Ransomware is malware that can lock a device or encrypt its contents to extort money from the owner in return for restoring access to those resources. This kind of malware can also have a built-in timer with a payment deadline that must be met; otherwise, the price for unlocking the data and hardware will grow – or the information and the device will ultimately be rendered permanently inaccessible.
Filecoders/Ransomware are infections that encrypt personal and data files. Typically a workstation is infected, and then the filecoder/ransomware will attempt to encrypt any mapped shared drives. This can make this infection seem as though it is spreading through your network when it is not.
While your files may be encrypted, your system may not be infected. This is possible when a shared drive on a file server is encrypted, but the server itself does not contain the malware infection (unless it is a Terminal server).
Other examples of known filecoder/ransomware are:
The current versions of ESET products use multiple layers of technologies to protect computers from ransomware.
Examples of these technologies include Advanced Memory Scanner, ESET LiveGrid® Reputation System, and Exploit Blocker.
Additionally, the latest ESET products provide an enhanced Botnet Protection module that blocks communication between ransomware and Command and Control (C&C) servers.
These two features are enabled by default in ESET products version 5 and later. These newly designed ESET algorithms strengthen protection against malware that has been designed to evade detection by anti-malware products through the use of obfuscation and/or encryption.
Advanced Memory Scanner looks for suspicious behavior after malware decloaks in the memory, and Exploit Blocker strengthens protection against targeted attacks and previously unseen vulnerabilities, also known as zero-day vulnerabilities.
For maximum protection, we recommend that you upgrade your ESET products to the latest version:
Home users: Which ESET product do I have and is it the latest version? (Home Users)
Business users: Do I have the latest version of ESET business products?
The ESET Cloud Malware Protection System is based on ESET LiveGrid. It monitors for unknown and potentially malicious applications and subjects samples to automatic sandboxing and behavioral analysis.
Make sure that ESET LiveGrid® reputation and ESET LiveGrid® feedback system is enabled and working in your ESET product.
Home users: Update ESET Products—check for latest product modules
Business users: Update ESET endpoint products on individual client workstations—check for latest product modules
Ransomware Shield as a part of a Self-Defense technology is another layer of protection that works as a part of the HIPS feature. For more information, see Ransomware Shield in ESET Glossary and how to configure it in ESET products.
Configure additional settings to protect against ransomware in ESET business products manually or using ESET PROTECT/ESET PROTECT Cloud Policy
Plan to take backups of your system regularly, and keep at least one such backup in offline storage, to protect your most recent work from an attack.
User permissions and restriction of rights
There are many types of restrictions, such as the restriction from accessing application data and even some that are prebuilt as a Group Policy Object (GPO).
Do not open attachments claiming to be a fax, invoice, or receipt if they have a suspicious name or you did not expect to receive them.
What can I do to minimize the risk of a malware attack?
We recommend ESET LiveGuard Advanced.
To ensure you have the best protection available, keep your operating system and applications updated. Install the latest high-priority updates offered in the Windows Update tool, and check regularly or enable the Automatic Updates feature. New security updates patch the system vulnerabilities and reduces the risk of malware attack.
Microsoft has released patches for current Windows operating systems as well as Windows XP to mitigate a critical vulnerability. See Microsoft Security Bulletin MS17-010 - Critical for instructions to apply these updates.
To prevent an unknown IP address from performing successful Brute Force attacks, we strongly recommend locking down SMB, SQL, and RDP.
Encryption-based malware often accesses target machines using the Remote Desktop Protocol (RDP) tool integrated in Windows. RDP allows others to connect to your system remotely, so the attacker can misuse RDP to remove the protection and then deploy the malware.
a) Disable or change Remote Desktop Protocol
If you do not require the use of RDP, you can change the default port (3389) or disable RDP to protect your machine from Filecoder and other RDP exploits. For instructions on how to disable RDP, visit the appropriate Microsoft Knowledge Base article below:
For more information about RDP, see the following WeLiveSecurity article: Remote Desktop (RDP) Hacking 101: I can see your desktop from here!
b) Password-protect your ESET product settings
If you need to keep RDP running and cannot disable or change the RDP settings, you can use a password to protect the ESET product from being altered by an attacker. This prevents unauthenticated settings modification, disabling the protection, or even uninstalling the ESET product. We recommend using a different password from the one used for the RDP login credentials.
Modern ransomware(filecoder) encrypts data using asymmetric methods and multiple types of encryption ciphers. In short, files are encrypted with a public key and cannot be decrypted without the associated private key. With current ransomware, the private key is never located on the affected workstation or environment. This means that data will need to be restored from a good backup made prior to the infection.
If no backups are available, you can attempt to recover files from Shadow Copies. You can use Shadow Explorer, which you can download from the following web page: http://www.shadowexplorer.com/downloads.html
However, it is not uncommon for ransomware infections to delete Shadow Copies to prevent recovery of files.