Ransomware: Expert advice on how to keep safe and secure

Ransomware: Expert advice on how to keep safe and secure

ESET's Lysa Myers offers a detailed and comprehensive overview on how to stay safe against ransomware attacks, a threat that is growing in prominence.

ESET’s Lysa Myers offers a detailed and comprehensive overview on how to stay safe against ransomware attacks, a threat that is growing in prominence.

Update (July 4th): In light of recent ransomware attacks, this feature now includes new sections.

After many years of financially motivated malware trying its best to stay under the radar, the swift and clamorous entrances of WannaCryptor and a Petya-like variant are most unexpected. While these outbreaks can seem frightening, it’s not difficult to prevent or at least mitigate the damage they cause.

What is ransomware?

Ransomware is malicious software that criminals use to hold computers or computer files to ransom, demanding payment from victims to get them back. Sadly, ransomware is an increasingly popular way for malware authors to extort money from companies and consumers alike.

Paying criminals is never a good idea, even when it seems expedient. In the case of the Petya-like variant – which is currently detected by ESET as Win32/Diskcoder.C (aka ExPetr; PetrWrap; Petya; NotPetya; GoldenEye; and PetyaCry) – the payment mechanism has been disrupted so that payment is not an option.

Ransomware authors are under no obligation to actually give you back what you pay for, and there have been plenty of cases where either the decryption key did not work or the ransom message was never shown. While criminals are not generally renowned for their excellent software testing skills or devotion to quality customer service, it is unusual for ransomware like WannaCryptor or Diskcoder.C to be so sloppily put together.

The goal of financially-motivated malware such as ransomware is for the extortionists to make some untraceable money, and such apparently elementary mistakes make payoff impossible.

What can you do about it?

On the one hand, ransomware can be extremely scary – the encrypted files can essentially be considered damaged and beyond repair. But if you have prepared your system properly, it is really nothing more than a nuisance.

There are a few things that you can do to keep ransomware from wrecking your day. Let’s start with what can be done in advance to help prevent malware from getting onto your system in the first place, and to minimize damage if it does happen.

Back up your data

The single most important thing you can do to prepare for emergencies, including being affected by ransomware, is to regularly create, update, and test backups. You can find more information about how to create and maintain effective backups in the excellent whitepaper referenced here. Because Diskcoder.C may also affect the Master Boot Record, it is possible that it will encrypt the whole drive.

If your backups include a snapshot of your whole system, this can speed up the recovery process. Many ransomware variants will also encrypt files on drives that are networked, or will spread to other connected computers within a network. This includes any external drives such as a USB thumb drive, as well as any network or cloud file stores to which you have assigned a drive letter. So your backup needs to be on an external drive or with a backup service that is disconnected from your devices and network when not in use, and secured both physically and digitally.

Keep your software up to date

Malware authors frequently rely on people running outdated software with known vulnerabilities, which they can exploit to get onto systems unobserved. It can significantly decrease the potential for malware infection if you make a practice of updating your software often. Enable automatic updates if you can, update through the software’s internal update process, or go directly to the software vendor’s website.

WannaCryptor and Diskcoder.C rely on vulnerabilities in older Server Message Block (SMB) versions to spread. You can check if your Windows machines have been patched against this vulnerability. If you have not yet disabled SMBv1, it is advisable to do this as soon as possible.

Disable SMBv1 via Group Policy 
Disable SMBv1 on a single server

Malware authors sometimes disguise their creations as software update notifications, so by going to well-known and good software repositories you can increase the odds in favor of getting clean, vetted updates. On Windows, you may wish to double-check that old – and potentially vulnerable – versions of the software are removed by looking in Add/Remove Software within the Control Panel.

Use a reputable security suite

It is always a good idea to have both anti-malware software and a software firewall to help you identify threats or suspicious behavior. Malware authors frequently update their creations to try to avoid detection, so it is important to have both layers of protection. If you run across a ransomware variant that is so new that it gets past anti-malware software, it might still be caught by a firewall when it attempts to connect with its Command and Control (C&C) server to receive instructions for encrypting your files.

The next few tips are to help you deal with the methods that current ransomware variants have been using – these tips may not help in every case, but they are inexpensive and minimally intrusive ways to cut off access routes used by a variety of malware families.

Strengthen security on Admin accounts

As Diskcoder.C behaves differently if it’s run with Administrator level privileges, it’s important to lock these accounts down to minimize their utility for attackers.

If a local administrator account exists on your computer, make sure that the password is strong and unique. And if your computers belong to a domain, make sure the domain admin passwords are strong and unique too. Avoid re-using login credentials on workstations and servers at all costs. Using a second factor of authentication can help slow down or stop lateral movement of malware utilizing stolen credentials. Remote access to servers, in particular, needs to be protected by two-factor authentication.

