Ransomware is a type of virus that encrypts a user's files locally and on file shares. Ransomware encrypts the files using an encryption key known only to the attacker. Specific file extensions are usually targeted so that only files a user wants/needs are encrypted. Files can usually be decrypted by paying a ransom in bitcoin to the attacker. Ransomware is delivered by drive-by download (visiting a compromised website; no deliberate download necessary), exploits, mass email campaigns (SPAM), and visiting a compromised website and downloading/opening something.
How organizations or IT departments can Prevent Ransomware Infections:
- Back up your files to at least one disconnected medium or backup appliance. Ransomware can end up encrypting your backups if your backups are on the same network and are accessible via a file share. Preferably keep backups in three different physical locations, with one of those locations being on a disconnected medium (tape, a backup drive that is physically disconnected, SFTP, SCP, DVD, etc.) or a backup appliance. Keep backups for at least 6 months. If you are using cloud file storage, make sure to set up cloud-to-cloud backup.
- Consider cloud file storage with versioning for important non-confidential files. (Cloud storage is not a backup.)
- Set up volume shadow copies on Windows file shares. Check the schedule and set the maximum size limit (setting the maximum size will prevent the drive from filling up; set a size large enough to hold at least 4 months of versions). https://technet.microsoft.com/en-us/library/cc771893.aspx
- Back up your websites and website databases (ransomware is also targeting Linux web servers).
- Fine-tune your desktop imaging process at least yearly. Being ready and quick to re-image desktops will help you recover faster after a virus attack occurs.
- In Office 365, turn on version history (versioning only works with Office documents, so cloud backups are very important). https://support.office.com/en-us/article/Restore-a-previous-version-of-a-document-in-OneDrive-for-Business-159cad6d-d76e-4981-88ef-de6e96c93893
- Set up a web filtering appliance for your network. This will prevent known (older) ransomware from being downloaded. If you cannot afford a web filtering appliance, you can use the hosts file from http://winhelp2002.mvps.org/hosts.htm. You can also use OpenDNS to help with web filtering https://www.opendns.com/
- Set up your firewall to geo-block IP addresses from at least Russia and China. This will prevent some ransomware from being downloaded, or stop the virus from uploading the encryption key to the attacker's servers, which halts the encryption process. Block at least TCP and UDP ports 137, 138, 139, 445 and 3389 from the outside. Denying all incoming traffic and only allowing what is needed is best. https://support.microsoft.com/en-us/help/3185535/guidelines-for-blocking-specific-firewall-ports-to-prevent-smb-traffic-from-leaving-the-corporate-environment
- Set up a good SPAM filter and block certain extensions in attachments (exe, zip, rar, vbs, scr, etc.). This will prevent some SPAM messages carrying ransomware/viruses from reaching your users.
- Install an anti-virus program on all client workstations and keep it updated. This will prevent known viruses. Configure anti-virus to scan compressed files.
- Set up Windows Server Update Services https://technet.microsoft.com/en-us/library/hh852344(v=ws.11).aspx or something equivalent, and keep all servers and desktops updated.
- Principle of Least Privilege (POLP): Only give write permissions on shares to users/groups that absolutely need them. Default to read-only permissions whenever possible. Audit your file shares and review the permissions needed for each share. This limits the damage ransomware can cause if the infected user has read-only permissions. (Newer ransomware targets all shares a user has ever accessed, regardless of mapped drives.)
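The share audit in the bullet above can be scripted. The following is an added example (not code from this guide or from the Ransomware Detection Service project): it lists every non-administrative SMB share on the local file server where a broad identity has write access, at the share-ACL layer and at the NTFS layer of the share root. The list of "broad" group names is an assumption; adjust it to the groups used in your domain.

```powershell
# Added example (not part of this guide): audit SMB shares on the local file
# server for write access granted to broad groups. Run in an elevated
# PowerShell on Windows Server 2012 or newer (needs the SmbShare module).
# The group names below are assumptions; adjust them to your domain.

# Broad identities that should normally not have write access on a share.
$BroadIdentities = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    "$env:USERDOMAIN\Domain Users"   # assumption: replace with your domain's group
)

# NTFS rights that let a ransomware process overwrite or replace files.
$WriteRights = 'Write|Modify|FullControl|CreateFiles|WriteData|Delete'

function Get-BroadWriteAccess {
    [CmdletBinding()]
    param(
        # Administrative shares (C$, ADMIN$, IPC$) are skipped unless requested.
        [switch]$IncludeSpecial
    )
    $shares = Get-SmbShare | Where-Object { $IncludeSpecial -or -not $_.Special }
    foreach ($share in $shares) {
        # 1) Share-level ACL: Change or Full granted to a broad identity.
        Get-SmbShareAccess -Name $share.Name |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.AccessRight -in @('Change', 'Full') -and
                $BroadIdentities -contains $_.AccountName
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Share    = $share.Name
                    Path     = $share.Path
                    Layer    = 'Share'
                    Identity = $_.AccountName
                    Rights   = $_.AccessRight
                }
            }
        # 2) NTFS ACL on the share root: any write-capable right for a broad identity.
        if ($share.Path -and (Test-Path -LiteralPath $share.Path)) {
            (Get-Acl -LiteralPath $share.Path).Access |
                Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    ($_.FileSystemRights.ToString() -match $WriteRights) -and
                    $BroadIdentities -contains $_.IdentityReference.Value
                } |
                ForEach-Object {
                    [pscustomobject]@{
                        Share    = $share.Name
                        Path     = $share.Path
                        Layer    = 'NTFS'
                        Identity = $_.IdentityReference.Value
                        Rights   = $_.FileSystemRights.ToString()
                    }
                }
        }
    }
}

# Report shares where a broad group can write; an empty result is the goal.
Get-BroadWriteAccess | Sort-Object Share, Layer | Format-Table -AutoSize
```

The share ACL and the NTFS ACL are both checked because the effective permission is the more restrictive of the two: a share granting Everyone "Full" is harmless if NTFS is read-only, but a share that is "Change" for Everyone on top of NTFS Modify is exactly the case where one infected account can encrypt the whole share. Entries whose NTFS rights show only as a number (generic rights) are not matched by the pattern and should be reviewed by hand.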
- Set up Group Policies to restrict applications from running in AppData directories. This prevents some ransomware from being run. http://www.bitdefender.com/support/how-to-protect-from-cryptowall-1354.html
- Add Group Policies for Software Restriction Policies to block executables from running from within compressed files. http://www.questiondriven.com/2016/04/05/software-restriction-policies-to-prevent-ransomware/ http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information#prevent
- Disable SMB 1.0 on Windows operating systems. (Warning: this will make Windows Server 2003 or Windows XP unable to connect to shares on a server with SMB 1.0 disabled.)
- Run this command from within PowerShell on Windows Server 2012/Windows Server 2012 R2/Windows 8/Windows 10:
Set-SmbServerConfiguration -EnableSMB1Protocol $False -Confirm:$False
- Run this command from within PowerShell on Windows Server 2008/Windows Server 2008 R2/Windows 7 (this sets the registry value the SMB server reads at start-up, so a reboot is required):
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Type DWORD -Value 0 -Force
- How to disable SMB 1.0 connections to other file servers with SMB 1.0 shares. Run the two commands below on servers and desktops from an elevated command window (reboot required; Windows 7 or newer and Windows Server 2008 or newer):
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
- Install Microsoft Windows SMB Vulnerability Security Patch
- SMB Vulnerability Patch for end-of-life operating systems:
- Windows Server 2003 x86 KB4012598 https://www.microsoft.com/en-us/download/details.aspx?id=55248
- Windows Server 2003 x64 KB4012598 https://www.microsoft.com/en-us/download/details.aspx?id=55244
- Windows XP SP3 KB4012598 https://www.microsoft.com/en-us/download/details.aspx?id=55245
- Install Microsoft Windows June 2017 Security Update https://technet.microsoft.com/en-us/library/security/4025685.aspx
- Install Microsoft Windows July 2017 Security Update https://support.microsoft.com/en-us/help/4025341/windows-7-update-kb4025341
- Enable the LdapEnforceChannelBinding registry setting on domain controllers after the July 2017 security update has been deployed to all client workstations.
- Layer user account and password security. Make sure all servers have different service accounts for different applications, with a different password for each. Make sure the accounts have the minimum permissions required to run their applications/services. Only create the accounts that are needed with admin privileges on servers. This will limit access to the server from other compromised accounts.
- Limit access to servers by VLAN/subnet. Limit access to only the needed servers, services, ports, and applications per subnet/site. Limit access from one site/subnet to another to only the needed ports, services, servers, etc. This will reduce the impact of worms to the site that is infected, and may keep servers from becoming infected.
- Disable AutoPlay via Group Policy to prevent USB AutoPlay/AutoRun viruses. http://www.maxi-pedia.com/disable+autorun+autoplay+via+group+policy
- Disable Microsoft Office macros via Group Policy.
- Set up Ransomware Detection Service https://github.com/prestoncooper/RansomwareDetectionService/ on your Windows file server. This will notify you when file shares become compromised by ransomware. A CommandProgram option is available to stop an infected user. Train users to leave the SourcePath files/folders alone to prevent false positives. This service can also be used to monitor servers for ransomware infection, and it can help clean up file shares. If you have a good backup from before an infection, the bad files can be deleted prior to restore using the Find Files tab and File Filter tab. This program will also aid in the restore of files. The Compare tab can compare files byte-for-byte against the last good backup and give you a list of the files changed (make sure no copy options are used when comparing a backup). The Audit tab can compare file signatures and restore only the corrupted/encrypted files (the Audit tab does not work on text files, only on binary files with signatures). The Audit Files tab and Find Files tab will also note the file owners of corrupted/encrypted files.
- Prepare your response for when a ransomware event occurs (expect to be hit by ransomware and prepare/practice what you will do). http://www.natlawreview.com/article/ransomware-attacks-prevention-and-preparedness
- Don’t pay the ransom. (Paying the ransom funds and sets a precedent for future ransomware attacks.) If you get hit and you don’t have backups, you might not have a choice; if you followed the previous bullet points you will have options for restoring files. Paying the ransom does not guarantee that you will get your files back, or that they will not ask for more money once you pay.
- Set up File Screens (File Server Resource Manager) to block the creation of “*.scf” files in any file share. You can add additional file extensions that you don’t want to allow in your file shares (*.scr, *.docm, etc.). https://www.howtogeek.com/137270/50-file-extensions-that-are-potentially-dangerous-on-windows/
- If you are an advanced user, disable the Windows Script Host. Make sure to test this in your environment before deploying it. If you use scripting in your organization, if tools use scripts, or if software you use depends on the Windows Script Host, you won’t be able to disable it. https://technet.microsoft.com/en-us/library/ee198684.aspx
- If you do not need Remote Desktop, disable it; otherwise change the port on servers and workstations. If you do this you must communicate the change to your IT team, and check your firewall settings for the new port. https://support.microsoft.com/en-us/help/306759/how-to-change-the-listening-port-for-remote-desktop
- Control Panel -> “File Explorer Options”: uncheck “Hide extensions for known file types”. Users need to know what type of file is about to be opened. Make this setting global via Group Policy https://community.spiceworks.com/topic/405797-using-gpo-to-force-disabling-hide-extensions-for-known-file-types-in-explorer
- Keep operating systems (Windows, macOS, Linux) and third-party applications (Adobe Reader, Flash, Java, etc.) updated on all clients. This will prevent some virus infections. Alternatively, uninstall any vulnerable plugins/extensions from all web browsers (Flash, Java, Adobe Reader).
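The File Screen bullet above can be applied with the File Server Resource Manager PowerShell cmdlets instead of the GUI. The following is an added example (not code from this guide or from the Ransomware Detection Service project) that creates a file group for the extensions named in the bullet, attaches an event-log and an email notification, and puts an active screen on a share root. The share path, the email address and the extra extension names are assumptions; the extension list is illustrative and should be maintained from your own threat intelligence.

```powershell
# Added example (not part of this guide): create an FSRM file screen that
# blocks ransomware-associated extensions on a share and raises an event
# (and an email) when a user tries to create one.
# Assumptions: File Server Resource Manager is installed (Windows Server
# 2012 or newer), the share root is D:\Shares, and the email address is a
# placeholder you must replace.
Import-Module FileServerResourceManager

$GroupName  = 'Ransomware Extensions'        # name is our own choice
$ScreenPath = 'D:\Shares'                    # assumption: your share root
$AdminMail  = 'admin@example.invalid'        # placeholder address

# Extensions called out in this guide, plus illustrative ransomware markers.
$Patterns = @('*.scf', '*.scr', '*.docm', '*.locky', '*.crypt', '*.encrypted', '*.zepto')

# Create (or update) the file group that the screen will block.
if (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns
} else {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns `
        -Description 'Extensions not allowed on file shares'
}

# Notifications: write a warning to the event log, and email the admin.
# [Source Io Owner], [Source File Path] and [File Screen Path] are FSRM
# notification variables filled in at run time with the writing user and
# the blocked path, which is what an analyst needs to find the infected host.
$EventAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'User [Source Io Owner] tried to write [Source File Path] on [File Screen Path]. Check this user for ransomware.'
$MailAction  = New-FsrmAction -Type Email -MailTo $AdminMail `
    -Subject 'FSRM file screen hit: possible ransomware' `
    -Body 'User [Source Io Owner] attempted to save [Source File Path].'

# An active screen refuses the write instead of only logging it (passive).
if (-not (Get-FsrmFileScreen -Path $ScreenPath -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $ScreenPath -IncludeGroup $GroupName `
        -Notification $EventAction, $MailAction -Active
}

# Verify the screen and its group.
Get-FsrmFileScreen -Path $ScreenPath | Format-List Path, Active, IncludeGroup
```

Email notifications only arrive if the FSRM SMTP server has been configured (Set-FsrmSetting -SmtpServer ...). File screens match on file name only, so they stop ransomware families that rename files and they stop users from saving the named extensions, but they do not catch variants that keep the original extension; that case is what the audit in the bullet on checking file content is for.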
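Several of the items above (AutoPlay, Office macros, Windows Script Host, SMB 1.0, hidden extensions) are Group Policy settings that end up as registry values on the workstation. The following is an added example (not code from this guide or from the Ransomware Detection Service project) that reads those values on the machine it runs on and reports which ones are not in the hardened state, so a deployment can be verified rather than assumed. The registry paths are the ones the corresponding policies write; the Office version key (16.0) is an assumption you must adjust for your Office release.

```powershell
# Added example (not part of this guide): check that the client-hardening
# settings from this list are actually in effect on a workstation.
# Registry locations are those written by the corresponding Group Policies;
# the Office version key (16.0 = Office 2016/365) is an assumption, adjust
# it for your Office release (15.0 = Office 2013).

$Checks = @(
    @{ Name = 'AutoPlay disabled on all drives'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoDriveTypeAutoRun'; Expected = 255 },
    @{ Name = 'Windows Script Host disabled'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
       Value = 'Enabled'; Expected = 0 },
    @{ Name = 'SMB 1.0 server disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'SMB1'; Expected = 0 },
    @{ Name = 'File extensions shown in Explorer (current user)'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Value = 'HideFileExt'; Expected = 0 },
    @{ Name = 'Word macros disabled without notification (policy)'
       Path = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'
       Value = 'VBAWarnings'; Expected = 4 },
    @{ Name = 'Excel macros disabled without notification (policy)'
       Path = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security'
       Value = 'VBAWarnings'; Expected = 4 }
)

function Test-HardeningSetting {
    param([hashtable]$Check)
    # A missing key or value means the policy was never applied: report it as
    # such rather than treating the built-in default as compliant.
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.$($Check.Value) } else { $null }
    [pscustomobject]@{
        Setting  = $Check.Name
        Expected = $Check.Expected
        Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
        Status   = if ($actual -eq $Check.Expected) { 'OK' } else { 'REVIEW' }
    }
}

# One row per setting; anything marked REVIEW needs the policy applied or fixed.
$Checks | ForEach-Object { Test-HardeningSetting -Check $_ } | Format-Table -AutoSize
```

Add a row per Office application you deploy (PowerPoint, Outlook) and per Office version in use. On Windows 8/Windows Server 2012 or newer, Get-SmbServerConfiguration is the authoritative check for SMB 1.0; the registry row is what the Windows 7/2008 command earlier in this list sets.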
- If you are an advanced user, look into hardening security for your organization’s operating systems https://adsecurity.org/?p=3299
- Consider using source control for important documents. https://sourceforge.net/projects/gitextensions/ Source control programs store document change history in files without extensions. (This will only work as long as source control repositories are not targeted.)
- Consider application whitelisting to prevent malicious software and unapproved programs from running. https://community.spiceworks.com/how_to/57422-deploying-a-whitelist-software-restriction-policy-to-prevent-cryptolocker-and-more
- Consider disallowing installation of applications by users. (Whether this is possible depends on your IT staff and user base; with too few IT staff, or users who are very independent, it might not be. [No local admin privileges])
- Consider application sandboxing.
- Block known-malicious Tor IP addresses https://www.torproject.org/docs/faq-abuse.html.en#Bans
- Beta-test CryptoPrevent on client workstations https://www.foolishit.com/cryptoprevent-malware-prevention/
- Train users to not trust or open attachments from unknown senders and suspicious emails.
- Train users to never enable macros on a Microsoft Office file from an email attachment or downloaded file.
- Make note of the user that was infected by noting the file owner of ransomware-created files. Make note of the creation times of the ransomware files, together with the infected user, to help determine which websites caused the infection so you can blacklist those sites on your web content filter or firewall. Notify the infected user of the cause of the infection if an email or download caused it. Train the user on how to avoid the same problem again if necessary.
- Audit your file shares and look for encrypted files before backups are deleted. The sooner you catch an infected share, the less data is lost and the more recent the backup that can be restored. Ransomware Detection Service can find ransomware-related file extensions and files (off hours only). Some ransomware doesn’t modify file extensions and can even keep the same file size. The only way to check is to open some files and verify their content. I added Auditing to the Ransomware Detection Service for this.
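The two bullets above (identify the infected user from file owners and creation times; find encrypted files even when the extension and size did not change) can be combined into one triage pass. The following is an added example (not code from this guide or from the Ransomware Detection Service project): it walks a share, keeps files written in the look-back window, and flags those with a ransomware-like extension, those whose leading bytes no longer match the signature their extension implies (a .docx that does not start with the ZIP "PK" marker, a .pdf without %PDF), and text files whose content has the near-random byte distribution of ciphertext. It then groups the hits by owner and lists the earliest creation times. The share root, window and extension list are assumptions.

```powershell
# Added example (not part of this guide): triage a file share after a
# suspected infection. Reports recently written files whose extension is
# ransomware-like, or whose content does not match what the extension says,
# with owner and creation time so the infected account and the time window
# can be identified. Assumptions: the share root, the look-back window and
# the illustrative extension list below.

$ShareRoot = 'D:\Shares'            # assumption: share to triage
$Since     = (Get-Date).AddHours(-24)
$BadExt    = @('.locky', '.zepto', '.crypt', '.encrypted', '.locked')

# Magic bytes expected at the start of common document/image formats.
$Signatures = @{
    '.docx' = 0x50,0x4B; '.xlsx' = 0x50,0x4B; '.pptx' = 0x50,0x4B; '.zip' = 0x50,0x4B
    '.pdf'  = 0x25,0x50,0x44,0x46            # %PDF
    '.png'  = 0x89,0x50,0x4E,0x47
    '.jpg'  = 0xFF,0xD8; '.jpeg' = 0xFF,0xD8
}
# Text formats: encrypted output has near-maximal byte entropy, real text does not.
$TextExt = @('.txt', '.csv', '.xml', '.html', '.log', '.ps1', '.json')

function Get-Entropy([byte[]]$Bytes) {
    # Shannon entropy in bits per byte (0..8); ciphertext sits close to 8.
    if ($Bytes.Length -eq 0) { return 0 }
    $counts = New-Object int[] 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) { $p = $c / $Bytes.Length; $h -= $p * [math]::Log($p, 2) }
    }
    return $h
}

function Read-Head([string]$Path, [int]$Count) {
    # Read only the first $Count bytes; share the file so open documents still work.
    $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        $buf = New-Object byte[] $Count
        $n = $fs.Read($buf, 0, $Count)
        if ($n -le 0) { return [byte[]]@() }
        return [byte[]]$buf[0..($n - 1)]
    } finally { $fs.Dispose() }
}

function Test-SuspiciousFile {
    param([System.IO.FileInfo]$File)
    $ext = $File.Extension.ToLowerInvariant()
    if ($BadExt -contains $ext) { return 'ransomware extension' }
    if ($File.Length -eq 0) { return $null }
    try { $head = [byte[]](Read-Head $File.FullName 4096) } catch { return $null }
    if ($Signatures.ContainsKey($ext)) {
        $sig = [byte[]]$Signatures[$ext]
        for ($i = 0; $i -lt $sig.Length; $i++) {
            if ($i -ge $head.Length -or $head[$i] -ne $sig[$i]) { return 'signature mismatch' }
        }
    } elseif ($TextExt -contains $ext -and $head.Length -ge 512 -and (Get-Entropy $head) -gt 7.5) {
        return 'high entropy text file'
    }
    return $null
}

$findings = Get-ChildItem -LiteralPath $ShareRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Since -or $_.CreationTime -ge $Since } |
    ForEach-Object {
        $reason = Test-SuspiciousFile -File $_
        if ($reason) {
            [pscustomobject]@{
                Owner    = (Get-Acl -LiteralPath $_.FullName).Owner
                Created  = $_.CreationTime
                Modified = $_.LastWriteTime
                Reason   = $reason
                Path     = $_.FullName
            }
        }
    }

# The owner with the most hits is the first account to disable/isolate; the
# earliest Created time bounds the window for web-filter and firewall log review.
$findings | Group-Object Owner | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$findings | Sort-Object Created | Select-Object -First 20 | Format-Table -AutoSize
```

The signature check catches ransomware that keeps the original extension and size, which an extension filter cannot; the entropy check covers plain-text formats that have no fixed signature. Legitimately compressed or encrypted content (password-protected archives, encrypted PDFs) will also be reported, so treat the output as a worklist to confirm by opening files, as the bullet says, not as a delete list.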
- Disable or uninstall browser extensions that are not needed, for all users. If you are an advanced user, install browser extensions like Adblock and NoScript on Chrome and Firefox.
- If you are an advanced user, install and set up Microsoft EMET https://www.microsoft.com/en-us/download/confirmation.aspx?id=50766 http://krebsonsecurity.com/2013/06/windows-security-101-emet-4-0/
- If you are an advanced user, set up and deploy Microsoft EMET with Group Policy settings. This will take research and testing, but in the end your environment will be more secure. http://windowsitpro.com/security/control-emet-group-policy
- Look into newer anti-virus programs that offer ransomware protection (Malwarebytes, etc.).
- If you are an advanced user, look into Securing Domain Controllers to Improve Active Directory Security https://adsecurity.org/?p=3377
- If you are an advanced user, look into LSA Protection https://adsecurity.org/?tag=enable-lsa-protection
- If you are an advanced user, look into additional methods to prevent Mimikatz https://adsecurity.org/?page_id=1821
How to Recover from Ransomware:
Another prevention article: https://www.experts-exchange.com/articles/20879/Ransomware-is-rampant-don’t-be-caught-out.html