Strategy to monitor and secure the %APPDATA% folder and the %TEMP% folder on the system to prevent ransomware?

Posted on 2016-09-07
Medium Priority
Last Modified: 2016-09-29
Hi All,

Can anyone here please share some strategy for securing the %APPDATA% folder and the %TEMP% folder on your workstation / file server?

Because I believe the two common areas where ransomware typically executes from are the two folders above.
Looking for any file executing from these locations is a good way to spot ransomware before it has actually had a chance to encrypt files.

but how ?
LVL 30

Assisted Solution

by:Olaf Doschke
Olaf Doschke earned 200 total points (awarded by participants)
ID: 41787426
LVL 17

Assisted Solution

by:Sajid Shaik M
Sajid Shaik M earned 200 total points (awarded by participants)
ID: 41787436
Most ransomware spreads over e-mail attachments, hence you have to train users not to open unsolicited e-mails, keep antivirus and anti-malware definitions up to date, and do not assign local users administrative privileges so it will not affect all files on the system.

all the best
LVL 66

Accepted Solution

btan earned 1000 total points (awarded by participants)
ID: 41787652
Application whitelisting, such as using AppLocker, can restrict what is authorized to run based on Publisher, Path or File hash rules. To avoid false positives, you may set the enforcement mode on the relevant rule collection to Audit only so that AppLocker does not block any application for the present time. Subsequently, once you are ready after a period of monitoring and there is really no need to have applications running, or only certain ones running, from those folders, you can change the enforcement mode to Enforce rules with the right rules in place and roll it out as a GPO policy.

For note: though it is true those folders are "hot favorites" for malware and the like, blocking them can also break things and cause false positives (inconveniences to your users), so do the audit mode shared earlier first. Also consider whitelisting other applications, most likely browsers and cloud-based storage used on the machine like Dropbox and Chrome, which run from the AppData folder itself. Include blocking places like C:\temp, C:\ProgramData, the Recycle Bin and other writable folders which you really do not want tampered with unless it is your whitelisted application.

We know such a preventive approach is not foolproof. Other means to augment it include:
a) Preventive/Detective
- CryptoPrevent or SecureAPlus: the same as AppLocker but more intuitive, including ready packages to block those common vulnerable locations.
- Anti-ransomware software such as Malwarebytes Anti-Ransomware and WinPatrol WinAntiRansom, which have behavioral rules to alert on sighting such anomalous activities.
- Audit rules on object changes can be done, but it is non-trivial if you do not have a SIEM or some log correlation to set an alarm on such events.

b) Deterrence: setting up a decoy folder or equivalent such that the ransomware does its recursive encryption of files on a fake folder and files. This allows time for the other detection mechanisms to kick in and alert (hopefully). One example is TrapX CryptoTrap.
LVL 31

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 200 total points (awarded by participants)
ID: 41789849
You can also add BD Anti-Ransomware; although not configurable, it does monitor those folders. And I also + CryptoPrevent. Those are endpoint solutions though. There are ways to do this using GPOs as well. And some software firms have solutions that can be implemented both at the endpoint and at the firewall (cylance.com and Sentinelone.com come to mind).
LVL 23

Assisted Solution

by:Danny Child
Danny Child earned 200 total points (awarded by participants)
ID: 41790361
The reason those areas exist is to allow legitimate programs to run. If you try to lock them down, you'll stop this. It's kind of like trying to prevent a household robbery by filling the entire house with concrete. It would work, but...

Better to do as above: work on the perimeter security, don't leave any "windows" open, and keep tested backup copies of all secure data.
LVL 66

Assisted Solution

btan earned 1000 total points (awarded by participants)
ID: 41790550
Indeed we need layered defence, but even then, taking the worst case, the endpoint is the last line of defence: imagine a user just uses a USB portable drive that is infected and AV did not detect it. All defence layers are important.

You may configure your machine accordingly to reduce (not prevent) the chances of ransomware infection, e.g. use it to mitigate ransomware by blocking executables that are not signed in places ransomware likes:

<users profile>\AppData\Local\Temp
<users profile>\AppData\Local\Temp\*
<users profile>\AppData\Local\Temp\*\*

For Windows machines, you can consider EMET (Enhanced Mitigation Experience Toolkit). It protects Windows computers against cyber attacks and unknown exploits. It detects and blocks exploitation techniques that are commonly used to exploit memory corruption vulnerabilities. It augments existing AV and host FW to prevent exploits from dropping Trojans, but if you click to open a file, it will not be able to help.

HitmanPro.Alert is another free Ransomware Protection & Browser Intrusion Detection Tool.
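Added example (not code from any answer on this page) putting btan's two points together: an AppLocker EXE policy that denies execution from the user Temp and %APPDATA% paths listed above, applied in AuditOnly mode as the accepted solution recommends, with a dry run against the current profile and a readout of the "would have been blocked" audit events. It assumes an elevated PowerShell on Windows 7 / Server 2008 R2 or later with the Application Identity service (AppIDSvc) running; the rule names and the policy file name are my own placeholders.

```powershell
#Requires -RunAsAdministrator
# Constructed example: deny EXEs under the per-user Temp and Roaming AppData paths,
# keep default-style allows so the machine stays usable, apply in AuditOnly mode,
# then read the 8003 events that audit mode writes instead of blocking.
Import-Module AppLocker

$everyone = 'S-1-1-0'; $admins = 'S-1-5-32-544'
function New-PathRule([string]$Action, [string]$Sid, [string]$Path) {
    # %OSDRIVE%, %PROGRAMFILES%, %WINDIR% are AppLocker path variables; '*' matches any user.
    $id = [guid]::NewGuid()
@"
    <FilePathRule Id="$id" Name="$Action $Path" Description="constructed example" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}
$rules = @(
    # An explicit Deny beats any Allow in AppLocker, so these override the allows below.
    New-PathRule Deny  $everyone '%OSDRIVE%\Users\*\AppData\Local\Temp\*'
    New-PathRule Deny  $everyone '%OSDRIVE%\Users\*\AppData\Roaming\*'
    # Default-style allows: once a collection has rules, anything unmatched is denied.
    New-PathRule Allow $everyone '%PROGRAMFILES%\*'
    New-PathRule Allow $everyone '%WINDIR%\*'
    New-PathRule Allow $admins   '*'
)
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
$policyFile = Join-Path $env:ProgramData 'appdata-temp-audit.xml'   # placeholder name
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

# Dry run before applying: which EXEs already under this profile would be hit?
# Anything legitimate listed here (browser, sync client) needs its own Allow rule.
Get-ChildItem "$env:USERPROFILE\AppData" -Recurse -Include *.exe -ErrorAction SilentlyContinue |
    Test-AppLockerPolicy -XmlPolicy $policyFile -User Everyone -Filter Denied

# Merge into the local policy (use -Ldap "LDAP://..." instead to write it into a GPO).
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge

# Monitoring phase: event 8003 = ran, but would have been blocked under Enforce rules.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -ErrorAction SilentlyContinue |
    ForEach-Object { $d = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
                     [pscustomobject]@{ Time = $_.TimeCreated; User = $d.TargetUser; File = $d.FilePath } }
```

Review the 8003 output over the monitoring period and add Allow rules for the legitimate hits before switching the collection to Enabled, which is the point at which the policy starts blocking.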
LVL 31

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 200 total points (awarded by participants)
ID: 41790551
HitmanPro.Alert is an excellent solution which I like so much I purchased it. EMET is an excellent solution, but the defaults are fairly restrictive.

Author Comment

by:Senior IT System Engineer
ID: 41790572

Is EMET also freeware that can be downloaded from: https://www.microsoft.com/en-us/download/details.aspx?id=53354 ?
LVL 66

Assisted Solution

btan earned 1000 total points (awarded by participants)
ID: 41790602
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 200 total points (awarded by participants)
ID: 41792627
The best backup plan is good clean backups of data. Monitoring the %temp% file locations themselves isn't going to save you at all. As stated above, the best way to prevent it is to train users not to click on attachments, and to NEVER enable macros in Office documents. Very few people actually need macros ever in their lifetime. EMET is a great defense for many new exploits that AV vendors don't have a detection for. Ransomware only works because no one has followed what I consider to be the number one BEST PRACTICE since computers became popular: have good backups!
Another best practice that is biting people in the a** is permissions on file shares. If your users don't need access to folders x, y and z, make sure they can't access those folders. Ransomware is looking at mapped drives and file shares; your registry keeps a very detailed log of previous files, shares and paths that your users have been to. Make sure you have backups of all your vital data.
LVL 66

Expert Comment

ID: 41821336
as shared by experts
