Solved

Recommended steps to prevent ransomware, and are there any apps that can detect an attack prior to

Posted on 2016-11-12
70 Views
Last Modified: 2016-11-19
What can we do to prevent a ransomware infection? Are there any apps we can install?
Question by:rayluvs
33 Comments
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 62 total points
ID: 41884648
Install top notch Spam filtering to eliminate most of the threat.

Train people not to open emails from strangers. Opening strange emails (which then trigger the attack) is a large cause of ransomware.

These attacks come in email, and most AV and similar applications do not prevent incoming email. Some AV will detect the attachment and delete it.
0
 
LVL 61

Accepted Solution

by:btan
btan earned 252 total points
ID: 41884687
A couple of solutions have evolved as ransomware variants emerge, to prevent it from even starting the file encryption; mainly they detect anomalous activity such as aggressive searching and reading/writing of targeted folders, and surges in resource usage due to high I/O reads, etc. Baseline hardening is still paramount and includes:
- no administrative rights (users should not be allowed such privileges)
- application whitelisting (AppLocker or CryptoPrevent)
- avoid turning on unnecessary services (esp. RDP access; use strong passwords and 2FA)
- verify backup readiness (do not store on the same target machine; keep a copy offline)
- user education (be vigilant for red flags in phishing emails and websites, and do not open/click suspicious attachments/URLs)
- remember not to pay the ransom by default (report the incident immediately)

Solutions (not in any order):
- Malwarebytes Anti-Ransomware, Anti-Exploit
- Bitdefender Anti-Ransomware
- Sophos Intercept X
- WinPatrol WinAntiRansom
- TrapX CryptoTrap (sets fake tokens)
- Anti Ransom (open source, using honeypots, similar to TrapX)

I'd like to suggest you check out the EE article on ring-fencing and the mitigation action listing:
https://www.experts-exchange.com/articles/28059/TL-DR-Ransomware.html

You still need to maintain cyber hygiene and the baseline controls like host AV, FW and a secure browser (clean up the plugins).
0
 

Author Comment

by:rayluvs
ID: 41884702
Is a ransomware infection not possible if one just browses to a page? Only through email?
0
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 62 total points
ID: 41884712
I have not seen ransomware via browsing. I keep SmartScreen ON and that prevents rogue websites quite well. The common approach is via email.
0
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 62 total points
ID: 41884724
Let me give you an example.

1. I was away last week at Microsoft and I needed transportation from the airport to the hotel. I chose Shuttle Express as it was the most economical. They do business by website and email, and they sent me an email confirmation and receipt in the form of a PDF file. I received it, opened the PDF and printed it. No issue.

2. I see an email from FedEx saying my package could not be delivered (I got over 5 of these). I do not have any package outstanding. There is an attachment. I delete these emails. No issue.

Now, what do you think the attachment was in number 2? Ransomware! Almost for certain.

User training and knowledge is paramount.
0
 
LVL 27

Assisted Solution

by:serialband
serialband earned 62 total points
ID: 41884752
Ransomware can come through popup ads. Install an adblocker as a first line of defense, ahead of antivirus software. This reduces the scanning that antivirus software has to do to block those for you.
http://arstechnica.com/security/2016/03/big-name-sites-hit-by-rash-of-malicious-ads-spreading-crypto-ransomware/

For email, a lot of providers have hidden the full headers, making it a bit more difficult to see where they originate. As part of the education, you should teach your users how to display the full headers when they have questions about the legitimacy of an email. That way you can receive them and help them identify the email. On Windows systems, it's gotten much harder to remotely install software without user permission. Users generally have to install it themselves. Teach users mainly not to click on attachments they're not expecting. Confirm all wire transfer requests with additional in-person or phone confirmation.

You should have multiple backup sets, with at least one set that is disconnected and off the internet, preferably off-site too. It should be swapped in after other backups are verified, and you can rotate them out. That keeps any ransomware from hitting all your backups too, so that you have something to recover from.
0
 
LVL 27

Assisted Solution

by:davorin
davorin earned 62 total points
ID: 41884754
MS says that you can get infected with ransomware as follows:

"How did ransomware get on my PC?
In most instances ransomware is automatically downloaded when you visit a malicious website or a website that's been hacked."
from https://www.microsoft.com/en-us/security/portal/mmpc/help/infection.aspx

I have seen a couple of infections coming via emails with PDF or DOC attachments, which included a link to an infected website.
The experts above have already suggested lots of important things that can help you prevent a ransomware infection, but you can never be 100% safe.
In my opinion the most important thing is to have a good backup.
In some rare cases I also use CryptoPrevent.
0
 

Author Comment

by:rayluvs
ID: 41884769
Great info!

If a non-admin user account gets infected on a Windows 8/10 PC, would the other user accounts on the computer (other non-admin and ADMIN users) also be infected?
0
 
LVL 27

Assisted Solution

by:serialband
serialband earned 62 total points
ID: 41884771
That all depends on the malware.  You should scan the entire system and remove all traces.
0
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 62 total points
ID: 41884772
It depends on the ransomware. A number just infect the user folder but it may easily spread.

Do NOT depend upon corrective action. That largely does not work. Use preventative techniques to avoid problems.

Once a given machine is compromised, it should be formatted and Windows reinstalled.

This stuff is not a joke, and not kids hacking. These are criminals attempting to extort money.
0
 

Author Comment

by:rayluvs
ID: 41884811
We thought that a non-admin user has no access to other users' folders on the same PC, and even less access to the Windows administrator folders (or login space within the same PC).

How is that possible?
0
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 62 total points
ID: 41884815
If the file you opened is smart enough, it can access other folders. It can take admin rights if clever.
0
 
LVL 27

Assisted Solution

by:serialband
serialband earned 62 total points
ID: 41884850
It's called privilege escalation.  Hackers can bypass the security measures and become an administrator or system.
0
 

Author Comment

by:rayluvs
ID: 41884871
Yes makes sense.
0
 

Author Comment

by:rayluvs
ID: 41884872
Before closing, there was an entry suggesting one should format the drive and reinstall Windows. Just how bad is a ransomware infection that this procedure should be done?
0
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 62 total points
ID: 41884874
Ransomware encrypts files and the results cannot normally be decrypted. If the virus has firmly parked itself, then format and reinstall is good advice. There is no conclusive answer that works all the time, so we recommend as per above.

The best cure is always prevention.
0
 
LVL 27

Assisted Solution

by:serialband
serialband earned 62 total points
ID: 41884947
It all depends on how much you trust the antivirus programs and how technically well-versed you are. If you aren't that technical, the best thing to do is to reinstall. If you're technical, and understand the severity of your infection and can guarantee that you are safe, then you may be able to get away with it. Unfortunately, that's still a risk. The best bet is to always reinstall from a known safe source.
0
 

Author Comment

by:rayluvs
ID: 41884977
Thank!!! Great Info!!
0
 
LVL 61

Assisted Solution

by:btan
btan earned 252 total points
ID: 41885010
Pardon me for being late in sharing.

Infection via browsing is definitely possible, and it can easily be done via drive-by download. Meaning the page is compromised either with a malicious advert, or the page has injected hidden code that exploits a browser vulnerability, or a pop-up says you need to install a player update, which is fake, and the user just clicks proceed.

Multiple users' files can still be infected, since ransomware can elevate its privileged access to all folders. You can consider encrypting those other users' files so that ransomware cannot easily access those files even if it managed to brute-force its way into the user account. Employ 2FA as a greater deterrent.

Check out the EE FAQ. As for a clean build, as with all infected machines, it is still recommended to have a clean, fresh build as compared to just an AV clean-up. That is best practice; then recover your backup data.

TL;DR - Ransomware
https://www.experts-exchange.com/articles/28059/TL-DR-Ransomware.html
0
 

Author Comment

by:rayluvs
ID: 41885031
Hi,

In your entry "...You can consider encrypting those other user files so that ransomware cannot access easily those files even if it managed to brute force into the user account. Employ 2FA to make it as greater deterrence.", what do you mean by us encrypting other users' files? Do you mean we should encrypt our whole drive, for example with the encryption apps that come with Windows?

Please explain.
0
 
LVL 61

Assisted Solution

by:btan
btan earned 252 total points
ID: 41885041
As a matter of fact, ransomware would not care whether the files are encrypted or not. It simply goes through and encrypts them as long as it can reach those files. The encryption is typically on the fly using the current login account. E.g. once ransomware gets into the system, it will take on SYSTEM rights (if the current login has any administrative account/rights) to reach all files, or it can be based on the current login "normal" (least privileged) user account, which restricts access to only that user's files. Hence the preaching on education to make sure no administrative account or group is assigned to users unnecessarily.

Having said that, encryption of files/folders is still advocated for confidentiality, and more specifically ransomware variants (coupled with other malware, as one of their carriers is the exploit kit), such as CryptXXX, have shown that they have evolved to also siphon information on top of the "blind" encryption (in this example, it adds the .crypt extension), asking for ransom.
0
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 62 total points
ID: 41885045
Truly, after all is said, prevention is the best answer. That is what I do, mostly with effective spam control.
0
 
LVL 27

Assisted Solution

by:serialband
serialband earned 62 total points
ID: 41885053
Security has multiple layers.  Prevention is just the first layer.  You can't neglect the backups either.
0
 
LVL 61

Assisted Solution

by:btan
btan earned 252 total points
ID: 41885073
Incident reporting is important, esp. for enterprises; everyone should know the procedures. For home end users or personal asset owners, do not rush to pay the ransom. It is not guaranteed that such cleaning is complete or that all files are recoverable. Ransomware may also have corrupted the files due to a poorly coded decryption tool, or its own not-well-tested encryption code that was just copied and not tested well. There can be legal implications too.

Other more salient defences include:

- Always showing hidden extensions (lockedFile.jpg is actually lockedFile.jpg.exe);
- Filtering out executable files from email servers;
- Disabling remote desktop connections to prevent it from mass-spreading to gain a foothold on your other devices or networks;
- Filtering macro-enabled files like .docm, since macros are another way to execute code on targets;
- Consider Data Leakage Prevention (DLP) and anomaly detection, e.g. deterring attempts to leak data out of the network into the Internet; pay attention to suspicious outbound connections, peer-to-peer file sharing and IRC connections;
- Verify your backup rather than assuming that the regular backup is always ready. Use another account for the backup, for the scheduled incremental and complete archival, and for the backup program;
- Adopt 2FA so that account login is not just password-based, which can further the spread of infection and the reach of ransomware or its accompanying exploit kit attempting brute-force logins.
0
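A worked example of the attachment-filtering points in the list above (hidden double extensions, executables in email, macro-enabled files), written for this answer and not part of the original thread: a small Python classifier run over constructed sample attachments. The extension lists, verdict names and sample files are assumptions for the demo, not a product's rule set.

```python
"""Constructed demo of mail-gateway attachment rules: block executables by
extension and by content, quarantine macro-enabled Office files, and flag
double extensions that the hide-extensions setting would mask from users."""
import os

# Extensions that run code when a user opens them (assumed policy list)
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
             ".vbs", ".vbe", ".wsf", ".hta", ".msi"}
# Macro-enabled Office formats (assumed policy list)
MACRO_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}
# Types a user expects to be harmless; "x.jpg.exe" abuses one of these
BENIGN_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt", ".doc", ".docx"}


def all_extensions(name: str) -> list:
    """'lockedFile.jpg.exe' -> ['.jpg', '.exe']; dotless names -> []."""
    exts = []
    base = os.path.basename(name).lower()
    while True:
        base, ext = os.path.splitext(base)
        if not ext:
            return exts
        exts.insert(0, ext)


def classify_attachment(name: str, data: bytes) -> tuple:
    """Return (verdict, reason); verdict is 'block', 'quarantine' or 'allow'."""
    exts = all_extensions(name)
    last = exts[-1] if exts else ""
    # Content check first: a renamed .exe still starts with the PE 'MZ' magic
    if data[:2] == b"MZ":
        return "block", f"PE 'MZ' header in content (name: {name})"
    if last in EXEC_EXTS:
        return "block", f"executable extension {last}"
    if last in MACRO_EXTS:
        return "quarantine", f"macro-enabled Office file {last}"
    if len(exts) >= 2 and exts[-2] in BENIGN_EXTS and last not in BENIGN_EXTS:
        return "quarantine", f"double extension {''.join(exts[-2:])}"
    return "allow", ""


# Constructed sample attachments: (filename, first bytes of content)
SAMPLE_MAIL = [
    ("receipt.pdf", b"%PDF-1.4\n"),
    ("lockedFile.jpg.exe", b"MZ\x90\x00"),          # hidden .exe, PE content
    ("FedEx_notice.pdf.js", b"var x=1;"),           # script with benign-looking name
    ("delivery_notice.docm", b"PK\x03\x04"),        # macro-enabled document
    ("report.pdf", b"MZ\x90\x00"),                  # .exe renamed to .pdf
    ("photo.jpg.xyz", b"\xff\xd8\xff"),             # unknown trailing extension
]


def filter_mail(attachments) -> dict:
    """Map filename -> verdict for a list of (name, data) pairs."""
    return {name: classify_attachment(name, data)[0] for name, data in attachments}


if __name__ == "__main__":
    for name, data in SAMPLE_MAIL:
        print(f"{name:24s} {classify_attachment(name, data)}")
```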
 
LVL 26

Assisted Solution

by:skullnobrains
skullnobrains earned 62 total points
ID: 41888200
- no admin accounts
- no macros in office documents (possibly activated by the user on a case-by-case basis)
- no executable files in email, and possibly in web browsing either (filter by file type); clam with PUA filters enabled does a good job of filtering hidden executables in weird places
- automated INCREMENTAL backups, possibly with alarms triggered when the difference between files is huge or a non-encrypted file suddenly becomes encrypted

... not using windows is obviously by far the most effective measure you can take.
0
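The behavioural detection that btan's first answer describes (anomalous activity in targeted folders, honeypot files as used by tools like TrapX CryptoTrap and Anti Ransom) and the incremental-backup alarm in the list above, as an added Python example that is not code from this thread or from any of the named products; the two snapshots, canary path and entropy/rename thresholds are constructed for the demo.

```python
"""Constructed demo: canary (honeypot) files, entropy jumps between two backup
snapshots, and mass renames to a new extension. Snapshots are in-memory dicts."""
import hashlib
import math
import os
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext, typically 4-5 for documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data, threshold=7.2, min_size=512):
    """Small files are skipped: entropy estimates on them are unreliable."""
    return len(data) >= min_size and shannon_entropy(data) > threshold


def detect_ransomware_activity(before, after, canaries, rename_ratio=0.5):
    """Compare two snapshots (path -> bytes) and return a list of alert strings."""
    alerts = []
    # 1. Canary files: any modification or disappearance is a hard alert.
    for c in canaries:
        if c not in after:
            alerts.append(f"CANARY_MISSING {c}")
        elif after[c] != before.get(c):
            alerts.append(f"CANARY_MODIFIED {c}")
    # 2. Files that vanished and came back with an extra extension
    #    (report.docx -> report.docx.crypt), checked for an entropy jump.
    gone = set(before) - set(after)
    gained_ext = Counter()
    for path in set(after) - set(before):
        stem, ext = os.path.splitext(path)
        if stem in gone:
            gained_ext[ext.lower()] += 1
            if looks_encrypted(after[path]) and not looks_encrypted(before[stem]):
                alerts.append(f"ENTROPY_JUMP {stem} -> {path}")
    for ext, count in gained_ext.items():
        if count / len(before) >= rename_ratio:
            alerts.append(f"MASS_RENAME {count}/{len(before)} files gained {ext}")
    # 3. Files rewritten in place that went from plaintext-like to ciphertext-like.
    for path in (set(before) & set(after)) - set(canaries):
        if (after[path] != before[path] and looks_encrypted(after[path])
                and not looks_encrypted(before[path])):
            alerts.append(f"ENTROPY_JUMP {path}")
    return alerts


def pseudo_ciphertext(n, seed):
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for ciphertext."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed snapshots: plaintext-like documents plus one canary file.
TEXT = b"Quarterly report: revenue up, costs flat. " * 40      # 1680 bytes
CANARY = "docs/~aaa_canary.txt"                                 # sorts first, hit early
BEFORE = {"docs/report.docx": TEXT, "docs/budget.xlsx": TEXT,
          "docs/notes.txt": TEXT, CANARY: b"canary file, do not touch\n" * 64}
AFTER = {"docs/report.docx.crypt": pseudo_ciphertext(len(TEXT), b"1"),
         "docs/budget.xlsx.crypt": pseudo_ciphertext(len(TEXT), b"2"),
         "docs/notes.txt": TEXT,
         CANARY + ".crypt": pseudo_ciphertext(1664, b"3"),
         "docs/README_DECRYPT.txt": b"Your files were encrypted. Pay to get them back."}

if __name__ == "__main__":
    for alert in detect_ransomware_activity(BEFORE, AFTER, {CANARY}):
        print(alert)
```

Run against real backup sets, the snapshots would be the file listings and contents of two consecutive incremental backups, and a non-empty alert list is the trigger for the alarm skullnobrains describes.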
 
LVL 27

Assisted Solution

by:serialband
serialband earned 62 total points
ID: 41889143
... not using windows is obviously by far the most effective measure you can take.

I keep seeing these biased opinions about Windows and it's blatantly wrong.  I've had to deal with users on Linux and Macs that have gotten into trouble with trojans and rootkits too.

Macs have mainly just been ignored, so they've been staying safely under the radar for years, but I've seen some scripted Linux trojans attempting to run on a Mac imperfectly. If they knew that they had hit a Mac, they would have hidden it better. Early Mac virus scanners didn't see them, so I've cleaned them manually. IBM has announced that they're moving over to Mac, and that's going to make OS X a big fat target now. Macs are much easier to backdoor and hack than you think. Yes, in earlier years, there were no real threats to OS X, but it's not because it was more secure. It's just been ignored because of the tiny market share.

I've dealt with numerous users that have gotten trojaned with IRC bot C&C servers on Linux. The Windows viruses/trojans connect to Linux IRC C&C servers to get their orders. Yes, they have them on Windows too, but the C&C servers are typically on Linux. The main reason Windows is targeted is because it's far more numerous, but with the stupid move to IoT crap, we're seeing IoT devices being used more easily. Linux is only as secure as the admin that manages it. I've had to eradicate trojans and rootkits from other people's Linux and Unix systems. I've also dealt with Linux servers that have had code injection, so Linux isn't really as safe as you think. These are typically from script kiddies, so their code and logs are in the packages. The experts that actually program these could probably hide better.

As an OS, Windows is probably more secure out of the box now than OS X or any Linux, due to years of hardening against attacks.  It's the users that get hacked, and it's been the user's fault for installing or clicking on something they shouldn't, but these days, you can get drive-by attacks through your browser too, and they can infiltrate Linux, OS X, and Windows with the right code.  If you're not tech savvy, you can easily get attacked on any system.

P.S. They generally have scores of Linux/Unix C&C servers to control hundreds to thousands of Windows botnets.  You need both the bots and the C&C servers for the botnets to work.  They generally have several C&C servers redundancy.  The Windows bots don't work on their own.  Linux is not more secure and neither are Macs.  They're just different.
0
 
LVL 26

Assisted Solution

by:skullnobrains
skullnobrains earned 62 total points
ID: 41889909
I do not think this is the right place for this discussion, but then,

I never EVER said Linux was generally safe (nor even mentioned Linux or any Linux distro).

I actually do think that Windows is less secure than mostly anything else, and not just because it is more targeted. There is a wealth of reasons for that. I personally have a hardened Win2k that has worked through about everything since Sasser without being hit (at least by the huge number of known threats that I could not have missed), and I'm not blatantly anti-MS. But as far as security goes, they're most definitely not my bet.

You can obviously install easy-to-hack-if-not-voluntarily-trojaned-in-the-first-place software such as the bunch of stuff around the mDNS responder that Apple was nice enough to render popular enough to be installed by default in many places it shouldn't be, including by default in OSX; USB devices (among others) may contain viruses in microcode that will not care about the OS because they act on the hardware, .... the list is long and beside the point.

But we're dealing with ransomware. Currently, all the ransomware versions I've been able to get a sample of could only infect Windows computers, and in many cases required Office, Adobe or some other software to be installed in the first place. I'm interested in a Linux version, nevertheless. The bold does not mean I'm shouting; it is just to make it easy for those who don't care about the above.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41889913
@rayluvs - Can you follow up please?
0
 
LVL 27

Assisted Solution

by:serialband
serialband earned 62 total points
ID: 41890027
Bold is emphasis.
CAPS IS SHOUTING.

Your anecdotal experience limits you. I also said users, not sysadmins, are the ones that generally get problems. Your statement about not using Windows is still blatantly wrong going forward. A year or two ago, I may have just accepted it, even if I didn't agree fully with it, but it's definitely becoming a fallacy as more users move over. Ransomware is still relatively new and the first targets have been Windows, but they've already targeted Linux and Mac, and it's just a start.

Mac Ransomware:
https://blog.malwarebytes.com/cybercrime/2016/03/first-mac-ransomware-spotted/

Linux Ransomware:
https://nakedsecurity.sophos.com/2015/11/11/ransomware-meets-linux-on-the-command-line/
http://www.pcadvisor.co.uk/feature/security/linux-ransomware-why-everyone-could-be-affected-3637406/


No matter which OS you use, you still must follow the same security procedures to protect yourself. If you're not familiar with the OS you've switched to, you're going to have problems. Don't just switch for switching's sake. If users don't know the new OS, they're just going to have more trouble with it and give more work to the sysadmin. Follow the suggested procedures promoted by several of the other comments to protect the systems. There are several good suggestions in previous comments to help reduce ransomware attacks. You won't get rid of them all because non-technical users will do some stupid things.
0
 
LVL 26

Assisted Solution

by:skullnobrains
skullnobrains earned 62 total points
ID: 41890141
@serialband
I pretty much agree with most of the above.
Thanks for your comment regarding my "anecdotal" experience.
Like I said, this is not the place to express constructive comments regarding this or that OS design, much less raw statements.

Back to the topic.

The truth is most variants of this ransomware are not actually viruses that use exploits on this or that OS to move from one host to the next. This also explains why most existing heuristics (which quite often detect the use of specific syscalls) are/were quite inefficient at detecting it. They usually come packaged inside something else and the user actually triggers the operation. This is also true of most of the Windows variants I have encountered up to now.

The Mac ransomware described in the article is actually something that could quite efficiently work everywhere, as long as anyone can publish files that users may install as an administrator. Note that using repositories helps against such problems, and I'd be quite surprised to see a ransomware end up in BSD ports, for example.

So maybe not using Windows as an OS is not that much the point in this case. Rather, don't use fancy tools that may execute things without the user's consent (or rather without even notifying him), such as Office macros, embedded JScript executables in emails, embedded executable code in images or videos (ASF, WMP, ...), autoruns on removable devices, ... MS still has the lead in that respect, but it is quite true that most distributions that aim to be user-friendly desktops are following the lead and have sometimes brought their own additional dangers.
0
 
LVL 27

Assisted Solution

by:serialband
serialband earned 62 total points
ID: 41890169
... not using windows is obviously by far the most effective measure you can take.
I only had issue with that one line you made about not using Windows.  That certainly needed correction and I provided the facts to show that it's wrong.  I don't disagree with anything else you said and I wasn't debating you.
0
 
LVL 26

Assisted Solution

by:skullnobrains
skullnobrains earned 62 total points
ID: 41891221
@serialband: no harm meant, no hard feelings, and I'm ready to discuss OSes at length with you on a different, possibly private, thread. BTW I'm far from being convinced, and I do not believe either of the Linux/OSX ransomware mentioned have been engineered by the same people or even the same kind of people (techy not nerdy, reversible, different attack vectors relying on software exploits rather than user software, no separate downloader, no morphing, uses standard crypto libs, ...)... and that basically could not harm an end user, much less if the user applied even basic security (noexec on home dir, temp dir and removable drives would be enough; execution control software such as AppArmor would be quite efficient as well).
0
 

Author Closing Comment

by:rayluvs
ID: 41894172
WOW!!! We have read through all of your comments and they are great!!!! Thanks a lot, experts!!!
0
