[KB3433] Best practices to protect against ransomware




Ransomware is malware that can lock a device or encrypt its contents to extort money from the owner in return for restoring access to those resources. This kind of malware can also have a built-in timer with a payment deadline that must be met; otherwise, the price for unlocking the data and hardware will grow – or the information and the device will ultimately be rendered permanently inaccessible.

Ransomware is an infection that encrypts personal and business data files. Typically a workstation is infected, and the ransomware then attempts to encrypt every mapped or shared drive the logged-on user can write to. This can make the infection appear to be spreading through your network when it is not.

Your files may be encrypted even though your system is not infected. This happens when a shared drive on a file server is encrypted by a process running on an infected workstation: the server itself holds no malware (unless it is a Terminal Server, where users run their sessions, and therefore the malware, directly on the server).

Other examples of known ransomware are:


The current versions of ESET products use multiple layers of technologies to protect computers from ransomware.

Examples of these technologies include Advanced Memory Scanner, the ESET LiveGrid® Reputation System, and Exploit Blocker.

Additionally, the latest ESET products provide an enhanced Botnet Protection module that blocks communication between ransomware and Command and Control (C&C) servers. 

Figure 1-1

General ESET product anti-ransomware best practices

General anti-ransomware best practices — Minimize your risk from encryption-based malware (ransomware)

  • Keep backups of your system

    Plan to take backups of your system regularly, and keep at least one recent backup in offline storage (disconnected media, or a location the workstation cannot write to), so that an attack cannot encrypt or delete the backup along with the original data. Periodically verify that the backup can actually be restored.

  • User permissions and restriction of rights

    Several kinds of restrictions help here, such as preventing executables from running out of per-user application-data folders; many of them can be deployed centrally as a Group Policy Object (GPO), for example through Software Restriction Policies or AppLocker.

    • Block executables from running out of the AppData and LocalAppData folders.

    • Block execution from the Temp subdirectory (part of the AppData tree by default).

    • Block executable files running from the working directories of various decompression utilities (for example, WinZip or 7-Zip).

      Additionally, in ESET Endpoint Security/Antivirus, ESET Mail Security and ESET File Security, you can create HIPS rules to allow only certain applications to run on the computer and block all others by default: [KB8018] Create a HIPS rule and enforce it on a client workstation using ESET PROTECT (8.x – 10.x).
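As an added example (not code from the ESET article), the following PowerShell script builds an AppLocker policy that implements the three path restrictions above: it denies execution from the whole per-user AppData tree (which covers LocalAppData\Temp and the temporary extraction folders that 7-Zip and similar tools create under it) and keeps the standard allow rules for the Windows and Program Files folders. The policy file name, the rule GUIDs and the sample binary are assumptions for the example; AppLocker needs a Windows edition that supports it (Enterprise/Education, or Windows Server) and the Application Identity service.

```powershell
# Added example, not part of the ESET article. Run from an elevated PowerShell
# prompt on a Windows edition that supports AppLocker.

# Assumed file location for the example.
$policyPath = Join-Path $env:TEMP 'block-appdata-exec.xml'

# 'AuditOnly' only logs what would be blocked; switch to 'Enabled' once the
# audit log shows no legitimate per-user software being caught.
$enforcement = 'AuditOnly'

# Rule IDs are arbitrary GUIDs chosen for this example. S-1-1-0 = Everyone,
# S-1-5-32-544 = BUILTIN\Administrators. AppLocker evaluates Deny rules before
# Allow rules, so the AppData deny also binds administrators.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$enforcement">
    <FilePathRule Id="7f1b8e2a-1111-4a3c-9b0d-000000000001" Name="Deny: AppData and LocalAppData"
                  Description="Blocks .exe under C:\Users\*\AppData (Roaming, Local, Local\Temp)"
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="7f1b8e2a-1111-4a3c-9b0d-000000000002" Name="Allow: Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="7f1b8e2a-1111-4a3c-9b0d-000000000003" Name="Allow: Windows folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="7f1b8e2a-1111-4a3c-9b0d-000000000004" Name="Allow: Administrators everywhere"
                  Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run against two real binaries: a copy of whoami.exe placed in the user's
# Temp folder (inside the AppData tree the deny rule covers) and the original
# in System32 (inside the %WINDIR% allow rule).
$sample = Join-Path $env:TEMP 'whoami-copy.exe'
Copy-Item -Path (Join-Path $env:SystemRoot 'System32\whoami.exe') -Destination $sample -Force
Test-AppLockerPolicy -XmlPolicy $policyPath -User $env:USERNAME `
    -Path $sample, (Join-Path $env:SystemRoot 'System32\whoami.exe') |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item -Path $sample -Force

# Apply to the local policy (use -Ldap '<GPO path>' to write into a domain GPO
# instead). AppLocker enforces only while the Application Identity service runs;
# its start type is protected on recent builds, so configure it with sc.exe.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
gpupdate /force | Out-Null
```

Leave the policy in AuditOnly mode for a while and review the AppLocker log (event 8003 in Microsoft-Windows-AppLocker/EXE and DLL) for legitimate software that installs per-user, such as Microsoft Teams or OneDrive; add publisher allow rules for those before switching EnforcementMode to Enabled. The example covers only the Exe collection; scripts, installers and DLLs need their own collections. Because Everyone may run anything under %WINDIR%, the few user-writable folders there (for example %WINDIR%\Tasks and %WINDIR%\Temp) should get their own deny rules in a production policy.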

  • Do not disable User Account Control (UAC)

    UAC requires explicit consent before a process gains administrative rights. Leaving it enabled limits what malware running in the user's session can change, such as disabling protection software or altering system-wide settings.

  • Do not open unexpected attachments

    Do not open attachments claiming to be a fax, invoice, or receipt if they have a suspicious name or you did not expect to receive them. See also: What can I do to minimize the risk of a malware attack?

  • Use two-factor authentication (2FA)

    We recommend ESET Secure Authentication.

  • Threat Defense

    We recommend ESET LiveGuard Advanced.

  • Disable Macros in Microsoft Office via Group Policy

    Office 2013/2016 (the following link is for Office 2013, but the settings are the same for Office 2016): Plan security settings for VBA macros for Office
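Added example (not code from the ESET article): the registry values that the two Group Policy settings behind this recommendation write, applied with PowerShell to the current user so the effect can be checked on a single test machine. In production you would set them in the GPO under User Configuration > Administrative Templates for each Office application (Trust Center > VBA Macro Notification Settings, and Block macros from running in Office files from the Internet); the policy then lands under the same HKCU\Software\Policies keys. Version 16.0 covers Office 2016 and later, including Microsoft 365 Apps; Office 2013 uses 15.0. The version assumed below is 16.0.

```powershell
# Added example, not part of the ESET article. Writes the macro policy values
# for the current user; deploy via GPO for a fleet.
$officeVersion = '16.0'                 # assumed Office 2016 or later; Office 2013 = '15.0'
$apps = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings:  1 = enable all macros (weak, never deploy)
#               2 = disable with notification (Trust Center default; users can still click Enable)
#               3 = disable all except digitally signed (use if signed macros are needed)
#               4 = disable all without notification
# blockcontentexecutionfrominternet: 1 = macros in files carrying the Mark-of-the-Web are blocked outright
$desired = @{ VBAWarnings = 4; blockcontentexecutionfrominternet = 1 }

function Set-OfficeMacroPolicy {
    param([hashtable]$Values, [string]$Version = $officeVersion, [string[]]$Applications = $apps)
    foreach ($app in $Applications) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $Values.Keys) {
            # Values under ...\Policies take precedence over the Trust Center UI
            # and grey out the corresponding controls for the user.
            Set-ItemProperty -Path $key -Name $name -Value $Values[$name] -Type DWord
        }
    }
}

function Get-OfficeMacroPolicy {
    # One row per application with the effective policy values. A blank value
    # means no policy is set and the user's own Trust Center choice applies.
    param([string]$Version = $officeVersion, [string[]]$Applications = $apps)
    foreach ($app in $Applications) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Application       = $app
            VBAWarnings       = $p.VBAWarnings
            BlockFromInternet = $p.blockcontentexecutionfrominternet
            Hardened          = ($p.VBAWarnings -in 3, 4) -and ($p.blockcontentexecutionfrominternet -eq 1)
        }
    }
}

Set-OfficeMacroPolicy -Values $desired
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Get-OfficeMacroPolicy is the part worth keeping in a fleet audit script: it reports Hardened as false wherever the value is missing or has been left at 1 or 2, which is exactly the state in which a user can click "Enable content" on a malicious invoice.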

  • Keep your system up-to-date

    To ensure you have the best protection available, keep your operating system and applications updated. Install the latest high-priority updates offered in the Windows Update tool, and check regularly or enable the Automatic Updates feature. New security updates patch the system vulnerabilities and reduce the risk of malware attack.

    Microsoft has released patches for current Windows operating systems, and exceptionally for the out-of-support Windows XP, to mitigate a critical vulnerability in the SMBv1 server, the flaw exploited by the WannaCry ransomware outbreak. See Microsoft Security Bulletin MS17-010 - Critical for instructions to apply these updates.

  • Ports and services that can be exploited if left open

    To stop unknown IP addresses from brute-forcing credentials or exploiting exposed services, we strongly recommend locking down SMB, SQL, and RDP so that they are reachable only from trusted networks.

    1. SMB

      Close the file-sharing ports 135-139 and 445 (RPC endpoint mapper and NetBIOS on 135-139, SMB on 445) to untrusted networks. SMB ports should never be exposed to the internet.

    2. SQL

      Whitelist the trusted IP addresses that are allowed to connect to SQL (TCP 1433 by default for SQL Server) and do not expose the database listener to the internet.

    3. RDP

      • Stop outside RDP Brute Force attacks by closing RDP to external connections. Use a VPN with Two Factor Authentication to connect to the internal network.

      • Set automatic account lockouts after a certain number of failed attempts. Include a waiting period for automatic unlock after an account is locked out.

      • Enforce strong passwords

      • Disable or rename unused and default accounts, for example administrator, admin, or root; brute-force tools try these names first

      • Whitelist specific users and groups to allow login using RDP

      • Whitelist specific IP addresses to allow an RDP connection
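The following PowerShell script, an added example rather than code from the ESET article, applies the SMB, SQL and RDP lockdown above on a single Windows host; it is the local equivalent of the Group Policy settings you would push to a fleet. The address ranges, the SQL client hosts and the domain group name are assumptions; substitute your own. Run it elevated.

```powershell
# Added example, not part of the ESET article. Run elevated; replace the
# assumed addresses and group names with your own.
$lanScope   = 'LocalSubnet'                  # SMB: peers on the same subnet only
$rdpScope   = @('10.0.10.0/24')              # RDP: VPN/jump-host range (assumed)
$sqlClients = @('10.0.20.5', '10.0.20.6')    # SQL: application servers (assumed)
$rdpGroup   = 'CONTOSO\RDP-Allowed'          # domain group permitted to use RDP (assumed)

# 0. Default-deny inbound on all profiles: nothing is reachable unless an
#    explicit allow rule says so.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# 1. SMB / NetBIOS (TCP 445, TCP 139, TCP 135, UDP 137-138). Keep the built-in
#    rules but restrict their remote address to the local subnet, and switch
#    off SMBv1 (the protocol MS17-010 fixes; nothing modern needs it).
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $lanScope
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 2. SQL Server: one explicit allow rule for the listener (TCP 1433 by default),
#    scoped to the application hosts. Everything else is caught by the
#    default-deny above.
New-NetFirewallRule -DisplayName 'SQL Server 1433 (app hosts only)' -Direction Inbound `
    -Protocol TCP -LocalPort 1433 -RemoteAddress $sqlClients -Action Allow -Profile Domain

# 3. RDP: scope the built-in rules to the VPN range, require Network Level
#    Authentication (credentials are verified before a session is created),
#    and restrict logon to a named group. Members of Administrators can always
#    use RDP, one more reason to keep that group small.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $rdpScope
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name UserAuthentication -Value 1 -Type DWord
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $rdpGroup -ErrorAction SilentlyContinue

# 4. Lockout: 5 failed attempts lock the account for 15 minutes; the failure
#    counter resets after 15 minutes. These are local SAM settings; in a
#    domain, set them in domain policy instead.
net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15 | Out-Null

# 5. The built-in Administrator (RID 500) is the first name brute-force tools
#    try. Disable it, but only once another administrative account exists.
Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' -and $_.Enabled } |
    Disable-LocalUser

# Verification: inbound allow rules still open to any remote address.
# Anything on this list beyond core services deserves a second look.
function Get-WideOpenInboundRules {
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object { (Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $_).RemoteAddress -contains 'Any' } |
        Select-Object DisplayName, Profile, DisplayGroup
}
Get-WideOpenInboundRules | Format-Table -AutoSize
```

Note that Windows Firewall scoping is a second line of defence, not a replacement for the VPN: a perimeter device should already drop 445 and 3389 from the internet before they reach the host. Run Get-WideOpenInboundRules again after any software installation, since installers routinely add their own unscoped allow rules.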

  • Remote Desktop Protocol best practices against attacks

    Encryption-based malware often reaches target machines through the Remote Desktop Protocol (RDP) built into Windows. RDP allows others to connect to your system remotely, so an attacker who obtains or guesses RDP credentials can log in interactively, disable the protection, and then deploy the malware.

    If you do not require RDP, disable it. If you do require it, do not expose it directly to the internet: reach it only through a VPN with two-factor authentication, and restrict which addresses and accounts may connect. Changing the default port (3389) reduces noise from automated scanners but does not stop a targeted attacker, so treat it as a supplement to those measures, not a substitute. For instructions on how to disable RDP, visit the appropriate Microsoft Knowledge Base article below:

    For more information about RDP, see the following WeLiveSecurity article: Remote Desktop (RDP) Hacking 101: I can see your desktop from here!

  • Password-protect your ESET product settings

    If you are a business user, we recommend protecting the ESET product settings with a password so that an attacker cannot alter them. This prevents unauthenticated changes to the settings, disabling of the protection, or even uninstalling the ESET product. If you are using RDP, use a password different from the RDP login credentials: an attacker who gets into the machine over RDP must not be able to reuse the same secret to switch the protection off.

    On how to protect your ESET product with a password, visit KB7915

Can encrypted files be recovered?

Modern ransomware typically uses hybrid encryption: each file is encrypted with a fast symmetric cipher such as AES, and the per-file or per-victim symmetric key is then encrypted with the attacker's public key. Without the corresponding private key, which only the attacker holds and which is never present on the affected workstation or environment, the file keys cannot be recovered. This means the data will need to be restored from a good backup made prior to the infection.

If no backups are available, you can attempt to recover files from Shadow Copies. You can use Shadow Explorer, which you can download from the following web page: http://www.shadowexplorer.com/downloads.html

However, it is common for ransomware to delete the Shadow Copies before or during encryption (for example by running vssadmin delete shadows /all) precisely to prevent this kind of recovery, so check whether any still exist before relying on them.
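Two checks that follow from the paragraphs above, as an added example (not code from the ESET article): the first lists whatever Volume Shadow Copies are still present, which is worth knowing before reaching for a tool like Shadow Explorer; the second flags process command lines that match the ways ransomware typically destroys them, so an alert can fire at the moment of tampering rather than after the encryption finishes. The sample command lines at the end are constructed for the example; the live function needs process-creation auditing with command-line logging enabled.

```powershell
# Added example, not part of the ESET article. Run elevated for the shadow
# copy listing and for reading the Security log.

function Get-ShadowCopySummary {
    # One row per existing shadow copy. An empty result on a host where
    # System Protection or Previous Versions was enabled is itself suspicious.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Select-Object ID, VolumeName,
            @{ n = 'Created';    e = { $_.InstallDate } },
            @{ n = 'Persistent'; e = { $_.Persistent } }
}

# Command-line patterns ransomware uses to inhibit recovery (ATT&CK T1490).
$script:ShadowTamperPatterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows',
    'vssadmin(\.exe)?\s+resize\s+shadowstorage',       # shrinking storage evicts old copies
    'wmic(\.exe)?\s+shadowcopy\s+delete',
    'Win32_ShadowCopy.*\.Delete\(',                    # PowerShell/WMI variant
    'wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)',
    'bcdedit(\.exe)?.*recoveryenabled\s+no',
    'bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures'
)

function Test-ShadowCopyTampering {
    # Returns one object per command line that matches a tampering pattern;
    # benign lines (for example "vssadmin list shadows") produce nothing.
    param([Parameter(Mandatory)][string[]]$CommandLine)
    foreach ($cl in $CommandLine) {
        foreach ($pattern in $script:ShadowTamperPatterns) {
            if ($cl -match $pattern) {        # -match is case-insensitive by default
                [pscustomobject]@{ Pattern = $pattern; CommandLine = $cl }
                break
            }
        }
    }
}

function Get-ShadowTamperingEvents {
    # Live use: scan Security event 4688 (process creation). Requires
    # "Audit Process Creation" plus "Include command line in process creation
    # events"; without the latter the CommandLine field is empty.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $evt = $_
        $xml = [xml]$evt.ToXml()
        $cmd = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
        if ($cmd) {
            Test-ShadowCopyTampering -CommandLine $cmd |
                Select-Object @{ n = 'Time'; e = { $evt.TimeCreated } }, Pattern, CommandLine
        }
    }
}

# Constructed sample command lines for the example (not real log data).
$sampleCommandLines = @(
    'C:\Windows\system32\vssadmin.exe delete shadows /all /quiet',
    'wmic.exe shadowcopy delete',
    'powershell.exe -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"',
    'C:\Windows\System32\bcdedit.exe /set {default} recoveryenabled No',
    'C:\Windows\system32\vssadmin.exe list shadows',                              # benign: lists, does not delete
    '"C:\Program Files\7-Zip\7zG.exe" x C:\Users\alice\Downloads\report.zip'      # benign
)

Get-ShadowCopySummary | Format-Table -AutoSize
Test-ShadowCopyTampering -CommandLine $sampleCommandLines | Format-Table -AutoSize
```

The same patterns can be fed to an EDR or SIEM rule; the value of the local functions is that Get-ShadowTamperingEvents can be run on a suspect machine during triage to see whether, and when, recovery was deliberately sabotaged before the ransom note appeared.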

What steps should you take if infected with ransomware?
  1. Disconnect the computer from the network immediately (unplug the cable and disable Wi-Fi) so it can no longer reach mapped and shared drives.

  2. Locate the ransom note, usually a TXT or HTML file with payment instructions and a name along the lines of "How to decrypt ...", dropped in the encrypted shared folders/drives. Keep a copy of it together with a sample encrypted file; ESET malware researchers can use them for further analysis.

  3. Run ESET SysRescue on the infected computer. Only restore from a backup once the threat has been identified and removed (see the above section Keep backups of your system).

  4. Contact your local ESET partner for support

Need Assistance in North America?

If you are a North American ESET customer and need assistance, visit helpus.eset.com to chat with a live technician, view product documentation or schedule a consultation with an ESET Home Advisor.