Ransomware is malware (commonly described as a virus) that encrypts a user's files locally and on file shares, using an encryption key known only to the attacker. Specific file extensions are usually targeted so that only the files a user wants or needs are encrypted. The files can usually be decrypted only by paying a ransom in bitcoin to the attacker. Ransomware is delivered by drive-by download (visiting a compromised website, no download necessary), by mass email campaigns (SPAM), and by visiting a compromised website and downloading/opening something.
How to Prevent a Ransomware Infection:
- Back up your files to at least one disconnected medium or backup appliance. Ransomware can end up encrypting your backups if they are on the same network and reachable via a file share. Preferably keep backups in three different physical locations, with one of them on a disconnected medium (tape, a backup drive that is physically disconnected, DVD, etc.) or a backup appliance. Keep backups for at least 6 months. If you use cloud file storage, set up cloud-to-cloud backup.
- Consider cloud file storage with versioning for important non-confidential files. (Cloud storage is not a backup.)
- Set up volume shadow copies on Windows file shares. Check the schedule and set the maximum size limit (setting a maximum prevents the drive from filling up; make it large enough to hold at least 4 months of versions). https://technet.microsoft.com/en-us/library/cc771893.aspx
- Back up your websites and website databases (ransomware also targets Linux web servers).
- In Office 365, turn on version history (versioning only works with Office documents, so cloud backups are very important). https://support.office.com/en-us/article/Restore-a-previous-version-of-a-document-in-OneDrive-for-Business-159cad6d-d76e-4981-88ef-de6e96c93893
- Set up a web filtering appliance for your network. This will prevent old ransomware from being downloaded. If you cannot afford a web filtering appliance, you can use the hosts file from http://winhelp2002.mvps.org/hosts.htm. You can also use OpenDNS to help with web filtering https://www.opendns.com/
- Set up a new firewall to geo-block IP addresses from at least Russia and China. This will prevent some ransomware from being downloaded, or stop the virus from uploading the encryption key to the crooks' servers, which halts the encryption process.
- Set up a good SPAM filter and block certain attachment extensions (exe, zip, rar, vbs, scr, etc.). This will keep some SPAM messages carrying ransomware/viruses from reaching your users.
- Install an anti-virus program on all client workstations and keep it updated. This will prevent old viruses. Configure the anti-virus to scan compressed files.
- Only give write permissions on shares to users/groups that absolutely need them. Default to read-only permissions whenever possible. Audit your file shares and review the permissions each share needs. This limits the damage ransomware can cause if the infected user has read-only permissions. (New ransomware targets all shares a user has ever accessed, regardless of mapped drives.)
- Set up Group Policies to restrict applications from running in AppData directories. This prevents some ransomware from running. http://www.bitdefender.com/support/how-to-protect-from-cryptowall-1354.html
- Add Group Policies with Software Restriction Policies to block executables from running from within compressed files. http://www.questiondriven.com/2016/04/05/software-restriction-policies-to-prevent-ransomware/ http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information#prevent
- Disable AutoPlay via Group Policy to prevent USB AutoPlay viruses. http://www.maxi-pedia.com/disable+autorun+autoplay+via+group+policy
- Disable Microsoft Office Macros in Group Policy
- Set up Ransomware Detection Service (http://ransomwaredetectionservice.codeplex.com/) on your Windows file server. This will notify you when file shares become compromised by any ransomware. The CommandProgram option is available to stop an infected user. Train users to leave SourcePath files/folders alone to prevent false positives. This service can also be used to clean up file shares: if you have a good backup after an infection, the bad files can be deleted before the restore using the Find Files tab and File Filter tab. The program also aids in restoring files; it can compare file signatures and restore only the corrupted/encrypted files. The Audit Files tab and Find Files tab also record the owners of corrupted/encrypted files.
- Set up File Screens on your Windows file servers to detect files and extensions created by ransomware (http://www.questiondriven.com/2015/10/27/file-screens-to-monitor-file-shares-for-ransomware/). This will notify you when you are hit by an older ransomware, and the owner of the file is the infected user. Passive monitoring notifies you when a possible infection occurs and gathers the file owner to identify the infected user. The big caveat is that this only works when the ransomware creates files or file extensions that are not random, and does so in the file shares that become encrypted. Ransomware does not always change file extensions or create text ransom notes, which renders File Screens inadequate for detecting current and future ransomware.
- In Control Panel -> "File Explorer Options", uncheck "Hide extensions for known file types". Users need to know what type of file is about to be opened. Make this setting global via Group Policy https://community.spiceworks.com/topic/405797-using-gpo-to-force-disabling-hide-extensions-for-known-file-types-in-explorer
- Keep operating systems (Windows, Mac, Linux) and third-party applications (Adobe Reader, Flash, Java, etc.) updated on all clients. This will prevent some virus infections. Alternatively, uninstall any vulnerable plugins from all web browsers (Flash, Java, Adobe Reader).
- Consider using source control for important documents. https://sourceforge.net/projects/gitextensions/ Source control programs store document change history in files without extensions. (This only works while source control is not targeted.)
- Consider application whitelisting to prevent malicious software and unapproved programs from running. https://community.spiceworks.com/how_to/57422-deploying-a-whitelist-software-restriction-policy-to-prevent-cryptolocker-and-more
- Consider disallowing installation of applications by users (no local admin privileges). Whether this is possible depends on your IT staff and user base; with too little IT staff, or very independent users, it might not be.
- Consider application sandboxing.
- Block known-malicious Tor IP addresses https://www.torproject.org/docs/faq-abuse.html.en#Bans
- Beta Test CryptoPrevent on client workstations https://www.foolishit.com/cryptoprevent-malware-prevention/
- Train users not to trust or open attachments from unknown senders and suspicious emails.
- Train users to never enable macros on a Microsoft Office file from an email attachment or downloaded file.
- Make note of the infected user by noting the file owner of ransomware-created files. Note the creation times of the ransomware files, together with the infected user, to help determine which websites caused the infection so you can blacklist them on your web content filter or firewall. Notify the infected user of the cause of the infection if an email or download caused it, and train the user on how to avoid the same problem again if necessary.
- Audit your file shares and look for encrypted files before backups are deleted. The sooner you catch an infected share, the less data is lost and the more recent the backup that can be restored. Ransomware Detection Service can find ransomware-related file extensions and files (off hours only). Some ransomware doesn't modify file extensions and can even keep the same file size; the only way to check is to open some files and verify their content. I added Auditing to the Ransomware Detection Service.
- Disable or uninstall browser extensions that are not needed, for all users. If you are an advanced user, install browser extensions like Adblock and NoScript in Chrome and Firefox.
- If you are an advanced user, install and set up Microsoft EMET https://www.microsoft.com/en-us/download/confirmation.aspx?id=50766 http://krebsonsecurity.com/2013/06/windows-security-101-emet-4-0/
- Set up and deploy Microsoft EMET with Group Policy settings. This will take research and testing, but in the end your environment will be more secure. http://windowsitpro.com/security/control-emet-group-policy
- Beta test Malwarebytes Anti-Ransomware (only on a few client workstations; don't deploy globally yet). https://forums.malwarebytes.org/topic/177751-introducing-malwarebytes-anti-ransomware/
- Don't pay the ransom. (Paying the ransom funds and sets a precedent for future ransomware attacks.) If you get hit and you don't have backups, you might not have a choice. If you followed the previous bullet points, you will have options for restoring files.
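Added example (not from this article, and not a script from any of the tools or pages linked above): the registry values behind the Group Policy hardening bullets in the list (show file extensions, disable AutoPlay, disable Office macros, and Software Restriction Policy rules that block executables in AppData and in archive extraction folders), applied directly on one test workstation before the same settings are rolled out through GPO. The Office version key (16.0), the helper function name, the rule description text and the blocked path patterns are assumptions to adjust for your environment.

```powershell
# Added example, not the article's own script: apply the registry values that
# the recommended Group Policy settings write, on a single test workstation,
# from an elevated PowerShell session. Once tested, deploy them via GPO.

function Set-RegValue {
    # Assumed helper: create the key if missing, then set one value.
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path -LiteralPath $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name $Name -Value $Value -Type $Type
}

# --- Explorer: always show file extensions (current user) ---
Set-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' HideFileExt 0

# --- AutoRun/AutoPlay: disabled for every drive type (0xFF = all types) ---
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-RegValue $explorerPolicy NoDriveTypeAutoRun 0xFF
Set-RegValue $explorerPolicy NoAutorun 1

# --- Office macros: disable all without notification (VBAWarnings = 4) ---
# Version key 16.0 is an assumption (Office 2016/365); Office 2013 uses 15.0.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    Set-RegValue $key VBAWarnings 4
    # Also block macros in files carrying the "downloaded from the internet" mark.
    Set-RegValue $key BlockContentExecutionFromInternet 1
}

# --- Software Restriction Policies: disallow executables launched from AppData
#     and from the folders where archive tools extract attachments ---
$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
Set-RegValue $srp DefaultLevel 0x40000      # Unrestricted unless a rule matches
Set-RegValue $srp TransparentEnabled 1      # enforce for executables, not DLLs
Set-RegValue $srp PolicyScope 0             # applies to all users, admins included
Set-RegValue $srp ExecutableTypes @(
    'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF',
    'INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG',
    'SCR','SHS','URL','VB','WSC') 'MultiString'

# Path patterns are assumptions; extend them for the archive tools you deploy.
$blockedPaths = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe',
    '%LocalAppData%\Temp\Rar*\*.exe',   # WinRAR "open from archive" folders
    '%LocalAppData%\Temp\7z*\*.exe',    # 7-Zip
    '%LocalAppData%\Temp\wz*\*.exe',    # WinZip
    '%LocalAppData%\Temp\*.zip\*.exe'   # Windows built-in zip folders
)
foreach ($pattern in $blockedPaths) {
    # Each rule is its own GUID-named subkey under security level 0 (Disallowed).
    $ruleKey = "$srp\0\Paths\{$([guid]::NewGuid())}"
    Set-RegValue $ruleKey ItemData $pattern 'ExpandString'
    Set-RegValue $ruleKey SaferFlags 0
    Set-RegValue $ruleKey Description 'Block ransomware droppers (test rule)' 'String'
}
# SRP rules apply to newly started processes after a log off/log on or a reboot.
```

Keep the test to one or two workstations first: a path rule that is too broad (for example one that also covers an updater that legitimately runs from AppData) shows up as a blocked-program event there, not across the whole fleet, and the patterns can be refined before the GPO version is deployed.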
How to Recover from Ransomware:
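Added example (not code from this article or from Ransomware Detection Service): a PowerShell audit of a file share that applies the check described in the bullets above, opening each file and comparing its first bytes against the signature its extension implies, so that files encrypted in place with their name and size unchanged are still caught, and also flagging names that match ransom-note or renamed-file patterns. For every suspect it records the owner and timestamps, which is the information the list above says to collect to identify the infected user and the time of infection. The share path, the report path, the helper function names and the name patterns are placeholders; the signature table covers a few common formats and should be extended for your file types.

```powershell
# Added example, not from the article: audit a share for files whose contents
# no longer match what their extension claims, and for names that look like
# ransom notes or renamed victims. Records owner and timestamps per suspect.
# Share path, report path and name patterns are placeholders.
param(
    [string]$SharePath = '\\FILESERVER\Departments',          # placeholder
    [string]$Report    = "$env:TEMP\ransomware-audit.csv"
)

# First bytes of a healthy file, keyed by extension (extend for your file types).
$signatures = @{
    '.docx' = @(0x50, 0x4B, 0x03, 0x04)   # "PK.." zip container (also .xlsx/.pptx)
    '.xlsx' = @(0x50, 0x4B, 0x03, 0x04)
    '.pptx' = @(0x50, 0x4B, 0x03, 0x04)
    '.zip'  = @(0x50, 0x4B, 0x03, 0x04)
    '.pdf'  = @(0x25, 0x50, 0x44, 0x46)   # "%PDF"
    '.jpg'  = @(0xFF, 0xD8, 0xFF)
    '.png'  = @(0x89, 0x50, 0x4E, 0x47)
    '.doc'  = @(0xD0, 0xCF, 0x11, 0xE0)   # OLE2 compound document (also .xls)
    '.xls'  = @(0xD0, 0xCF, 0x11, 0xE0)
}
# Constructed sample name patterns; fill these in from your file-screen group.
$notePatterns = @('*.locked', '*.encrypted', '*HOW_TO_DECRYPT*', '*RECOVER*FILES*.txt')

function Get-HeaderMismatch {
    # True when the file's leading bytes differ from the signature for its extension.
    param([System.IO.FileInfo]$File)
    $expected = $signatures[$File.Extension.ToLower()]
    if (-not $expected) { return $false }          # unknown type: cannot judge
    if ($File.Length -eq 0) { return $false }      # empty placeholder files are normal
    $buf = New-Object byte[] ($expected.Count)
    $stream = $File.OpenRead()
    try { $read = $stream.Read($buf, 0, $buf.Length) } finally { $stream.Dispose() }
    if ($read -lt $expected.Count) { return $true } # truncated file
    for ($i = 0; $i -lt $expected.Count; $i++) {
        if ($buf[$i] -ne $expected[$i]) { return $true }
    }
    return $false
}

function Get-SuspectReason {
    # Returns a short reason string, or $null when the file looks healthy.
    param([System.IO.FileInfo]$File)
    foreach ($pattern in $notePatterns) {
        if ($File.Name -like $pattern) { return "name matches $pattern" }
    }
    if (Get-HeaderMismatch $File) { return "content does not look like $($File.Extension)" }
    return $null
}

$suspects = foreach ($file in Get-ChildItem -Path $SharePath -File -Recurse -ErrorAction SilentlyContinue) {
    $reason = Get-SuspectReason $file
    if (-not $reason) { continue }
    $owner = 'unknown'
    try { $owner = (Get-Acl -LiteralPath $file.FullName).Owner } catch { }
    [pscustomobject]@{
        Path        = $file.FullName
        Reason      = $reason
        Owner       = $owner
        Created     = $file.CreationTime
        LastWritten = $file.LastWriteTime
        SizeBytes   = $file.Length
    }
}

if (-not $suspects) {
    'No suspect files found.'
} else {
    $suspects | Sort-Object LastWritten | Export-Csv -Path $Report -NoTypeInformation
    # The owner that dominates the newly created files is the infected account;
    # the earliest LastWritten among the suspects is roughly when encryption began.
    $suspects | Group-Object Owner | Sort-Object Count -Descending |
        Select-Object Name, Count | Format-Table -AutoSize
    "Report written to $Report"
}
```

Run it off hours on large shares, since every file with a known extension is opened. Note that a file encrypted in place keeps its original owner, so the Owner column identifies the infected user only for files the ransomware created (ransom notes, renamed copies); for in-place encryption, the LastWritten timestamps narrow down the time window, and the file server's own access auditing or the detection service described above supplies the account.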
Another prevention article: https://www.experts-exchange.com/articles/20879/Ransomware-is-rampant-don’t-be-caught-out.html