Ransomware is malicious software that criminals use to hold computers or computer files to ransom, demanding payment from victims to get them back. Sadly, ransomware is an increasingly popular way for malware authors to extort money from companies and consumers alike.
Paying criminals is never a good idea, even when it seems expedient. Ransomware authors are under no obligation to actually give you back what you pay for, and there have been plenty of cases where either the decryption key did not work or the note asking for ransom never even appeared. Suffice it to say that criminals are not generally renowned for their excellent software testing or devotion to quality customer service.
What can you do about it?
On the one hand, ransomware can be extremely scary – the encrypted files can essentially be considered damaged and beyond repair. But if you have properly prepared your system, it is really nothing more than a nuisance.
There are a few things that you can do to keep ransomware from wrecking your day. Let’s start with what can be done in advance to help prevent malware from getting onto your system in the first place, and to minimize damage if it does happen.
Back up your data
“IT IS MY HOPE THAT IF ANYTHING GOOD CAN COME OUT OF THIS RANSOMWARE TREND, IT IS AN UNDERSTANDING OF AN IMPORTANCE OF PERFORMING REGULAR, FREQUENT BACKUPS TO PROTECT OUR VALUABLE DATA.”
The single most important thing you can do to prepare for emergencies, including being affected by ransomware, is to have regularly updated backups. Many ransomware variants will encrypt files on drives that are mapped.
This includes any external drives such as a USB thumb drive, as well as any network or cloud file stores to which you have assigned a drive letter. So your backup needs to be on an external drive or backup service that is disconnected from your devices and network when not in use, and secured both physically and digitally.
Keep your software up to date
Malware authors frequently rely on people running outdated software with known vulnerabilities, which they can exploit to get onto systems unobserved. It can significantly decrease the potential for malware infection if you make a practice of updating your software often. Enable automatic updates if you can, update through the software’s internal update process, or go directly to the software vendor’s website.
Malware authors sometimes disguise their creations as software update notifications, so by going to well-known and good software repositories you can increase the odds of getting clean, vetted updates. On Windows, you may wish to double-check that old – and potentially vulnerable – versions of the software are removed by looking in Add/Remove Software within the Control Panel.
Use a reputable security suite
It is always a good idea to have both anti-malware software and a software firewall to help you identify threats or suspicious behavior. Malware authors frequently update their creations to try to avoid detection, so it is important to have both these layers of protection. If you run across a ransomware variant that is so new that it gets past anti-malware software, it might still be caught by a firewall when it attempts to connect with its Command and Control (C&C) server to receive instructions for encrypting your files.
The next few tips are to help you deal with the methods that current ransomware variants have been using – these tips may not help in every case, but they are inexpensive and minimally intrusive ways to cut off access routes used by a variety of malware families.
Disable macros in Microsoft Office files
Most people may not be aware that Microsoft Office Files are like a file-system within a file system, which includes the ability to use a powerful scripting language to automate almost any action you could perform with a full executable file. By disabling macros in Office files, you deactivate the use of this scripting language.
Show hidden file extensions
One popular method malware uses to appear innocent is to name files with double extensions, such as “.PDF.EXE”. By default, Windows and OSX hide known file extensions; malware takes advantage of this behavior to make a file appear to be one that would commonly be exchanged. If you enable the ability to see the full file-extension, it can be easier to spot suspicious file types.
Filter EXEs in email
If your gateway mail scanner has the ability to filter files by extension, you may want to deny mails that arrive with “.EXE” files, or to deny mails sent with files that have two file extensions, the last one being executable (For example, “Filename.PDF.EXE”). If you do legitimately need to exchange executable files within your environment and are denying emails with “.EXE” files, you can send them within ZIP files or via cloud services. Sending in ZIP files can also give you an extra layer of assurance, as it allows you to choose an official, universal password for use within your household or company, which can help you identify unofficial files that don’t use your agreed-upon password.
Disable files running from AppData/LocalAppData folders
You can create policy rules within Windows or with Intrusion Prevention Software, to disallow unique behavior often used by ransomware, which is to run its executable from the AppData or LocalAppData folders. If you have legitimate software that you know is set to run from the AppData area (note that this is fairly unusual behavior, and most legitimate software will allow you to choose another install location), you will need to add an exclusion from this rule.
Ransomware sometimes accesses machines by using Remote Desktop Protocol (RDP), which is a Windows utility that allows others to access your desktop remotely. If you do not need use RDP in your environment, you can disable it to protect your machines. For instructions on how to do so, visit the appropriate Microsoft Knowledge Base article below:
If you find yourself in a position where you have already run a ransomware executable without having taken any of the previous precautions, your options are more limited. There are a few things you can still do that might help mitigate the damage:
Check to see if a decryptor is available
Sometimes malware authors make mistakes and decryptors can be created. Other times, malware authors feel remorse for their actions or stop development on a particular ransomware family, and then release a decryption key. It’s worth a quick internet search to see if the solution to your problem is available for free, from a reputable source.
Disconnect from WiFi or unplug from the network immediately
If you run a file that you suspect may be ransomware, but you have not yet seen the characteristic ransomware screen, if you act very quickly you might be able to stop communication with the C&C server before it finishes encrypting your files. If you disconnect yourself from the network immediately you might decrease the number of files that it can encrypt.
Use System Restore to get back to a known-clean state
If you have System Restore enabled on your Windows machine, you might be able to take your system back to a known-clean state. Many ransomware variants will prevent this from succeeding, but it doesn’t hurt to try.
Set the BIOS clock back
Some ransomware variants have a payment timer that increases the price for your decryption key after a set time. You may be able to give yourself additional time by setting the BIOS clock back to a time before the deadline window is up.
If you are an ESET customer and are concerned about ransomware protection or think you have been targeted by ransomware, contact the customer care number for your country/region. They will have the latest details on how to prevent and remediate ransomware attacks.
In addition, there are several WeLiveSecurity articles that provide more information on this threat:
- Filecoder: Holding your data to ransom
- Remote Desktop (RDP) Hacking 101: I can see your desktop from here!
- For an audio explanation of, and historical perspective on, the topic of ransomware, listen to Aryeh Goretsky’s recent podcast on the subject: Ransomware 101.
Finally, it should be noted that the recent rash of ransomware attacks has generated a lot of breathless news coverage, mainly because it is a departure from previous trends in financially motivated malware (which tended to be stealthy and thus not data-damaging).
Ransomware can certainly be frightening, but there are many benign problems that can cause just as much destruction. That is why it has always been, and always will be, best practice to protect yourself against data loss with regular backups kept offline. That way, no matter what happens, you will be able to restart your digital life quickly. It is my hope that if anything good can come out of this ransomware trend, it is an understanding of an importance of performing regular, frequent backups to protect our valuable data.
by Lysa Myers, ESET We Live Security