Ransomware Protection and Removal
Ransomware attacks exploit weaknesses in data protection, and of users who are untrained or negligent in cyber security best practices.
Ransomware is a serious threat, spreading quickly and getting smarter at evading detection by anti-virus software and targeting key facilities, servers, users, high-value data files, databases, and backup files.
Protect your data and business now by implementing a ransomware protection, detection and response plan, to contain, eradicate and recover. Many of the recommendations found here also protect computer systems and data from other types of malware, attacks, user errors, device failures or disasters.
In September 2016, the FBI Internet Crime Complaint Center (IC3) published a ransomware Public Service Announcement (PSA) urging victims to report ransomware incidents and request assistance immediately from the local FBI field office. The FBI recommends users consider implementing the following ransomware prevention and business continuity measures (shown below in italics) to reduce the risk of a successful attack.
The FBI does not advocate paying a ransom to an adversary. Paying a ransom does not guarantee a victim will regain access to the captive data and it provides more funds for criminals to continue their malicious activity.
Note: Some recommendations may require advanced knowledge of a security consultant or system administrator. Do not make security or system changes beyond your level of knowledge. Seek help where needed. Create a data backup and a system restore point before installing new software or making system changes.
1. Frequent Automatic Backups
Regularly back up data and verify the integrity of those backups. Backups are critical in ransomware incidents; if you are infected, backups may be the best way to recover your critical data.
Scheduled automatic data backups may be a better choice than continuous real-time backups to cloud storage. If the primary data file gets infected, real-time backups will quickly replicate the infection in the backup copy. Then, cloud storage data synchronization may send the infected files to other synced devices and overwrite good data.
Scheduled backups at night, or at key times during the work day, following peak data input, revisions or updates, may be sufficient for many home users and small businesses. If ransomware is detected, the scheduled backups may be stopped, or backup media removed to create an air gap for data protection until the infection is contained and eradicated.
Use backup software that includes file verification to ensure all files were written correctly. Monitor the backup log to check for errors during the backup process. Be aware that open files might not be saved. Where appropriate, save and close data files at the end of the work day so the latest version will be stored in nightly backups. Encrypted files may need to be backed up by the file owner, not by a backup program running as a different user.
WordPress users must backup WordPress files. Free plugins, including UpDraftPlus, may be used to save database backup copies to cloud storage.
Microsoft Outlook includes an email archive feature to save email to a local file that can be backed up. Time ranges may be selected to create email archive files covering different time periods.
Update: Acronis True Image 2017 New Generation, with Active Protection for Windows, is available by premium subscription, and includes local and cloud backup with ransomware protection by monitoring the Master Boot Record (MBR), abnormal file behavior, such as bulk file renaming, a whitelist of approved programs, a blacklist of unauthorized programs, program self-defense, and recovery of ransomware encrypted files by restoring good files from backup.
In addition, Acronis Notary technology uses a file hash value and Blockchain technology to generate a unique notary certificate to validate the file retrieved is identical to the file originally backed up.
2. Offline Backup
Secure your backups. Ensure backups are not connected to the computers and networks they are backing up. Examples might include securing backups in the cloud or physically storing them offline. It should be noted, some instances of ransomware have the capability to lock cloud-based backups when systems continuously back up in real-time, also known as persistent synchronization.
Once the backup files are written, the storage media can be set to read-only for archiving fixed-content files, so that the data cannot be modified or deleted. Many permanent files do not need to be modified by the user, only archived for recordkeeping.
Archives should include a separate manifest of file hash values used for periodic testing of file integrity, such as once a month, to confirm file count and content fixity (see ExactFile and Fixity software). File Integrity Monitoring (FIM) helps identify when data is changed or manipulated. Computed hash values, such as SHA-256 (Secure Hash Algorithm 256-bit), change dramatically, even if only a single character is changed in a file, making alteration easier to detect.
Even without malicious or accidental changes, magnetic, optical and flash memory storage media is affected by damage, degradation and bit rot over time. If one copy becomes defective, another known good copy may be used to restore data.
Some media choices for archival read-only storage are USB flash drives with a write-protect switch, (Kanguru FlashBlu30, up to 256 GB), archival grade DVD (8.5 GB) or 4-layer Blu-ray discs (128 GB), and archival M-discs that can engrave up to 100 GB on BDXL.
