Best Defensive Strategy against ransomware (crypto malware)
The most effective strategy for protecting yourself from malware and ransomware (crypto malware) is a comprehensive approach that combines prevention with backing up data. Make sure you are running an updated anti-virus and anti-malware product; update all vulnerable software; use supplemental security tools with anti-exploitation features capable of stopping an infection before it can do any damage; restrict access to vssadmin.exe (ransomware routinely runs "vssadmin delete shadows /all /quiet" to destroy the Volume Shadow Copies you might otherwise restore from); and close Remote Desktop Protocol (RDP) if you do not need it. An anti-virus solution alone is not enough protection since many ransomware families will disable it before encrypting data.
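As an added example that is not part of the original page: the following PowerShell hunts the Security event log for the commands ransomware runs to destroy shadow copies and recovery options (the "disable VSSAdmin" point above), then lists the shadow copies that remain. It assumes process-creation auditing (event ID 4688) with command-line logging is enabled and that it is run from an elevated prompt; the regular expressions and the 72-hour window are this example's own choices.

```powershell
# Added example, not from the original page: hunt 4688 events for shadow-copy
# and recovery tampering. Assumes "Audit Process Creation" is on together with
# the policy "Include command line in process creation events"; without the
# latter the events carry no command line and nothing here can match.
$ShadowKillPatterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows',        # vssadmin delete shadows /all /quiet
    'vssadmin(\.exe)?\s+resize\s+shadowstorage',  # shrinking storage also evicts copies
    'wmic(\.exe)?\s+shadowcopy\s+delete',
    'Win32_ShadowCopy.*\bDelete\b',               # Get-WmiObject Win32_ShadowCopy | % Delete
    'bcdedit(\.exe)?\s+.*recoveryenabled\s+no',   # disables Windows recovery environment
    'wbadmin(\.exe)?\s+delete\s+catalog'          # wipes the Windows Backup catalog
)

function Test-CommandLineAuditing {
    # $true when 4688 events will include the process command line
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    $v = Get-ItemProperty -Path $key -Name ProcessCreationIncludeCmdLine_Enabled -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.ProcessCreationIncludeCmdLine_Enabled -eq 1)
}

function Find-ShadowCopyTampering {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # pull the named EventData fields out of the event XML
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $cmd = $data['CommandLine']
        if ([string]::IsNullOrEmpty($cmd)) { continue }
        foreach ($pat in $ShadowKillPatterns) {
            if ($cmd -imatch $pat) {
                [pscustomobject]@{
                    Time    = $e.TimeCreated
                    User    = $data['SubjectUserName']
                    Parent  = $data['ParentProcessName']   # who launched it: explorer, an Office app, a script host?
                    Process = $data['NewProcessName']
                    Command = $cmd
                    Rule    = $pat
                }
                break
            }
        }
    }
}

if (-not (Test-CommandLineAuditing)) {
    Write-Warning 'Process creation events do not include command lines; enable the policy first.'
}
Find-ShadowCopyTampering -Hours 72 | Format-Table -AutoSize

# What is still there: no output after a hit above means the copies are already gone
Get-CimInstance -ClassName Win32_ShadowCopy | Select-Object ID, InstallDate, VolumeName
```

A hit on any of these patterns from a user context, or from a parent such as an Office application or script host, is an immediate ransomware indicator; the backup deletion normally happens minutes before encryption starts, which is why the audit policy has to be in place beforehand.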
Important Fact: Security is all about layers and not depending on any one solution, technology or approach to protect yourself from cyber-criminals. The most important layer is you...the first and last line of defense.
No amount of security software is going to defend against today's sophisticated malware writers for users who do not practice safe computing and stay informed. It has been proven time and again that the user is a more substantial factor (the weakest link in the security chain) than the architecture of the operating system or the installed protection software.
Your best defense against ransomware infection is to routinely BACKUP your data on a regular basis.
The widespread emergence of crypto malware (ransomware) has brought attention to the importance of backing up all data on a regular basis in order to mitigate the risks of a ransomware attack. The only reliable way to protect your data and limit the loss from this type of infection is an effective backup strategy...keeping a separate, offline backup on a device that is not always connected to the network or home computer. Therefore...your best defense is back up, back up, back up, and the best solution for dealing with encrypted data after an infection is to restore from backups. Without backups to restore from, your data is most likely lost forever.
Backing up data and disk imaging are among the most important prevention tasks users should perform on a regular basis, yet it's one of the most neglected areas.
Backing up Data Resources:
IMPORTANT!!! When implementing a backup strategy include testing to ensure it works before an emergency arises; routinely check to verify backups are being made and stored properly; and isolate all backups (offline) on a device that is not always connected to the network or home computer so they are unreachable. If not, you risk not only malware infection but ransomware encrypting your backups, and any backups of the backups, when it strikes. In addition to encrypting data, many ransomware developers now routinely search for and delete backups, shadow copies and anything else reachable over the network; cloud sync clients are not a backup either, since they faithfully upload the encrypted versions of your files.
As such, some imaging/backup software (e.g. Macrium Image Guardian, Acronis True Image) protects its own backup files from being modified or encrypted by untrusted processes, and in some cases detects ransomware-like activity and automatically restores the affected files.
How Ransomware Works - Stages of Encryption Process:
The time factor involved in a crypto malware (ransomware) infection and encryption can vary; however, attacks are typically conducted over time, ranging from a day to a month or longer, starting with the criminals breaching a network. After the attackers gain access to one or more computers on the network, they can steal unencrypted files from backup devices and servers before deploying the ransomware attack, as explained here by Lawrence Abrams, site owner of Bleeping Computer. The same principles apply whether the infection is the result of a direct attack or of downloading a malicious file containing ransomware...at some point the malware is going to communicate with the attackers or install a backdoor Trojan giving the criminals access.
In simplistic terms, crypto malware is usually packed by some kind of obfuscator or packer in order to conceal itself, and it goes through several stages before it actually encrypts data, which is usually the point at which victims become aware of its presence.
1. The first stage of an attack is to access a victim's system, then download and execute its malicious files.
2. The second stage involves the malware connecting to the criminals' Command and Control server (C&C) in order to send information about the targeted computer and, in most families, to register the victim and exchange the encryption key material (some families instead encrypt offline with an embedded key and skip this step).
3. During the third stage, the ransomware scans local drives, connected removable media (USBs, external hard drives) and any accessible network locations (mapped drives, network shares) searching for files to encrypt.
4. The encryption stage begins with encrypting all identified data (file formats) using some form of encryption algorithm. The bulk encryption is symmetric (typically AES, with the per-file or per-victim key then wrapped with the attacker's public key), and modern CPUs accelerate it in hardware, so the malware can encrypt blocks of data very fast...in a matter of seconds, minutes or hours depending on a variety of factors including the amount and size of the data files as well as the intentions of the malware developers.
5. The last stage is usually the appearance of the ransom demand in the form of a screen message or ransoms notes dropped in every folder where files were encrypted.
Note: Some ransomware (STOP Djvu, Ryuk and a few others) only partially encrypt a file (the first so many KB at the beginning and/or end, especially if it is very large). This is deliberate, in order to save time and encrypt as much data as quickly as possible (before anyone notices), so the malware does not actually read, encrypt and write the entirety of the data. Partial encryption is enough to make a file unusable, because the header that identifies the format is the first thing destroyed. Worse, a badly written implementation can overwrite one part of the file with the encrypted data of another part, as explained here; in that case the overwritten data cannot be restored even with the correct key, so the damage is permanent regardless of whether a decryptor ever appears.
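As an added example that is not part of the original page, the following PowerShell triages a folder for the partial-encryption pattern described above: it compares the byte entropy of the first 64 KB of each file with the entropy of its last 64 KB, and checks whether a known format header is still present. The 64 KB chunk size and the 7.5-bit threshold are assumptions chosen for this illustration, not values taken from any particular family, and the header table covers only a handful of formats.

```powershell
# Added example, not from the original page. Heuristic triage of which files
# look fully, partially or not at all encrypted. Chunk size and threshold are
# this example's assumptions; compressed formats (zip, docx, jpg, mp4) are
# naturally high-entropy, which is why the header check is included.
$KnownHeaders = @{
    'PDF'        = [byte[]](0x25, 0x50, 0x44, 0x46)   # %PDF
    'ZIP/Office' = [byte[]](0x50, 0x4B, 0x03, 0x04)   # PK.. (zip, docx, xlsx)
    'PNG'        = [byte[]](0x89, 0x50, 0x4E, 0x47)
    'JPEG'       = [byte[]](0xFF, 0xD8, 0xFF)
}

function Get-ByteEntropy {
    # Shannon entropy in bits per byte: ~0 for constant data, close to 8 for ciphertext
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $Bytes.Length
            $h -= $p * [Math]::Log($p, 2)
        }
    }
    return [Math]::Round($h, 2)
}

function Read-FileChunk {
    param([string]$Path, [long]$Offset, [int]$Length)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        if ($Offset -ge $fs.Length) { return ,[byte[]]@() }
        $null = $fs.Seek($Offset, [System.IO.SeekOrigin]::Begin)
        $want = [int][Math]::Min([long]$Length, $fs.Length - $Offset)
        $buf  = New-Object byte[] $want
        $got  = $fs.Read($buf, 0, $want)
        if ($got -le 0) { return ,[byte[]]@() }
        if ($got -lt $want) { $buf = $buf[0..($got - 1)] }
        return ,$buf
    } finally { $fs.Dispose() }
}

function Get-HeaderType {
    # name of the format whose magic bytes open the chunk, or 'unknown'
    param([byte[]]$Head)
    foreach ($name in $KnownHeaders.Keys) {
        $sig = $KnownHeaders[$name]
        if ($Head.Length -lt $sig.Length) { continue }
        $match = $true
        for ($i = 0; $i -lt $sig.Length; $i++) {
            if ($Head[$i] -ne $sig[$i]) { $match = $false; break }
        }
        if ($match) { return $name }
    }
    return 'unknown'
}

function Get-EncryptionTriage {
    param(
        [Parameter(Mandatory)][string]$Root,
        [int]$ChunkSize = 64KB,       # assumption
        [double]$Threshold = 7.5      # assumption: bits/byte above which data looks random
    )
    Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $headBytes = Read-FileChunk $_.FullName 0 $ChunkSize
        $head = Get-ByteEntropy $headBytes
        $tail = Get-ByteEntropy (Read-FileChunk $_.FullName ([Math]::Max(0, $_.Length - $ChunkSize)) $ChunkSize)
        $hdr  = Get-HeaderType $headBytes
        $verdict =
            if ($hdr -ne 'unknown')                                   { 'header-intact' }
            elseif ($head -ge $Threshold -and $tail -lt $Threshold)  { 'partially-encrypted' }   # start overwritten, rest untouched
            elseif ($head -ge $Threshold -and $tail -ge $Threshold)  { 'encrypted-or-compressed' }
            elseif ($head -lt $Threshold -and $tail -ge $Threshold)  { 'tail-encrypted' }
            else                                                     { 'plaintext' }
        [pscustomobject]@{
            File = $_.FullName; SizeKB = [int]($_.Length / 1KB)
            Header = $hdr; HeadEntropy = $head; TailEntropy = $tail; Verdict = $verdict
        }
    }
}

Get-EncryptionTriage -Root "$env:USERPROFILE\Documents" | Sort-Object Verdict | Format-Table -AutoSize
```

Files reported as partially-encrypted are the ones the note above is about: the tail is still plaintext, which is useful for forensics and for identifying the family, but the file itself will not open until the head is decrypted. Small files fall entirely inside the encrypted window and show up as encrypted-or-compressed, so use the header column, not entropy alone, to decide whether a high-entropy file is actually damaged.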
With the latest generation of ransomware there is also the possibility of encountering an infection with a time-bomb feature designed to delay the execution of an attack. This involves a gestation period during which the ransomware deliberately does not encrypt or delete anything, in order to maximize revenue and overcome any backup defense: by waiting, the attacker increases the chance that the backups taken in the meantime either contain the dormant malware or have aged out of the retention window by the time the victim notices. The ransomware may lie dormant for one, two or several months before finally beginning the encryption stage. However, when encryption begins, that process can start and finish very quickly.
In incidents investigated between 2017 and 2019, FireEye researchers found that in most cases the ransomware was executed three days or more after the initial intrusion. This is a deliberate tactic: delaying encryption gives the attackers time to harvest victims' data and use it as leverage to make victims pay the ransom under the threat of leaking the stolen information.
Types of Ransomware & How it Spreads:
There are several classifications and types of ransomware:
1. File-encrypting ransomware, which uses strong encryption algorithms to encrypt data files and demands a ransom payment from the victim in order to decrypt them.
2. Wiping ransomware, which destroys data by overwriting it...meaning the affected data is not recoverable; it is destroyed beyond repair whether or not a ransom is paid.
3. Locker ransomware, which locks the victim out of the operating system so they cannot access their computer or its contents, including all files, personal data, photos, etc. Although the files are not actually encrypted, the cyber-criminals still demand a ransom to unlock the computer. Master Boot Record (MBR) ransomware is a variation of Locker ransomware which denies access to the full system by attacking low-level structures on the disk, essentially stopping the computer's boot process and displaying a ransom demand. Some variants go further and encrypt low-level structures on the hard drive itself, such as the Master File Table (MFT).
Types of Ransomware
- Polymorphic Ransomware
- Wiping Ransomware
- Publishing Ransomware (Doxware)
- Time-Bomb
Crypto malware can be responsible for dual (multiple) infections since it will encrypt any directory or file it can read and write to, regardless of whether the data was previously encrypted by disk encryption software, another ransomware or anything else. Ransomware does not care about the contents of the data or whether your files are already encrypted...it will simply re-encrypt (double-encrypt) them again and again as long as it has access, and even the same family can encrypt data multiple times with different strains. Reports of multiple ransomware infections go back many years...it was very common for victims of TeslaCrypt to also be encrypted with CryptoWall during 2015. Double encryption means dealing with every ransomware involved, and every ransom demand, in order to decrypt the data, and the layers have to be undone in reverse order. Unfortunately there is not much you can do in scenarios like this, especially if any of the ransomwares involved is not decryptable.
What further decreases your chances of recovering data with dual infections is that files may get encrypted or corrupted multiple times, especially if the victim tried to use another victim's decryption key, removed the added extension or attempted to fix the files by renaming them while the malware was still active. This typically results in additional file corruption and complicates possible decryption. Further, using a faulty or incorrect decryptor (one intended for a different ransomware) may cause additional damage or further corrupt the encrypted files, again decreasing your chances of recovering data.
Crypto malware spreads via a variety of attack vectors, including:
- social engineering (trickery) and user interaction: opening a malicious or spam email attachment (malspam), executing a malicious file, drive-by downloads and malvertising campaigns
- exploits, exploit kits and web exploits, fileless (non-malware) attacks, and cryptojacking malware campaigns that later drop ransomware
- malware posing as a folder on removable drives
- downloading software cracks, pirated software, fake Microsoft Teams updates, and fake/illegal activators for Windows & Office
- targeting managed service providers (MSPs)
- RDP brute-force attacks, a common attack vector for servers, particularly among those involved with the development and spread of ransomware, since if enabled RDP allows connections from the outside as explained here.
Update: Threat Bulletin: Ransomware 2020 - State of Play
During the latter half of 2019 and early 2020, the BlackBerry Research and Intelligence Team observed cyber-criminal gangs utilizing advanced tactics to infiltrate and ultimately extort money from victims using several prominent ransomware families (e.g. Ryuk, Sodinokibi and Zeppelin), with a distinct shift from widespread, indiscriminate distribution to highly targeted campaigns, often deployed via compromised Managed Security Service Providers (MSSPs).
Note: For victims who are dealing with a Linux-based NAS (Network Attached Storage) device, the malware most likely infected a Windows-based machine and encrypted the NAS over the network. The criminals could also connect via Samba/SMB (Server Message Block) and run the malware from their own system to encrypt files over the Internet, which is essentially the same as encrypting files over a network-mapped drive. Attackers have also been known to exploit vulnerabilities in the NAS itself, for example the SQL injection vulnerability in QNAP's Multimedia Console and Media Streaming Add-On and the hard-coded credentials vulnerability in QNAP's HBS 3 Hybrid Backup Sync, to execute ransomware directly on vulnerable devices. Password guessing, OpenSSH vulnerabilities and other unpatched software are common attack vectors as well.
For more detailed information, please refer to How Malware Spreads - How your system gets infected.
What to do when you discover your computer is infected with ransomware:
When you discover that your computer or network (if applicable) is being infected with ransomware, you should immediately shut it down to prevent it from encrypting any more files. Shutting down the computer should stop any encryption of other drives that were connected at the time of infection, as explained here by Lawrence Abrams, site owner of Bleeping Computer. Be aware of the trade-off: powering off discards the contents of memory, which for a few families is the only place the encryption key can still be recovered from, so where an incident responder can capture memory quickly that is worth doing first; while encryption is actively running, stopping it takes priority.
After detecting a ransomware attack, the first step a company should take is to shut down its network and the computers running on it. These actions prevent the continued encryption of data and deny the attackers access to the systems. Once this is done, a third-party cybersecurity company should be brought in to perform a full investigation of the attack and an audit of all internal and public-facing devices. This audit includes analyzing the corporate devices for persistent infections, vulnerabilities, weak passwords and malicious tools left behind by the ransomware operators.
Disconnecting the infected computer from the Internet does not stop the encryption process locally.
The infected computer should be isolated from other devices and if possible you should create a copy or image of the entire hard drive. Doing that allows you to save the complete state of your system. Imaging the drive backs up everything related to the infection including encrypted files, ransom notes, key data files (if applicable) and registry entries containing possible information which may be needed in the event that a free decryption solution is ever discovered in the future. The encrypted files and ransom note text files do not contain malicious code so they are safe. Alternatively, you can remove the hard drive, store it away and replace it with a new hard drive and a fresh install of Windows.
Even if a decryption tool is available, there is no guarantee it will work properly (malfunction, defective, fake) as noted here or that the malware developer will not release a new variant to defeat the efforts of security researchers so keeping a backup of the original encrypted files (or the original infected hard drive) and related information is a good practice.
IMPORTANT!!! The window for finding attackers on your network before ransomware is deployed is getting much smaller.
Removing Ransomware From An Infected Computer:
Most ransomware is programmed to automatically remove itself...the malicious files responsible for the infection...after the encryption is done, since they are no longer needed, but there are some exceptions. The malware developers usually do this to make it more difficult for security researchers to find and analyze their malicious payload. That also explains why many security scanners do not find anything after the fact. The encrypted files themselves do not contain malicious code, so they are safe. Unfortunately, most victims do not realize they have been infected until the ransomware displays the ransom note and the files have already been encrypted. In some cases there may be no ransom note, and discovery only occurs later when attempting to open an encrypted file. As such, many victims do not know how long the malware was on the system before they were alerted, or whether other malware was downloaded and installed along with the ransomware and could still be present on the infected computer.
Some crypto malware (e.g. STOP/Djvu Ransomware) is known to leave behind malicious components that will encrypt any new files saved and re-encrypt any files victims previously managed to decrypt. Other ransomware (e.g. Phobos Ransomware) is very aggressive and does not stop after a single run...it will run multiple times, ensuring repeated infection. A few ransomwares store the victim's master key in the registry; if that entry is removed, the next time the computer is restarted the ransomware could create a new master key and begin encrypting files again, leaving data encrypted with two different keys.
Therefore it is recommended to isolate the infected computer from other devices and thoroughly check the system to ensure no such malicious components have been left behind. IT folks and advanced users who are ransomware victims can use Farbar Recovery Scan Tool (FRST), an advanced specialized tool designed to investigate for the presence of malicious and suspicious files. FRST logs provide detailed information about your system, registry loading points, services, driver services, Netsvcs entries, known DLLs, drives, partition specifications and will also list system files that could be patched by malware.
There are a few ransomware variants that will add an entry to Run and RunOnce Registry Keys so the malicious executable or ransom screen always displays itself on each restart of the computer. In such cases, victims should look for a related entry under the Startup tab in Windows System Configuration Utility (msconfig) or use a tool such as Autoruns to search for and remove any malicious entries.
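As an added example that is not part of the original page, the following PowerShell does the Run/RunOnce and Startup-folder check described above and flags the entries a ransomware clean-up should look at first: executables living in user-writable locations, executables that no longer exist on disk, and executables without a valid Authenticode signature. The list of "user-writable" directories and the flagging rules are this example's own heuristics, not a definition of what is malicious.

```powershell
# Added example, not from the original page. Enumerate autostart entries,
# resolve the binary each one launches, and flag the suspicious ones.
# The directory list and the flag rules below are this example's assumptions.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$StartupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
$ProviderNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$UserWritable  = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData, 'C:\Users\Public') |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Resolve-CommandExe {
    # "C:\Program Files\x\y.exe" /flag  ->  C:\Program Files\x\y.exe
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return '' }
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    # unquoted path that may contain spaces: grow the prefix until it names a file
    $parts = $cmd -split ' '
    for ($i = 0; $i -lt $parts.Count; $i++) {
        $candidate = $parts[0..$i] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $parts[0]
}

function Get-AutostartFinding {
    param([string]$Source, [string]$Name, [string]$Command)
    $exe   = Resolve-CommandExe $Command
    $flags = @()
    $sig   = 'n/a'
    if (-not $exe -or -not (Test-Path -LiteralPath $exe -PathType Leaf)) {
        $flags += 'missing-file'          # entry points at nothing: leftover, or self-deleting payload
    } else {
        $sig = (Get-AuthenticodeSignature -FilePath $exe).Status.ToString()
        if ($sig -ne 'Valid') { $flags += "signature:$sig" }
        foreach ($dir in $UserWritable) {
            if ($exe.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { $flags += 'user-writable-path'; break }
        }
    }
    [pscustomobject]@{
        Source = $Source; Name = $Name; Executable = $exe
        Signature = $sig; Flags = ($flags -join ','); Command = $Command
    }
}

function Get-AutostartAudit {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $ProviderNoise) { continue }
            Get-AutostartFinding -Source $key -Name $p.Name -Command ([string]$p.Value)
        }
    }
    foreach ($folder in $StartupFolders) {
        Get-ChildItem -LiteralPath $folder -File -ErrorAction SilentlyContinue | ForEach-Object {
            $target = $_.FullName
            if ($_.Extension -eq '.lnk') {   # follow shortcuts to what they actually launch
                $target = (New-Object -ComObject WScript.Shell).CreateShortcut($_.FullName).TargetPath
            }
            Get-AutostartFinding -Source $folder -Name $_.Name -Command $target
        }
    }
}

# flagged entries first
Get-AutostartAudit | Sort-Object { $_.Flags -eq '' } | Format-Table -AutoSize
```

Anything flagged user-writable-path with a signature other than Valid deserves a look before the next reboot; quarantine the file rather than deleting it, for the reasons given below. Run the script from an elevated prompt so the HKLM keys and the all-users Startup folder are readable, and remember that Autoruns covers far more locations (services, scheduled tasks, WMI subscriptions) than these two.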
When dealing with ransomware removal it is best to quarantine malicious files rather than delete them until you know or confirm what infection you're dealing with. In some cases, samples of the malware itself are needed for further analysis in order to identify it properly or investigate for flaws which could lead to the creation of a decryption tool so your data can be recovered. Quarantine is just an added safety measure which allows one to view and investigate the files while keeping them from harming your computer. If using security scanning disinfection tools, system optimization and/or cleanup software on some ransomware before backing up, there is a chance they could remove related registry keys and malicious files which may be required to recover your data.
Important Note: Some ransomware have been known to install password stealing Trojans on victim's computer to steal account credentials, cryptocurrency wallets, desktop files, and more. It is imperative that you change all passwords for your computer to include those used for banking, taxes, email, eBay, paypal and any online activities which require a username and password. You should consider them to be compromised and change passwords from a clean computer as a precaution, not the infected one.
If your antivirus did not detect and remove anything, additional scans should be performed with other security programs like Emsisoft Anti-Malware, Emsisoft Emergency Kit, Malwarebytes, Zemana AntiMalware or RogueKiller Anti-malware.
If the computer was shut down to prevent it from encrypting any more files as explained here, then you can use Kaspersky RescueDisk or similar LiveCD/Rescue utilities to assist with malware removal without having to boot into Windows. Offline scanning is a method to disinfect malware from outside an infected Windows system environment by using an anti-malware program that runs outside of the traditional operating system. Offline scanners are usually self-contained, do not require a network or Internet connection and are typically loaded onto a flash drive or CD/DVD and set to boot prior to the operating system. The advantage of offline scanning tools is that they can be used when the malware is not running and interfering with the clean-up process.
Note: Disinfection will not help with decryption of any files affected by the ransomware.
Before doing anything, if possible back up or image the entire hard drive as described above, so that the complete state of the system (encrypted files, ransom notes, key data files and registry entries) is preserved in case a decryption solution is ever discovered. Alternatively, remove the hard drive, store it away and replace it with a new one.
Of course you can always choose to do a clean reinstall of Windows (reformat) instead, which will remove ransomware-related malicious files...it will also erase all the data on your computer, including your files, any programs you installed and your settings, so back up your important data first. A factory reset from the vendor's recovery partition returns the computer to the state it was in when you first purchased it, including any preinstalled and trial software; a clean install from Microsoft media does not. However, there are bootkits which alter the Master Boot Record (MBR) as explained here, and in those cases you should also rewrite the MBR (on UEFI/GPT systems, wipe and recreate the partitions including the EFI System Partition) to ensure all malicious code has been removed.
If you need individual assistance only with removing the malware infection, there are advanced tools which can be used to investigate and clean your system. Please follow the instructions in the Malware Removal and Log Section Preparation Guide...all other questions or comments should be posted in the support topics. When you have done that, start a new topic and post your FRST logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum for assistance by the Malware Response Team.
Ransomware victims should be wary of Google searches, which return numerous links to bogus and untrustworthy malware removal guides, many of which falsely claim to have decryption solutions. After our experts tweet or write about a new ransomware or new variants, junk articles full of misinformation are quickly written in order to scare and goad victims into purchasing sham removal and decryption software. In some cases, unsuspecting victims may actually be downloading a fake decryptor carrying more ransomware, resulting in double encryption that makes the situation even worse. Further, your personal and financial information is also at risk when dealing with scammers. Only use trusted sources when searching for information.
Preventing Ransomware:
Most security experts agree that the best way to protect from ransomware is to prevent it from happening in the first place.
...there’s just no good way to decrypt files encrypted by ransomware. Prevention before the fact is the only guaranteed peace of mind on this one.
Kaspersky Lab reports that RDP brute-force attacks are on the rise. Everyone should be aware that Remote Desktop Protocol is a very common brute-force attack vector for servers, particularly among those involved with the development and spread of ransomware, since if enabled it allows connections from the outside. Attackers use remote port scanning tools to scan enterprise computer systems, searching for RDP-enabled endpoints commonly used to log in from outside the workplace. When the attacker finds an exposed RDP endpoint they launch a barrage of login attempts, guessing or brute-forcing the password. Attackers can also phish a company employee to gain access to and control of their machine, then use that access to brute-force RDP from inside the network.
Once the attacker gains administrative access to a target computer remotely they can create new user accounts or take over an existing account that is not currently logged in, and do just about anything. The attacker can use remote access tools to introduce and execute crypto malware, generate the encryption keys, encrypt data files and copy files back to their own system via the remote desktop client. The attacker can also steal unencrypted files from backup devices and servers before deploying the ransomware attack as explained here.
In addition to searching for devices with exposed RDP or weak passwords that can be exploited by brute-force attacks, criminals are also using that access to routinely search for and destroy backups or simply delete your backups.
IT admins and other folks should close RDP if they don't use it. If they must use RDP, the best way to secure it is never to expose it directly to the Internet: only allow RDP from local traffic, whitelist IPs on a firewall, put RDP behind a VPN or an RDP gateway, require Network Level Authentication and multi-factor authentication where available, set an account lockout policy, and enforce strong password policies, especially on any admin accounts or those with RDP privileges. Changing the default RDP port (TCP 3389) hides it only from the laziest scanners and is not a substitute for the controls above. Those running a server may also want to consider a host-based intrusion prevention system (HIPS) like RdpGuard for Windows Server to protect against brute-force attacks.
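As an added example that is not part of the original page, the following PowerShell audits a Windows host's RDP exposure and then applies the two outcomes the paragraph above describes: turn RDP off, or keep it but fence it in with firewall scoping, Network Level Authentication and an account lockout policy. The management subnet 10.0.0.0/24 and the lockout numbers are placeholders for this illustration; run it from an elevated prompt.

```powershell
# Added example, not from the original page. Audit, then disable or restrict
# RDP on the local machine. The allowed subnet and lockout values are assumptions.
$TermServer = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp     = "$TermServer\WinStations\RDP-Tcp"

function Get-RdpExposure {
    $deny = (Get-ItemProperty -Path $TermServer -Name fDenyTSConnections).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $RdpTcp -Name UserAuthentication).UserAuthentication
    $port = (Get-ItemProperty -Path $RdpTcp -Name PortNumber).PortNumber
    $listening = @(Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue).Count -gt 0
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' }
    # an enabled inbound rule whose remote address is "Any" is the dangerous case
    $openToAny = @($rules | Get-NetFirewallAddressFilter | Where-Object { $_.RemoteAddress -eq 'Any' }).Count -gt 0
    [pscustomobject]@{
        RdpEnabled        = ($deny -eq 0)
        NlaRequired       = ($nla -eq 1)
        Port              = $port             # a non-default port here is obscurity, not protection
        Listening         = $listening
        FirewallOpenToAny = $openToAny
    }
}

function Disable-Rdp {
    # RDP is not needed: stop accepting connections and close the firewall holes
    Set-ItemProperty -Path $TermServer -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

function Restrict-Rdp {
    param([string[]]$AllowedFrom = @('10.0.0.0/24'))   # assumed management subnet / VPN pool
    Set-ItemProperty -Path $TermServer -Name fDenyTSConnections -Value 0
    Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1        # require NLA
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $AllowedFrom                      # scope away from "Any"
    # slow down password guessing from whatever can still reach the port
    # (local accounts only; domain-joined hosts get this from Group Policy)
    & net.exe accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null
}

Get-RdpExposure
# then one of:
# Disable-Rdp
# Restrict-Rdp -AllowedFrom '10.0.0.0/24', '192.168.50.10'
```

On non-English Windows the firewall group is not named "Remote Desktop"; use -Group '@FirewallAPI.dll,-28752' instead of -DisplayGroup. Run Get-RdpExposure again after changing anything: a host that reports Listening true and FirewallOpenToAny true is exactly what the scanners described above are looking for.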
Malware can disguise itself by hiding the file extension, or by adding a double file extension and/or spaces in the file name to hide the real extension, so be sure to look closely at the full file name as well as the extension. In some cases you may not see the double extension because file extensions are hidden by default in Windows. Even if you have chosen to unhide file extensions, you may still be fooled if the malware writer padded the name with extra spaces before the ".exe" extension: the real extension is pushed out of view because the column width is too narrow to show the complete name, and the tiny dots in between are nearly invisible.
If you cannot see the file extension, you may need to reconfigure Windows to show known file name extensions.
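As an added example that is not part of the original page, the following PowerShell applies the "show known extensions" setting mentioned above and then sweeps a folder for the naming tricks the previous paragraph describes: a decoy document extension in front of an executable one, a run of spaces pushing the real extension out of view, and the related trick of a right-to-left override character that reverses how the end of the name is displayed. The folder path and the two extension lists are this example's assumptions.

```powershell
# Added example, not from the original page. Show extensions in Explorer and
# find file names built to hide an executable extension. The extension lists
# and the default folder are assumptions for this illustration.
$ExecutableExt = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.vbe', '.js', '.jse',
                   '.wsf', '.wsh', '.ps1', '.hta', '.msi', '.jar', '.lnk')
$DecoyExt      = @('.pdf', '.doc', '.docx', '.xls', '.xlsx', '.txt', '.jpg', '.png', '.zip', '.mp3', '.mp4')

function Show-FileExtensions {
    # Explorer reads HideFileExt from the per-user Advanced key; 0 = show extensions
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $key -Name HideFileExt -Value 0
    # new Explorer windows pick this up; already-open ones need explorer.exe restarted
}

function Test-DeceptiveName {
    # returns the list of reasons a name looks deceptive (empty when it looks honest)
    param([Parameter(Mandatory)][string]$Name)
    $reasons = @()
    $ext = [System.IO.Path]::GetExtension($Name).ToLowerInvariant()
    if ($ExecutableExt -contains $ext) {
        $stem    = [System.IO.Path]::GetFileNameWithoutExtension($Name)
        $trimmed = $stem.TrimEnd()
        $inner   = [System.IO.Path]::GetExtension($trimmed).ToLowerInvariant()
        if ($DecoyExt -contains $inner) { $reasons += "double-extension($inner$ext)" }   # invoice.pdf.exe
        if ($stem.Length -ne $trimmed.Length) {                                             # "invoice.pdf        .exe"
            $reasons += "padded-with-$($stem.Length - $trimmed.Length)-spaces"
        }
    }
    if ($Name.IndexOf([char]0x202E) -ge 0) { $reasons += 'rtl-override' }   # "photo<U+202E>gpj.exe" shows as photoexe.jpg
    return ,$reasons
}

function Find-DeceptiveNames {
    param([string]$Folder = "$env:USERPROFILE\Downloads")   # assumption
    Get-ChildItem -LiteralPath $Folder -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $why = Test-DeceptiveName $_.Name
        if ($why.Count -gt 0) {
            [pscustomobject]@{ File = $_.FullName; RealExtension = $_.Extension; Reasons = ($why -join ', ') }
        }
    }
}

Show-FileExtensions
Find-DeceptiveNames | Format-Table -AutoSize
```

Test-DeceptiveName works on the name alone, so it can also be pointed at an attachment list or a mail gateway log. The RealExtension column is what Windows will actually execute, whatever the icon and the visible part of the name suggest.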
Ransomware Prevention Tips:
You should use an anti-exploit program to help protect your computer from zero-day attacks, and rely on behavior detection rather than on standard anti-virus definition (signature) detection alone. This means using programs that can detect when malware is in the act of modifying or encrypting files AND stop it, rather than just detecting the malicious file itself, which in most cases is not immediately detected by anti-virus software. Some anti-virus and anti-malware programs include built-in anti-exploitation protection.
Emsisoft Anti-Malware includes a Behavior Blocker which continually monitors the behavior of all active programs looking for any anomalies that may be indicative of malicious activity and raises an alert as soon as something suspicious occurs. This advanced behavior blocking technology is able to detect unknown zero-day attacks, file-less malware that resides only in memory, zombies (the hijacking of host processes to load malicious code which execute via script parser programs), and file-encrypting malware (ransomware) attacks. Emsisoft's three security levels (or layers) of protection help to prevent the installation of malware and stop malicious processes before they can infect your computer. With the release of v2017.5, Emsisoft now has a separate Anti-Ransomware module.
ESET Antivirus and Smart Security use a Host-based Intrusion Prevention System (HIPS) to monitor system activity against a predefined set of rules and recognize suspicious system behavior; its Advanced Memory Scanner component inspects processes once they have unpacked themselves in memory. When this type of activity is identified, HIPS stops the offending program from carrying out potentially harmful activity. ESET's enhanced Botnet Protection module blocks communication between ransomware and Command and Control (C&C) servers. ESET Antivirus (and Smart Security) includes Exploit Blocker, which is designed to fortify applications that are often exploited (e.g. web browsers, PDF readers, email clients, MS Office components). This feature monitors the behavior of processes and looks for and blocks suspicious activities that are typical of exploits, including zero-day attacks. ESET's Java Exploit Blocker looks for and blocks attempts to exploit vulnerabilities in Java. ESET Antivirus (and Smart Security) also includes script-based attack protection, which guards against malicious JavaScript in web browsers and uses the Antimalware Scan Interface (AMSI) to protect against scripts that try to abuse Windows PowerShell.
Windows Defender Exploit Guard (introduced in Windows 10 Fall Creators Update, and now part of Microsoft Defender) includes four components of new intrusion prevention capabilities designed to lock down a system against various attack vectors and block behaviors commonly used in malware attacks before any damage can be done. Exploit protection consists of exploit mitigations which can be configured system-wide and per application. Controlled folder access protects common system folders and personal data from ransomware by blocking untrusted processes from accessing and tampering with (encrypting) files in the protected folders; it only works while Microsoft Defender is the active real-time engine. Attack Surface Reduction (ASR) is a set of rules which helps prevent exploit-seeking malware by blocking Office, script and email-based threats. Network protection guards against web-based threats by blocking any outbound process attempting to connect to untrusted or low-reputation hosts, IPs or domains, using Windows Defender SmartScreen. Windows Defender Exploit Guard is intended to replace Microsoft's EMET, which was confusing to novice users and could be bypassed because its mitigations were not durable, and which often caused operating system and application stability issues, as explained here.
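As an added example that is not part of the original page, the following PowerShell turns on the Exploit Guard components just described through the Microsoft Defender cmdlets and reads the resulting state back. It needs an elevated prompt and Microsoft Defender as the active real-time engine; the extra protected folder and the allowed application are placeholders, and the four ASR rule GUIDs are Microsoft's published identifiers, which should be checked against current documentation before rollout.

```powershell
# Added example, not from the original page. Enable controlled folder access,
# a small set of ASR rules and network protection, starting in audit mode.
# Folder/application paths are assumptions; the rule GUIDs are Microsoft's
# published identifiers (verify against current docs).
$AsrRules = @{
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
}

function Enable-RansomwareGuard {
    param(
        [string]$ExtraProtectedFolder = 'D:\Backups',                      # assumed
        [string]$TrustedApp = 'C:\Program Files\BackupTool\backup.exe',    # assumed
        [switch]$Audit    # log what would be blocked instead of blocking it
    )
    $action = if ($Audit) { 'AuditMode' } else { 'Enabled' }

    # Controlled folder access: untrusted processes cannot write to the protected folders
    Set-MpPreference -EnableControlledFolderAccess $action
    if (Test-Path -LiteralPath $ExtraProtectedFolder) {
        Add-MpPreference -ControlledFolderAccessProtectedFolders $ExtraProtectedFolder
    }
    if (Test-Path -LiteralPath $TrustedApp) {     # the backup tool must still be able to write there
        Add-MpPreference -ControlledFolderAccessAllowedApplications $TrustedApp
    }

    # Attack surface reduction rules
    foreach ($id in $AsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $action
    }

    # Network protection: block outbound connections to low-reputation hosts
    Set-MpPreference -EnableNetworkProtection $action
}

function Get-RansomwareGuardState {
    $p    = Get-MpPreference
    $ids  = @($p.AttackSurfaceReductionRules_Ids)
    $acts = @($p.AttackSurfaceReductionRules_Actions)
    $rules = for ($i = 0; $i -lt $ids.Count; $i++) {
        $name = $AsrRules[$ids[$i]]
        if (-not $name) { $name = '(other rule)' }
        [pscustomobject]@{ Rule = $name; Id = $ids[$i]; Action = $acts[$i] }   # 0 off, 1 block, 2 audit
    }
    [pscustomobject]@{
        ControlledFolderAccess = $p.EnableControlledFolderAccess   # 0 off, 1 on, 2 audit
        ProtectedFolders       = $p.ControlledFolderAccessProtectedFolders
        NetworkProtection      = $p.EnableNetworkProtection
        AsrRules               = $rules
    }
}

Enable-RansomwareGuard -Audit
Get-RansomwareGuardState
```

Run in audit mode first and review the Defender operational log for what would have been blocked; legitimate installers and backup agents writing into Documents are the usual surprises, and they are handled by adding them to the allowed-applications list rather than by switching the feature off. Drop the -Audit switch once the exceptions are in place.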
Malwarebytes Premium with Anti-Exploit & Anti-Ransomware includes a real-time Protection Module that uses advanced heuristics scanning technology to monitor your system and prevent the installation of most new malware, stopping malware distribution at the source. This technology dynamically blocks malware sites & servers, prevents the execution of malware, proactively monitors every process and helps stop malicious processes before they can infect your computer.
Ransomware Prevention Tools:
Other Malware Prevention Tools:
Important Note: Keep in mind that some security researchers have advised against using multiple anti-exploit applications, because running more than one of them at the same time can hamper the effectiveness of the return-oriented programming (ROP) and other exploit checks. This in turn can leave the system more vulnerable than if only one anti-exploit application were running. In some cases multiple tools interfere with each other and cause program crashes.
While you should use an antivirus (even just the Windows Defender tool built into Windows 10, 8.1, and 8) as well as an anti-exploit program, you shouldn't use multiple anti-exploit programs...These types of tools could potentially interfere with each other in ways that cause applications to crash or just be unprotected, too.
- How-To Geek on Anti-exploit programs
ROP is an exploitation technique that lets an attacker execute code in the presence of defenses such as non-executable memory and code signing, by chaining together short instruction sequences ("gadgets") that already exist in legitimate code. It is an effective code-reuse attack and among the most popular exploitation techniques, and there are few practical defenses able to stop it without access to source code. Address Space Layout Randomization (ASLR) randomizes where code and data are loaded in memory, so that an exploit cannot predict the addresses its ROP chain depends on. Together with Data Execution Prevention (DEP), which stops injected data from being run as code, these technologies are intended to mitigate (reduce) the effectiveness of buffer overflow and other memory corruption exploits rather than fix the underlying bugs. Many advanced exploits therefore rely on ROP to bypass DEP and on an information leak to bypass ASLR before they can execute malicious code on the system. Tools with ROP and ASLR protection such as Microsoft's Enhanced Mitigation Experience Toolkit (EMET) check each critical function call to determine whether it is legitimate (if those features are enabled).
As such, users need to know and understand the protection features of any anti-exploit/anti-ransomware program they are considering to use.
If you have not done so already, you may want to read:
Updated: 07/21/23