The best defensive strategy to protect yourself from malware and ransomware (crypto malware) infections is a comprehensive approach to include prevention. Make sure you are running an updated anti-virus and anti-malware product, update all vulnerable software, use supplemental security tools with anti-exploitation features capable of stopping (preventing) infection before it can cause any damage, disable VSSAdmin.exe, close Remote Desktop Protocol (RDP) if you do not need it and routinely backup your data.
The widespread emergence of crypto malware (ransomware) has brought attention to the importance of backing up all data every day on a regular basis. The only reliable way to effectively protect your data and limit the loss with this type of infection is user education and to have an effective backup strategy. Preferably keeping a separate, offline backup to a device that is not always connected to the network.
Encrypted by ransomware...Prevention before the fact is the only guaranteed peace of mind on this one.
AskLeo on coping strategies for ransomware
Therefore...your best defense is back up, back up, back up and the best solution for dealing with encrypted data is to restore from backups. Backing up data and disk imaging are among the most important maintenance tasks users should perform on a regular basis, yet it's one of the most neglected areas.
IMPORTANT!!! When implementing a backup strategy include testing to ensure it works before an emergency arises; routinely check to verify backups are being made and stored properly; remove (disconnect) and isolate all backups from the network or home computer...if not, you risk ransomware infecting them when it strikes.
Ransomware Prevention Tips:
You should also use an Anti-Exploit program to help protect your computer from zero-day attacks and rely on behavior detection programs rather then standard anti-virus definition (signature) detection software only. This means using programs that can detect when malware is in the act of modifying/encrypting files AND stop it rather than just detecting the malicious file itself which in most cases is not immediately detected by anti-virus software.
Malware can disguise itself by hiding the file extension or by adding double file extensions and/or space(s) in the file's name to hide the real extension as shown here (click Figure 1 to enlarge) so be sure you look closely at the full file name as well as the extension. If you cannot see the file extension, you may need to reconfigure Windows to show known file name extensions.
Kaspersky labs advises RDP Bruteforce attacks are on the rise particularly by those involved with the development and spread of ransomware. IT folks should close RDP if they don't use it. If they must use RDP, the best way to secure it is to either whitelist IP's on a firewall or not expose it to the Internet. Put RDP behind a firewall, only allow RDP from local traffic, setup a VPN to the firewall, use an RDP gateway, change the default RDP port (TCP 3389) and enforce strong password policies, especially on any admin accounts or those with RDP privileges.
You should also rely on behavior detection programs rather then standard anti-virus definition (signature) detection software only. This means using programs that can detect when malware is in the act of modifying/encrypting files AND stop it rather than just detecting the malicious file itself which in most cases is not immediately detected by anti-virus software.
Some anti-virus and anti-malware programs include built-in anti-exploitation protection.
Emsisoft Anti-Malware includes a Behavior Blocker which continually monitors the behavior of all active programs looking for any anomalies that may be indicative of malicious activity and raises an alert as soon as something suspicious occurs. This advanced behavior blocking technology is able to detect unknown zero-day attacks, file-less malware that resides only in memory, zombies (the hijacking of host processes to load malicious code which execute via script parser programs), and file-encrypting malware (ransomware) attacks. Emsisoft's three security levels (or layers) of protection help to prevent the installation of malware and stop malicious processes before they can infect your computer. With the release of v2017.5, Emsisoft now has a separate Anti-Ransomware module.
Windows Defender Exploit Guard (introduced in Windows 10 Fall Creators Update) includes four components of new intrusion prevention capabilities designed to lock down a system against various attack vectors and block behaviors commonly used in malware attacks before any damage can be done. Exploit protection consists of exploit mitigations which can be configured to protect the system and applications whenever suspicious or malicious exploit-like behavior is detected. Controlled folder access protects common system folders and personal data from ransomware by blocking untrusted processes from accessing and tampering (encrypting) sensitive files contained in these protected folders. Attack Surface Reduction (ASR) is comprised of a set of rules which helps prevent exploit-seeking malware by blocking Office, script and email-based threats. Network protection protects against web-based threats by blocking any outbound process attempting to connect with untrusted hosts/IP/domains with low-reputation utilizing Windows Defender SmartScreen. Windows Defender EG is intended to replace Microsoft’s EMET which was confusing to novice users and allowed hackers to bypass because the mitigations were not durable and often caused operating system and application stability issues as explained here.
Malwarebytes 3.0 Premium with Anti-Exploit & Anti-Ransomware includes a real-time Protection Module that uses advanced heuristics scanning technology to monitor your system and prevent the installation of most new malware, stopping malware distribution at the source. This technology dynamically blocks malware sites & servers, prevents the execution of malware, proactively monitors every process and helps stop malicious processes before they can infect your computer.
Ransomware Prevention Tools:
Other Malware Prevention Tools:
Important Note: Keep in mind that some security researchers have advised not to to use multiple anti-exploit applications because using more than one of them at the same time can hamper the effectiveness of Return-oriented programming (ROP), and other exploit checks. This in turn can result in the system becoming even more vulnerable than if only one anti-exploit application is running. In some cases multiple tools can cause interference with each other and program crashes,
While you should use an antivirus (even just the Windows Defender tool built into Windows 10, 8.1, and 8) as well as an anti-exploit program, you shouldn’t use multiple anti-exploit programs...These types of tools could potentially interfere with each other in ways that cause applications to crash or just be unprotected, too.
How-To Geek on Anti-exploit programs
ROP is a computer security exploit technique that allows an attacker to execute code in the presence of security defenses such as non-executable memory and code signing. It is an effective code reuse attack since it is among the most popular exploitation techniques used by attackers and there are few practical defenses that are able to stop such attacks without access to source code. Address Space Layout Randomization (ASLR) is a computer security technique involved in protection from buffer overflow attacks. These security technologies are intended to mitigate (reduce) the effectiveness of exploit attempts. Many advanced exploits relay on ROP and ASLR as attack vectors used to defeat security defenses and execute malicious code on the system. For example, they can be used to bypass DEP (data execution prevention) which is used to stop buffer overflows and memory corruption exploits. Tools with ROP and ASLR protection such as Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) use technology that checks each critical function call to determine if it's legitimate (if those features are enabled).
As such, users need to know and understand the protection features of any anti-exploit/anti-ransomware program they are considering to use.
Important Fact: Security is all about layers and not depending on any one solution, technology or approach to protect yourself from cyber-criminals. The most important layer is you. No amount of security software is going to defend against today's sophisticated malware writers for those who do not practice safe computing and stay informed. It has been proven time and again that the user is a more substantial factor (weakest link) in security than the architecture of the operating system or installed protection software. Cyber-criminals succeed because they take advantage of human weaknesses...relying heavily on social engineering to exploit the the weakest link in the security chain.
Thus, the user is the first and last line of defense and security is a constant effort to stay one step ahead of the bad guys.
If you have not done so already, you may want to read: