Ransomware is growing like a hurricane. How you prepare can make the difference between a minor disturbance and a major disaster when the storm hits.
Ransomware prevention is the best way to ride this out. You need to lock down the windows (i.e. your machines) and back up the supplies (i.e. your files).
Why give this stuff away? Because crypto ransomware is scary, she said.
“The idea that someone external to you can encrypt all of your data and then you have no way to retrieve that data unless you pay them I think is just absolutely terrifying.”
Babinchak (who is also a Calyptix partner) recommends five ways to avoid a ransomware crisis at your office.
Note: This post was published in February 2015. Due to the rapidly evolving nature of malware, some of this information is subject to change.
How to prevent ransomware disasters: 5 ways
# 1. Group policies for Windows
Babinchak’s team released the Cryptolocker Prevention Kit (link below) back in 2013. It should have been called the “All-Purpose Ransomware Prevention Pack” because it stops all known variants from installing.
The best part? The kit still works.
It includes a set of group policies (GPOs) for Windows 7, Windows XP, and Windows terminal server. The policies block ransomware viruses from installing in their favorite directories.
“Our group policy prevents the launching of executables from certain folders in the user profile. In general, no legitimate applications launch from these folders, and so far all the crypto viruses are launching themselves basically in the same spot,” said Babinchak.
Babinchak recommends reading everything her team has published about Cryptolocker and related threats (about six short posts) before using the kit. You can see the material by searching “crypto” on the Third Tier blog.
Cryptolocker Prevention Kit – download it afterward, unzip the file, and follow the included PDF instructions.
# 2. Block malicious Tor IP addresses
Some crypto-viruses use the Tor anonymity network for command-and-control purposes. By blocking Tor IP addresses known to be malicious, you can prevent some ransomware from fully installing.
For example, the IP range 220.127.116.11/23 is associated with CryptoWall and other ransomware domains, according to CIS. To block connections between your network and this IP range, add it to the Static Blacklist in your AccessEnforcer.
Important Note: Not all ransomware uses Tor.
“There is another version of CryptoWall out there that doesn’t use the Tor network. It has another way to obtain its keys for encryption. We actually haven’t found a way to block that yet through IPs because it uses a whole floating range of them,” said Babinchak.
That said, the group policies in the Cryptolocker Prevention Kit linked above will prevent this type of malware from installing.
#3. Limit access to network shares
Once ransomware is on your machine, it begins searching for files to encrypt. It checks the local machine and the network.
“These viruses are able to affect anything that has a drive letter,” Babinchak said. “In most networks, you have mapped drive locations. For example, when you mount a backup, it gets a drive letter.”
How to prevent ransomware from infecting your backups is to check all network shares and backup locations. Change their permissions to allow access only by the administrator (and/or the backup service provider).
Also, when you need to mount a backup for restore purposes, make sure the permissions are set for read-only.
# 4. Filter spam and malicious attachments
All the ransomware Babinchak has seen requires the user to download and install something. Oftentimes, it’s a malicious email attachment.
“Our emails are checked for content and attachments before they reach the end user. That way we protect them from a lot of phishing attempts and infected attachments. So their email is pretty clean when we get it to them,” she said.
For example, CryptoWall spam emails may be disguised as a fax or shipping notice. Cryptolocker may pretend to be a voicemail alert or invoice notice. The attachments are often zip files that require a user to download and unzip.
Some ransomware infections begin with a “.scr” file that arrives in a “.zip” or “.cab” email attachment, according to Société Générale CERT. If possible, for ransomware prevention, block “.scr” files at the email gateway and establish application and device control policies to block their execution.
The number of businesses that operate without backups is shocking.
“In the 15 years we’ve been in business, only two times have we obtained a new client that had a good backup,” Babinchak said.
“There are so many businesses out there without a backup. If they get an infection like this, they’re done. There’s absolutely nothing you can do about it. They’re going to be out of business.”
Without backups, a ransomware infection can be a worst-case-scenario disaster for a small business. Recovery might be impossible – so always maintain backups of your files.
Also, test your backups regularly. Once Babinchak’s team on-boards a client, backups are automatically maintained and the restores are tested every month.
“The backup is only good if you can restore your data from it,” she said.
Bonus tips for ransomware prevention
Some additional advice on how to prevent ransomware from our post on Critroni decryption:
- Filter– Use web filtering to control the sites users can access. Use egress or outbound traffic filtering to block connections to malicious hosts.
- Limit – Do not allow user accounts to modify applications or the operating system. Create an administrator account for these functions and do not use it to browse the web.
- Configure– Adjust web browser security settings to prevent forced downloads.
- Protect – Install a reputable anti-virus, such as Microsoft Security Essentials or Malware Bytes, and use active monitoring.
- Patch– Always maintain the latest versions of your firewall, antivirus, operating systems, applications, and other systems. Routinely update as new patches become available, and update automatically if possible.
Think you’re infected?
The moment you think something is wrong, shut down the machine and call a professional, said Babinchak.
“The only way you can stop these infections from continuing is if they don’t have power. Once they are running, they are running.”
If a client thinks they are infected with ransomware, Babinchak’s team will first ask why the client thinks this is the case. Then the team will remove the hard drive from the computer, scan it, and remove any infections before returning power.
“Because if you power it back on, if the drive is infected it will continue to spread,” she said.
Get updates on classified malware research
Third Tier will soon have regular access to classified documents published by U.S. government agencies on virus research, hacking research, and related topics.
The documents require a low-level of security clearance to view. They are not allowed to be published publicly on a blog. So how do you get them?
Sign up for Third Tier’s Super Secret News! Just fill out the form on the left-side of the page linked above. The monthly newsletter starts in March.