Best practices to protect against Filecoder (ransomware) malware
You want to configure your system or ESET product to protect against ransomware
- Your ESET product detects one of the following threats, or a variant of the threat:
Other filecoder threats are also known as the following:
"CryptoLocker", "Cryptowall", "Dirty decrypt", and "CTB locker"
Ransomware is malware that can lock a device or encrypt its contents in order to extort money from the owner in return for restoring access to those resources. This kind of malware can also have a built-in timer with a payment deadline that must be met, otherwise the price for unlocking the data and hardware will grow – or the information and the device will ultimately be rendered permanently inaccessible.
Filecoders/Ransomware are infections that encrypt personal and data files. Typically a workstation is infected and then the Filecoder/Ransomware will attempt to encrypt any mapped shared drives. This can make this infection seem as though it is spreading through your network when it is not.
While your files may be encrypted, your system may not be infected. This is possible when a shared drive on a file server is encrypted but the server itself does not contain the malware infection (unless it is a Terminal server).
By following the instructions in each anti-ransomware section below, you can configure your systems to help protect against ransomware.
Click each image to open a new window with instructions for configuring each ESET module referenced (or see below for a description of each):
Configure best Practices using the information and instructions in this article as best practices for any user to help protect against ransomware—General anti-ransomware best practices and General ESET product anti-ransomware best practices
Configure Antispam settings in ERA version 6.3 and later—ESET Mail Security Antispam policy settings
Configure HIPS rules in ERA version 6.3 and later—Configure HIPS rules in ESET Endpoint Security/Antivirus, Mail Security and File Security
- Configure Firewall rules in ERA version 6.3 and later—ESET Endpoint Security Firewall rules
General anti-ransomware best practices—Minimize your risk from encryption-based malware (ransomware)
Keep backups of your system
Plan to take backups of your system on regular intervals to protect your most recent work from an attack. ESET recommends using one of the following backup solutions:
User permissions and restriction of rights
There are many types of restrictions, such as the restriction from accessing application data, and even some that are prebuilt as a Group Policy Object (GPO). Disable files running from the App Data and Local App Data folders, as well as executable files running from the Temp directory of various decompression utilities (for example, Winzip or 7Zip).
Additionally, in ESET Endpoint Security/Antivirus, ESET Mail Security and ESET File Security, you can create HIPS rules to allow only certain applications to run on the computer and blocking all others by default: How do I create a HIPS rule and enforce it on a client workstation? (6.x)
- Do not disable User Account Control (UAC)
Do not open attachments claiming to be a fax, invoice or receipt if they have a suspicious name or you did not expect to receive them.
What can I do to minimize the risk of a malware attack?
- Disable or change Remote Desktop Protocol
Filecoder malware often accesses target machines using Remote Desktop Protocol (RDP), a Windows utility that allows others to access your desktop remotely. If you do not require the use of RDP, you can change the default port (3398) or disable RDP to protect your machine from Filecoder and other RDP exploits. For instructions to disable RDP, visit the appropriate Microsoft Knowledge Base article below:
For more information about RDP, see the following We Live Security article: Remote Desktop (RDP) Hacking 101: I can see your desktop from here!
Use two-factor authentication (2FA)
We recommend ESET Secure Authentication.
For example, see the following Knowledgebase article for instructions to secure the Windows login and RDP connection of computers that belong to your Active Directory (AD) domain using two-factor authentication (2FA):
Disable Macros in Microsoft Office via Group Policy
Office 2013/2016 (the following link is for 2013 but are the same settings for 2016): Plan security settings for VBA macros for Office
- Keep ESET updated
New versions of this malware are released frequently, so it is important that you are receiving regular virus database updates (your ESET product will check for updates every hour provided that you have a valid license and a working internet connection).
Business users: How do I know if my ESET business product is updating correctly?
- Keep Advanced Memory Scanner and Exploit Blocker enabled
These two features are enabled by default in ESET products version 5 and later. These newly designed ESET algorithms strengthen protection against malware that has been designed to evade detection by anti-malware products through the use of obfuscation and/or encryption.
We recommend that you upgrade to the latest version if you are running ESET Smart Security or ESET NOD32 Antivirus (including Business Editions) version 4.x or earlier:
Business users: Do I have the latest version of ESET business products?
- Keep ESET Live Grid enabled
Make sure that ESET Live Grid is enabled and working in your ESET product.
Ensure that "Network drives" is selected in Real-time file system protection.
With Network drives enabled, the ESET Real-time scanner will be able to trigger detection on an infected workstation, preventing the process from encrypting the drive.
For Virtual Machine users
For best protection against Filecoder malware, we recommend the use of ESET Endpoint Security in virtual environments. You can use ESET Endpoint Security with ESET Shared Local Cache to minimize load on your network that might otherwise be caused by multiple VMs downloading updates.
Modern Filecoders/Ransomware encrypt data using asymmetric methods and multiple types of encryption cyphers. In short, files are encrypted with a public key and are not able to be decrypted without the key. With current ransomware, the private key is never located on the affected workstation or environment. This means that data will need to be restored from a good backup prior to receiving the infection.
If no backups are available, you can attempt to recover files from Shadow Copies. You can use Shadow Explorer, which you can download from the following web page: http://www.shadowexplorer.com/downloads.html
However, it is not uncommon for ransomware infections to delete Shadow Copies to prevent recovery of files.
What steps should you take if infected with ransomware?
Locate the TXT or HTML file with the payment instructions, for example "How to decrypt" shared folders / drives encrypted.
Disconnect the computer from the network.
Run ESET SysRescue on the infected computer. Only restore from a backup once the threat has been identified and removed (see the above section Keep backups of your system).
- Contact ESET by following the instructions in the ESET Support Services section below.
ESET North American customers—You can start a live chat session with a technical support agent at the following web page: ESET Live Chat.
- ESET Customers worldwide—Contact your local ESET partner for support.
If you believe that you may have a Filecoder/Ransomware sample that is not being detected, use the following ESET Knowledgebase article to submit samples to ESET: