Search This Blog

Thursday, September 15, 2016

Avoiding Ransomware with built in basic changes


Ransomware is a pain for those that have been unfortunate to get infected or had to respond to a ransomware event.  While presenting at ISC2 Congress ransomeware was a hot topic and I was asked what can you do to avoid users getting infected?  Notice I am saying "avoid" versus "prevent".  Prevention is difficult due to the constant changes by malware creators to get people to open the malware.  Avoidance means a reduction, not 100% prevention.

Turns out there are a couple easy things you can do that are built into Windows and FREE, just add a little effort that will drastically reduce the ransomware infections.  First, let's look at how users get ransomeware in the first place.

Drive by surfing:

While surfing the Internet ransomeware can infect a computer when a person just visits a compromised website.  A person does not have to do anything other than visit the wrong website at the wrong time to get infected.

Drive by ransomeware avoidance:

I tell people to do the following things...

  1. Stop using Internet Explorer or Edge to surf the Internet unless the website specifically requires one of these browsers.  Why?  because there are no script blockers available for IE and Edge as of yet.  Drive by ransomware uses javascript to auto execute the ransomware script using the browser as the execution device.  Using a script blocker will avoid these types of infections.  
  2. Use Chrome or FirsFox with a script block extension(s) such as uBlock Origin, Script Block or No Script to name a few.
  3. Use Ad block extentions to block ads, ransomware loves ads, they will pay real money to get their infection ads on a legitimate ad website  

Email ransomeware avoidance:

This is how most people contract ransomware infections.  An email comes in with an attachment or URL and the person opens the attachment or weblink and BAM! infected.  But there is hope.  Email attachments or the URL that will take a user to a website that then has the user download a file and open the file.  The vulnerability here is the auto execution of file types that just are NOT needed by the average user or most users.  These file types are heavily used to infect computers because Microsoft and their ultimate wisdom allows odd file types to be executed if a user opens them and ransomeware is capitalizing on this vulnerability.  You can however tell Windows using Group Policy or setting locally to change the default behavior for any file type like the ones used by ransomware:

  • .js
  • .jse
  • .vbe
  • .vbs
  • .wsh
  • .wsf
  • .scr

To change the file extension default program in Windows 7 thru 10 open:

Control Panel - Default Programs - Associate a file type or protocol with a specific program


Find these extensions and change them all to open Notepad.  In fact, any file type that opens a script program should be changed.  Anyone actually using these file types will know how to open the file in the correct program they need.  Your average user will never need these auto execution settings.  Change anything with "Microsoft Windows based script host" to Notepad and now the scripts will not execute when a person opens them, they will just see the contents in Notepad.

Block Email attachments that are scripts or executables:

Many Email gateways and mail servers have the ability to block certain file types from being delivered to the end user.  Most will have executables blocked like attachments containing ".EXE", but most will not have the scripts mentioned above blocked.  Add these file types to be blocked upon receipt and now users will never even see the bad emails with ransomware.  If you do need these file types for developers, then educate the users to encrypt the files in an archive format like .Zip or .7z and password protect them.
 
We have already seen ransomeware being emailed within zip files, but without passwords or with the password included in the email asking the recipient to open the archive.  At least you now only have one thing to educate your users to watch out for and never open an archive where the password is included in the same email.

Of course there is always whitelisting using Applocker and/or Software Restriction Policies or other application whitelisting solution to block executable types and scripts that are not specifically approved.  This takes more work and effort by IT and is the most intrusive to users since you will block the execution of anything that drops onto a system, but will definitely block ransomware and other malware.

These simple improvements will reduce the ransomware risk your organization significantly.

Happy Hunting