How to protect yourself against Ransomware

What is ransomware?

Ransomware is a malicious code that encrypts your files and then asks for a ransom to decrypt them.

How can you protect yourself against ransomware? 

A lot of ransomware targets windows systems, so we will focus on them, but many of the steps you find below applies to non-Windows systems as well.

Now, let’s see how to mitigate the possibility of a Ransomware attack with a bunch of countermeasures:

  • Install a personal firewall: this is very basic and can help prevent the software from communicating with the encrypting server
  • Monitor the network for “weird” traffic, especially if coming from C:\windows\temp or any of the following directories:
    • %appdata%\*.exe
    • %appdata%\*\*.exe
    • %localappadata%\*.exe
    • %localappdata%\*.exe
  • Block weird traffic, especially if coming from directories mentioned above and/or on the following ports: 137, 139, 445 (these are the CIFS for windows, if you disable them you are not going to be able to share files on a LAN)
  • Map the application you want to run in the systems and allow only them to run, maybe through a GPO (or sudo-rights and SELinux in *nix systems)
  • Install and keep your antivirus up to date
  • Install OS security patches as they come up, extraordinary service windows for critical vulnerabilities might be scheduled
  • Do not open attachments that come from unknown/untrusted resources
  • Create a GPO to disable the .exe file to be executed from c:\windows\Temp and the following directories:
    • %appdata%\*.exe
    • %appdata%\*\*.exe
    • %localappadata%\*.exe
    • %localappdata%\*.exe
  • Create a GPO to disable the hiding of extension in Windows, so that executables are easier to identify
  • Verify any “weird” presence in the following Registry Keys:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • Perform periodic backups of systems and have them disconnected from the network, if your systems are compromised you can always restore your data from an offline backup. Please remember it must be OFFLINE BACKUP, otherwise the malware will crawl to your online backup and encrypt that as well and you are back at square 1.
  • Restrict unauthorized applications to establish inbound and outbound connections in the personal firewall of every single laptop
  • Enable IPS if present on the personal firewall on the laptops and on the main firewall
  • Block .exe and .zip files in e-mails
  • Educate yourself regarding security awareness once/twice a year
  • Run the following powershell script to identify if there are any other Cryptlocker malware(s) in the system:
    • (Get-Item HKCU:\Software\CryptoLocker\Files).GetValueNames().Replace(“?”,”\”) | Out-File CryptoLockerFiles.txt -Encoding Unicode
  • If you get infected, you can always cross your fingers and take a look here:

    That’s all folks! Enjoy and try to stay safe, a thing that is becoming more and more of a challenge.