macrium Reflect uses vssadmin.exe. I searched the Macrium Reflect knowledge base, and I didn't even get a single hit.

But it is used by Windows when it makes a scheduled restore point.
This article explains a workaround if you want to disable it: Why Everyone Should disable VSSAdmin.exe Now!
 

Andy Ful

shmu26 said:
> That's why I don't like SRP. It does get in the way sometimes, and you can't just disable it with a click.
You are right, but I think that sometimes a standard antivirus can mess up the system even worse (especially on Windows 10). :( In the case of SRP the cure is simple: start the system from bootable media and edit the Registry offline (delete one registry key). In the case of a system spoiled by an antivirus, no one knows what happened, and sometimes using a system restore point does not help. o_O
Anyway, SRP gives you more possibilities to hang the system. :)
The strangest story I experienced was with Shadow Defender (my favorite) after a cumulative Windows update. I restarted the system two times and activated shadow mode. After the next restart, Windows finally chose to update the system and restart, so I had to use bootable media to edit the startup locations in the Registry offline (to deactivate Shadow Defender). :D
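The "boot from media and delete one registry key" recovery described in the post above, scripted as an added example; this is not code from the thread or from Hard_Configurator. It assumes an elevated PowerShell on WinPE or Windows recovery media, the broken installation's system volume mounted as D:, and that the SRP rules live at the standard machine-wide location HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer (that this is the only key to remove is an assumption about the hardening tool in use). The hive is loaded with reg.exe, the policy is exported as a backup, the key is deleted, and the hive is unloaded again so the installation boots cleanly.

```powershell
# Added example, not code from the thread or from Hard_Configurator: remove an SRP policy
# from an OFFLINE Windows installation (boot from WinPE/recovery media first).
# Assumptions: elevated PowerShell on the recovery media, the broken Windows volume is D:,
# and SRP rules live under the standard key HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer.
param([string]$OfflineRoot = 'D:\Windows')

$Hive      = Join-Path $OfflineRoot 'System32\config\SOFTWARE'   # the offline SOFTWARE hive file
$MountName = 'HKLM\OfflineSOFTWARE'                               # temporary name while loaded
$SrpKey    = "$MountName\Policies\Microsoft\Windows\Safer"
$Backup    = Join-Path $OfflineRoot 'Temp\srp-backup.reg'         # Windows\Temp exists on every install

if (-not (Test-Path -LiteralPath $Hive)) { throw "SOFTWARE hive not found at $Hive (wrong drive letter?)" }

& reg.exe load $MountName $Hive | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg load failed: run this from recovery media, not from the installed Windows' }
try {
    & reg.exe query $SrpKey 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Host "No SRP policy under $SrpKey; nothing to remove."
    } else {
        # Keep a copy so the policy can be re-imported once the offending rule is understood.
        & reg.exe export $SrpKey $Backup /y | Out-Null
        & reg.exe delete $SrpKey /f | Out-Null
        Write-Host "SRP policy removed; backup written to $Backup"
    }
} finally {
    # Any open handle to the loaded hive makes 'reg unload' fail with "Access is denied".
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    & reg.exe unload $MountName | Out-Null
}
```

After a reboot the system starts without any SRP rule, which is the state the post describes as the cure. Re-import the backup (or re-run the hardening tool) only after adding a path rule for the directory that the driver or installer needed, so the same block does not recur.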
 