Cloud storage must include versioning, so older versions of files are stored, not overwritten, and not deleted automatically. Caution: Some vendors delete files older than 30, 60 or 90 days.
Encryption should be used to protect confidential files. Some USB flash drives, including the fast Lexar JumpDrive P20 (up to 128 GB), are bundled with AES 256-bit encryption software included. Unauthorized users cannot access the encrypted container on the flash drive without the password. Brute force password guessing is throttled.
Scrutinize links contained in emails and do not open attachments included in unsolicited e-mails.
Beware of fake, spoof, malware, phishing and targeted spearphishing in an unsolicited email. Hold the mouse pointer over the web link embedded in the email to reveal the target website address. Do not click on an unknown link or a shortened link.
Do not open email attachments in an unsolicited email. Files that appear to be PDF or document files may be executable malware files.
4. Do Not Download Software from Unknown Sites
Only download software – especially free software – from sites you know and trust. When possible, verify the integrity of the software through a digital signature prior to execution.
Before executing any new software download, scan it with anti-virus and anti-malware software. Check the file with VirusTotal.com to see if problems are reported by any other antivirus software. To verify file integrity, if the file is accompanied by a hash value, use hash generator software to compute the hash value on the downloaded file and compare it to the posted hash value at the source.
5. Keep Software Updated
Ensure application patches, for the operating system, software, and firmware, are up to date, including Adobe Flash, Java, Web browsers, etc.
Set the operating system and application software to do automatic updates, when available. Many free applications must be updated manually. Free utilities are available to monitor software revisions and alert the user when a new version is available.
Always use the latest version web browser to include the latest security patches.
WordPress users should promptly update to new versions of WordPress and plugins. Avoid plugins that have not been updated in many months or that are no longer supported.
Hackers study new software releases to learn the weakness that is being secured. Then they can attack current users who are vulnerable because they are negligent and still running the old insecure version.
Install the latest firmware version on mobile devices including smartphones.
6. Keep Anti-Virus and Anti-Malware Updated
Ensure anti-virus and anti-malware solutions are set to automatically update and regular scans are conducted.
Install highly rated premium internet security suite software, including anti-virus, with frequent automatic updates throughout the day to include detection of the latest threats. Relying only on threat signature detection is not adequate because sophisticated malware is learning how to avoid signature detection.
Behavioral, heuristic or anomaly detection is needed to discover abnormal behavior.
Internet security suite software includes anti-virus, email virus detection, spam and phishing blocking, anti-spyware, and web access protection from malicious or compromised websites. Some second-opinion anti-malware software is available that is compatible with anti-virus software.
MalwareBytes is popular second-opinion anti-malware software that can co-reside with anti-virus software. The free version only runs manually on demand. The premium version runs in real time and includes anti-ransomware software, based on CryptoMonitor, that was acquired by MalwareBytes. It uses proactive technology, not signatures or heuristics, to stop ransomware before it encrypts your files.
Update: IObit Malware Fighter 5 now includes an anti-ransomware engine. You can specify which data file extension types to protect, add approved programs to a whitelist, block unapproved programs on a blacklist, and see access history for protected files.
Update: Cybereason, a cyber security company, has released free software named RansomFree, a behavioral anti-ransomware tool for detecting and stopping never-before-seen ransomware.
Run scans on a frequent, automatic schedule to detect problems quickly. Enable idle-state scanning to run scans when you are away from the computer and logged off, or the computer is locked or in screen-saver mode.
Install security suite software on smartphones.
Caution: Do not rely on antivirus and antimalware protection software alone. Users must be trained to follow cyber security best practices to keep out malware and ransomware.
7. Disable Macros in Microsoft Office Files
Disable macro scripts from files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office Suite applications.
Block and do not open .docm files containing macro scripts.
Office 2016 now includes (added March 2016) a control to Block macros from running in Office files from the internet.
For Office 2013, install the Group Policy Administrative Template (ADMX/ADML) and Office Customization Tool (OPAX/OPAL) files (added October 2016).
Or, use a separate Office Viewer application with no macro support or macros disabled.
