Strategy to monitor and secure the %APPDATA% folder and the %TEMP% folder on the system to prevent ransomware?

Hi All,

Can anyone here please share some strategy for securing the %APPDATA% folder and the %TEMP% folder on your workstation / file server?

Because I believe the two common areas where ransomware typically executes from are the two folders above.
 
Looking for any file executing from these locations is a good way to spot ransomware before it has actually had a chance to encrypt files.

But how?
Senior IT System Engineer (IT Professional) asked:

Sajid Shaik M, Sr. System Admin, commented:
Most ransomware spreads over e-mail attachments, hence you have to train users not to open unsolicited e-mails, keep antivirus and anti-malware definitions up to date, and do not assign local users administrative privileges, so it will not affect all files on the system.

All the best.
1
btan, Exec Consultant, commented:
Application whitelisting, such as AppLocker, can restrict what is authorized to run based on Publisher, Path or File hash rules. To avoid false positives, you can also set the enforcement mode on the relevant rule collection to Audit only, so that AppLocker does not block any application for the present time. Subsequently, once you are ready after a period of monitoring that shows there is really no need for applications to run from those folders (or only certain ones do), you can change the enforcement mode to Enforce rules with the right rules in place and roll it out as a GPO policy.

For note: though it is true those folders are "hot favourites" for malware and the like, locking them down can also break things and cause false positives (inconvenience to your users), so do the audit mode shared earlier first. Also consider whitelisting other applications, most likely the browser and cloud-based storage clients used on the machine, like Dropbox and Chrome, which run from the AppData folder itself. Include blocking places like C:\temp, C:\ProgramData, the Recycle Bin and other writable folders which you really do not want tampered with unless it is your whitelisted application.

We know such a preventive approach is not foolproof. Other means to augment it include:
a) Preventive/Detective
- CryptoPrevent or SecureAPlus: the same idea as AppLocker, but more intuitive, including a ready package to block those common vulnerable locations.
- Anti-ransomware software such as Malwarebytes Anti-Ransomware and WinPatrol WinAntiRansom, which have behavioural rules to alert on sighting such anomalous activities.
- Audit rules on object changes can be done, but it is non-trivial if you do not have a SIEM or some log correlation to set an alarm on such events.

b) Deterrence: setting up a decoy folder or equivalent, such that the ransomware does its recursive encryption of files on a fake folder and files. This allows time for the other detection mechanisms to kick in and alert (hopefully). One example is TrapX CryptoTrap.
2
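The audit-first AppLocker rollout described in the comment above, written out as an added example (this is not code from the thread or from any of the products it names). It assumes Windows 10/11 Enterprise or Windows Server run as Administrator, and the two publisher exceptions for Chrome and Dropbox are illustrative placeholders: replace them with the strings `Get-AppLockerFileInformation` returns for the binaries in your own inventory.

```powershell
# Added example (not from the thread): AppLocker Deny rules for the user-writable folders
# named above, deployed in AuditOnly mode first, then reviewed from the AppLocker event log.
# Assumptions: Windows 10/11 Enterprise or Windows Server, run as Administrator; the
# publisher exceptions for Chrome and Dropbox are placeholders and must be replaced with
# the values Get-AppLockerFileInformation returns for your own binaries.
#Requires -RunAsAdministrator

$policyPath = Join-Path $env:ProgramData 'AppLocker-Audit.xml'

# AppLocker path rules use its own variables (%OSDRIVE%, %PROGRAMFILES%, %WINDIR%), not
# %TEMP% or %APPDATA%. Deny beats Allow, and an enforced collection blocks anything no
# Allow rule covers, so the default Allow rules must ship alongside the Deny rules.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Administrators everything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny user-profile AppData" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
      <Exceptions>
        <!-- Placeholder publisher strings: replace with your inventory's values -->
        <FilePublisherCondition PublisherName="O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
        <FilePublisherCondition PublisherName="O=DROPBOX, INC, L=SAN FRANCISCO, S=CALIFORNIA, C=US" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny ProgramData" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\ProgramData\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny Windows Temp" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Temp\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run before touching the machine: a constructed test file dropped into %TEMP%
# (a copy of calc.exe, not malware) versus a binary under %WINDIR%.
$sample = Join-Path $env:TEMP 'sample-dropper.exe'
Copy-Item "$env:WINDIR\System32\calc.exe" $sample -Force
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Path $sample, "$env:WINDIR\System32\notepad.exe" |
  Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize   # expect Denied / Allowed
Remove-Item $sample -Force

# Apply locally. Use -Merge to keep rules already present, or -Ldap "LDAP://..." to write
# the same XML into a GPO for the domain rollout the comment describes.
Set-AppLockerPolicy -XmlPolicy $policyPath
Start-Service AppIDSvc    # AppLocker is inert unless the Application Identity service runs

# Review: event 8003 = "would have been blocked" (AuditOnly); 8004 = blocked (enforced).
# Add Allow rules or exceptions for legitimate hits, then switch EnforcementMode to "Enabled".
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -ErrorAction SilentlyContinue |
  ForEach-Object {
    $d = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
    [pscustomobject]@{ Time = $_.TimeCreated; User = $d.TargetUser; File = $d.FilePath; Rule = $d.RuleName }
  } | Sort-Object File -Unique | Format-Table -AutoSize
```

The Deny on `%OSDRIVE%\Users\*\AppData\*` is deliberately broad so that the audit period surfaces every per-user installer (Chrome, Dropbox, Teams and the like) that would break under enforcement; each legitimate hit becomes a publisher exception rather than a path exception, because a path exception under a user-writable folder is exactly what a dropper would reuse. The Allow rule for `%WINDIR%\*` still needs the `%WINDIR%\Temp\*` Deny (and, in practice, the other user-writable subfolders Microsoft's AppLocker guidance lists) because that directory is writable by standard users.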

Thomas Zucker-Scharff, Solution Guide, commented:
You can also add BD Anti-Ransomware; although not configurable, it does monitor those folders. And I also +1 CryptoPrevent. Those are endpoint solutions though. There are ways to do this using GPOs as well. And some software firms have solutions that can be implemented both at the endpoint and at the firewall (cylance.com and Sentinelone.com come to mind).
1
Danny Child, IT Manager, commented:
The reason those areas exist is to allow legitimate programs to run. If you try to lock them down, you'll stop this. It's kind of like trying to prevent a household robbery by filling the entire house with concrete. It would work, but...

Better to do as above: work on the perimeter security, don't leave any "windows" open, and keep tested backup copies of all secure data.
1
btan, Exec Consultant, commented:
Indeed we need layered defence, but even then, taking the worst case, the endpoint is the last line of defence: imagine a user just uses a USB portable drive that is infected and AV did not detect it. All defence layers are important.

You may configure your machine accordingly to reduce (not prevent) the chances of ransomware infection, e.g. use it to mitigate ransomware by blocking executables that are not signed in the places ransomware likes:

<users profile>\AppData\Local\Temp
<users profile>\AppData\Local\Temp\*
<users profile>\AppData\Local\Temp\*\*

For Windows machines, you can consider EMET (Enhanced Mitigation Experience Toolkit). It protects Windows computers against cyber attacks and unknown exploits. It detects and blocks exploitation techniques that are commonly used to exploit memory corruption vulnerabilities. It augments existing AV and host firewall to prevent exploits from dropping Trojans, but if you click to open a file, it will not be able to help.

HitmanPro.Alert is another free ransomware protection and browser intrusion detection tool.
1
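Blocking is one half of what the question asked for; the other half was spotting anything that executes from these locations. The script below is an added example (not from the thread) that does that from Security event 4688, the process-creation audit record, matching the new process image against the folders named in the comment above and in the original question. It assumes an elevated session, that "Audit Process Creation" is enabled (the first three commands turn it on locally; in a domain that is a GPO setting), and the known-good list is an illustrative placeholder for your own inventory.

```powershell
# Added example (not from the thread): flag process starts whose image lives in a
# user-writable staging folder, using Security event 4688.
# Assumptions: run as Administrator; "Audit Process Creation" enabled (done below, normally
# by GPO); the known-good launchers are placeholders to replace with your own inventory.
#Requires -RunAsAdministrator

auditpol.exe /set /subcategory:"Process Creation" /success:enable | Out-Null
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
# Without this flag the CommandLine field of 4688 stays empty.
New-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -PropertyType DWord -Force | Out-Null

# Writable locations called out in the thread, as regexes over the NewProcessName field
# (-match is case-insensitive). Most specific first so the Matched column is informative.
$suspectPaths = @(
  '\\Users\\[^\\]+\\AppData\\Local\\Temp\\',
  '\\Users\\[^\\]+\\AppData\\Roaming\\',
  '\\Users\\[^\\]+\\AppData\\Local\\',
  '\\ProgramData\\',
  '\\Windows\\Temp\\',
  '^[A-Z]:\\temp\\',
  '\\\$Recycle\.Bin\\'
)
# Illustrative known-good launchers that legitimately live under AppData (placeholders).
$knownGood = @(
  '\\AppData\\Local\\Google\\Chrome\\Application\\chrome\.exe$',
  '\\AppData\\Roaming\\Dropbox\\bin\\Dropbox\.exe$'
)

function Get-SuspiciousProcessStart {
  param([datetime]$Since = (Get-Date).AddHours(-24))
  $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue
  foreach ($e in $events) {
    # Read the EventData by field name rather than by Properties index, which shifts between OS versions.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $image = $data['NewProcessName']
    if (-not $image) { continue }
    $hit = $suspectPaths | Where-Object { $image -match $_ } | Select-Object -First 1
    if (-not $hit) { continue }
    if ($knownGood | Where-Object { $image -match $_ }) { continue }
    [pscustomobject]@{
      Time    = $e.TimeCreated
      User    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
      Image   = $image
      Parent  = $data['ParentProcessName']   # present on Windows 10 / Server 2016 and later
      CmdLine = $data['CommandLine']
      Matched = $hit
    }
  }
}

Get-SuspiciousProcessStart -Since (Get-Date).AddHours(-24) | Format-Table -AutoSize
```

Run on its own this is a local hunt; the useful deployment is the same logic as a SIEM rule over forwarded 4688 (or Sysmon event 1, which adds file hashes and the parent command line) so that one alert fires the first time a user's mail client or browser spawns something from `AppData\Local\Temp`. The known-good list should be short and exact-match on the full path, for the same reason as the AppLocker exceptions: a loose pattern under a writable folder is a hole, not an exclusion.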
Thomas Zucker-Scharff, Solution Guide, commented:
HitmanPro.Alert is an excellent solution, which I like so much I purchased it. EMET is an excellent solution, but the defaults are fairly restrictive.
0
Senior IT System Engineer (IT Professional), Author, commented:
@BTan,

Is EMET also freeware that can be downloaded from https://www.microsoft.com/en-us/download/details.aspx?id=53354 ?
0
btan, Exec Consultant, commented:
1
Rich Rumble, Security Samurai, commented:
The best backup plan is good clean backups of data. Monitoring the %temp% file locations themselves isn't going to save you at all. As stated above, the best way to prevent it is to train users not to click on attachments, and to NEVER enable macros in Office documents. Very few people actually need macros ever in their lifetime. EMET is a great defense for many new exploits that AV vendors don't have a detection for. Ransomware only works because no one has followed what I consider to be the number one BEST PRACTICE since computers became popular: have good backups!
Another best practice that is biting people in the a** is permissions on file shares. If your users don't need access to folders x, y and z, make sure they can't access those folders. Ransomware looks at mapped drives and file shares; your registry keeps a very detailed log of previous files, shares and paths that your users have been to. Make sure you have backups of all your vital data.
-rich
0
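The share-permission point above is the one that decides how far an infection spreads once an endpoint control fails, so here is an added example (not from the thread) that enumerates a file server's non-administrative shares and lists where broad groups can write, taking both the share ACL and the NTFS ACL into account, since effective access is the intersection of the two. It assumes a Windows Server 2012 or later file server with the SmbShare module, run as Administrator; the list of "broad" principals is a starting point to extend with your own catch-all groups.

```powershell
# Added example (not from the thread): report shares where any broad group has write access,
# i.e. what ransomware running as an ordinary infected user can reach over a mapped drive.
# Assumptions: Windows Server 2012+ with the SmbShare module, run as Administrator;
# $broadPrincipals is a starting point, not a complete list for your domain.
#Requires -RunAsAdministrator

# Principals that effectively mean "whichever user happens to get infected"
$broadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Domain Users')

# NTFS rights that let a process overwrite, create or delete files. Generic rights appear
# in Get-Acl output as raw bits (0x40000000 = GENERIC_WRITE, 0x10000000 = GENERIC_ALL).
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [int][System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [int][System.Security.AccessControl.FileSystemRights]::Delete -bor
             0x40000000 -bor 0x10000000

function Test-BroadPrincipal([string]$Name) {
  # "Domain Users" shows up as CONTOSO\Domain Users, so match on the suffix
  foreach ($b in $broadPrincipals) { if ($Name -like "*$b") { return $true } }
  return $false
}

function Get-WritableShare {
  foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special -and $_.Path })) {
    # Share-level ACL: only Full or Change lets a client write through the share at all
    $shareAces = Get-SmbShareAccess -Name $share.Name | Where-Object {
      $_.AccessControlType -eq 'Allow' -and $_.AccessRight -in @('Full', 'Change') -and (Test-BroadPrincipal $_.AccountName)
    }
    if (-not $shareAces) { continue }   # read-only for broad groups at the share level: skip

    # NTFS ACL on the shared folder: the second half of the effective-permission check
    $ntfsAces = (Get-Acl -Path $share.Path).Access | Where-Object {
      $_.AccessControlType -eq 'Allow' -and
      (([int]$_.FileSystemRights) -band $writeMask) -ne 0 -and
      (Test-BroadPrincipal $_.IdentityReference.Value)
    }
    foreach ($ace in $ntfsAces) {
      [pscustomobject]@{
        Share       = $share.Name
        Path        = $share.Path
        Principal   = $ace.IdentityReference.Value
        NtfsRights  = $ace.FileSystemRights
        ShareRights = ($shareAces | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join ', '
      }
    }
  }
}

Get-WritableShare | Format-Table -AutoSize
```

Every row is a share an encrypting process can reach with a standard user token; the fix is the one the comment states: replace the broad principal with a group that contains only the people who need to write there, or drop the share-level right to Read. Inherited ACEs on subfolders are not walked here, so a clean top-level folder does not prove the tree is clean; point `Get-Acl` at the subfolders that matter if the share is large.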
btan, Exec Consultant, commented:
As shared by the experts.
0