Solved

Strategy to monitor and secure the %APPDATA% folder and the %TEMP% folder on the system to prevent ransomware?

Posted on 2016-09-07
Last Modified: 2016-09-29
Hi All,

Can anyone here please share some strategy for securing the %APPDATA% folder and the %TEMP% folder on your workstation / file server?

Because I believe the two common areas where ransomware typically executes from are the two folders above.

Looking for any file executing from these locations is a good way to spot ransomware before it has actually had a chance to encrypt files.

But how?
11 Comments
 
LVL 29

Assisted Solution

by:Olaf Doschke
Olaf Doschke earned 50 total points (awarded by participants)
1
 
LVL 16

Assisted Solution

by:Shaik M. Sajid
Shaik M. Sajid earned 50 total points (awarded by participants)
Most ransomware spreads via e-mail attachments, hence you have to train users not to open unsolicited emails, keep antivirus and anti-malware definitions up to date, and do not assign local users administrative privileges so it will not affect all files on the system.

All the best
1
 
LVL 61

Accepted Solution

by:btan
btan earned 250 total points (awarded by participants)
Application whitelisting, like use of AppLocker, can actually restrict what is authorized to run based on Publisher, Path or File hash rules. It is also possible to avoid false positives: you may set the enforcement mode on the relevant rule collection to Audit only so that AppLocker does not block any application for the present time. Subsequently, once you are ready after a period of monitoring and there is really no need to have applications running from those folders (or only certain ones do), you can change the enforcement mode to Enforce rules with the right rules in place and roll it out as a GPO policy.

For note: though it is true those folders are "hot favourites" for malware and the like, it can also break things and cause false positives (inconveniences to your users), so do the audit mode shared earlier first. Also consider whitelisting other applications, most likely browsers and cloud-based storage used on the machine like Dropbox and Chrome, that run from the AppData folder itself. Include blocking places like C:\temp, C:\ProgramData, the Recycle Bin and other writable folders which you really do not want tampered with unless it is your whitelisted application.

We know such a preventive approach is not foolproof. Other means to augment it include:
a) Preventive/Detective
- CryptoPrevent or SecureAPlus: same idea as AppLocker but more intuitive, including a ready-made package to block those common vulnerable locations.
- Anti-ransomware software such as Malwarebytes Anti-Ransomware and WinPatrol WinAntiRansom, which have behavioural rules to alert on sighting such anomalous activities.
- Audit rules on object changes can be done, but it is non-trivial if you do not have a SIEM or some log correlation to set an alarm on such events.

b) Deterrence: setting up a decoy folder or equivalent such that the ransomware does its recursive encryption of files etc. on a fake folder and files. This allows time for the other detection mechanisms to kick in and alert (hopefully). One example is TrapX CryptoTrap.
2
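The decoy-folder deterrence and the "audit rules on object changes" idea above can be combined on a file server. This is an added example, not code from the thread or from any product named in it; the folder location, bait file names and thresholds are placeholders, and it assumes an elevated PowerShell on the server hosting the share.

```powershell
# Added example (not from the thread): a decoy folder of bait documents whose SACL audits
# writes and deletes by anyone, plus a query that turns the resulting Security events into
# an alert when one account touches many bait files in a short window. Needs an elevated
# prompt; the folder location, file names and thresholds are placeholders for this example.
$decoy = 'C:\Shares\__DecoyDocs'   # put it on a real file share in practice
New-Item -ItemType Directory -Path $decoy -Force | Out-Null
1..20 | ForEach-Object {
    # Bait files with document-like names; content is harmless constructed text.
    Set-Content -Path (Join-Path $decoy "invoice_$_.docx") -Value ('Decoy ' * 200)
}
# SACL entry: log successful write/append/delete by Everyone, inherited by files and subfolders.
$acl  = Get-Acl -Path $decoy -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $decoy -AclObject $acl
# Object SACLs only produce events once the File System audit subcategory is switched on.
auditpol.exe /set /subcategory:"File System" /success:enable | Out-Null

# Detection: event 4663 (object access) for paths under the decoy, grouped by account.
# Many distinct bait files hit by one user within the window is the "isolate this host" signal.
function Get-DecoyHits {
    param([int]$Minutes = 10, [int]$Threshold = 5)
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data.ObjectName -like "$decoy\*") {
            [pscustomobject]@{ User = $data.SubjectUserName; File = $data.ObjectName; Process = $data.ProcessName }
        }
    } | Group-Object User | ForEach-Object {
        $files = @($_.Group.File | Select-Object -Unique)
        if ($files.Count -ge $Threshold) {
            [pscustomobject]@{ User = $_.Name; FilesTouched = $files.Count; Processes = ($_.Group.Process | Select-Object -Unique) -join ', ' }
        }
    }
}
Get-DecoyHits
```

Run Get-DecoyHits from a scheduled task every few minutes (or forward the 4663 events to your SIEM and apply the same grouping there); legitimate users have no reason to open these files, so any hit above the threshold deserves a look.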
 
LVL 26

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 50 total points (awarded by participants)
You can also add BD Antiransomware; although not configurable, it does monitor those folders. And I also + CryptoPrevent. Those are endpoint solutions though. There are ways to do this using GPOs as well. And some software firms have solutions that can be implemented both at the endpoint and at the firewall (cylance.com and Sentinelone.com come to mind).
1
 
LVL 23

Assisted Solution

by:DanCh99
DanCh99 earned 50 total points (awarded by participants)
The reason those areas exist is to allow legitimate programs to run. If you try and lock them down, you'll stop this. It's kinda like trying to prevent a household robbery by filling the entire house with concrete. It would work, but...

Better to do as above: work on the perimeter security, don't leave any "windows" open, and keep tested backup copies of all secure data.
1
 
LVL 61

Assisted Solution

by:btan
btan earned 250 total points (awarded by participants)
Indeed we need layered defence, but even then, taking the worst case, the endpoint is the last line of defence: imagine a user just uses a USB portable drive that is infected and the AV did not detect it. All defence layers are important.

You may configure your machine accordingly to reduce (not prevent) the chances of ransomware infection, e.g. use it to mitigate ransomware by blocking executables that are not signed in places ransomware likes:

<users profile>\AppData\Local\Temp
<users profile>\AppData\Local\Temp\*
<users profile>\AppData\Local\Temp\*\*

For Windows machines, you can consider EMET (Enhanced Mitigation Experience Toolkit). It protects Windows computers against cyber attacks and unknown exploits. It detects and blocks exploitation techniques that are commonly used to exploit memory corruption vulnerabilities. It augments existing AV and host FW to prevent exploits from dropping Trojans, but if you click open a file, it will not be able to help.

HitmanPro.Alert is another free Ransomware Protection & Browser Intrusion Detection Tool.
1
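The AppLocker approach from the accepted solution, applied to the Temp paths listed just above, as an added example that is not code from the thread or from Microsoft. It assumes an elevated PowerShell on an AppLocker-capable Windows edition; the policy file name, rule names and the Chrome install path are assumptions, and the Chrome publisher string is read from the binary rather than typed in.

```powershell
# Added example (not from the thread): AppLocker EXE policy in AuditOnly mode that denies
# executables launched from the per-user Temp folder, keeps the stock default allow rules so
# the OS keeps working, and whitelists Chrome by publisher. Needs an elevated PowerShell on
# an AppLocker-capable Windows edition; file and rule names below are placeholders.
# AppLocker ignores %TEMP%/%APPDATA%; its %OSDRIVE% variable plus wildcards covers every
# profile. SIDs: Everyone = S-1-1-0, BUILTIN\Administrators = S-1-5-32-544.
$rules = @'
    <FilePathRule Id="{0}" Name="Deny EXE from user Temp" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\Temp\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="{1}" Name="(Default) Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="{2}" Name="(Default) Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="{3}" Name="(Default) Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
'@ -f (1..4 | ForEach-Object { [guid]::NewGuid() })
# Chrome's per-user install lives under %LOCALAPPDATA%, so a broad AppData deny would break it;
# a publisher rule keeps working across Chrome updates where a hash rule would not.
$chrome = "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe"
if (Test-Path $chrome) {
    $pub = (Get-AppLockerFileInformation -Path $chrome).Publisher
    $rules += @"
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Allow Chrome (publisher)" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePublisherCondition PublisherName="$($pub.PublisherName)" ProductName="*" BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" /></FilePublisherCondition></Conditions>
    </FilePublisherRule>
"@
}
$policyFile = "$env:ProgramData\applocker-ransomware-audit.xml"
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$rules
  </RuleCollection>
</AppLockerPolicy>
"@ | Set-Content -Path $policyFile -Encoding UTF8
# Dry-run against a harmless probe copied into Temp before touching the live policy.
Copy-Item "$env:WINDIR\notepad.exe" "$env:TEMP\probe.exe"
Test-AppLockerPolicy -XmlPolicy $policyFile -Path "$env:TEMP\probe.exe" -User Everyone
# Apply locally; AppLocker only evaluates rules while the Application Identity service runs.
sc.exe config appidsvc start= auto | Out-Null; Start-Service AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyFile
# AuditOnly hits are logged as event 8003 ("would have been blocked"). Review these for a
# while, then flip EnforcementMode to "Enabled" and distribute the same XML through GPO.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -MaxEvents 20 | Select-Object TimeCreated, Message
```

A rule collection with any rules at all blocks everything it does not explicitly allow, which is why the three default allow rules are included; leave them out and the audit log will fill with every program on the machine.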
 
LVL 26

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 50 total points (awarded by participants)
HitmanPro.Alert is an excellent solution which I like so much I purchased it. EMET is an excellent solution, but the defaults are fairly restrictive.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
@BTan,

Is EMET also freeware that can be downloaded from https://www.microsoft.com/en-us/download/details.aspx?id=53354 ?
0
 
LVL 61

Assisted Solution

by:btan
btan earned 250 total points (awarded by participants)
1
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 50 total points (awarded by participants)
The best backup plan is good clean backups of data. Monitoring the %temp% file locations themselves isn't going to save you at all. As stated above, the best way to prevent it is to train users not to click on attachments, and to NEVER enable macros in Office documents. Very few people actually need macros ever in their lifetime. EMET is a great defense for many new exploits that AV vendors don't have a detection for. Ransomware only works because no one has followed what I consider to be the number one BEST PRACTICE since computers became popular: have good backups!
Another best practice that is biting people in the a** is permissions on file shares. If your users don't need access to folders x, y and z, make sure they can't access those folders. Ransomware is looking at mapped drives and file shares; your registry keeps a very detailed log of previous files, shares and paths that your users have been to. Make sure you have backups of all your vital data.
-rich
0
 
LVL 61

Expert Comment

by:btan
As shared by experts.
0
