Issue
- You want to use the best practices to configure your system to protect against ransomware malware
- General ESET application anti-ransomware best practices
- General anti-ransomware practices
- Recovering encrypted files
Details
Ransomware is malware that can lock a device or encrypt its contents to extort money from the owner in return for restoring access to those resources. This kind of malware can also include a built-in timer with a payment deadline that must be met; otherwise, the price for unlocking the data and hardware will increase, or the information and the device will ultimately be rendered permanently inaccessible.
Ransomware is an infection that encrypts personal files and data. Typically, a workstation is infected, and then the ransomware will attempt to encrypt any mapped shared drives. This can make the infection seem as though it is spreading through your network when it is not.
While your files may be encrypted, your system may not be infected. This is possible when a shared drive on a file server is encrypted, but the server itself does not contain the malware infection (unless it is a Terminal server).
Other examples of known ransomware are:
- Win32/Filecoder
- Filecoder.WannaCryptor
- Win32/Filecoder.TeslaCrypt.A (TeslaCrypt) or "Win32/Filecoder.Locky.A" infection after opening an email from an unfamiliar source or ZIP files from such an email
- "CryptoLocker", "Cryptowall", "Dirty decrypt", and "CTB locker"
- Win32/TrojanDownload.Elenoocka.A
- Win32/Gpcode
Solution
The current versions of ESET applications use multiple layers of technologies to protect computers from ransomware.
Examples of these technologies include Advanced Memory Scanner, ESET LiveGrid® Reputation System, and Exploit Blocker.
Additionally, the latest ESET applications provide an enhanced Botnet Protection module that blocks communication between ransomware and Command and Control (C&C) servers.
General ESET application anti-ransomware best practices
- Enable the detection of PUA (Potentially Unwanted Applications)
Follow the instructions in the linked article to detect unwanted, unsafe, and suspicious applications, such as RMM (remote monitoring and management) tools, vulnerable drivers, network scanners, and other software that can pose a security risk to your system. While these tools might be trusted, signed, and legitimate, even built-in system utilities, they are widely abused by attackers during ransomware intrusions. See also: potentially unwanted applications and potentially unwanted content.
- Keep Advanced Memory Scanner and Exploit Blocker enabled
These newly designed ESET algorithms strengthen protection against malware that has been designed to evade detection by antimalware products through the use of obfuscation and/or encryption.
Advanced Memory Scanner looks for suspicious behavior after malware decloaks in the memory, and Exploit Blocker strengthens protection against targeted attacks and previously unseen vulnerabilities, also known as zero-day vulnerabilities.
For maximum protection, we recommend that you upgrade your ESET applications to the latest version.
- Keep ESET LiveGrid® enabled
The ESET Cloud Malware Protection System is based on ESET LiveGrid®. It monitors for unknown and potentially malicious applications and subjects samples to automatic sandboxing and behavioral analysis.
Make sure that the ESET LiveGrid® reputation system and the ESET LiveGrid® feedback system are enabled and working in your ESET product.
- Keep ESET updated
New variants of existing ransomware are released frequently, so it is important that you receive regular virus database updates (your ESET application will check for updates every hour, provided that you have a valid subscription and a working internet connection).
- Virtual Machine users
For the best protection against ransomware malware, we recommend the use of ESET Endpoint Security for Windows in virtual environments.
- Make sure you have Ransomware Shield enabled
Ransomware Shield, as a part of a Self-Defense technology, is another layer of protection that works as a part of the HIPS feature. For more information, see Ransomware Shield in the ESET Glossary and how to configure it in ESET applications.
- Configure additional settings to protect against ransomware in ESET business products manually or using ESET PROTECT On-Prem/ESET PROTECT Policy
- Notifications
Minimize your risk from encryption-based malware (ransomware)
- Plan to back up your system regularly, and keep at least one backup in offline storage to protect your most recent work from an attack.
- User permissions and restriction of rights
There are many types of restrictions, such as restricting access to application data, and some are available prebuilt as Group Policy Objects (GPOs).
- Disable files running from the AppData and LocalAppData folders.
- Block execution from the Temp subdirectory (part of the AppData tree by default).
- Block executable files running from the working directories of various decompression utilities (for example, WinZip or 7-Zip).
- Additionally, in ESET Endpoint Security for Windows, ESET Mail Security for Microsoft Exchange Server and ESET Server Security for Microsoft Windows Server, you can create HIPS rules to allow only certain applications to run on the computer and block all others by default: Create a HIPS rule and enforce it on a client workstation using ESET PROTECT On-Prem.
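The execution restrictions listed above can be expressed on Windows without third-party tooling through AppLocker, the GPO-based application control built into Windows. The following script is an added example and is not code from the ESET article or from ESET; it builds an AppLocker policy that denies execution from the AppData, LocalAppData and Temp trees and from the archive-tool working directories, and applies it locally (on a domain, the same XML can be imported into a GPO with `Set-AppLockerPolicy -Ldap`). The `%TEMP%\7z*` and `%TEMP%\wz*` patterns are assumed locations for the decompression utilities' working directories. Two points a practitioner should know: once a rule collection contains any rule, AppLocker denies everything that no Allow rule covers, so the default-style Allow rules must be part of the policy; and a blanket deny on Local AppData also hits software installed per user, which is why the policy starts in AuditOnly mode.

```powershell
# Added example, not from the ESET article: AppLocker policy denying execution
# from the user-writable locations the article lists. Run in an elevated
# PowerShell on a Windows edition that supports AppLocker.

$EveryoneSid = 'S-1-1-0'
$AdminsSid   = 'S-1-5-32-544'

# Deny paths. %OSDRIVE% is AppLocker's variable for the system drive. The last
# two entries are ASSUMED patterns for 7-Zip/WinZip extraction directories; they
# already fall under AppData\Local\Temp and are listed only to document intent.
$DenyPaths = @(
    '%OSDRIVE%\Users\*\AppData\Local\*',
    '%OSDRIVE%\Users\*\AppData\Roaming\*',
    '%OSDRIVE%\Users\*\AppData\Local\Temp\*',
    '%OSDRIVE%\Users\*\AppData\Local\Temp\7z*\*',
    '%OSDRIVE%\Users\*\AppData\Local\Temp\wz*\*'
)

function New-PathRuleXml {
    # Emit one FilePathRule element in the schema Set-AppLockerPolicy -XmlPolicy expects.
    param([string]$Path, [string]$Action, [string]$Sid, [string]$Name)
    $id = [guid]::NewGuid().ToString()
@"
    <FilePathRule Id="$id" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

$rules = @()
# Default-style Allow rules so the OS and installed software keep running.
$rules += New-PathRuleXml -Path '%PROGRAMFILES%\*' -Action Allow -Sid $EveryoneSid -Name 'Allow Program Files'
$rules += New-PathRuleXml -Path '%WINDIR%\*'       -Action Allow -Sid $EveryoneSid -Name 'Allow Windows'
$rules += New-PathRuleXml -Path '*'                -Action Allow -Sid $AdminsSid   -Name 'Allow Administrators'
# Deny rules take precedence over Allow rules regardless of order.
foreach ($p in $DenyPaths) {
    $rules += New-PathRuleXml -Path $p -Action Deny -Sid $EveryoneSid -Name "Deny exe from $p"
}

# AuditOnly first: review event ID 8003 in the "Microsoft-Windows-AppLocker/EXE and DLL"
# log (what WOULD have been blocked) before switching EnforcementMode to "Enabled".
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@

$policyFile = Join-Path $env:TEMP 'applocker-deny-userwritable.xml'
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8
[xml]$parsed = Get-Content -Path $policyFile -Raw   # throws if the XML is malformed

# Dry run: place a harmless binary where the rules should bite and ask AppLocker
# what it would decide. Expected PolicyDecision: Denied.
$sample = Join-Path $env:LOCALAPPDATA 'Temp\applocker-sample.exe'
Copy-Item -Path "$env:WINDIR\System32\notepad.exe" -Destination $sample -Force
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $sample -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule
Remove-Item -Path $sample -Force

# AppLocker only enforces while the Application Identity service runs.
sc.exe config appidsvc start= auto | Out-Null
sc.exe start appidsvc | Out-Null
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
```

Note that `%WINDIR%\*` is allowed by the default rules yet contains user-writable subfolders (for example the Tasks and Temp directories), which is a known gap in path-based rules; the ESET HIPS allowlisting described above, or AppLocker publisher rules, close it.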
- Do not disable User Account Control (UAC)
Do not open attachments claiming to be a fax, invoice, or receipt if they have a suspicious name or you did not expect to receive them.
- Use Two-Factor Authentication (2FA)
We recommend ESET Secure Authentication, which can be used as a cloud or on-premises component. For more information, visit ESET Online Help.
- Threat Defense
We recommend ESET LiveGuard Advanced.
- Disable Macros (VBA) in Microsoft Office via Group Policy
Microsoft Office 2019 and earlier versions: Plan security settings for VBA macros for Office
Microsoft Office 365 uses the Office Cloud Policy Service (OCPS) to enforce policies that block macro execution in Office files from the internet.
- Keep your system up-to-date
To ensure you have the best protection available, keep your operating system and applications up to date. Install the latest high-priority updates offered in the Windows Update tool, and check regularly or enable the Automatic Updates feature. New security updates patch the system vulnerabilities and reduce the risk of malware attacks.
- Potential ports/services that could be exploited if left open
To prevent unknown IP addresses from performing successful brute-force attacks, we strongly recommend locking down SMB, SQL, and RDP.
Recommendations by service:
- SMB: Close file sharing ports 135–139 and 445. SMB ports should not be exposed to the internet.
- SQL: Whitelist trusted IP addresses that are allowed to connect to SQL.
- RDP: Stop external RDP brute-force attacks by closing RDP to external connections. Use a VPN with two-factor authentication to connect to the internal network. Set automatic account lockouts after a specified number of failed attempts, with a waiting period before unlocking. Enforce strong passwords. Disable unused or default accounts (administrator, admin, root). Whitelist specific users and groups for RDP login. Whitelist specific IP addresses to enable RDP connection.
- Remote Desktop Protocol best practices against attacks
Encryption-based malware often accesses target machines via the Remote Desktop Protocol (RDP) built into Windows. RDP allows others to connect to your system remotely, so the attacker can misuse RDP to remove the protection and then deploy the malware.
We recommend that you disable or change the Remote Desktop Protocol. If you do not require the use of RDP, you can change the default port (3389) or disable RDP to protect your machine from ransomware and other RDP exploits. For instructions on how to disable RDP, see the appropriate Microsoft Knowledge Base article.
For more information about RDP, see the following WeLiveSecurity article: Securing RDP and remote access.
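The service lockdown table and the RDP section above can be applied on a stand-alone Windows host with the built-in firewall and account-policy tooling. The following script is an added example, not code from the ESET article or from ESET: it first reports which of the named services are actually listening, then scopes SMB and SQL to trusted networks and hosts, disables RDP or restricts it to a management network and optionally moves it off port 3389, sets account lockout and a minimum password length, and reports the default accounts and the RDP allow-list. The network ranges, host addresses and lockout values are constructed placeholders. One caveat the script builds in: Windows Firewall evaluates Block rules before Allow rules, so "allow trusted hosts, then block everyone else" blocks the trusted hosts too; the working pattern is a default inbound Block plus narrowly scoped Allow rules, with broader installer-created Allow rules disabled.

```powershell
# Added example, not from the ESET article: audit and lock down SMB, SQL and RDP
# on a Windows host. Run in an elevated PowerShell. All values below are
# constructed placeholders; adjust them to your environment.

$ManagementNetwork = '10.0.0.0/8'                    # assumed: VPN/internal range allowed to use RDP
$InternalNetworks  = @('10.0.0.0/8', 'LocalSubnet')  # assumed: where SMB clients live
$SqlAllowedHosts   = @('10.0.10.5', '10.0.10.6')     # assumed: application servers that need SQL
$RdpRequired       = $true                           # $false disables RDP entirely
$RdpPort           = 3389                            # change to move RDP off the default port

# 1. What is actually listening? (TCP only; NetBIOS 137/138 are UDP.)
$watched = 135, 139, 445, 1433, $RdpPort
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $watched -contains $_.LocalPort } |
    Sort-Object LocalPort -Unique |
    ForEach-Object {
        $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        '{0,-5} listening on {1} (pid {2}, {3})' -f $_.LocalPort, $_.LocalAddress, $_.OwningProcess, $proc
    }

# Block rules win over Allow rules, so rely on the default inbound Block and
# keep only narrowly scoped Allow rules per port.
Set-NetFirewallProfile -All -DefaultInboundAction Block

function Disable-OtherInboundAllowRules {
    # Disable every inbound Allow rule for $Port except the one we keep.
    param([int]$Port, [string]$KeepDisplayName)
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq $Port } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.DisplayName -ne $KeepDisplayName } |
        Disable-NetFirewallRule
}

# 2. SMB: file sharing reachable from internal networks only, never on the Public profile.
Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Profile Domain,Private -RemoteAddress $InternalNetworks

# 3. SQL: allow-list trusted hosts on 1433 and retire any broader rule.
$sqlRule = 'Allow SQL from trusted hosts'
New-NetFirewallRule -DisplayName $sqlRule -Direction Inbound -Protocol TCP -LocalPort 1433 `
    -RemoteAddress $SqlAllowedHosts -Profile Domain,Private -Action Allow | Out-Null
Disable-OtherInboundAllowRules -Port 1433 -KeepDisplayName $sqlRule

# 4. RDP: disable it, or expose it only to the management network (reached over VPN).
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'          # built-in rules allow any remote address
if (-not $RdpRequired) {
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1
} else {
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0
    Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name PortNumber -Value $RdpPort   # applies after TermService restart
    $rdpRule = 'Allow RDP from management network'
    New-NetFirewallRule -DisplayName $rdpRule -Direction Inbound -Protocol TCP -LocalPort $RdpPort `
        -RemoteAddress $ManagementNetwork -Profile Domain,Private -Action Allow | Out-Null
    Disable-OtherInboundAllowRules -Port $RdpPort -KeepDisplayName $rdpRule
}

# 5. Account policy: lock out after repeated failures, enforce password length.
net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15 /minpwlen:14 | Out-Null

# 6. Default accounts and the RDP allow-list (members of Administrators can also RDP).
Get-LocalUser | Where-Object { $_.Enabled -and $_.SID.Value -match '-50[01]$' } |
    ForEach-Object { "Built-in account still enabled: $($_.Name)" }   # RID 500 Administrator, 501 Guest
Disable-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
'Accounts allowed to log on via RDP:'
Get-LocalGroupMember -Group 'Remote Desktop Users' | Select-Object -ExpandProperty Name
```

On a domain-joined host the lockout and password settings come from domain policy and `net accounts` only affects the local SAM; set them in the GPO instead. The built-in Administrator account is reported rather than disabled because disabling it on a host with no other local administrator locks you out.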
- Password-protect your ESET application settings
If you are a business user, we recommend using a password to protect the ESET application from unauthorized changes by an attacker. This prevents unauthenticated settings modification, disabling the protection, or even uninstalling the ESET product. If you are using RDP, we recommend using a different password from the one used for the RDP login credentials.
For more information, see how to protect your ESET application with a password.
Can encrypted files be recovered?
Modern ransomware encrypts data using asymmetric encryption and multiple encryption algorithms. In short, files are encrypted with a public key and cannot be decrypted without the associated private key. With current ransomware, the private key is never located on the affected workstation or environment. This means that data will need to be restored from a good backup made before the infection.
If no backups are available, you can attempt to recover files from Shadow Copies. Download Shadow Explorer.
However, it is not uncommon for ransomware infections to delete Shadow Copies to prevent the recovery of files.
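Before installing a third-party tool, you can check from PowerShell whether any Shadow Copies survived and, if so, browse one read-only. The following script is an added example, not code from the ESET article or from ESET; it inventories the Volume Shadow Copies through WMI, maps each to its drive letter, and exposes the newest one as a directory link using the `\\?\GLOBALROOT` device path. The `C:\ShadowCopy_RO` mount location is an assumed value.

```powershell
# Added example, not from the ESET article: inventory Volume Shadow Copies and
# expose the newest one read-only for file recovery. Run in an elevated PowerShell.

function Get-ShadowCopyInventory {
    # Map each shadow copy back to the drive letter it snapshots.
    $volumes = Get-CimInstance -ClassName Win32_Volume
    foreach ($sc in (Get-CimInstance -ClassName Win32_ShadowCopy)) {
        $vol = $volumes | Where-Object { $_.DeviceID -eq $sc.VolumeName } | Select-Object -First 1
        [pscustomobject]@{
            Created    = $sc.InstallDate
            Drive      = $vol.DriveLetter
            DevicePath = $sc.DeviceObject   # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
            Id         = $sc.ID
        }
    }
}

$inventory = Get-ShadowCopyInventory | Sort-Object Created -Descending
if (-not $inventory) {
    # Ransomware commonly deletes shadow copies; an empty list means this route is closed.
    Write-Warning 'No shadow copies found on this host; restore from backup instead.'
    return
}
$inventory | Format-Table -AutoSize

# Link the newest copy into the file system (the GLOBALROOT path needs a trailing
# backslash). $mountPoint is an ASSUMED location; remove the link afterwards with
# "cmd /c rmdir $mountPoint". Copy files out of it; do not write into the copy.
$newest     = $inventory | Select-Object -First 1
$mountPoint = 'C:\ShadowCopy_RO'
cmd.exe /c "mklink /d `"$mountPoint`" `"$($newest.DevicePath)\`"" | Out-Null
"Browse $mountPoint for the $($newest.Drive) contents as of $($newest.Created)"
```

Compare the `Created` timestamp with the time the files were encrypted: a copy taken after the infection contains the encrypted versions and is of no use for recovery.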
What steps should you take if infected with ransomware?
- Disconnect the computer from the network.
- Locate the TXT or HTML file with the payment instructions (for example, "How to decrypt") in the encrypted shared folders/drives; malware researchers may use this for further analysis.