Ransomware has risen to prominence this year, so much so that the FBI is asking businesses and software security experts for emergency assistance with its investigation into a pernicious new family known as MSIL/Samas. Unlike most strains, which encrypt whatever the infected user can reach from a single machine, Samas seeks to encrypt data across a whole network.
With reports that new ransomware installers can infect computers without the user clicking anything (drive-by downloads from compromised websites), many businesses are probably wondering what on earth they can do to protect themselves from the ever-growing threat. The good news is that there are some steps you can take to reduce the risk.
Methods of detection/prevention
- Set up file screening on file servers
Using File Server Resource Manager (FSRM), create a file group containing the known temporary encryption extensions and ransom-note file names listed at the bottom of this article. Create a passive file screen template that uses this group (passive means FSRM logs and alerts but does not block the write), apply it to the share roots, and attach an email or event-log notification so you are told the moment one of these names appears. Two caveats: a file screen only sees file names, so it catches strains that rename encrypted files or drop ransom notes but not ones that overwrite files in place without renaming them; and generic names in the list such as Read.txt and ReadMe.txt will match legitimate files, so expect to prune those.
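The FSRM setup described above, as an added example that is not part of the original article: it creates the file group, a passive screen template with email and event-log actions, applies it to a share root, and then checks that a matching file name raises an event. The share root, SMTP relay and mail addresses are assumptions, and only a representative slice of the two lists at the end of the article is used.

```powershell
# Added example, not from the original article. Builds the FSRM file group, passive
# screen template and alert actions described above. Needs the File Server Resource
# Manager role service and its PowerShell module (Windows Server 2012 or later).
# The share root, SMTP server and mail addresses are assumptions for this example.
Import-Module FileServerResourceManager

$shareRoot = 'D:\Shares'          # assumed root of the file shares to watch
$smtp      = 'smtp.example.com'   # assumed relay FSRM will use for alerts
$adminMail = 'soc@example.com'    # assumed alert recipient

# A representative slice of the two lists at the end of this article. FSRM patterns
# are file-name masks, so extensions get a leading '*'; note names are used as-is.
$extensions = @('.ecc', '.ezz', '.exx', '.zzz', '.xyz', '.aaa', '.abc', '.ccc', '.vvv',
                '.xxx', '.ttt', '.micro', '.encrypted', '.locked', '.crypto', '.locky')
$noteNames  = @('HELPDECRYPT.TXT', 'HELP_YOUR_FILES.TXT', 'HELP_RESTORE_FILES.txt',
                'DECRYPT_INSTRUCTIONS.TXT', 'howto_recover_file.txt', '_Locky_recover_instructions.txt')
$patterns   = @($extensions | ForEach-Object { "*$_" }) + $noteNames

# FSRM needs a mail relay and an admin address before email notifications will fire.
Set-FsrmSetting -SmtpServer $smtp -AdminEmailAddress $adminMail -FromEmailAddress "fsrm@$env:COMPUTERNAME.example.com"

New-FsrmFileGroup -Name 'Ransomware indicators' -IncludePattern $patterns `
    -Description 'Temporary encryption extensions and ransom-note file names' | Out-Null

# [Source Io Owner], [Source File Path], [Server], [Violated File Group] and [Admin Email]
# are FSRM macros expanded when the notification fires.
$mailAction  = New-FsrmAction -Type Email -MailTo '[Admin Email]' `
    -Subject 'Possible ransomware activity on [Server]' `
    -Body 'User [Source Io Owner] wrote [Source File Path], which matches group [Violated File Group].'
$eventAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Ransomware indicator: [Source Io Owner] wrote [Source File Path] on [Server].'

# Passive (-Active:$false) means log and alert but do not block the write, so a false
# positive costs an email rather than a broken save for the user.
New-FsrmFileScreenTemplate -Name 'Ransomware monitor (passive)' -IncludeGroup 'Ransomware indicators' `
    -Active:$false -Notification $mailAction, $eventAction | Out-Null

New-FsrmFileScreen -Path $shareRoot -Template 'Ransomware monitor (passive)' | Out-Null

# Check: create a file whose name matches the group and confirm FSRM (source SRMSVC)
# raised the warning in the Application log, then clean up.
New-Item -Path (Join-Path $shareRoot 'screen-test.locky') -ItemType File -Force | Out-Null
Start-Sleep -Seconds 5
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SRMSVC' } -MaxEvents 3 |
    Select-Object TimeCreated, Id, Message
Remove-Item (Join-Path $shareRoot 'screen-test.locky')
```

Because the screen is passive, the test file is created successfully; what you are checking is that the SRMSVC event and the email arrive. The same `New-FsrmAction -Type Command` mechanism can run a script as the response (for example, dropping the offending user's SMB session), which turns the alert into containment, but start passive and watch the false-positive rate before automating anything.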
- Prevent file execution in user profiles
Create a Software Restriction Policy (Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies in a GPO) with Disallowed path rules for executables under the user profile folders: %AppData%, %LocalAppData% and especially %Temp%, which is where Explorer and archive tools extract the EXE inside a ZIP attachment before the user runs it. Add Unrestricted rules for programs that legitimately run from the profile; the more specific path rule wins, so those override the blocks. Setting the NTFS "traverse folder / execute file" permission to Deny on all profile folders achieves a similar effect but is much blunter: Traverse Folder and Execute File are the same ACL bit, the folder half is neutralised by the "Bypass traverse checking" privilege that Everyone holds by default, and the file half, once inherited, stops every per-user installed application. Prefer the SRP rules, and test on a pilot group before rolling out.
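The SRP rule set described above, written as an added example that is not part of the original article. It writes path rules into the local-policy registry location that the Local Security Policy editor populates, so it is suitable for a test machine; in a domain the same rules go into a GPO. The registry layout is reproduced from editor-created rules but is an assumption here, and the two Unrestricted paths are placeholders for whatever your estate actually runs from the profile.

```powershell
# Added example, not from the original article. Writes the Software Restriction Policy
# path rules described above into the local-policy registry location that the Local
# Security Policy editor (Security Settings > Software Restriction Policies) uses.
# Run elevated on a test machine; for a domain, create the same rules in a GPO. The
# registry layout is an assumption reproduced from editor-created rules, so compare one
# generated key against a rule created in the editor before relying on it.
$base         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed   = "$base\0\Paths"        # security level 0 = Disallowed
$unrestricted = "$base\262144\Paths"   # security level 262144 (0x40000) = Unrestricted

function Add-SrpPathRule {
    param([string]$LevelKey, [string]$Path, [string]$Description)
    $rule = Join-Path $LevelKey ('{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $rule -Force | Out-Null
    New-ItemProperty -Path $rule -Name ItemData     -Value $Path        -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $rule -Name SaferFlags   -Value 0            -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $rule -Name Description  -Value $Description -PropertyType String       -Force | Out-Null
    New-ItemProperty -Path $rule -Name LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) `
        -PropertyType QWord -Force | Out-Null
}

# Global SRP settings: apply to all users, default level Unrestricted so that only the
# Disallowed rules below bite, and treat the listed extensions as executable.
New-Item -Path $base -Force | Out-Null
Set-ItemProperty -Path $base -Name DefaultLevel        -Value 262144 -Type DWord
Set-ItemProperty -Path $base -Name TransparentEnabled  -Value 1      -Type DWord   # 1 = enforce (DLLs excluded)
Set-ItemProperty -Path $base -Name PolicyScope         -Value 0      -Type DWord   # 0 = all users
Set-ItemProperty -Path $base -Name AuthenticodeEnabled -Value 0      -Type DWord
Set-ItemProperty -Path $base -Name ExecutableTypes -Type MultiString -Value @(
    'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP',
    'LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC',
    'JS','JSE','VBS','VBE','WSF','WSH','PS1')   # Windows default list plus common script types

# Disallow executables launched from the roaming and local profile, and from the
# folders Explorer and common archivers extract ZIP/RAR/7z attachments into.
$block = @(
    '%AppData%\*.exe',      '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe', '%LocalAppData%\*\*.exe',
    '%Temp%\*.zip\*.exe',   '%Temp%\Rar*\*.exe', '%Temp%\7z*\*.exe', '%Temp%\wz*\*.exe',
    '%UserProfile%\Downloads\*.exe'
)
foreach ($p in $block) { Add-SrpPathRule -LevelKey $disallowed -Path $p -Description 'Ransomware dropper location' }

# Unrestricted rules for software that legitimately runs from the profile. Both paths
# are placeholders for this example; a more specific path rule wins over a less
# specific one, so these override the blocks above for just those folders.
$allow = @('%LocalAppData%\Microsoft\OneDrive\*', '%AppData%\Example Vendor\Agent\*')
foreach ($p in $allow) { Add-SrpPathRule -LevelKey $unrestricted -Path $p -Description 'Approved profile-resident application' }

# Review the generated rules, then confirm enforcement: a blocked launch is logged in
# the Application log by the SoftwareRestrictionPolicies source (866 = path rule).
Get-ChildItem $disallowed, $unrestricted | ForEach-Object {
    $level = if ($_.PSParentPath -like '*\0\Paths') { 'Disallowed' } else { 'Unrestricted' }
    Get-ItemProperty $_.PSPath | Select-Object @{ n = 'Level'; e = { $level } }, ItemData, Description
}
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SoftwareRestrictionPolicies'; Id = 865, 866 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue
```

To verify, log off and back on, copy a harmless EXE into %AppData% and try to run it; the launch should fail and event 866 should appear. Do this on a pilot group first, because the Unrestricted list is only as complete as your inventory of profile-resident software.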
- Restrict folder access
Ransomware encrypts everything the infected user's account can write to, which means every mapped drive and share that account has access to (some strains, Locky among them, also enumerate shares that are not mapped). Apply least privilege to shares: no user should have write access to data they do not need, and no ordinary user should be a local administrator, since that is what makes the admin shares (C$, ADMIN$) reachable. Limiting what one account can write to limits how far one infection can spread.
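A share audit for the point above, as an added example that is not part of the original article: it lists every non-administrative SMB share on the named file servers whose share permissions grant Change or Full to a broad principal, which is exactly the access an infected user's mapped drive rides on. The server names and the list of broad principals are assumptions.

```powershell
# Added example, not from the original article. Audits SMB shares on one or more file
# servers for share permissions that grant write access (Change or Full) to broad
# principals. Needs the SmbShare module (Windows Server 2012 or later) and admin rights
# on the targets; the server names and the broad-principal list are assumptions.
function Find-OverExposedShares {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [string[]]$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Users', 'Domain Users', 'Domain Computers')
    )
    foreach ($server in $ComputerName) {
        # Special shares (C$, ADMIN$, IPC$) are admin-only by design; the fix for those is
        # removing users from the local Administrators group, not editing share ACLs.
        $shares = Get-SmbShare -CimSession $server | Where-Object { -not $_.Special }
        foreach ($share in $shares) {
            $writers = Get-SmbShareAccess -CimSession $server -Name $share.Name |
                Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    $_.AccessRight -in 'Change', 'Full' -and
                    $BroadPrincipals -contains ($_.AccountName -split '\\')[-1]   # strip DOMAIN\ prefix
                }
            foreach ($w in $writers) {
                [pscustomobject]@{
                    Server    = $server
                    Share     = $share.Name
                    Path      = $share.Path
                    Principal = $w.AccountName
                    Right     = $w.AccessRight
                }
            }
        }
    }
}

# Usage: review the output, then tighten with Revoke-SmbShareAccess / Grant-SmbShareAccess, e.g.
#   Revoke-SmbShareAccess -CimSession FS01 -Name Finance -AccountName Everyone -Force
#   Grant-SmbShareAccess  -CimSession FS01 -Name Finance -AccountName 'CORP\Finance-RW' -AccessRight Change -Force
Find-OverExposedShares -ComputerName 'FS01', 'FS02' | Format-Table -AutoSize
```

Share permissions are one of two layers; effective access is the intersection of the share ACL and the NTFS ACL on the folder, so a share that passes this check can still be over-exposed if the NTFS ACL grants Modify to Users. Run `Get-Acl` against the share paths the function returns to audit the second layer.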
- Ensure all servers and clients are updated regularly
The "drive-by download" route relies on exploit kits hosted on compromised or malicious websites that exploit known, already-patched vulnerabilities in the operating system, the browser and its plugins. Patching promptly closes those holes before the kit reaches them.
- Employ content scanning on mail servers
Use Mimecast or a similar service to scan inbound email for known threats and to block or quarantine attachment types that could carry one: executables and scripts, archives that contain them, and Office documents with macros, a common delivery method for ransomware such as Locky.
- Add behavioural scanning alongside anti-virus
Anti-virus relies on up-to-date definitions, and a new ransomware variant is often only recognised after it has already encrypted files. Complement it with a behavioural check: watch for unauthorised processes that open and modify an unusual number of files in a short space of time (for example 8 files within 20 seconds) and block or kill them. Tune the threshold and keep an allow-list, because backup agents, indexers and sync clients will trip a naive rule.
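The burst heuristic described above, as an added example that is not part of the original article: a sliding-window detector that flags any process touching at least a threshold number of distinct files within the window, with an optional kill response. The event records are constructed for the example to resemble what object-access auditing (Security event 4663) or an EDR file-event feed would supply; the field names and the allow-list are assumptions.

```powershell
# Added example, not from the original article. Flags any process that touches at
# least $Threshold distinct files inside a trailing $WindowSeconds window and, with
# -Enforce, kills it. Event objects are assumed to carry Time (DateTime), Process and
# Path; the KnownGood allow-list is an assumption to be tuned per estate.
function Find-FileBursts {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$Threshold = 8,
        [int]$WindowSeconds = 20,
        [string[]]$KnownGood = @('System', 'svchost.exe', 'SearchIndexer.exe'),
        [switch]$Enforce
    )
    $suspects = $Events | Where-Object { $KnownGood -notcontains $_.Process } | Group-Object Process
    foreach ($group in $suspects) {
        $window = @()
        foreach ($e in ($group.Group | Sort-Object Time)) {
            # Keep only the events that fall inside the window ending at this event.
            $window   = @($window | Where-Object { ($e.Time - $_.Time).TotalSeconds -le $WindowSeconds }) + $e
            $distinct = @($window | Select-Object -ExpandProperty Path -Unique).Count
            if ($distinct -ge $Threshold) {
                if ($Enforce) {
                    # Respond by killing the offender; Stop-Process wants the name without .exe.
                    Get-Process -Name ($group.Name -replace '\.exe$', '') -ErrorAction SilentlyContinue |
                        Stop-Process -Force
                }
                [pscustomobject]@{ Process = $group.Name; Files = $distinct; Window = "$WindowSeconds s"; At = $e.Time }
                break   # one verdict per process is enough
            }
        }
    }
}

# Constructed sample feed: a document editor saving three files over ten minutes
# (benign) and an unknown binary rewriting twelve files in six seconds (ransomware-like).
$t0 = Get-Date '2016-03-28 09:00:00'
$sample  = @(0, 240, 600 | ForEach-Object {
    [pscustomobject]@{ Time = $t0.AddSeconds($_); Process = 'WINWORD.EXE'; Path = "\\FS01\Finance\report$_.docx" }
})
$sample += @(0..11 | ForEach-Object {
    [pscustomobject]@{ Time = $t0.AddMinutes(5).AddMilliseconds($_ * 500); Process = 'update_flash.exe'; Path = "\\FS01\Finance\q1\file$_.xlsx.locky" }
})

Find-FileBursts -Events $sample | Format-Table -AutoSize
```

On the constructed feed the detector flags update_flash.exe and says nothing about WINWORD.EXE. In production the interesting part is the feed, not the loop: 4663 auditing on a busy file server is noisy and expensive, so most deployments take the events from an EDR or minifilter driver instead, and the kill step runs on the client that owns the process rather than on the server that sees the writes.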
- Regularly take and test backups
Should you fall foul of a ransomware attack, the best way to avoid paying a hefty ransom is to restore from a recent backup. Take backups regularly, keep at least one copy somewhere the infected account cannot write to (a backup share mapped as a drive will be encrypted along with everything else), and test restores so you know the backups work and how long recovering an affected system actually takes.
- Educate your users
Give all users guidance on how to spot potentially harmful files and emails and where to turn when they are unsure. Make sure they also know how and when to report a suspected infection, since an early report is what stops an encryption run at a handful of files rather than a whole share.
Known ransom note file names
HELPDECRYPT.TXT, HELP_YOUR_FILES.TXT, HELP_TO_DECRYPT_YOUR_FILES.txt, RECOVERY_KEY.txt, HELP_RESTORE_FILES.txt, HELP_RECOVER_FILES.txt, HELP_TO_SAVE_FILES.txt, DecryptAllFiles.txt, DECRYPT_INSTRUCTIONS.TXT, INSTRUCCIONES_DESCIFRADO.TXT, How_To_Recover_Files.txt, YOUR_FILES.HTML, YOUR_FILES.url, encryptor_raas_readme_liesmich.txt, Help_Decrypt.txt, DECRYPT_INSTRUCTION.TXT, HOW_TO_DECRYPT_FILES.TXT, ReadDecryptFilesHere.txt, Coin.Locker.txt, _secret_code.txt, About_Files.txt, Read.txt, ReadMe.txt, DECRYPT_ReadMe.TXT, FILESAREGONE.TXT, IAMREADYTOPAY.TXT, HELLOTHERE.TXT, READTHISNOW!!!.TXT, SECRETIDHERE.KEY, IHAVEYOURSECRET.KEY, SECRET.KEY, HELPDECYPRT_YOUR_FILES.HTML, help_decrypt_your_files.html, RECOVERY_FILES.txt, RECOVERY_FILE.TXT, RECOVERY_FILE[random].txt, HowtoRESTORE_FILES.txt, HowtoRestore_FILES.txt, howto_recover_file.txt, restorefiles.txt, howrecover+[random].txt, _how_recover.txt, recoveryfile[random].txt, recoverfile[random].txt, Howto_Restore_FILES.TXT, help_recover_instructions+[random].txt, _Locky_recover_instructions.txt
Known file extensions used by Ransomware
.ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .micro, .encrypted, .locked, .crypto, _crypt, .crinf, .r5a, .XRNT, .XTBL, .crypt, .R16M01D05, .pzdc, .good, .LOL!, .OMG!, .RDM, .RRK, .encryptedRSA, .crjoker, .EnCiPhErEd, .LeChiffre, .keybtc@inbox_com, .0x0, .bleep, .1999, .vault, .HA3, .toxcrypt, .magic, .SUPERCRYPT, .CTBL, .CTB2, .locky