When choosing which accounts should have administrator level privileges, keep in mind that no users or systems should have more access than is necessary to complete tasks that are legitimately within the scope of their work. As a general rule, most users should not have administrative rights on their machines, and should be limited in their ability to access resources outside of their own purview. You may also need to disable hidden default admin (ADMIN$) accounts and/or communication to hidden admin (ADMIN$) shares.

Disable macros in Microsoft Office files

Most people may not be aware that Microsoft Office document files are like a file-system within a file system, which includes the ability to use a powerful scripting language to automate almost any action you could perform with a fully-executable program file. By disabling macros in Office files, you deactivate the use of this scripting language.

Show hidden file extensions

One popular method malware uses to appear innocent is to name files with double extensions, such as “.PDF.EXE”. By default, Windows and OSX hide known file extensions; malware takes advantage of this behavior to make a file appear to be one that would commonly be exchanged. If you enable the ability to see the full file-extension, it can be easier to spot suspicious file types.

Filter executable file-types in email

If your gateway mail scanner has the ability to filter files by extension, you may want to deny mails that arrive with executable file-types such as “.EXE” files, or to deny mails sent with files that have two file extensions, the last one being executable (For example, “Filename.PDF.EXE”). If you do legitimately need to exchange executable files within your environment and are denying emails with “.EXE” files, you can send them within ZIP files or via cloud services. Sending in ZIP files can also give you an extra layer of assurance, as it allows you to choose an official, universal password for use within your household or company, which can help you identify unofficial files that don’t use your agreed-upon password.

Disable files running from AppData and LocalAppData folders

You can create policy rules within Windows or with Intrusion Prevention Software to disallow behavior often used by ransomware, which is to run its executable from the AppData or LocalAppData folders. If you have legitimate software that you know is set to run from the AppData area (note that this is fairly unusual behavior, and most legitimate software will allow you to choose another install location), you will need to add an exclusion from this rule.

Disable RDP

Ransomware sometimes accesses machines by using Remote Desktop Protocol (RDP), which allows others to access your desktop remotely. If you do not need use RDP in your environment, you can disable it to protect your machines. For instructions on how to do so, visit the appropriate Microsoft Knowledge Base article below:

Educate your users

While accidents do happen, it is important for all of your users to understand what acceptable use of network resources entails. This is something that should not just be done once when someone is hired. It should be an exercise that is revisited frequently. Posters or other educational materials can be displayed prominently, wherever public computers or internet connections are available.

Get started with this free resource: ESET Cybersecurity Awareness Training.

It is also imperative to encourage your users to let you know when an accident has occurred, so that damage can be limited by quick corrective action. Rewarding safer security behavior, including pointing out problems, can help you to foster an encouraging environment.

If you find yourself in a position where you have already run a ransomware executable without having taken any of the previous precautions, your options are more limited. There are a few things you can still do that might help mitigate the damage:

Disconnect from WiFi or unplug from the network immediately

If you run a file that you suspect may be ransomware, but you have not yet seen the characteristic ransomware screen, if you act very quickly you might be able to stop communication with the C&C server before it finishes encrypting your files. If you disconnect your system from the network immediately by pulling your Ethernet cable or disabling wireless and Bluetooth connectivity, you might decrease the number of files that it can encrypt.

Check to see if a decryptor is available

Sometimes malware authors make mistakes and decryptors can be created. Other times, malware authors feel remorse for their actions or stop development on a particular ransomware family, and then release a decryption key. It’s worth a quick internet search to see if the solution to your problem is available for free, from a reputable source. Because there are plenty of scammers and vultures preying on people who are vulnerable and desperate for help, I cannot stress enough the importance of checking to make sure the source of a decryptor is both well-known and trusted.

Use System Restore to get back to a known-clean state

If you have System Restore enabled on your Windows machine, you might be able to take your system back to a known-clean state. Many ransomware variants will prevent this from succeeding, but it doesn’t hurt to try.

Set the BIOS clock back

Some ransomware variants have a payment timer that increases the price for your decryption key after a set time. You may be able to give yourself additional time by setting the BIOS clock back to a time before the deadline window is up.

Further information

If you are an ESET customer and are concerned about ransomware protection or think you have been targeted by ransomware, contact the customer care number for your country/region. They will have the latest details on how to prevent and remediate ransomware attacks.

In addition, here are several additional resources that provide more information that can help you address this threat:

Finally, it should be noted that the recent rash of ransomware attacks has generated a lot of breathless news coverage, mainly because it is a departure from previous trends in financially-motivated malware (which tended to be stealthy and thus not data-damaging).

Ransomware can certainly be frightening, but there are many benign problems that can cause just as much destruction. That is why it has always been, and always will be, best practice to protect yourself against data loss with regularly scheduled and tested backups that are kept offline. That way, no matter what happens, you will be able to restart your digital life more quickly.

Discussion