Solved

Strategy to monitor and secure the %APPDATA% folder and the %TEMP% folder on the system to prevent Ransomware?

Posted on 2016-09-07
11
72 Views
Last Modified: 2016-09-29
Hi All,

Can anyone here please share some strategy for securing the %APPDATA% folder and the %TEMP% folder on your workstation / File Server?

Because I believe the two common areas where the ransomware typically executes from are the two folders above.

Looking for any file executing from these locations is a good way to spot ransomware before it has actually had a chance to encrypt files.

But how?
0
Comment
11 Comments
 
LVL 29

Assisted Solution

by:Olaf Doschke
Olaf Doschke earned 50 total points (awarded by participants)
ID: 41787426
1
 
LVL 16

Assisted Solution

by:Shaik M. Sajid
Shaik M. Sajid earned 50 total points (awarded by participants)
ID: 41787436
Most of the ransomware is spreading over e-mail attachments, hence you have to train users not to open unsolicited emails, keep up-to-date antivirus and anti-malware definitions, and do not assign local users administrative privileges so it will not affect all files on the system.

all the best
1
 
LVL 62

Accepted Solution

by:
btan earned 250 total points (awarded by participants)
ID: 41787652
Application whitelisting, like the use of AppLocker, can actually restrict what is authorized to run based on Publisher, Path or File hash rules. It is also possible to avoid false positives: you may set the enforcement mode on the relevant rule collection to Audit only so that AppLocker does not block any application for the present time. Subsequently, once you are ready after a period of monitoring, and you have seen that there is really no need to have applications running at those folders (or that certain ones do run there), you can change the enforcement mode to Enforce rules with the right rules in place and roll it out as a GPO policy.

For note - though it is true those folders are "hot favorites" for malware and the like, it can also break things and cause false positives (inconveniences to your users), so do the audit mode shared earlier first. Also consider whitelisting other applications, most likely browsers and cloud-based storage used on the machine like Dropbox and Chrome, which run from the AppData folder itself. Include blocking places like C:\temp, C:\ProgramData, Recycle Bin and other writable folders which you really do not want tampered with unless it is your whitelisted application.

We know such a preventive approach is not foolproof. Other means to augment it include
a) Preventive/Detective
- CryptoPrevent or SecureAPlus - same as AppLocker but more intuitive, including a ready package to block those common vulnerable locations
- Anti-ransomware software such as Malwarebytes Anti-Ransomware, and WinPatrol WinAntiRansom, which have behavioral rules to alert on sighting such anomalous activities.
- Audit rules on object changes can be done, but it is non-trivial if you do not have a SIEM or some log correlation to set an alarm on such events.

b) Deterrence - Setting up a decoy folder or equivalent such that ransomware does its recursive encryption of files etc. but on a fake folder and files. This allows time for the other detection mechanisms to kick in and alert (hopefully). One example is TrapX CryptoTrap.
2
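The accepted answer's approach in working form, as an added example that is not code from the thread or from Microsoft: a script that writes an AppLocker EXE policy containing the three default allow rules plus Deny path rules for the writable "hot" folders named above, with an exception so that Authenticode-signed binaries (any publisher) are still allowed there, and leaves the collection in AuditOnly mode. It assumes a Windows edition that ships AppLocker, an elevated PowerShell session and a running "Application Identity" (AppIDSvc) service; the file name under `$env:TEMP`, the rule names and the `-Apply` switch are constructed for this example.

```powershell
# Added example (not from the thread): AppLocker EXE policy in AuditOnly mode that flags
# executables launched from the folders discussed above, except Authenticode-signed ones.
# Assumptions: AppLocker-capable Windows edition, run as Administrator, AppIDSvc running.
param([switch]$Apply)   # dry run by default; pass -Apply to merge into the local policy

$policyPath = Join-Path $env:TEMP 'applocker-audit-hotfolders.xml'   # constructed location

# AppLocker path rules use AppLocker's own variables (%OSDRIVE%, %PROGRAMFILES%, %WINDIR%),
# not cmd.exe's %APPDATA% / %TEMP%. A trailing \* already covers all subfolders.
$denyPaths = @(
    '%OSDRIVE%\Users\*\AppData\Local\Temp\*'
    '%OSDRIVE%\temp\*'
    '%OSDRIVE%\ProgramData\*'
    '%OSDRIVE%\$Recycle.Bin\*'
)

$denyRules = foreach ($p in $denyPaths) {
    # Exception: signed binaries from any publisher stay allowed inside the denied path, which
    # implements "block executables that are not signed" for that folder. Tighten later by
    # replacing the wildcard publisher with the named ones you actually see (Chrome, Dropbox).
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny unsigned executables in $p"
                  Description="Added audit rule" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="$p" />
      </Conditions>
      <Exceptions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Exceptions>
    </FilePathRule>
"@
}

# The three default allow rules are mandatory: once any EXE rule exists, AppLocker treats
# everything not explicitly allowed as blocked, so a deny-only policy would flag (in audit)
# or stop (in enforce) every application on the machine.
$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
$($denyRules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
[IO.File]::WriteAllText($policyPath, $policy)   # UTF-8 without BOM
"Policy written to $policyPath"

# Dry run: evaluate whatever executables are in this user's Temp folder right now against the
# policy. PolicyDecision shows Allowed / Denied / DeniedByDefault and the matching rule.
Get-ChildItem "$env:LOCALAPPDATA\Temp" -Recurse -Include *.exe -ErrorAction SilentlyContinue |
    Convert-Path |
    Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply locally, merged with any existing rules, only when asked. For a domain roll-out the
# same XML can be pushed to a GPO with Set-AppLockerPolicy -XmlPolicy $policyPath -Ldap "LDAP://..."
if ($Apply) {
    Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
    Get-AppLockerPolicy -Local -Xml   # show the effective local policy for confirmation
}
```

Two caveats worth knowing before switching the collection from AuditOnly to Enabled: Deny rules win over Allow rules for every principal, so they also hit members of Administrators, and the wildcard-publisher exception is deliberately loose (any validly signed binary passes). Review the 8003 events in the "Microsoft-Windows-AppLocker/EXE and DLL" log for a few weeks, add publisher exceptions for the legitimate tools that appear, and only then enforce.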
LVL 27

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 50 total points (awarded by participants)
ID: 41789849
You can also add BD Antiransomware; although not configurable, it does monitor those folders. And I also + cryptoprevent. Those are endpoint solutions though. There are ways to do this using GPOs as well. And some software firms have solutions that can be implemented both at the endpoint and at the firewall (cylance.com and Sentinelone.com come to mind).
1
 
LVL 23

Assisted Solution

by:Danny Child
Danny Child earned 50 total points (awarded by participants)
ID: 41790361
The reason those areas exist is to allow legitimate programs to run.  If you try and lock them down, you'll stop this.  It's kinda like trying to prevent a household robbery by filling the entire house with concrete.  It would work, but...

Better to do as above, work on the perimeter security, don't leave any "windows" open, and keep tested backup copies of all secure data.
1
 
LVL 62

Assisted Solution

by:btan
btan earned 250 total points (awarded by participants)
ID: 41790550
Indeed we need layered defence, but even then, taking the worst case, the endpoint is the last line of defence - imagine a user just uses a USB portable drive that is infected and AV did not detect it. All defence layers are important.

You may configure your machine accordingly to reduce (not prevent) the chances of ransomware infection. E.g. use it to mitigate ransomware by blocking executables that are not signed, in places ransomware likes:

<users profile>\AppData\Local\Temp
<users profile>\AppData\Local\Temp\*
<users profile>\AppData\Local\Temp\*\*

For Windows machines, you can consider EMET (Enhanced Mitigation Experience Toolkit). It protects Windows computers against cyber attacks & unknown exploits. It detects and blocks exploitation techniques that are commonly used to exploit memory corruption vulnerabilities. It augments existing AV and host FW to prevent exploits from dropping Trojans, but if you click to open a file, it will not be able to help.

HitmanPro.Alert is another free Ransomware Protection & Browser Intrusion Detection Tool.
1
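The "but how?" side of the question, as an added example that is not code from the thread: once AppLocker rules for the Temp paths listed above exist (in AuditOnly or Enforce mode), the executions they catch are recorded in the "Microsoft-Windows-AppLocker/EXE and DLL" log, and this script turns those records into a short review list. It assumes the event IDs 8003 (audit: would have been blocked) and 8004 (blocked) and the field names under UserData/RuleAndFileData as the AppLocker log writes them (FilePath, TargetUser, FileHash, Fqbn); the time window, the path pattern and the summary layout are constructed for this example.

```powershell
# Added example (not from the thread): review AppLocker audit/block events for executables
# launched from per-user Temp folders, so "audit only" actually gets looked at.
# Assumptions: AppLocker EXE rules exist (AuditOnly is enough), AppIDSvc is running, and the
# event payload fields are as named below (FilePath, TargetUser, FileHash, Fqbn).
param(
    [int]$Hours = 24,
    [string]$PathPattern = 'APPDATA\\LOCAL\\TEMP'   # regex; -match is case-insensitive
)

$filter = @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id        = 8003, 8004     # 8003 = would have been blocked (audit), 8004 = blocked
    StartTime = (Get-Date).AddHours(-$Hours)
}

$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # AppLocker events carry their data in UserData/RuleAndFileData, not in EventData.
    $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
    if ($data.FilePath -match $PathPattern) {
        # TargetUser is a SID; translate it to DOMAIN\name where the account still resolves.
        $account = try {
            (New-Object Security.Principal.SecurityIdentifier $data.TargetUser).
                Translate([Security.Principal.NTAccount]).Value
        } catch { $data.TargetUser }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Mode     = if ($_.Id -eq 8003) { 'AuditOnly' } else { 'Blocked' }
            User     = $account
            FilePath = $data.FilePath      # written with AppLocker variables, e.g. %OSDRIVE%\USERS\...
            Fqbn     = $data.Fqbn          # fully qualified binary name; "-" when unsigned (assumed)
            FileHash = $data.FileHash
        }
    }
}

$hits | Sort-Object Time | Format-Table Time, Mode, User, FilePath, Fqbn -AutoSize

# Unsigned binaries that ran from Temp are the ones worth pulling for analysis; group them by
# hash so one dropper seen on many machines collapses to a single line.
"`nUnsigned executables seen in Temp, by hash:"
$hits | Where-Object { $_.Fqbn -eq '-' } |
    Group-Object FileHash | Sort-Object Count -Descending |
    Select-Object Count,
        @{ Name = 'FilePath'; Expression = { $_.Group[0].FilePath } },
        @{ Name = 'Hash';     Expression = { $_.Name } }
```

Scheduled daily, or with the same FilterHashtable wired into a SIEM collector, this is the cheap version of the "audit rule" btan mentions: the signal is not "a file was written to Temp" (which happens constantly) but "something tried to execute from Temp that no rule allowed", which is rare on a healthy workstation. Note that the paths in these events are stored with AppLocker's `%OSDRIVE%` variable and in upper case, which is why the pattern matches on the `APPDATA\LOCAL\TEMP` fragment rather than on a drive letter.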
 
LVL 27

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 50 total points (awarded by participants)
ID: 41790551
HitmanPro.Alert is an excellent solution which I like so much I purchased it. EMET is an excellent solution, but the defaults are fairly restrictive.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 41790572
@BTan,

Is EMET also freeware that can be downloaded from: https://www.microsoft.com/en-us/download/details.aspx?id=53354 ?
0
 
LVL 62

Assisted Solution

by:btan
btan earned 250 total points (awarded by participants)
ID: 41790602
1
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 50 total points (awarded by participants)
ID: 41792627
The best backup plan is good clean backups of data. Monitoring the %temp% file locations themselves isn't going to save you at all. As stated above, the best way to prevent it is to train users not to click on attachments, and to NEVER enable macros in Office documents. Very few people actually need macros ever in their lifetime. EMET is a great defense for many new exploits that AV vendors don't have a detection for. Ransomware only works because no one has followed what I consider to be the number one BEST PRACTICE since computers became popular: have good backups!
Another best practice that is biting people in the a** is permissions on file shares. If your users don't need access to folders x, y and z, make sure they can't access those folders. Ransomware is looking at mapped drives and file shares; your registry keeps a very detailed log of previous files, shares and paths that your users have been to. Make sure you have backups of all your vital data.
-rich
0
 
LVL 62

Expert Comment

by:btan
ID: 41821336
as shared by experts
0