Guide | How To How to Protect and Harden a Computer against Ransomware

The associated guide may contain user-generated or external content.

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
hi

found this article few minutes ago on www.bleepingcomputer.com.
This board/portal has a quite good reputation so I'm frequently visiting this board to read the
latest news and threads about security/computer.

Here is the direct link to the article (date: December 22, 2016):
How to Protect and Harden a Computer against Ransomware

...a quote from this article:
2016 is almost over and it definitely taught us one thing; Ransomware is here to stay and it's only going to get worse. With even the smaller ransomware developers earning a lot of money, the ransomware explosion is going to continue with more innovative techniques used in 2017.

Therefore, it is important that every computer user, whether you are only using a computer at home or in the enterprise, needs to understand how to harden and protect their computer from ransomware. To help you, I have put together the most important steps a computer user needs to do in order to protect their themselves from ransomware. The bonus is that these steps will also protect you from a vast majority of other types of malware that use similar methods to infect a computer.

I know this article is long, but computer security is something that takes some effort. If you want to protect your computer and your assets, then I strongly suggest you print this article and read it as time permits.
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,024
Just a few questions

What are the consequences of

a) renaming vssadmin
b) disabling Windows Script Host
c) disable Windows PowerShell

What software will be affected or under what circumstances are the above not to be modified? Any exclusion/exception can be made for them if they have been modified?

Is there any 3rd-party software to simplify the above modification like just having tickboxes?

Thanks
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Just a few questions

What are the consequences of

a) renaming vssadmin
b) disabling Windows Script Host
c) disable Windows PowerShell

What software will be affected or under what circumstances are the above not to be modified? Any exclusion/exception can be made for them if they have been modified?

Is there any 3rd-party software to simplify the above modification like just having tickboxes?

Thanks
if you use backup software such as macrium reflect for instance, I don't think that you can disable vssadmin.

But the other two processes mentioned can be safely disabled without affecting normal computer use.

The best way to do this is with process lasso, it works even in the free edition.
see this thread: Process Lasso 101

this is my list of disallowed processes, in process lasso:
 

Attachments

  • Capture.PNG
    Capture.PNG
    18.8 KB · Views: 644

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,024
if you use backup software such as macrium reflect for instance, I don't think that you can disable vssadmin.

But the other two processes mentioned can be safely disabled without affecting normal computer use.

The best way to do this is with process lasso, it works even in the free edition.
see this thread: Process Lasso 101

this is my list of disallowed processes, in process lasso:
Hi

You mentioned that the other 2 processes can be safely modified without affecting NORMAL computer use. What then are the situations that can affect these uses?

And if you have other apps like AppGuard, VS etc do you still need to disable Windows Script Host and Windows PowerShell? Or do you still need Process Lasso 101 then?

BTW, any link to compare the features for the free vs paid version of Process Lasso 101? Is the free version time limited? I can't find these info on their site.

Thanks
 
Last edited:

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Hi

You mentioned that the other 2 processes can be safely modified without affecting NORMAL computer use. What then are the situations that can affect these uses?

And if you have other apps like AppGuard, VS etc do you still need to disable Windows Script Host and Windows PowerShell? Or do you still need Process Lasso 101 then?

BTW, any link to compare the features for the free vs paid version of Process Lasso 101? Is the free version time limited? I can't find these info on their site.

Thanks
unless you want to run a script or powershell yourself, for maintenance or management purposes, I can't think of a realistic case where you would need them. And even if such a need arises, it takes about one second to disable process lasso.

VS decreases the need to disable these processes, but does not eliminate the need.
As for AppGuard, it depends how you have it configured. I am not a AG user, so I can't say much

the advanced features of process lasso, as far as you and me are concerned, is the lack of an occasional nag screen. There are some cool things that the paid version can do, but I don't even understand them (a gamer would probably appreciate them, though)
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,024
unless you want to run a script or powershell yourself, for maintenance or management purposes, I can't think of a realistic case where you would need them. And even if such a need arises, it takes about one second to disable process lasso.

VS decreases the need to disable these processes, but does not eliminate the need.
As for AppGuard, it depends how you have it configured. I am not a AG user, so I can't say much

the advanced features of process lasso, as far as you and me are concerned, is the lack of an occasional nag screen. There are some cool things that the paid version can do, but I don't even understand them (a gamer would probably appreciate them, though)
OK thanks
 

tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
You have to protect your data!
I've installed Steganos Safe 17 and I have created a 35 GB (z) partition where I have a copy of all my sensitive data.
Another backup of this data is on the external HDD.
The (z) virtual partition is invisible and protected by a strong password and data are encrypted with AES 256-bit algorithm.
No common ransomware or malware can access this partition and one option is to take advantage of a specific vulnerability of Steganos, rare but possible event.
The other possibilities are malware that work at a low level on the HDD which can delete data, partitions and boot sector, and this is an event that is difficult due to my security setup.

But also in this case I am protected because of my external backup.
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,024
You have to protect your data!
I've installed Steganos Safe 17 and I have created a 35 GB (z) partition where I have a copy of all my sensitive data.
Another backup of this data is on the external HDD.
The (z) virtual partition is invisible and protected by a strong password and data are encrypted with AES 256-bit algorithm.
No common ransomware or malware can access this partition and one option is to take advantage of a specific vulnerability of Steganos, rare but possible event.
The other possibilities are malware that work at a low level on the HDD which can delete data, partitions and boot sector, and this is an event that is difficult due to my security setup.

