Recovering from a crypto-ransomware attack is a hard problem, and without good backups it often comes down to one unpleasant choice: pay, or lose the data. An FBI agent was even quoted in 2015 as saying the Bureau often advises victims to just pay, although the FBI's official guidance is not to pay, since payment funds the next campaign and does not guarantee a working decryptor. The main hurdle to recovery is the strong encryption the ransomware applies to the victim's files: typically a per-file or per-victim symmetric key that is itself encrypted to an RSA public key whose private half never leaves the attackers' server.
Brute-forcing such a key is computationally infeasible. The decryptors that occasionally appear rely on implementation mistakes or seized key material, not on breaking the cipher. Under these circumstances, prevention and damage mitigation are the only reliable ways to keep data intact.
Widespread ransomware strains like CryptoLocker, CryptoWall, CTB-Locker, Locky and the more recent Petya share enough traits that a common set of defensive tactics applies to all of them. Their distribution, for instance, leans heavily on phishing: social-engineering emails that carry a malicious attachment or a link to one.
It is therefore good practice not to open files from unfamiliar senders, especially executables or Microsoft Office documents that ask you to enable macros. Caution with email attachments is the single most valuable habit, but there are quite a few more. The techniques below are the ones that do the most to keep ransomware off a machine and to limit the damage when it gets on anyway.
As far as damage mitigation goes, nothing beats having a clean copy of your files. Ransom Trojans themselves are not hard to remove; some even delete themselves once the encryption job is done. What matters is recovering the files, and only backups do that.
Use a diversified backup strategy along the lines of the 3-2-1 rule: at least three copies of any file, on two different kinds of media, with one copy off-site (for example in the cloud) and the others on physical media such as an external hard drive and a thumb drive. Two caveats matter specifically for ransomware. First, a backup that is reachable from the infected machine (a permanently attached USB drive, a mapped network share, a cloud-sync folder) will be encrypted along with everything else, so keep at least one copy disconnected, or on a service that retains previous versions of each file. Second, a backup that has never been restored is an assumption, not a backup: test the restore. Dedicated backup applications automate the process by scheduling runs and selecting which files to protect; make sure the one you pick keeps versions rather than overwriting the single previous copy.
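To make the versioning and verification requirement concrete, here is an added example in Python (not code from the original article, nor from any backup product it mentions). Each run lands in a fresh snapshot directory with a SHA-256 manifest, a restore is refused unless the manifest still verifies, and a simulated ransomware pass between two runs shows why the second run must not overwrite the first. The document tree, the backup location and the "ransomware" step are all constructed for the demonstration.

```python
"""Snapshot-style backup with integrity verification.

Added example for this article (not code from the original): each backup
run goes into its own fresh snapshot directory and every copied file is
hashed, so a later run that picks up already-encrypted files cannot
overwrite the last good copy, and a restore is checked before it is used.
The document tree, the backup location and the "ransomware" step are all
constructed here for the demonstration.
"""
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST = "MANIFEST.sha256"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(source: Path, dest_root: Path, label: str = "") -> Path:
    """Copy `source` into a new snapshot directory and write a hash manifest.

    The directory must not exist yet: a snapshot is never overwritten.
    """
    label = label or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    snap = dest_root / label
    snap.mkdir(parents=True, exist_ok=False)
    lines = []
    for src in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src.relative_to(source)
        dst = snap / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        digest = sha256_of(dst)
        # Verify the copy immediately: a silently truncated copy is no backup.
        if digest != sha256_of(src):
            raise IOError(f"copy verification failed for {rel}")
        lines.append(f"{digest}  {rel.as_posix()}\n")
    (snap / MANIFEST).write_text("".join(lines))
    return snap


def manifest_entries(snap: Path):
    """Yield (digest, relative name) pairs from a snapshot's manifest."""
    for line in (snap / MANIFEST).read_text().splitlines():
        digest, name = line.split("  ", 1)
        yield digest, name


def verify_snapshot(snap: Path) -> bool:
    """Re-hash every file in a snapshot against its manifest."""
    return all(sha256_of(snap / name) == digest for digest, name in manifest_entries(snap))


def restore(snap: Path, target: Path) -> None:
    """Restore a snapshot into `target`, refusing one that fails verification."""
    if not verify_snapshot(snap):
        raise ValueError(f"snapshot {snap.name} failed verification; not restoring")
    for _, name in manifest_entries(snap):
        dst = target / name
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(snap / name, dst)


def run_demo() -> dict:
    """Constructed scenario: back up, get 'encrypted', back up again, restore."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        docs, backups = work / "documents", work / "backups"
        (docs / "notes").mkdir(parents=True)
        (docs / "report.docx").write_bytes(b"quarterly numbers")
        (docs / "notes" / "todo.txt").write_bytes(b"renew certs")
        good_hash = sha256_of(docs / "report.docx")

        first = snapshot(docs, backups, "snap-1")

        # Simulated ransomware: overwrite every file with junk and rename it.
        for f in [p for p in docs.rglob("*") if p.is_file()]:
            f.write_bytes(b"\x00encrypted\x00")
            f.rename(f.with_name(f.name + ".locked"))

        # The next scheduled run faithfully backs up the damaged tree, but into
        # its own directory, so snap-1 is untouched and still verifies.
        second = snapshot(docs, backups, "snap-2")

        restored = work / "restored"
        restore(first, restored)
        return {
            "first_ok": verify_snapshot(first),
            "second_has_locked": any(p.suffix == ".locked" for p in second.rglob("*")),
            "restored_matches": sha256_of(restored / "report.docx") == good_hash,
            "restored_note": (restored / "notes" / "todo.txt").read_bytes(),
        }


if __name__ == "__main__":
    print(run_demo())
```

The example covers the versioning and verification half of the rule only: the snapshot root must still live somewhere the infected machine cannot write to (a drive that is detached between runs, or storage with retention that the client cannot shorten), otherwise the ransomware will encrypt the snapshots as readily as the originals.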
Keep Software up to Date
Aside from phishing, exploit kits are the other common entry point. These are commercial toolkits, sold on underground markets, that probe a visitor's browser for unpatched software, at the time mostly Adobe Flash Player and Java, and silently drop the ransomware when they find a vulnerable version. Some vendors, including Adobe and Microsoft, ship updates on a fixed schedule, but a newly disclosed critical vulnerability may bring an out-of-band patch.
That is why it is a good idea to accept update prompts when they appear, to turn on automatic updates where the software offers them, and to check manually for new patches once in a while. Uninstalling plugins you do not actually need, Flash and Java above all, removes that attack surface entirely.
Filter Executables in Emails
When it comes to security, EXEs in email don't evoke good associations, to put it mildly. Ransomware operators love executable attachments, sent in messages masquerading as invoices, missed-delivery reports, payrolls, traffic-violation notices, CVs and the like.
Most of the time these files arrive inside ZIP archives, including self-extracting ones (which are themselves executables). If your email provider or anti-malware product's mail scanner can filter incoming messages by attachment extension, deny executables outright, and make sure the filter looks inside archives rather than only at the archive's own name. Treat password-protected archives, which a scanner cannot inspect, with the same suspicion: a password quoted in the message body is there to get the payload past the filter, not to protect you.
Configure Windows to Show File Extensions
Ransomware distributors also disguise their downloaders with a double extension, so that an apparently harmless file is in fact an EXE. A file named "kitten.jpg.exe" is the classic example: with extensions hidden, Explorer shows it as "kitten.jpg", and a user who double-clicks the supposed image runs a program instead. Since an executable chooses its own icon, a convincing picture icon proves nothing.
To see what type of file you are really dealing with, go to Control Panel, select Appearance and Personalization, click Folder Options (File Explorer Options on Windows 10), open the View tab and, under Advanced settings, untick "Hide extensions for known file types". The same switch lives in the registry as the HideFileExt value under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced (0 shows extensions), which is convenient for pushing the setting out to many machines.
Treat Macros with Caution
The recent Locky campaign used malicious Microsoft Word macros to deliver the infection, so enabling macros is the last thing you want to do when a document you did not expect asks you to. No vulnerability is needed: a macro is code, and once you click "Enable Content" the VBA runs with your privileges, fetches the ransomware from the attackers' server and executes it. If you don't need macros, set Office's Trust Center to disable them without notification; administrators running Office 2016 can also enable the Group Policy setting that blocks macros in files downloaded from the Internet.
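The three attachment checks above (executables by extension, executables hidden in archives behind a decoy extension, and Office documents carrying macros) fit in one mail-side filter. Here is an added example in Python (not code from the original article, nor from any mail product) that walks the attachments of a raw message and reports each problem; the sample message is constructed in-line, and the extension lists are assumptions to adjust for your environment.

```python
"""Inbound attachment triage.

Added example for this article (not code from the original): walks the
attachments of a raw RFC 822 message and flags the three things the text
warns about: executable attachments, executables hidden inside ZIP archives
behind a decoy extension such as "invoice.pdf.exe", and Office documents
that carry a VBA macro project. The sample message and its attachments are
constructed in-line; the extension lists are assumptions, adjust them to
your environment.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List

# Extensions Windows runs directly (assumed, not exhaustive).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
             ".vbs", ".vbe", ".wsf", ".hta", ".msi", ".ps1", ".lnk"}
# OOXML Office formats: ZIP containers that may hold a VBA project.
OFFICE_EXTS = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
ZIP_MAGIC = b"PK\x03\x04"      # local file header of a ZIP archive
PE_MAGIC = b"MZ"               # DOS stub of every Windows executable
MAX_MEMBER = 50 * 1024 * 1024  # skip anything larger (zip-bomb guard)
MAX_DEPTH = 3                  # nested archives to descend into


def split_exts(filename: str) -> List[str]:
    """All extensions of the base name, lower-cased: 'a.jpg.exe' -> ['.jpg', '.exe']."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]]


def findings_for_blob(name: str, data: bytes, depth: int = 0) -> List[str]:
    """Classify one attachment or archive member, recursing into ZIPs."""
    found = []
    exts = split_exts(name)
    if exts and exts[-1] in EXEC_EXTS:
        reason = "executable attachment"
        if len(exts) > 1:  # decoy extension in front of the real one
            reason += f" with decoy extension {exts[-2]}"
        found.append(f"{name}: {reason}")
    elif data.startswith(PE_MAGIC):
        # Self-extracting archives and renamed binaries are still PE files.
        found.append(f"{name}: PE executable despite extension {exts[-1] if exts else '(none)'}")

    if data.startswith(ZIP_MAGIC) and depth < MAX_DEPTH:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if exts and exts[-1] in OFFICE_EXTS:
                    # OOXML keeps VBA code in a vbaProject.bin part.
                    if any(n.endswith("vbaProject.bin") for n in zf.namelist()):
                        found.append(f"{name}: Office document contains a VBA macro project")
                else:
                    for info in zf.infolist():
                        member = f"{name}/{info.filename}"
                        if info.flag_bits & 0x1:
                            found.append(f"{member}: encrypted archive member, cannot inspect")
                        elif info.file_size > MAX_MEMBER:
                            found.append(f"{member}: oversized archive member, skipped")
                        else:
                            found.extend(findings_for_blob(member, zf.read(info), depth + 1))
        except zipfile.BadZipFile:
            found.append(f"{name}: malformed ZIP container")
    return found


def triage_message(raw: bytes) -> List[str]:
    """Parse a raw message; return one finding per suspicious attachment."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        findings.extend(findings_for_blob(name, part.get_payload(decode=True) or b""))
    return findings


def build_sample_message() -> bytes:
    """Constructed phishing-style message with a ZIP, a macro doc and a clean PDF."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("invoice.pdf.exe", PE_MAGIC + b"\x00" * 64)  # fake PE
        zf.writestr("readme.txt", b"please see attached invoice")
    dbuf = io.BytesIO()
    with zipfile.ZipFile(dbuf, "w") as zf:  # minimal .docm-shaped container
        zf.writestr("[Content_Types].xml", b"<Types/>")
        zf.writestr("word/document.xml", b"<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 fake ole")
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Invoice #4421 overdue"
    msg.set_content("Please find your invoice attached.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    msg.add_attachment(dbuf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="statement.docm")
    msg.add_attachment(b"%PDF-1.4 harmless", maintype="application", subtype="pdf",
                       filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(build_sample_message()):
        print("BLOCK:", finding)
```

On the constructed message the filter reports the ZIP member "invoice.pdf.exe" as an executable with a ".pdf" decoy and the .docm as carrying a macro project, and lets the PDF through. Note that it judges by the final extension and by the PE magic bytes, not by the MIME type the sender declared, and that encrypted or oversized archive members are reported rather than silently passed.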
Disable Processes Launching from AppData and LocalAppData
Most ransomware infections drop their executable into the user's AppData or LocalAppData directory and run it from there rather than from Program Files, because those locations are writable without administrator rights. It is therefore worth using the Local Group Policy Editor to define a Software Restriction Policy whose path rules disallow executables under %AppData% and %LocalAppData%, including subfolders (the temporary folders that WinZip, WinRAR and 7-Zip extract into live under %LocalAppData%\Temp); AppLocker provides the same control on Enterprise editions. Test before rolling it out: some legitimate software, such as browser updaters, chat clients and per-user installers, also runs from these directories and will need an explicit allow rule.
Restrict User Privileges
To protect a network, limit what each user role can reach. Ransomware runs with the privileges of the user who launched it, so having compromised one machine it can only encrypt what that user can write to. Don't let people do daily work from an administrator account, and grant write access to network drives and shares, where the most sensitive files tend to live, only to users who genuinely need it. A share the user can only read cannot be encrypted by malware running as that user, and a share that is mounted only when needed is far less exposed than one mapped at every logon.
Disable Remote Desktop Protocol
This advice is becoming increasingly important because ransomware operators have come to rely on Windows' native remote access feature, RDP, and on third-party remote-control software to place their payload directly on victims' computers. The Surprise ransomware, which began circulating in March 2016, was installed through TeamViewer sessions on a large number of PCs.
The criminals got past TeamViewer's authorization, reportedly by logging in with account credentials stolen or reused from other breaches, and then executed the payload remotely on the connected machine. So turn such services off when they are not in use. If RDP has to stay on, don't expose port 3389 to the Internet (reach it over a VPN instead), require Network Level Authentication, set an account lockout policy against password guessing, and use multi-factor authentication and allow-listing of permitted IDs or addresses wherever the product offers them.
Ransomware is a true predator in today's threat landscape. There is no vaccine that keeps a user fully protected, and no reliable way to get the data back once the encryption has run, so prevention is definitely better than cure; the recommendations above are also free and easy to follow.
First and foremost, take backups seriously, and don't open or run anything from the Internet until you are certain it is safe.