Dealing with the aftermath of ransomware attacks is like Russian roulette, where submitting the ransom might be the sole option for recovering locked data. This is precisely why focusing on prevention is a judicious approach to adopt.
The growth of ransomware over the past few years has driven the security industry to create myriads of tools applicable for blocking these types of threats from being executed on computers. Few of them are bulletproof 100%, though.
This article is focused on additional measures that users should employ to ensure a higher level of defense against these plagues.
Ransomware Prevention Tips
1. First and foremost, be sure to back up your most important files on a regular basis.
Ideally, backup activity should be diversified, so that the failure of any single point will not lead to the irreversible loss of data. Store one copy in the cloud, resorting to services like Dropbox, and the other on offline physical media, such as a portable HDD.
An efficient tactic is toggle data access privileges and set read / write permissions, so the files cannot be modified or erased. An additional tip is to check the integrity of your backup copies once in a while.
2. Customize your anti-spam settings the right way.
Most ransomware variants are known to be spreading via eye-catching emails that contain contagious attachments. It's a great idea to configure your webmail server to block dubious attachments with extensions like .exe, .vbs, or .scr.
3. Refrain from opening attachments that look suspicious.
Not only does this apply to messages sent by unfamiliar people but also to senders who you believe are your acquaintances. Phishing emails may masquerade notifications from a delivery service, an e-commerce resource, a law enforcement agency, or a banking institution.
4. Think twice before clicking.
Dangerous hyperlinks can be received via social networks or instant messengers, and senders are likely to be people you trust, including your friends or colleagues. For this attack to be deployed, cybercriminals compromise their accounts and submit bad links to as many people as possible.
5. The Show File Extensions feature can thwart ransomware plagues, as well.
This is a native Windows functionality that allows you to easily tell what types of files are being opened, so that you can keep clear of potentially harmful files. The fraudsters may also use a confusing technique where one file can be assigned a couple of extensions.
For instance, an executable may look like an image file and have a .gif extension. Files can also look like they have two extensions - eg, cute-dog.avi.exe or table.xlsx.scr - so be sure to pay attention to tricks of this sort. A standalone known attack vector is through malicious macros enabled in Microsoft Word documents.
6. Patch and keep your operating system, antivirus, browsers, Adobe Flash Player, Java, and other up-to-date software.
This habit can prevent compromises via exploit kits.
7. In the event a suspicious process is spotted on your computer, instantly turn off the Internet connection.
This is particularly efficient on an early stage of the attack because the ransomware won't get the chance to establish a connection with its Command and Control server and thus cannot complete the encryption routine.
8. Think of disabling vsremove it.
This functionality built into Windows to administer Volume Shadow Copy Service is normally a handy tool that can be used for restoring previous versions of arbitrary files. In the framework of rapidly evolving file-encrypting malware, though, vssadmin.exe has turned into a problem rather than a favorable service.
If it is disabled on a computer at the time of a compromise, ransomware will fail to use it to obliterate the shadow volume snapshots. This means you can use VSS to restore the blatantly encrypted files afterwards.
9. Keep the Windows Firewall turned on and properly configured at all times.
10. Enhance your protection more by setting up additional Firewall protection.
There are security suites out there that accommodate several Firewalls in their feature set, which can become a great addition to the stock defense against a trespass.
11. Adjust your security software to scan compressed or archived files, if this feature is available.
12. Disabling Windows Script Host could be an efficient preventive measure, as well.
13. Consider disabling Windows PowerShell, which is a task automation framework.
Keep it enabled only if absolutely necessary.
14. Enhance the security of your Microsoft Office components (Word, Excel, PowerPoint, Access, etc.).
In particular, disable macros and ActiveX. Additionally, blocking external content is a dependent technique to keep malicious code from being executed on the PC.
15. Install a browser add-on to block popups as they may also pose an entry point for ransom Trojan attacks.
16. Use strong passwords that cannot be brute-forced by remote criminals.
Set unique passwords for different accounts to reduce potential risk.
17. Deactivate AutoPlay.
This way, harmful processes won't be automatically launched from external media, such as USB memory sticks or other drives.
18. Make sure you disable file sharing.
This way, if you happen to get hit, the ransomware infection will stay isolated to your machine only.
19. Think of disabling remote services.
Otherwise, the threat could rapidly spread across the enterprise network, thus calling forth serious security issues for the business environment if your computer is part of it.
For example, the Remote Desktop Protocol can be leveraged by the black hat hackers to expand the attack surface.
20. Switch off unused wireless connections, such as Bluetooth or infrared ports.
There are cases when Bluetooth get exploited for stealthily compromising the machine.
21. Defines Software Restriction Policies that keep executable files from running when they are in specific locations in the system.
The directories most heavily used for hosting malicious processes include ProgramData, AppData, Temp, and Windows \ SysWow.
22. Block known-malicious Tor IP addresses.
Tor (The Onion Router) gateways are the primary means for ransomware threats to communicate with their C&C servers. Therefore, blocking those may prevent the critical malicious processes from getting through.
Since ransomware is definitely today's number one cyber peril due to the damage it causes and the prevalence factor, the above countermeasures are a must. Otherwise, your most important files could be completely lost.
The key recommendation, though, is the one about backups - offline or in the cloud. In this scenario, the recovery consists of removing the Trojan ransom and transferring data from the backup storage.
Currently dealing with the consequences of ransomware is not very promising from the file decryption perspective. That is why thwarting the virus attack can save you a pretty penny and guarantee peace of mind.
About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.
Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
