As the impact and severity of crypto-ransomware threats and attacks has grown over the past 2½ years, we have published many blogs and articles on how best to defend against these modern-day extortionists. We do not believe that our business or consumer customers should have to choose between extortion and losing precious, irreplaceable data. We often get asked the leading question: “which endpoint security solution will offer 100% prevention and protection from crypto-ransomware?” The simple answer is none. Even the best endpoint security (which we pride ourselves on innovating and striving towards) will only be 100% effective most of the time. At other times the cybercriminals will have found ways to circumvent endpoint security defenses and their attack will likely succeed. Each day many ransomware campaign operators create a new variant which is re-packed, making it once again undetected by all antivirus products.
1. Use Reputable, Proven, Multi-Vector Endpoint Security
When it comes to endpoint security, there are many choices out there. While published detection tests help when it comes to crypto-ransomware, most detection testing is flawed – with many programs achieving 100% detection results that can’t be reproduced in the real world.
Webroot has built a strong reputation for stopping crypto-ransomware. Our goal, first and foremost, is to be 100% effective. Webroot was the first antivirus and antimalware vendor to move completely away from the standard, signature-based file detection method. By harnessing the power of cloud computing, Webroot replaced traditional, reactive antivirus with proactive, real-time endpoint monitoring and threat intelligence, defending each endpoint individually, while gathering, analyzing, and propagating threat data collectively. This predictive infection prevention model enables Webroot solutions to accurately categorize existing, modified, and new executable files and processes, at the point of execution, to determine their status.
Using this approach, Webroot rapidly identifies and blocks many more infections than signature-based approaches, and we are highly proficient at detecting and stopping crypto-ransomware.
Of course, you need protection that covers multiple threat vectors. For instance, real-time anti-phishing to stop email links to phishing sites, web browser protection to stop browser threats, and web reputation to block risky sites that might only occasionally be unsafe. Over the past four years, the Webroot approach to infection prevention has continuously proven its efficacy at stopping crypto-malware in real time by addressing threats the moment they attempt to infect a device, stopping the encryption process before it starts. Regardless of which endpoint security solution you choose, it’s essential it offers multi-dimensional protection and prevention against malware to ensure it quickly recognizes external threats and any suspicious behaviors. A next-generation endpoint security solution with protection beyond file-based threats is essential.
2. Back up your data.
If you have failed to stop ransomware from successfully encrypting your data, then the next best protection is being able to restore your data and minimize business downtime.
Bear in mind when you are setting up your backup strategy that crypto-ransomware like CryptoLocker will also encrypt files on drives that are mapped, and some modern variants will look for unmapped drives too. Crypto-ransomware will look for external drives such as USB thumb drives, as well as any network or cloud file stores that you have assigned a drive letter to.
You need to set up a regular backup regimen that at a minimum backs up data to an external drive, or backup service, that is completely disconnected when it is not performing the backup.
The recommended best practice is that your data and systems are backed up in at least three different places.
» Your main storage area (file server)
» Local disk backup
» Mirrors in a cloud business continuity service
In the event of a ransomware disaster, this set-up will give you the ability to mitigate any takeover of your data and almost immediately regain the full functionality of your critical IT systems.
3. User Education.
The “human firewall” – your users – is often the weakest security link. A lot of lip service is paid to user security education, and with the advent of online self-paced courses there is no excuse not to look at using those tools to help educate your users about the risks they face in the office and from using the Internet at home.
If a user receives an invoice, receipt, or any other form of attachment from someone they are unfamiliar with, chances are it’s bad. For emails carrying Word documents, it is also advised to warn users to avoid clicking “Enable Content” on documents from unfamiliar sources.
4. Disable execution of script files.
Ransomware such as Locky (.thor), Nemucod (.crypted), and Cerber is most often delivered via spam email. The spam email carries an attached zip archive. Inside the archive is a script or a macro-enabled Office document; when the user opens it, the ransomware payload is downloaded and executed.
In order to prevent these types of documents and scripts from running we recommend performing the following steps.
Step 1: Block WSF, VBS, WSH, HTA and JS files:
Option 1: REDIRECT SCRIPT FILE EXTENSIONS VIA GPO
To enable this policy setting, access the system set up for policy control and navigate to the following setting:
User Configuration – Preferences – Control Panel – Settings
Right-click on Folder Options and navigate to New > Open With.
Type each unwanted extension, i.e. wsf, js, vbs, into the “File extension” box, then input the path of a program you want to have as the default to open the file.
Tick Set as default and press OK.
We recommend redirecting the file types: .hta, .jse, .js, .vbs, .vbe, .wsf, .wsh, .ps1.
If a system administrator needs to run a WSF, VBS, or JS file, they can still be run from the command line: C:\Windows\System32\WSCRIPT.exe C:\example.vbs
For startup scripts, the same principle applies, just make a call to WSCRIPT with the script as the argument.
1. Sign into the Webroot Enterprise Console and click Group Management.
2. Select the hostnames which you would like to have this applied to, and then navigate to Agent Commands > Advanced > Download and execute a file.
3. Input the following link into the URL field:
For the Command Line Options field, the following commands can be used:
-disable – This command will redirect the default action for the following file types: .hta, .jse, .js, .vbs, .vbe, .wsf, .wsh, to instead show a message box like so:
-enable – This command restores the default execution program for the file types mentioned above.
To disable Windows Script Host, execute the following in an elevated command prompt:
REG ADD "HKLM\Software\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 0 /f
To re-enable Windows Script Host, execute the following instead:
REG ADD "HKLM\Software\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f
As an alternative, you can send a file to all your endpoints that will accomplish the same:
- Sign into the Webroot Enterprise Console and click Group Management.
- Select the hostnames which you would like to have this applied to, and then navigate to Agent Commands > Advanced > Download and execute a file.
- Input the following link into the URL field:
It is also recommended to create an email policy to block archive files (.zip, .jar, .tar, .7z, .msi, etc.) and executable/script files (.com, .exe, .scr, .bat, .js, .jse, .vb, .vbe, .wsf, .wsh, .cmd). These emails may also contain an attached Word document with macros enabled. Such a macro can silently download and execute any infection of a criminal’s choosing.
Step 2: Disable Macro execution.
Office macros can be beneficial in some work environments; however, in most cases they are not necessary to have enabled and are only a security risk. Some ransomware families use macro scripts within documents as a channel for payload delivery.
To enable this policy setting, run gpedit.msc and navigate to the following setting:
User configuration > Administrative templates > Microsoft Word 2016 > Word options > Security > Trust Center.
Double-click on Block macros from running in Office files from the Internet setting and Enable it.
Note: If there is not a policy controller available, as an alternative you can disable macros without notification manually:
Step 3: Prevent users from running PowerShell via GPO.
User configuration > Administrative templates > System
1. Double-click on Don’t run specified Windows applications.
2. Click the radio button Enabled to enable the policy.
3. Click the Show button next to List of disallowed applications and add powershell.exe to the list and click OK.
4. Test by attempting to run PowerShell.
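The three steps above each change a registry-backed setting, and after pushing them through GPO you want a way to confirm they actually landed on a given host. The following read-only audit script is an added example, not part of the original article and not a Webroot tool. It checks Step 1 (what the script extensions open with, and whether Windows Script Host is disabled), Step 2 (the Word/Excel/PowerPoint macro policy values) and Step 3 (the DisallowRun list). The registry paths and the VBAWarnings value meanings are the standard Windows and Office policy locations as I know them; treat them as assumptions and verify them against your own Windows and Office builds.

```powershell
# Added audit script (not part of the original article or any Webroot tool).
# Read-only: reports whether the Step 1-3 settings are in place on this host.
# Run in an elevated PowerShell session. Registry locations are assumptions
# based on the standard Windows/Office policy paths; verify on your builds.

$ScriptExtensions = '.hta', '.jse', '.js', '.vbs', '.vbe', '.wsf', '.wsh', '.ps1'

function Get-ScriptHandlerStatus {
    # Step 1: which program each script extension opens with. The per-user
    # "Open With" choice (what the GPO redirect sets) lives under FileExts;
    # fall back to the machine-wide HKCR association if no user choice exists.
    foreach ($ext in $ScriptExtensions) {
        $userChoice = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice"
        $progId = (Get-ItemProperty -Path $userChoice -ErrorAction SilentlyContinue).ProgId
        if (-not $progId) {
            $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue).'(default)'
        }
        $command = $null
        if ($progId) {
            $command = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
        }
        [pscustomobject]@{
            Extension     = $ext
            ProgId        = $progId
            OpenCommand   = $command
            StillExecutes = [bool]($command -match 'wscript|cscript|mshta|powershell')
        }
    }
}

function Get-WshStatus {
    # Step 1 alternative: the Enabled value from the REG ADD command in the
    # article. A missing value means WSH is enabled (the Windows default).
    $machine = (Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows Script Host\Settings' -ErrorAction SilentlyContinue).Enabled
    $user    = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows Script Host\Settings' -ErrorAction SilentlyContinue).Enabled
    [pscustomobject]@{
        MachineEnabledValue = $machine
        UserEnabledValue    = $user
        WshDisabled         = ($machine -eq 0) -or ($user -eq 0)
    }
}

function Get-MacroPolicyStatus {
    # Step 2: Office 2016 and later store per-application policy under 16.0.
    # Assumed VBAWarnings meanings: 1 enable all, 2 disable with notification,
    # 3 disable except digitally signed, 4 disable all without notification.
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $policy  = Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" -ErrorAction SilentlyContinue
        $setting = Get-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\$app\Security" -ErrorAction SilentlyContinue
        $vba = if ($policy.VBAWarnings) { $policy.VBAWarnings } else { $setting.VBAWarnings }
        [pscustomobject]@{
            Application              = $app
            BlockInternetMacrosByGpo = ($policy.blockcontentexecutionfrominternet -eq 1)
            VbaWarnings              = $vba
            AllMacrosDisabled        = ($vba -eq 4)
        }
    }
}

function Get-DisallowRunStatus {
    # Step 3: "Don't run specified Windows applications" writes DisallowRun=1
    # plus a DisallowRun subkey holding one value per blocked executable name.
    $base    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $enabled = ((Get-ItemProperty -Path $base -ErrorAction SilentlyContinue).DisallowRun -eq 1)
    $list    = @()
    if (Test-Path "$base\DisallowRun") {
        $item = Get-Item "$base\DisallowRun"
        $list = @($item.GetValueNames() | ForEach-Object { $item.GetValue($_) })
    }
    [pscustomobject]@{
        PolicyEnabled      = $enabled
        DisallowedPrograms = $list -join ', '
        PowerShellBlocked  = $enabled -and ($list -contains 'powershell.exe')
    }
}

Get-ScriptHandlerStatus | Format-Table -AutoSize
Get-WshStatus
Get-MacroPolicyStatus   | Format-Table -AutoSize
Get-DisallowRunStatus
```

Two caveats when reading the output. DisallowRun is enforced by Explorer only, so a user who can reach a command prompt or a scheduled task is not stopped from starting powershell.exe; the WSH Enabled value is the stronger of the two Step 1 controls because it applies to wscript and cscript regardless of which extension is double-clicked. Run the audit under an account that is not itself subject to the DisallowRun policy, otherwise the script cannot start.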
5. Patch and keep software up to date.
Ransomware such as CryptMic, CryptXXX, Cerber, and Locky can be distributed via exploit kits, which target software vulnerabilities in Adobe Flash Player, Oracle Java, Internet Explorer, Microsoft Silverlight and other vulnerable applications. If this software is exploited, an exploit kit landing page can execute arbitrary code and initiate a silent drive-by download. It is critical for system administrators to keep this type of software up to date, as most infections dropped by exploit kits are known as “zero days” (malware which is fully undetected by all antivirus). If outdated software must be present in your environment, we recommend you download and install Microsoft’s EMET to mitigate attacks.
6. Secure weak usernames/passwords that have Remote Desktop access.
Cybercriminals scan the internet daily for systems with commonly used RDP ports, brute-force them with weak usernames/passwords and attempt to gain access. Once access has been gained, they can deploy variants of ransomware, create user accounts, and download other unwanted malicious software.
Here are some tips you can use to help secure RDP and prevent this type of attack.
Preventing scanning for an open port:
- Restrict RDP to a whitelisted IP
- Require two-factor authentication, i.e. smartcards
- Use protection software to prevent RDP brute-force attempts
- Create a GPO to enforce strong password requirements: https://technet.microsoft.com/en-us/library/cc786468(v=ws.10).aspx
- Change the default RDP port from 3389 to another unused port
To change the default port, execute the following in an elevated command prompt:
REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v PortNumber /d XXXX /f
The parameter “XXXX” is the port number you would like to move RDP to. It is recommended to choose a random port number that is not in use and outside of the 33XX port range.
Block RDP (port 3389) via firewall
- Restrict RDP to a whitelisted IP range
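The port change and the firewall restriction above are usually applied together, and the firewall part is where administrators most often lock themselves out. The script below is an added example, not from the original article, that does both on one host with PowerShell: it sets PortNumber to the new value, disables the built-in "Remote Desktop" firewall rules that still allow 3389, and adds a single inbound rule for the new port scoped to an allow-listed range. The port number and the address range are placeholders to replace, and the name of the built-in firewall rule group is assumed to be the English default.

```powershell
# Added example (not from the original article): move RDP off 3389 and limit
# the listener to an allow-listed range. Run elevated, from the local console
# or an out-of-band session, never over the RDP connection you are changing.

$NewPort      = 48123            # placeholder: an unused port outside the 33XX range
$AllowedRange = '10.20.30.0/24'  # placeholder: your management subnet

# The same value the article's REG ADD sets, written with the registry provider.
$rdpKey = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $NewPort -Type DWord

# Built-in rules (assumed English group name) still admit 3389 from anywhere.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue | Disable-NetFirewallRule

# One scoped rule for the new port; remote addresses outside the range are dropped.
New-NetFirewallRule -DisplayName "RDP ($NewPort) from management range" `
    -Direction Inbound -Protocol TCP -LocalPort $NewPort `
    -RemoteAddress $AllowedRange -Action Allow -Profile Domain, Private

# The listener reads PortNumber at service start.
Restart-Service -Name TermService -Force

# Confirm what is now in effect before closing the console session.
Get-ItemProperty -Path $rdpKey -Name PortNumber
Get-NetFirewallRule -DisplayName "RDP ($NewPort) from management range" | Get-NetFirewallAddressFilter
```

Changing the port hides nothing from a scanner that sweeps all ports, so the firewall scope is the control that matters; the port change only reduces noise from scanners that try 3389 alone. Restarting TermService drops every active Remote Desktop session on the host, which is why the script belongs in a console or out-of-band session.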
It is also important to monitor possible intrusions with Windows Event Viewer. This will show you what cybercriminals may be doing to try and get in, and help you adjust and use different security measures in your environment. Here’s an example to filter event logs for the event ID “4625” (An account failed to log on).
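A filter on event ID 4625 by itself returns one line per failed attempt, which on an internet-exposed RDP host can be thousands of lines a day. The script below is an added example, not from the original article, that reads the same events with Get-WinEvent and summarises them per source address so a brute-force run stands out from a user mistyping a password. Field names come from the event's EventData section; the logon type and sub-status meanings in the comments are the documented Windows values as I know them. The threshold and time window are assumptions you can adjust.

```powershell
# Added example (not from the original article): summarise Security event 4625
# (an account failed to log on) by source address. Needs an elevated session
# because the Security log is not readable by standard users.
param(
    [int]$Hours     = 24,   # assumed window to look back
    [int]$Threshold = 10    # assumed number of failures per source worth reporting
)

$since  = (Get-Date).AddHours(-$Hours)
# Get-WinEvent errors when nothing matches; treat that as "no failures".
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue

function ConvertFrom-FailedLogon {
    param($Event)
    # The fields we need are in EventData; read them from the event XML so the
    # script does not depend on the position of each field in the message text.
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $Event.TimeCreated
        Account   = $data['TargetUserName']
        Domain    = $data['TargetDomainName']
        SourceIp  = $data['IpAddress']
        LogonType = $data['LogonType']   # 10 = RemoteInteractive (RDP); 3 = Network (RDP with NLA shows up here)
        SubStatus = $data['SubStatus']   # 0xC0000064 = unknown user name, 0xC000006A = wrong password
    }
}

$failures = @($events | ForEach-Object { ConvertFrom-FailedLogon $_ })

# Group by source address, drop local/blank sources, keep only noisy ones.
$bySource = $failures |
    Where-Object { $_.SourceIp -and $_.SourceIp -ne '-' } |
    Group-Object -Property SourceIp |
    Where-Object { $_.Count -ge $Threshold } |
    Sort-Object -Property Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            SourceIp     = $_.Name
            Failures     = $_.Count
            Accounts     = ($_.Group.Account | Sort-Object -Unique) -join ', '
            UnknownUsers = @($_.Group | Where-Object { $_.SubStatus -eq '0xc0000064' }).Count
            FirstSeen    = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen     = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    }

"{0} failed logons in the last {1} hours; {2} source(s) at or above {3} failures" -f $failures.Count, $Hours, @($bySource).Count, $Threshold
$bySource | Format-Table -AutoSize
```

Two things to watch for in the output. A single source cycling through many distinct account names, with most failures in the unknown-user sub-status, is the signature of a password-spraying or user-enumeration run rather than a forgotten password. And when Network Level Authentication is on, RDP failures are logged with logon type 3 rather than 10, so do not filter on type 10 alone when looking for RDP brute force.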