
Ransomware avoidance


26 replies to this topic

#1 peterlonz (Members, 79 posts)

Posted 29 April 2016 - 10:57 PM

Just today I read that ransomware installs as a result of someone opening a malicious email attachment.

I doubt that this is either the only or even primary means of infection - but what do I know?

 

If indeed this is a primary source surely it is not too difficult to prevent any email attachment opening without the use of a specific security routine.

I use MS Outlook 2010, & I admit I am unaware of any such provision, but then that in itself is not surprising given the way MS design their SW.

 

I have also been wondering whether encrypted files on a PC can be further encrypted by Ransomware. Alternatively if such files were password protected, would this perhaps protect from Ransomware encryption?

 

Probably a series of dumb questions but if anyone can answer with confidence I'd be much obliged.

Thanks





#2 quietman7, Bleepin' Janitor (Global Moderator, 49,556 posts, Virginia, USA)

Posted 30 April 2016 - 06:13 AM

The best defensive strategy to protect yourself from malware and ransomware (crypto malware) infections is a comprehensive approach that includes prevention. Make sure you are running an updated anti-virus and anti-malware product, update all vulnerable software, use supplemental security tools with anti-exploitation features capable of stopping (preventing) infection before it can cause any damage, disable VSSAdmin.exe, close Remote Desktop Protocol (RDP) if you do not need it and routinely back up your data.

 

The widespread emergence of crypto malware (ransomware) has brought attention to the importance of backing up all data every day on a regular basis. The only reliable way to effectively protect your data and limit the loss with this type of infection is user education and to have an effective backup strategy. Preferably keeping a separate, offline backup to a device that is not always connected to the network.

Encrypted by ransomware...Prevention before the fact is the only guaranteed peace of mind on this one.

AskLeo on coping strategies for ransomware

Ransomware Prevention Tips:

You should also use an Anti-Exploit program to help protect your computer from zero-day attacks and rely on behavior detection programs rather than standard anti-virus definition (signature) detection software only. This means using programs that can detect when malware is in the act of modifying/encrypting files AND stop it rather than just detecting the malicious file itself, which in most cases is not immediately detected by anti-virus software.

 

Malware can disguise itself by hiding the file extension or by adding double file extensions and/or space(s) in the file's name to hide the real extension (as shown in Figure 1), so be sure you look closely at the full file name as well as the extension. If you cannot see the file extension, you may need to reconfigure Windows to show known file name extensions.

Kaspersky Lab advises that RDP brute-force attacks are on the rise, especially by those involved with the development and spread of ransomware. IT folks should close RDP if they don't use it. If they must use RDP, the best way to secure it is to either whitelist IPs on a firewall or not expose it to the Internet. Put RDP behind a firewall, only allow RDP from local traffic, set up a VPN to the firewall and enforce strong password policies, especially on any admin accounts or those with RDP privileges.

Some anti-virus and anti-malware programs include built-in anti-exploitation protection. For example, Emsisoft Anti-Malware uses advanced behavior blocking analysis which is extremely difficult to penetrate...it continually monitors the behavior of all active programs looking for any anomalies that may be indicative of malicious activity and raises an alert as soon as something suspicious occurs. Emsisoft has the ability to detect unknown zero-day attacks and file-encrypting malware (ransomware) attacks.

ESET Antivirus and Smart Security uses a Host-based Intrusion Prevention System (HIPS) to monitor system activity with a pre-defined set of rules (Advanced Memory Scanner) to recognize suspicious system behavior. When this type of activity is identified, HIPS stops the offending program from carrying out potentially harmful activity. ESET's enhanced Botnet Protection module blocks communication between ransomware and Command and Control (C&C) servers. ESET Antivirus (and Smart Security) includes Exploit Blocker which is designed to fortify applications that are often exploited (i.e. web browsers, PDF readers, email clients, MS Office components). This feature monitors the behavior of processes, looks for and blocks suspicious activities that are typical for exploits including zero-day attacks. ESET's Java Exploit Blocker looks for and blocks attempts to exploit vulnerabilities in Java. ESET Antivirus (and Smart Security) also includes script-based attack protection which protects against javascript in web browsers and Antimalware Scan Interface (AMSI) protection against scripts that try to exploit Windows PowerShell.

Malwarebytes 3.0 Premium with Anti-Exploit & Anti-Ransomware includes a real-time Protection Module that uses advanced heuristics scanning technology to monitor your system and prevent the installation of most new malware, stopping malware distribution at the source. This technology dynamically blocks malware sites & servers, prevents the execution of malware, proactively monitors every process and helps stop malicious processes before they can infect your computer.

As with most ransomware...your best defense is back up, back up, back up and the best solution for dealing with encrypted data is to restore from backups. Backing up data and disk imaging are among the most important maintenance tasks users should perform on a regular basis, yet it's one of the most neglected areas.

IMPORTANT!!! When implementing a backup strategy include testing to ensure it works before an emergency arises; routinely check to verify backups are being made and stored properly; remove (disconnect) and isolate all backups from the network or home computer...if not, you risk ransomware infecting them when it strikes.

Ransomware Prevention Tools:

Keep in mind that some security researchers have advised not to use multiple anti-exploit applications because using more than one of them at the same time can interfere with Return-oriented programming (ROP) and other exploit checks. This in turn can result in the system becoming even more vulnerable than if only one anti-exploit application is running. In some cases multiple tools can cause interference with each other and program crashes.

While you should use an antivirus (even just the Windows Defender tool built into Windows 10, 8.1, and 8) as well as an anti-exploit program, you shouldn’t use multiple anti-exploit programs...These types of tools could potentially interfere with each other in ways that cause applications to crash or just be unprotected, too.

How-To Geek on Anti-exploit programs

ROP is a computer security exploit technique that allows an attacker to execute code in the presence of security defenses such as non-executable memory and code signing. It is an effective code reuse attack since it is among the most popular exploitation techniques used by attackers and there are few practical defenses that are able to stop such attacks without access to source code. Address Space Layout Randomization (ASLR) is a computer security technique involved in protection from buffer overflow attacks. These security technologies are intended to mitigate (reduce) the effectiveness of exploit attempts. Many advanced exploits rely on ROP and ASLR as attack vectors used to defeat security defenses and execute malicious code on the system. For example, they can be used to bypass DEP (data execution prevention), which is used to stop buffer overflows and memory corruption exploits. Tools with ROP and ASLR protection such as Microsoft's Enhanced Mitigation Experience Toolkit (EMET) use technology that checks each critical function call to determine if it's legitimate (if those features are enabled).

Important Fact: Security is all about layers and not depending on any one solution, technology or approach to protect yourself from cyber-criminals. The most important layer is you. No amount of security software is going to defend against today's sophisticated malware writers for those who do not practice safe computing and stay informed. It has been proven time and again that the user is a more substantial factor (weakest link) in security than the architecture of the operating system or installed protection software. Cyber-criminals succeed because they take advantage of human weaknesses...relying heavily on social engineering to exploit the weakest link in the security chain.

Thus, the user is the first and last line of defense and security is a constant effort to stay one step ahead of the bad guys.
If you have not done so already, you may want to read:


Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
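Editor's note: the post above recommends three concrete checks on a Windows PC (make Explorer show known file extensions so "Invoice.pdf.exe" cannot pass as a PDF, close or restrict RDP, and inspect suspicious double-extension filenames). The script below is an added example, not code from the thread or from any of the products named in the post. It is read-only unless run with -Fix, assumes Windows 8 or later (the Get-NetFirewallRule cmdlets are not on Windows 7), an elevated PowerShell session for the -Fix changes, and the English firewall group name "Remote Desktop"; the folders it scans are a guess you should adjust.

```powershell
# Added example (not from the thread): audit three ransomware-exposure settings.
# Read-only by default; pass -Fix to show extensions and disable RDP.
param(
    [switch]$Fix,
    # Assumption: the folders where mailed or downloaded attachments usually land.
    [string[]]$ScanFolders = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop")
)

# 1. Are known file extensions hidden? HideFileExt = 1 means Explorer hides them,
#    so a lure named "Invoice.pdf.exe" is displayed as "Invoice.pdf".
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hideExt  = (Get-ItemProperty -Path $explorer -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
if ($hideExt -eq 1) {
    Write-Warning 'Explorer hides known file extensions; double-extension lures are invisible.'
    if ($Fix) {
        Set-ItemProperty -Path $explorer -Name HideFileExt -Value 0
        Write-Output 'Set HideFileExt=0; sign out and back in for Explorer to pick it up.'
    }
} else {
    Write-Output 'OK: Explorer shows file extensions.'
}

# 2. Is Remote Desktop enabled, and from which addresses does the firewall allow it?
#    fDenyTSConnections = 0 means RDP is switched on.
$ts        = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpDenied = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
if ($rdpDenied -eq 0) {
    Write-Warning 'Remote Desktop is enabled.'
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue |
        ForEach-Object {
            $scope = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
            $prof  = $_.Profile
            if ($scope -eq 'Any') {
                Write-Warning "  Rule '$($_.DisplayName)' ($prof) accepts RDP from ANY address; restrict RemoteAddress to LocalSubnet or your VPN range."
            } else {
                Write-Output  "  Rule '$($_.DisplayName)' ($prof) is limited to: $scope"
            }
        }
    if ($Fix) {
        Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1
        Write-Output 'Disabled Remote Desktop (fDenyTSConnections=1).'
    }
} else {
    Write-Output 'OK: Remote Desktop is disabled.'
}

# 3. Look for the deceptive names the post describes: a harmless-looking inner
#    extension, optional padding spaces, then a real executable/script extension.
$execExt = '\.(exe|scr|com|pif|bat|cmd|js|jse|vbs|vbe|wsf|wsh|ps1|hta|lnk)$'
$lureExt = '\.(pdf|docx?|xlsx?|pptx?|jpe?g|png|txt|zip|mp3|mp4)'
foreach ($folder in $ScanFolders) {
    if (-not (Test-Path $folder)) { continue }
    Get-ChildItem -Path $folder -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $execExt -and $_.Name -match "$lureExt\s*\." } |
        ForEach-Object { Write-Warning "Suspicious double extension: $($_.FullName)" }
}
```

Run it first without -Fix to see what it reports; the RDP section is the part worth reading closely, since a rule whose RemoteAddress is "Any" is exactly the Internet-exposed RDP the post warns about. The filename regex is deliberately loose and will flag a legitimate "setup.zip.exe", which is acceptable for a manual review list.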

#3 RolandJS (Members, 4,227 posts, Austin TX metro area)

Posted 30 April 2016 - 06:30 AM

"...Ransomware installs as a result of someone opening a malicious email attachment..."

The above concern about getting bad stuff from opening an email is the very reason I have disabled any/all preview panels in my Eudora Pro [remember way back when?], Mozilla Thunderbird and eM Client. Unless times and operations have changed:

-- preview panels open the email in order to offer the end-user a pre-view

--  it was possible [back then for sure] to accidentally initiate something just by opening an email

 

Now that I think about it, the problem was opening HTML-type emails that just happen to contain "invisible" web-bots, and Word documents and spreadsheet-type emails containing macros.


Edited by RolandJS, 30 April 2016 - 06:35 AM.

"Take care of thy backups and thy restores shall take care of thee."  -- Ben Franklin revisited.

http://collegecafe.fr.yuku.com/forums/45/Computer-Technologies/

Backup, backup, backup! -- Lady Fitzgerald (sevenforums)

Clone or Image often! Backup, backup, backup, backup... -- RockE (Windows Secrets Lounge)


#4 quietman7, Bleepin' Janitor (Global Moderator)

Posted 30 April 2016 - 07:33 AM

Opening malicious email attachments is only one vector used to spread ransomware. As noted in step 2 of the link I referenced above, there are many other vectors to be aware of.

#5 peterlonz, Topic Starter (Members, 79 posts)

Posted 30 April 2016 - 09:42 AM

Thanks for the response.

Quite a bit of detail there & some I don't yet fully understand.

As I thought email attachments are only "one method in use".

Backup has always seemed problematic to me:

I have 4 Hard Drives installed, most are at least half full of data, not all very important stuff, but deciding what to dump would take ages.

I can't disc image for some weird reason - it seems my C drive does not have room although it should have.

Where & what cost to store this mass of data?

I can well understand why folk hardly ever backup.

Plus I gather the more recent Ransomware attacks manage to infiltrate the backups?

Just saying.



#6 Agouti (Members, 1,548 posts)

Posted 30 April 2016 - 01:45 PM

"I can't disc image for some weird reason - it seems my C drive does not have room although it should have." (peterlonz)

You shouldn't be backing up to your C drive.  You should backup to external media, e.g. a USB hard drive.

 

"Plus I gather the more recent Ransomware attacks manage to infiltrate the backups?" (peterlonz)

If you backup to an external hard drive and disconnect it when done, your backups shouldn't get infected.  On the other hand, if you keep the drive attached, then it's surely at risk too.



#7 quietman7, Bleepin' Janitor (Global Moderator)

Posted 30 April 2016 - 04:15 PM

If you use a cloud backup that provides strong encryption, includes versioning and does not utilize a drive letter (cloud backups typically do not use those), then you should be safe from crypto ransomware as you can back up to the date prior to the infection.
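Editor's note: posts #2, #6 and #7 between them describe what a ransomware-resistant backup needs: it must not live on the drive being protected, it must be disconnected when not in use, it must keep dated versions so you can go back to before the infection, and it must be tested rather than assumed to work. The script below is an added example that puts those four points into a plain-file backup; it is not code from the thread or from Macrium, CrashPlan or Carbonite, and it is not a disk image. The source folder, the drive letter E: for the external disk, and the retention count of seven are assumptions to change for your own setup. It needs PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example (not from the thread): versioned, verified copy to a removable drive.
param(
    [string]$Source      = "$env:USERPROFILE\Documents",   # assumption: what to protect
    [string]$Destination = 'E:\Backups',                    # assumption: external drive
    [int]$KeepVersions   = 7                                # assumption: versions to keep
)

$srcFull = (Resolve-Path $Source).Path.TrimEnd('\')
$srcRoot = [System.IO.Path]::GetPathRoot($srcFull)
$dstRoot = [System.IO.Path]::GetPathRoot($Destination)

# Post #6: never back up onto the drive being protected. A copy on C: is encrypted
# together with the originals when ransomware runs.
if (($srcRoot -ieq $dstRoot) -or ($dstRoot -ieq ($env:SystemDrive + '\'))) {
    throw "Destination $Destination is on $dstRoot; use a separate external drive."
}
# Post #6 again: the drive should only be attached while the backup runs.
if (-not (Test-Path $dstRoot)) {
    throw "Backup drive $dstRoot is not connected. Plug it in, run this, then unplug it."
}

# Post #7: one timestamped folder per run gives versioning, so a run made after the
# infection does not overwrite the clean copy made before it.
$stamp  = Get-Date -Format 'yyyy-MM-dd_HHmmss'
$target = Join-Path $Destination $stamp
New-Item -ItemType Directory -Path $target -Force | Out-Null
Copy-Item -Path "$srcFull\*" -Destination $target -Recurse -Force

# Post #2: test the backup before you need it. Hash every source file and its copy;
# a file that was locked or skipped during the copy shows up here as missing.
$bad = 0
Get-ChildItem -Path $srcFull -File -Recurse | ForEach-Object {
    $rel  = $_.FullName.Substring($srcFull.Length + 1)
    $copy = Join-Path $target $rel
    if (-not (Test-Path -LiteralPath $copy) -or
        (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash -ne
        (Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash) {
        Write-Warning "Verify failed: $rel"
        $bad++
    }
}

if ($bad -eq 0) {
    Write-Output "Verified: every file in $target matches the source."
    # Prune the oldest versions beyond $KeepVersions, but only after a clean verify,
    # so a failed run never deletes a good older copy.
    Get-ChildItem -Path $Destination -Directory |
        Where-Object { $_.Name -match '^\d{4}-\d{2}-\d{2}_\d{6}$' } |
        Sort-Object Name -Descending |
        Select-Object -Skip $KeepVersions |
        Remove-Item -Recurse -Force
} else {
    Write-Warning "$bad file(s) did not verify; do not rely on version $stamp."
}

Write-Output 'Done. Disconnect the backup drive now so the copies stay offline.'
```

The verification loop is the part people skip: a backup job that reports success because the copy command returned is not the same as a backup whose files match the originals byte for byte. Note what this does not do: if a file was already encrypted by ransomware before the run, its encrypted form is faithfully copied and verified, which is why the dated versions and the oldest clean copy matter (RolandJS makes the same point further down the thread).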

#8 peterlonz, Topic Starter (Members, 79 posts)

Posted 30 April 2016 - 06:53 PM

I remain a bit uncertain on a few points (despite what looks like very clear guidance).

 

Re backup: let's say I wish to use "the cloud" & the quantity of data is around 4 TB in total; what cloud services can you recommend & typically what might this service cost p.a.?

I also observe that some cloud services have recently been compromised, by careless management as I recall.

Further, if the Ransomware is designed to infiltrate your backup, then you probably will not know the date of original infection, which might be weeks before you encounter the result? Is this not so?

 

Disc imaging: I used several programs to attempt this & all seemed to involve an intermediate stage where C drive was used.

I am not quite daft enough to consider storing my image/backup there!



#9 RolandJS (Members, 4,227 posts)

Posted 30 April 2016 - 07:02 PM

If you get ransomware and do not know it [for a while], yes, you could be backing up encrypted data. Still, some restorable backups are better than no restorable backups at all.

Macrium Reflect, when making a full image of the OS partition, does involve volume shadowing for intelligent copying; whatever it adds to C during its operations, it apparently cleans up after itself upon completion.




#10 UzY3L (Members, 102 posts, Bucharest)

Posted 28 June 2016 - 06:57 AM

Ok, so it is a bad idea to use lots of programs at the same time, but there is no all-in-one wonder product. So what do we do? Run ESET + Malwarebytes + Emsisoft + McAfee? Or just ESET?

 

I mean, what would be the ideal combination for good protection?

 

ESET is $90. Malwarebytes is another $25. While cheaper than paying the ransom, it is still an expensive option for users. I am contemplating buying an ESET license, but even at $90 it is something that I need to give more thought to.



#11 quietman7, Bleepin' Janitor (Global Moderator)

Posted 28 June 2016 - 08:05 AM

There is no universal "one size fits all" solution that works for everyone. I already provided the basic best defensive strategy to protect yourself from ransomware.

The only thing I would add is the fact that the user is a more substantial factor (weakest link) in security than the architecture of the operating system or installed protection software.

The user is the first and last line of defense and security is a constant effort to stay one step ahead of the bad guys. No amount of security software is going to defend against today's sophisticated malware writers for those who do not practice safe computing and stay informed.

Security is all about layers, and not depending on any one technology or approach to detect or save you from the latest threats. The most important layer in that security defense? You! Most threats succeed because they take advantage of human weaknesses (laziness, apathy, ignorance, etc.), and less because of their sophistication.

Krebs on Security

#12 Demonslay335, Ransomware Hunter (Security Colleague, 3,173 posts, USA)

Posted 28 June 2016 - 08:39 AM

For cloud backup, I personally recommend CrashPlan. I pay about $8USD per month, and get unlimited backup for all three of my hard drives - that's about 3TB of data. I also use a free account with Dropbox to backup my mobile devices - they sync photos to my Dropbox account (that I clear out if it gets too full since it's the free version), which syncs to my computer automatically, then gets grabbed by CrashPlan. :)

 

Carbonite is also a very excellent, user-friendly cloud service. It is about the same price and has excellent data retention - you can restore to a previous version up to a month or two ago.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]


#13 pnamajck (Members, 7 posts)

Posted 01 July 2016 - 10:54 AM

As the topic of this thread deals with ransomware avoidance … and pursuant to the ideal of "backing up" being paramount … the quandary being that ransomware can and does hide … until such a time as it rears its ugly head and assumes attack mode.

In other words, what I am stipulating is this … innocuous files residing on one's computer … being backed up safely to another drive … suddenly those "innocent" files can awaken deadly ransomware. What I am trying to impress is that, in backing up files … you may be backing up silent ransomware. Reformatting one's drive … post ransomware attack … you will, ultimately, open yourself up to another attack … hiding in your backup.

I am vigilant … I maintain my computer … I have read theories on how to stay ahead and sustain a "best defensive strategy" approach. There are vigilantes here on bleepingcomputer.com whom I wish to thank … as well as other forums (reddit, pcmag, etc.) I scope out.

However, and this may emanate from a rather "paranoid" conception … seems we are losing the "good" battle.

One month from now, Microsoft will be launching their "anniversary" edition of Win-10 … veritably, fraught with all manner of security holes and exploit havens.

Seems what we need is an omnituens (all-seeing) sentry … instead of relying on twenty-some different programs which specialize in one or two differing objectives. Probably it would require quantum vortices or similar … it's becoming hopeless. <sigh>



#14 quietman7, Bleepin' Janitor (Global Moderator)

Posted 01 July 2016 - 11:01 AM

Just like with anti-virus programs...there is no universal "one size fits all" solution that works for everyone and there is no single best anti-ransomware solution.

As I have said before...the user is a more substantial factor (weakest link) in security than the architecture of the operating system or installed protection software.

#15 UzY3L (Members, 102 posts, Bucharest)

Posted 01 July 2016 - 02:12 PM

I think that we agree that the average user does not surf the dark web daily or do penetration testing on a routine basis, causing his system to be a target. What would be a best all-rounder? Take my case for example: got infected with Cerber while doing nothing. My PC was just connected to the web. Didn't open anything, as I was watching TV.

 

Granted, I was using Windows Firewall (which was turned off) and had no A-V installed. Going from that to what I've read and what I've been told (looking at you, "quietman7"), a good all-rounder would be just ESET AV. Seems to have a bit of everything while not going to break your wallet.