But also in this case I am protected because of my external backup.
It is true that ransomware cannot access the data of encrypted drive but what if it corrupts the drive such that you cannot decrypt it? Isn't it rendering the drive useless?
 

tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
It is true that ransomware cannot access the data of encrypted drive but what if it corrupts the drive such that you cannot decrypt it? Isn't it rendering the drive useless?
You are right, that is why I have another backup on the external HDD.
Unfortunately, nothing is totally predictable.
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Well everything is sum it up on the article.

The true essence of protection goes on Hardening and Lockdown the crucial operation, they should install like Voodoshield, SecureAplus and few others as resident AV as it packed with Whitelisting.

People should learn understanding the interactive pop-ups rather automated.
 
5

509322

Just a few questions

What are the consequences of

a) renaming vssadmin
b) disabling Windows Script Host
c) disable Windows PowerShell

What software will be affected or under what circumstances are the above not to be modified? Any exclusion/exception can be made for them if they have been modified?

Is there any 3rd-party software to simplify the above modification like just having tickboxes?

Thanks

Virtually nothing.

I've only seen Windows use Powershell a single time. The Windows 10 Upgrade Utility - GWX - used it.

Once in a great while, Windows Update will use wscript.exe (Windows Script Host). I have seen it on W7 only.

Powershell is a menace that 99.99999 % of typical users do not need on their system. Both wscript.exe and cscript.exe should be disabled as well. If you need them, you enable them, do what you need, then promptly disable them. It is that simple.

If something gets blocked, noting is permanently broken. Blocks are no big deal - even during a Windows Update. Just re-enable, update Windows again, then promptly disable. Simple.

Renaming vssadmin.exe shouldn't affect anything. It's a command line utility. Once again, 99.99999 % of typical users don't use it.

There's a lot of stuff shipped with Windows that a user does not need. Disabling what you do not need reduces attack surface and prevents many attacks.

There's a reason that the industry calls many Windows processes - well - vulnerable processes.

If people would just put a little bit of effort into learning more about the topic, then they could increase their system protection significantly.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
You have to protect your data!
I've installed Steganos Safe 17 and I have created a 35 GB (z) partition where I have a copy of all my sensitive data.
Another backup of this data is on the external HDD.
The (z) virtual partition is invisible and protected by a strong password and data are encrypted with AES 256-bit algorithm.
No common ransomware or malware can access this partition and one option is to take advantage of a specific vulnerability of Steganos, rare but possible event.
The other possibilities are malware that work at a low level on the HDD which can delete data, partitions and boot sector, and this is an event that is difficult due to my security setup.

But also in this case I am protected because of my external backup.
also Rollback Rx can do a lot to protect data, as discussed here: Question - Can you hide partitions from ransomware?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,118
Virtually nothing.

I've only seen Windows use Powershell a single time. The Windows 10 Upgrade Utility - GWX - used it.

Once in a great while, Windows Update will use wscript.exe (Windows Script Host). I have seen it on W7 only.

Powershell is a menace that 99.99999 % of typical users do not need on their system. Both wscript.exe and cscript.exe should be disabled as well. If you need them, you enable them, do what you need, then promptly disable them. It is that simple.

If something gets blocked, noting is permanently broken. Blocks are no big deal - even during a Windows Update. Just re-enable, update Windows again, then promptly disable. Simple.

Renaming vssadmin.exe shouldn't affect anything. It's a command line utility. Once again, 99.99999 % of typical users don't use it.

There's a lot of stuff shipped with Windows that a user does not need. Disabling what you do not need reduces attack surface and prevents many attacks.

There's a reason that the industry calls many Windows processes - well - vulnerable processes.

If people would just put a little bit of effort into learning more about the topic, then they could increase their system protection significantly.

I would agree. But, one should be careful with SRP and script blocking. In rare cases, loading hardware driver can need a script or something from hardware directory located outside C:\Windows, C:\Program Files, C:\Program Files (x86). If so, the system can break down after restarting. See also (posts #32-#58):
Hard_Configurator - Windows Hardening Configurator
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I would agree. But, one should be careful with SRP and script blocking. In rare cases, loading hardware driver can need a script or something from hardware directory located outside C:\Windows, C:\Program Files, C:\Program Files (x86). If so, the system can break down after restarting. See also (posts #32-#58):
Hard_Configurator - Windows Hardening Configurator
that's why I don't like SRP. It does get in the way sometimes, and you can't just disable it with a click.
 
  • Like
Reactions: Andy Ful

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
this process is not utilized by Macrium Reflect and similar softwares?
to answer my own question: I don't think Macrium Reflect uses vssadmin.exe. I searched on the macrium reflect knowledgebase, and I didn't even get a single hit.

But it is used by Windows when it makes a scheduled restore point.
This article explains a workaround if you want to disable it: Why Everyone Should disable VSSAdmin.exe Now!
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,118
that's why I don't like SRP. It does get in the way sometimes, and you can't just disable it with a click.
You are right, but I think that sometimes the standard antivirus can mess up the system even worse (especially in Windows 10).:( In the case of SRP the cure is simple. Start the system from bootable media and edit the Registry offline (delete one registry key). In the case of the system spoiled by antivirus, no one knows what happened, and sometimes using system restore point does not help.o_O
Anyway, SRP gives you more possibilities to hang the system.:)
The strangest history I experienced, was with Shadow Defender (my favorite) after the cumulative Windows update. I restarted two times the system, and activated shadow mode. After the next restart Windows chose finally to update system and restart, so I had to use bootable media to edit offline the startup locations in the Registry (to deactivate Shadow Defender).:D
 
Last edited:
  • Like
Reactions: shmu26 and Av Gurus

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top