I don't pretend to be an expert at this, but I have found a few things that are useful. I hope that sharing them here will help others, so they will not have to face some rather hard choices. Since I felt this to be a topic of enough importance and, as I said, I am not an expert in the cryptography field, I asked other experts on Experts Exchange to allow me to include some of their thoughts on the matter. Thanks to btan and McKnife for all their input (I edited some out for readability, left some out for technical reasons, and included some in various places in the article).
Let me preface this by saying the best prevention when it comes to any malware is up-to-date AV/AM software, well-tested backups (yes, you must test them), and safe computer usage habits. I have also incorporated some suggestions specific to ransomware prevention and some more general suggestions on enhancing your computer security.
Crypto-ransomware is usually not a virus in the strict sense (it does not spread by itself) but a trojan: it encrypts your files and the writers (thieves) then demand a ransom for the key to decrypt them. If you catch it early, there is a slight chance of limiting the damage, but once you see the ransom pop-up it is generally too late, because most ransomware encrypts your files silently and displays the pop-up only when it has finished. If you either pay the ransom (not recommended) in a timely manner or restore from backup, you will probably be okay.
You CANNOT rely on receiving a working decryption key if you pay the ransom, even though it is in the financial interest of those who encrypted your files to deliver one. Let me be clear: I am NOT advocating paying. Generally, paying to decrypt your files is neither worth the cost nor a good idea, for several reasons:
So what can you do?
As location is to the real estate market, prevention is to ransomware: if you stop the infection from happening in the first place, you won't need to worry about anything else. I will therefore deal primarily with methods of prevention. It has become abundantly clear, even before I spoke to others about it, that the cryptography employed in these schemes is, when implemented correctly, not practically breakable; the free decryption tools that do exist rely on mistakes made by the ransomware authors, not on breaking the cipher. So let's look at some measures you can take to protect your computer.
A. BACKUPS
First and foremost, and not only for this reason, keep good backups and test them regularly. The best backup in the world is useless if you can't restore from it when it is needed. See my article on backups and cloud backups for more information (I especially recommend versioning backups). Part of your backup routine should be to turn on Previous Versions/Shadow Copy. Note, however, that many ransomware families delete shadow copies before they start encrypting, so treat shadow copies as a convenience and not as a substitute for an offline or versioned backup. Turning them on is not a difficult task; just follow these steps in Windows:
In Windows 8, turn File History on. This backs up selected directories in a Time Machine-like fashion. Note that it will only work while the external drive that you designate as the File History drive is connected, and since it only backs up some directories, other measures are called for. A micro tutorial on starting and using File History can be found here. I also recommend using CrashPlan for Windows 7 or Windows 8.
Although CrashPlan used locally is free, the cloud option is an excellent value. Another free option is DriveImageXML for Windows 7 or Windows 8. And if you are using Windows 7, don't forget to enable and use the native backup options. I have said more than once that you can never have too many backups, or, to put it more bluntly, files you don't have backed up in two other locations are files you don't care about. (That is two locations other than your computer, and at least one of them should be in another geographic area, which is why cloud backup is helpful.)
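Since the point of this section is that a backup you have never restored from is not a backup, here is an added example (not from the original article) of a restore test for the Previous Versions/Shadow Copy feature recommended above. It turns System Protection on for a volume, creates a shadow copy, reads a file back out of it through a temporary directory symlink, and compares hashes. The volume, sample file and link path are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example: create a VSS shadow copy and prove a file can be restored from it.
# $Volume, $SampleFile and $LinkPath are assumptions; adjust for your machine.
$Volume     = 'C:\'
$SampleFile = 'C:\Windows\System32\drivers\etc\hosts'   # any file that exists on the volume
$LinkPath   = 'C:\ShadowTest'                           # temporary symlink, removed at the end

# SHA-256 via .NET so this also works on the PowerShell 2.0/3.0 that ships with Windows 7/8.
function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try   { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

# Make sure System Protection (Previous Versions) is enabled for the volume.
Enable-ComputerRestore -Drive $Volume

# Create a shadow copy and look it up by the ID that Create() returns.
$result = (Get-WmiObject -List Win32_ShadowCopy).Create($Volume, 'ClientAccessible')
if ($result.ReturnValue -ne 0) { throw "Shadow copy creation failed, return code $($result.ReturnValue)" }
$shadow = Get-WmiObject Win32_ShadowCopy | Where-Object { $_.ID -eq $result.ShadowID }

# Expose the shadow device through a directory symlink so ordinary file tools can read it.
# The trailing backslash on the device path is required by mklink.
cmd /c mklink /d $LinkPath "$($shadow.DeviceObject)\" | Out-Null

try {
    $relative   = $SampleFile.Substring($Volume.Length)
    $shadowFile = Join-Path $LinkPath $relative
    $live = Get-Sha256Hex $SampleFile
    $copy = Get-Sha256Hex $shadowFile
    if ($live -eq $copy) { "Restore check OK: $relative is readable from shadow copy $($shadow.ID)" }
    else                 { throw "Hash mismatch for $relative; the shadow copy is not usable" }
}
finally {
    cmd /c rmdir $LinkPath | Out-Null       # removes only the link, never the shadow copy
}

# Inventory. If this list is suddenly empty on a machine that used to have several entries,
# treat that as a warning sign: many ransomware families delete shadow copies before encrypting.
vssadmin list shadows
```

Run this on a schedule and alert when the hash check fails or the inventory shrinks unexpectedly; that turns the backup test into a cheap early-warning signal as well.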
B. NETWORK SHARES
This applies to the question of what to do once you have discovered the infection as well. Early ransomware variants enumerated drive letters, so they CAN encrypt network shares that are mapped as a drive on your computer (assigned a drive letter), but they did not encrypt network shares that are reached through a UNC path (\\myserver\myshare) or connected to by using a shortcut. UPDATE: It was pointed out to me that a newer variant of ransomware, CryptoFortress, WILL encrypt network shares reached through a UNC path. See this article (also linked below in the comments). Thanks to Rob Hoffman for the heads up! So the only real defense is prevention!
So, the best way to be nice to whoever is taking care of the network share and, at the same time, make it harder for your files stored on it to be encrypted, is to NOT map it as a drive (assign it a drive letter). Either use the UNC path, or create a shortcut to the share in question and use that. Bear in mind that this only protects you from the older variants. At this point it behooves me to remind system administrators and anyone else in charge of network shares that the most important part of protecting yourself and everyone who uses the share is to set permissions properly.
Follow the principle of least privilege. The link will take you to explanations and best practices (if you still need them). Set up this way, if a user does get infected, only the directories they have write permission to will be encrypted; everything they can merely read stays intact. If policies are set correctly, either using GPOs or the bulk version of CryptoPrevent, you will have a lot less to worry about. Also, your backup routine on a file server should be significantly more robust, and incorporate better testing, than the ones I have outlined here.
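As an added example of what "set permissions properly" looks like for a departmental file share (this is illustration written for this page, not a script from the article), the PowerShell below gives each group Modify rights only inside its own folder and read-only access everywhere else. An infected Finance user's ransomware can then encrypt the Finance folder but nothing in HR or Sales. The share path, share name and group names are assumptions; `New-SmbShare` needs Windows 8/Server 2012 or later, and the script must run as an administrator on the file server.

```powershell
# Added example: least-privilege NTFS and share permissions for a departmental share.
# Paths, share name and group names are assumptions for illustration.
$ShareRoot = 'D:\Shares\Departments'
$ShareName = 'Departments'
$Folders   = @{                      # folder name -> group allowed to write there
    'Finance' = 'CORP\Finance-RW'
    'HR'      = 'CORP\HR-RW'
    'Sales'   = 'CORP\Sales-RW'
}

function New-AllowRule([string]$Identity, [string]$Rights) {
    # Inherit to subfolders and files; Allow only (no Deny rules needed with a protected DACL).
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
}

New-Item -ItemType Directory -Path $ShareRoot -Force | Out-Null

# Root: cut inheritance so the volume's default "Users: Modify" cannot leak in, then grant
# admins and SYSTEM full control and every authenticated user read-only. One Set-Acl call
# so the DACL is never momentarily empty.
$acl = Get-Acl $ShareRoot
$acl.SetAccessRuleProtection($true, $false)          # protect; do not copy inherited rules
$acl.AddAccessRule((New-AllowRule 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\SYSTEM' 'FullControl'))
$acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\Authenticated Users' 'ReadAndExecute'))
Set-Acl $ShareRoot $acl

# Each department folder: only its own group gets Modify. Not FullControl, so nobody in the
# group (or malware running as them) can loosen the permissions. Read is inherited from the root.
foreach ($name in $Folders.Keys) {
    $path = Join-Path $ShareRoot $name
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    $acl = Get-Acl $path
    $acl.AddAccessRule((New-AllowRule $Folders[$name] 'Modify'))
    Set-Acl $path $acl
}

# Share-level permissions: Change (not Full) for authenticated users; NTFS does the real work.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $ShareRoot -ChangeAccess 'NT AUTHORITY\Authenticated Users' | Out-Null
}

# Verify: list who can write where. Any unexpected Modify/FullControl entry is a finding.
foreach ($dir in Get-ChildItem $ShareRoot -Directory) {
    (Get-Acl $dir.FullName).Access |
        Where-Object { $_.FileSystemRights -match 'Modify|FullControl|Write' } |
        Select-Object @{n='Folder'; e={$dir.Name}}, IdentityReference, FileSystemRights, IsInherited
}
```

The verification loop at the end is the part worth keeping around: run it periodically and diff the output, because permissions drift as people "just give everyone access for now".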
C. ANTI-VIRUS/ANTI-MALWARE SOFTWARE
Second, have up-to-date AV/AM software. This will help, but don't count on it: signature-based scanners lag behind new ransomware variants. Make sure you have heuristics turned on. You should also look into EMET (Enhanced Mitigation Experience Toolkit), Microsoft's free tool that applies exploit mitigations such as DEP and ASLR to the applications you choose. It will help protect you from various malware and should be an integral part of your security setup.
D. SAFE COMPUTING
Third, practice safe computing (especially since ransomware trojans rely on social engineering to get people to download and execute them). That means:
E. MULTI-LAYERED SECURITY
Fourth, use a multi-layered approach to security. You may ask, isn't this what everyone advises against? What you need to understand is that the advice against using more than one AV solution means don't use more than one solution that ACTIVELY scans your files. Some applications call this on-access scanning. As long as only one application is allowed to do on-access scanning, multiple applications can run on your machine. For instance, on one of my machines I have Malwarebytes Anti-Malware Pro with on-access scanning running and Microsoft Security Essentials with on-access scanning turned off (it doesn't like that, but tough). So to best protect your computer I suggest the following:
In terms of CryptoPrevent (free or Premium), the software is built upon the ideas in the post on CryptoLocker at bleepingcomputer.com. The CryptoPrevent program makes the necessary changes as outlined in the guide at bleepingcomputer; the difference is that the program doesn't require the user to deal directly with the registry. It not only locks down execution of programs from certain user-writable directories (the places early ransomware dropped its executable), you can also create a whitelist of programs that are okay to run (a whitelist is a list of items that have been approved in some way; in this case, if your computer is clean, the whitelist contains the programs you have approved to run, and anything else is blocked).
This is in comparison to a blacklist, in which you would have to list every program you don't want to run (for an example of a blacklist, check out the hosts file mentioned earlier). A whitelist takes more effort to create and maintain, but it is far more likely to protect you, because it blocks anything not explicitly approved, including malware nobody has seen yet, whereas a blacklist can only block what is already on it. If you use CryptoPrevent to its best advantage, you will add all current applications (assuming your system is clean; CryptoPrevent is just that, a preventative measure, and it will NOT decrypt files that have already been encrypted) to a whitelist. The program will prompt you to do this. Note that the free edition does not automatically download definition updates, as stated at the bottom of the CryptoPrevent page. The author of CryptoPrevent has created several videos to show it in action. Just remember that these were made by the author:
There is also a silent video here that shows CryptoPrevent installation (latest version) on a Windows 7 64-bit machine. Another tool, released by SurfRight (now owned by Sophos), is CryptoGuard. It should be noted that this is trialware. The software will scan your computer, tell you what needs to be deleted (you can choose what to do with each entry or take the defaults), and will then delete the various occurrences, at least until the trial runs out. CryptoGuard is more intrusive than CryptoPrevent, and the two work differently (assuming you are using the free version of CryptoPrevent): CryptoPrevent free makes some basic registry changes and enables and changes local or group security policies, whereas CryptoGuard is more of a monitoring application that watches for encryption behavior. Learn more on how CryptoGuard works here.
I can't emphasize enough that CryptoPrevent/CryptoGuard or similar software should be just ONE facet of an overall security plan to prevent any malware infection.
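To make concrete what "locks down execution of programs from certain directories" means, here is an added example (written for this page; it is not CryptoPrevent's code and not the bleepingcomputer guide verbatim) that creates Software Restriction Policy path rules directly in the registry: Disallowed rules for the user-writable locations that early ransomware launched from, plus one Unrestricted rule as the whitelist entry for a legitimate program that happens to live under %AppData%. The specific paths and the whitelisted program are assumptions; run it as an administrator, then log off and on (or reboot) for the policy to apply.

```powershell
# Added example: SRP path rules that block executables in user-writable locations.
# Level 0 = Disallowed, level 262144 (0x40000) = Unrestricted. Paths are assumptions.
$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Policy header: everything is allowed by default (DefaultLevel = Unrestricted); rules apply
# to all users (PolicyScope 0) and to all program files except DLLs (TransparentEnabled 1).
# ExecutableTypes is left unset so Windows' default list of program extensions applies.
New-Item -Path $Safer -Force | Out-Null
Set-ItemProperty $Safer -Name 'DefaultLevel'       -Value 262144 -Type DWord
Set-ItemProperty $Safer -Name 'TransparentEnabled' -Value 1      -Type DWord
Set-ItemProperty $Safer -Name 'PolicyScope'        -Value 0      -Type DWord

function Add-SaferPathRule {
    param([string]$Path, [string]$Description, [int]$Level = 0)
    # Each rule is a GUID-named subkey under <Level>\Paths with ItemData (the path pattern),
    # SaferFlags, Description and a FILETIME LastModified value.
    $guid = '{' + [guid]::NewGuid().ToString() + '}'
    $key  = New-Item -Path (Join-Path $Safer "$Level\Paths\$guid") -Force
    Set-ItemProperty $key.PSPath -Name 'ItemData'     -Value $Path        -Type ExpandString
    Set-ItemProperty $key.PSPath -Name 'SaferFlags'   -Value 0            -Type DWord
    Set-ItemProperty $key.PSPath -Name 'Description'  -Value $Description -Type String
    Set-ItemProperty $key.PSPath -Name 'LastModified' -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Type QWord
}

# Disallowed: the locations CryptoLocker-era ransomware dropped its executable into,
# including executables launched straight out of a zip attachment.
$blocked = @(
    @{ Path = '%AppData%\*.exe';        Desc = 'Block executables directly in %AppData%' },
    @{ Path = '%AppData%\*\*.exe';      Desc = 'Block executables one level below %AppData%' },
    @{ Path = '%LocalAppData%\*.exe';   Desc = 'Block executables directly in %LocalAppData%' },
    @{ Path = '%LocalAppData%\*\*.exe'; Desc = 'Block executables one level below %LocalAppData%' },
    @{ Path = '%Temp%\*.exe';           Desc = 'Block executables directly in %Temp%' },
    @{ Path = '%Temp%\*.zip\*.exe';     Desc = 'Block executables opened from a zip in %Temp%' }
)
foreach ($r in $blocked) { Add-SaferPathRule -Path $r.Path -Description $r.Desc -Level 0 }

# Whitelist entry (assumed program): a more specific Unrestricted path rule wins over the
# Disallowed wildcard, which is how a legitimate per-user install keeps working.
Add-SaferPathRule -Path '%LocalAppData%\ExampleVendor\ExampleApp.exe' `
                  -Description 'Whitelisted per-user application (assumption)' -Level 262144

# Verify what is now in effect.
foreach ($level in 0, 262144) {
    $paths = Join-Path $Safer "$level\Paths"
    if (Test-Path $paths) {
        Get-ChildItem $paths | ForEach-Object {
            Get-ItemProperty $_.PSPath | Select-Object @{n='Level'; e={$level}}, ItemData, Description
        }
    }
}
```

Two caveats a practitioner should keep in mind. Path rules only stop what runs from the listed locations; malware dropped somewhere else, or launched through a scripting host or another already-allowed program, is not covered. And every Unrestricted rule you add for a whitelisted program is a hole if that path is writable by the user, since anything copied there inherits the exemption; prefer whitelisting by hash or certificate where the program's location is user-writable.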
For more general cryptography information (and a more technical bent), check out this article by Giovanni Heward: http://www.experts-exchange.com/Security/Encryption/A_12460-Cryptanalysis-and-Attacks.html
If you are familiar with security blogs, you will be familiar with Krebs on Security. I highly suggest reading Brian Krebs' articles/posts. At any rate he has a post about how to avoid Cryptolocker here. There is also a good article on the Malwarebytes website. And there is a tool to search for and list encrypted files here (the page is also another excellent reference).
Bev Robb, the person who mentored me into E-E, wrote a great article about ransomware on her security blog: https://teksecurityblog.com/4-ransomware-lessons-you-need-to-learn-before-it-snags-you/. There are some great guides if you need further help located here, here, here or here.
It has been pointed out that this guide may give a good preventative solution. Also, It is worth taking a look at Umbrella by OpenDNS. They have a blog located at https://blog.opendns.com. If you are interested you should especially check out this blog on Umbrella: https://blog.opendns.com/2013/11/06/umbrella-msps-protects-networks-cryptolocker/.
I have been a subscriber to the Windows Secrets newsletter for over a decade (possibly two), and recently their lead article was about ransomware and how to defend yourself against it. I received permission to link to it; you can read it here. Note that you may have to answer a question before reading the article. The article was written by Susan Bradley, who is a Small Business Server and Security MVP.
User btan pointed me to this page with a collection of toolkits to help out. And user Eirman suggested this article in the comments below. The article is about how harmless-looking attachments can bring certain doom. It is a must read. Btan's suggestion is also a must for anyone who has already been bitten. Another tool for those who have been bitten was pointed out by user btan: check out the locker unlocker tool.