Ransomware Mitigation and Prevention

June 7, 2016 by David Balaban

Crypto ransomware continues to be a scourge on the computer security arena. Not only do these infections grab and hold end users' files hostage, but they have also come to target organizations, including healthcare companies and police departments. When business assets and people's lives are at stake, effective techniques for ransomware prevention and mitigation come to the fore.

Below is a comprehensive list of methods applicable for this purpose. Keep in mind, though, that it's not a one-size-fits-all set of tips, and some of these avenues may not be suitable for your organization. However, by getting the big picture, you should be able to select the techniques that are worthwhile based on your company's needs, resources, and budget.

  • Network segmentation

    This mitigation methodology pursues the goal of protecting the IT infrastructure of an organization by restricting the scope of resources that a cyber intruder can access. In other words, it presupposes the compartmentalization of data, network assets, and applications into standalone segments while limiting communication between these segments. Consequently, if a ransomware compromise takes place, the infection will not be able to traverse the whole network for data and encrypt it.

  • Software whitelisting
    The idea of whitelisting boils down to defining what is allowed to run on a computer rather than blocking suspicious or known malicious processes. Security suites can barely keep track of the huge volumes of new or slightly modified virus variants, so malware signatures are no longer an efficient response to the present-day cyber threat landscape. The tool called Windows AppLocker can automate the app whitelisting routine by allowing users to create a list of processes and applications that are authorized to run on the PC by default.
  • Use the Enhanced Mitigation Experience Toolkit
    Microsoft's Enhanced Mitigation Experience Toolkit (EMET) provides an additional protection layer that the ransomware distributor will have to defeat before exploiting software vulnerabilities on a PC. Along with making zero-day attacks a lot harder to pull off, EMET also accommodates the Certificate Trust feature, which detects and stops man-in-the-middle attacks that use the public key infrastructure (PKI). The toolkit can be used by individual customers and deployed across the enterprise.
  • Maintain secure backups

    Compared to other tactics to thwart ransomware attacks and reduce the damage for end users and enterprise networks, data backups strike a golden mean. If there is an efficient backup strategy in place, all it takes to recover from such a compromise is to remove the offending code and then download original copies of the mutilated files from a protected place outside of the targeted machine. The Trojan obliteration part tends to be easy. In fact, some of these infections trigger a self-termination routine after completing data encryption.

    It's recommended to avoid online backup services that map the cloud drive as a drive letter in the computer's data structure. This approach makes the cloud drive an easy target for crypto ransomware. A good practice is to follow the 3-2-1 backup rule: have at least three copies of the most valuable data, keep two of them on different external media, and store one copy offsite.
  • Toggle anti-spam settings
    Ransomware operators typically rely on exploit kits and social engineering to spread the malicious loaders. Although the latter technique is easy to implement, it features an amazingly high infection rate. The black hat hackers deploy bulk spam campaigns and lure the would-be victims into opening their catchy attachments masqueraded as invoices, CVs, payrolls, missed delivery reports and the like. If a user is gullible enough, he or she runs the risk of unknowingly executing the malware this way. To avoid this, consider customizing your webmail server so that it blocks incoming messages with .exe, .scr, .vbs, .js, .jar, .bat, .pif, or .cpl attachments.
  • Click responsibly
    Since phishing is a widespread ransomware distribution vector, some basic security awareness can save you a lot of hassle. The rule of thumb is to refrain from opening suspicious email attachments and clicking dubious hyperlinks received via instant messaging clients or social networks. Cyber criminals may compromise your contacts' accounts and send out booby-trapped files or malicious links on their behalf. Therefore, even if you know who the sender is, think twice before quenching your curiosity.
  • Keep macros disabled
    Cyber extortionists have recently started resorting to an old-school contamination trick based on macros in Microsoft Office documents. The strain dubbed Locky is circulating over emails with a Microsoft Word attachment disguised as an invoice. Originally, the contents of this document are gibberish, but a prompt to enable macros promises to make the text intelligible. However, doing so will allow the attacker to deposit and execute malicious code remotely through a known macro vulnerability. Therefore, if a document asks you to turn on macros, be sure to opt out of this offer.
  • Treat ActiveX with caution
    Similar to the intrusion technique through macros, ActiveX can also be leveraged to execute a ransomware loader on a computer. When you open a Microsoft Office document that has ActiveX controls, a Security Warning message appears with a recommendation to enable the content. However, ActiveX controls have a significant scope of access to the local file system and registry settings, which may allow a remote attacker to do a lot of damage. So think twice before enabling this framework if a message bar asks you to.
  • Configure Windows to show file extensions
    The perpetrators may disguise ransomware executables as files considered harmless. To this end, they tend to assign several extensions to the loader that make it look like an image, a video or an innocuous document. The filename Flowers.jpg, followed by a bunch of spaces and .exe, would be an example of this trick. Because some email clients display a limited number of characters of attachments' names, the user will think it's an image file, open it and get infected. Therefore, configuring the operating system and the preferred webmail client to show the genuine file extensions can help identify malicious payloads.
  • Keep your OS and software up to date
    Ransomware authors are increasingly relying on exploit kits for distribution. The recent infection called CryptXXX, for instance, ends up on computers through the aid of the infamous Angler EK. The breach commences with a browser redirect from a hacked website. Then, the would-be victim hits the exploit kit's landing page, which allows the offending code to look for vulnerabilities in unpatched programs running on the PC. In case a minor loophole is spotted, the automated kit deposits the ransom Trojan onto the system. The software most targeted in the course of such attacks includes Java, Adobe Flash Player, and web browsers, so it makes sense to be slightly paranoid about whether you have the latest version of these solutions.
  • Consider renaming vssadmin.exe
    Vssadmin.exe is a program that administers the Volume Shadow Copy Service (VSS) on a Windows machine. It is built into the operating system and pursues the objective of creating snapshots of all user files at regular intervals so that the data can be restored in case of a hardware failure or unintended deletion. However, ransomware plagues use this process to disable VSS and erase all shadow copies. Effectively, this prevents the user from recovering files with the native Windows feature. To make these attempts null and void, one should rename vssadmin.exe to a random string so that the Trojan cannot locate it in the case of a compromise.
  • Go offline
    Although this tactic seems somewhat primitive, it works wonders at the early stage of a ransomware compromise. Timeliness is critical in this context. As soon as you notice suspicious network activity, weird User Account Control (UAC) popups, dubious processes running in the background and an abrupt CPU spike, consider turning off the Internet connection. The anatomy of the average cryptovirus attack includes communication with the hackers' Command and Control server. Therefore, if the machine goes offline, the infection won't be able to obtain the public encryption key from its server and will thus fail to complete the data encryption job.
  • Keep Windows Firewall turned on
    The native Firewall is rather efficient in tackling ransomware because it monitors inbound and outbound traffic for known malicious and potentially harmful activity. Since ransom Trojans will actively exchange data with their C2 servers, the Firewall can identify this stealthy communication, block it and alert the user.
  • Use second-opinion firewall protection
    Popular Internet security programs and premium security suites deliver custom firewalls featuring advanced intrusion detection and prevention. These tools normally won't conflict with the stock firewall built into Windows, so the two can operate concurrently and enhance the efficiency of each other. Their usefulness for thwarting ransomware assaults is beyond question because these threats don't work autonomously and reach out to their C&Cs multiple times throughout a breach. Because this activity leaves a conspicuous footprint in the target system's web traffic patterns, the firewall defense is indispensable.
  • Customize your antivirus
    It's a good idea to configure your antivirus, antimalware or Internet security suite to be on the lookout for archived or compressed files. Ransomware programs tend to rely on these file types for circulation as well as offending activity when on board a workstation. By toggling these settings, if available, you can make sure the detection is more accurate.
  • Disable Windows Script Host

    The relevance of this recommendation stems from Windows Script Host's properties. This system component allows arbitrary JavaScript files to run outside the web browser if they were saved to the hard drive. Consequently, if a ransomware loader deposits a .JS file onto the machine's HDD, then WSH will run the script with all the privileges that a commonplace executable would have. It takes some Registry editing to disable Windows Script Host, but it's certainly worth the effort when it comes to ransomware prevention.

  • Disable Windows PowerShell
    Perpetrators may harness the functionality of Windows PowerShell to deploy their attacks. In fact, some healthcare organizations recently fell victim to crypto ransomware that used this automation and configuration management framework to download the infection from a remote server and execute the bad script. The use of PowerShell helps malicious code evade antivirus detection; therefore, disabling it may do the prevention trick in some cases.
  • Install a popup blocker
    A browser extension that blocks third-party popup ads can keep you on the safe side as well. Such add-ons address the risk of drive-by downloads, where users are duped into clicking something that looks harmless, but the interstitial or in-page ad triggers an obfuscated malware download routine in the background. There is a vast choice of popup blockers offered to users on the cheap or for free, so it makes sense to get one.
  • Use strong passwords
    Creating hard-to-guess passwords is another rule of thumb. If black hat hackers succeed in guessing or brute forcing a password for any of your online accounts, the attack incident is just a matter of time. Since big dumps of sensitive information like that are constantly hitting the headlines, be sure to change your passwords on a regular basis, too.
  • Disable AutoPlay
    Removable media such as thumb drives or portable hard disks can carry ransomware payloads and thus spread the infection from one machine to another. One of the new samples dubbed ZCrypt or Ransom:Win32/ZCryptor.A was found to exhibit self-replication features, just like computer worms. It can, therefore, copy itself to adjacent devices and further propagate this way. When a contagious piece of hardware is connected to a healthy computer, it's in the user's best interest to prevent it from opening automatically.
  • Be careful with remote services
    Back in March 2016, malefactors behind a strain called the Surprise Ransomware exploited poorly secured TeamViewer sessions to execute the malign process on hundreds of machines manually. This incident should be a wake-up call for aficionados of Remote Desktop Protocol (RDP) and other remote administration tools (RATs), who should be doing a better job protecting their accounts from unauthorized breach through password dumps. Setting up two-factor authentication is a dependable countermeasure for such a compromise. Also, stay logged out of the remote service when it's not in use.
  • Disable file sharing
    Doing so won't help you steer clear of ransom Trojans altogether, but it is a good method to keep the threat isolated to a single machine and prevent it from propagating across the enterprise network. Just go to the 'View network status and tasks' menu in Control Panel, proceed to 'Change advanced sharing settings' and click the appropriate radio button.
  • Use Software Restriction Policies
    This is a simple but effective way to avert crypto malware attacks. When inside a computer, the overwhelming majority of ransomware strains will run from a specific system path, most likely from AppData, LocalAppData, Temp, UserProfile or Windows\SysWow64. Therefore, by adding a new path rule under Software Restriction Policies, you can prevent executables from launching if they are located inside one of the 'potentially risky' directories.
  • Set the BIOS clock back
    Crypto infections provide a deadline for the victim to submit the ransom, after which its size increases. It's usually somewhere between four and seven days, with the starting point being the time of complete data encryption. Fortunately, there is an easy way to get around this restriction. Setting the system BIOS clock to an earlier date will trick the countdown timer and give you an additional time span to find and implement a fix.
  • Study security forums
    Quite a few ransomware variants, including TeslaCrypt, DMA Locker, and AlphaLocker, were decrypted by researchers who released free decrypt solutions for everyone infected. Therefore, if confronted with a ransom Trojan, do not fail to look up the name on the Internet and surf security forums like BleepingComputer, where recovery breakthroughs appear once available.
  • Have a response plan in store
    This tip is particularly valuable for organizations. When hit by a ransomware threat, it's critical for an enterprise to adopt timely countermeasures and mitigations before the payment deadline expires and the ransom goes up. To this end, IT executives should do an inventory of critical data resources, know where these assets are located, and evaluate the damage from the possible unavailability of this data.
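
The attachment blocklist from the "Toggle anti-spam settings" tip, combined with the padded double-extension disguise described under "Configure Windows to show file extensions", as an added Python example (not code from the original article). The DECOY list, the function names and the sample message are assumptions made for illustration.

```python
import re
from email.message import EmailMessage

# Extensions the article recommends blocking at the mail server.
BLOCKED = {".exe", ".scr", ".vbs", ".js", ".jar", ".bat", ".pif", ".cpl"}
# Harmless-looking extensions a disguised loader may imitate (assumed list).
DECOY = {".jpg", ".png", ".gif", ".pdf", ".doc", ".docx", ".avi", ".mp4"}

def real_extension(filename):
    """Return the last extension, lower-cased, ignoring trailing dots/spaces."""
    name = filename.strip().rstrip(". ")  # Windows drops trailing dots and spaces
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""

def check_filename(filename):
    """Return ('block' | 'allow', reasons) for one attachment name."""
    ext = real_extension(filename)
    if ext not in BLOCKED:
        return "allow", []
    reasons = [f"blocked extension {ext}"]
    # Everything in front of the real extension, padding included.
    stem = filename.strip().rstrip(". ")[: -len(ext)]
    if re.search(r"\s$", stem):
        reasons.append("whitespace padding before the real extension")
    if real_extension(stem) in DECOY:
        reasons.append(f"decoy extension {real_extension(stem)}")
    return "block", reasons

def scan_message(msg):
    """Check every attachment of an EmailMessage; return a list of verdicts."""
    return [check_filename(part.get_filename() or "")
            for part in msg.iter_attachments()]

def build_sample():
    """Constructed sample message: one disguised loader name, one benign file."""
    msg = EmailMessage()
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    for name in ("Flowers.jpg          .exe", "report.pdf"):
        msg.add_attachment(b"sample bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg

if __name__ == "__main__":
    for verdict, reasons in scan_message(build_sample()):
        print(verdict, reasons)
```

The check keys on the last extension only, so a truncated display name in the mail client does not affect the verdict.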

To be a moving target for online extortionists, individuals and organizations should be continuously assessing and enhancing their security posture. Ransomware authors are fine-tuning their methods, and computer users had better follow suit.