8. Block Program Execution from Common Ransomware Folders
Implement software restrictions or other controls to prevent the execution of programs in common ransomware locations, such as temporary folders supporting popular Internet browsers, or compression/decompression programs, including those located in the AppData/LocalAppData folder.
Create rules within Windows or with Intrusion Prevention Software (IPS). Programs should be allowed to run only from the usual Program Files folder where new programs cannot be installed without administrative privileges.
A management tool consists of the Software Restriction Policies (SRP) extension of the Group Policy Object (GPO) Editor snap-in, that administrators use to create and edit software restriction policies.
CryptoPrevent is a security tool that writes group policy object (GPO) restriction rules into the registry to prevent executable files in specific locations from running. Backup the registry before editing.
Additional Ransomware Considerations for Businesses
After the first 8 recommendations above, consider implementing these additional recommendations where appropriate. Some may not apply to home users and small businesses.
9. Security Training for Computer Users
Focus on awareness and training. Because end users are often targeted, employees should be made aware of the threat of ransomware, how it is delivered, and trained on information security principles and techniques.
Attend webinars and training classes on computer security. Read about security. Follow cyber security news, blogs, social media, and alerts.
Create a business Written Information Security Policy (WISP) and have all employees read and follow it. Designate a security officer as the key contact person.
10. Patch Software Quickly to Remove Security Vulnerabilities
Patch all endpoint device operating systems, software, and firmware as vulnerabilities are discovered. This precaution can be made easier through a centralized patch management system.
Patch software quickly on all user systems when vulnerabilities are found. Larger enterprise businesses may use a centralized patch management system to keep all network devices updated.
11. Restrict the Use of Administrative Accounts
Manage the use of privileged accounts by implementing the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary; they should operate with standard user accounts at all other times.
Only the system administrator should use an account with administrative privileges. All other users must use a standard user account with limited privileges to prevent an intruder from gaining access or control to restricted content or authority. The administrator must use a standard user account when not performing administrative duties. Use two-factor authentication (2FA) where available.
12. Restrict User Privileges
Configure access controls with least privilege in mind. If a user only needs to read specific files, he or she should not have write access to those files, directories, or shares.
Do not give users unneeded privileges to allow Full Control, Modify, Read & Execute, Read, and Write for files and folders if lesser privileges like read-only are sufficient. Data lookup and reference files may be stored in a read-only folder or volume.
13. Use Virtualized Environments
Use virtualized environments to execute operating system environments or specific programs.
Install software to create virtual machines (VM) in virtualized environments, providing partitions and layers of protection. Intrusion detection tools are available, an infection may be isolated, disaster recovery is quick, and forensic analysis tools including snapshots are available to study the intrusion.
14. Categorize and Store Data Separately
Categorize data based on organizational value, and implement physical/logical separation of networks and data for different organizational units. For example, sensitive research or business data should not reside on the same server and/or network segment as an organization’s e-mail environment.
Different users and departments need access to different network segments and categories of data, not all of the network or data. Critical data may be stored on a highly secure network or on a restricted air gap system with no network connection. Intrusions will be limited to affecting only some data categories or users on one network segment.
Backup copies may be stored offline in a fireproof safe or at a secure offsite or disaster recovery (DR) location.
15. Require Passwords for Web Sites
Require user interaction for end-user applications communicating with Web sites uncategorized by the network proxy or firewall. Examples include requiring users to type in information or enter a password when the system communicates with an uncategorized Web site.
Firewalls can use rules to block unauthorized access. Applications communicating with new websites that may not be categorized should require a user password or other authentication.
Secure SSL connections should be used. Users should not use mobile devices on public Wi-Fi hotspots without security suite software and an approved virtual private network (VPN).
16. Use Application Whitelisting
Implement application whitelisting. Only allow systems to execute programs known and permitted by the security policy.
Application whitelisting is intended to stop the execution of malware and other unauthorized software. Unlike security such as anti-virus software, which use blacklists to block known bad activity and permit all other activity, application whitelists are designed to permit known good activity and block all other activity.
Consider using application whitelisting technologies already built into the operating system, at least in a monitoring mode. Use the Security Policy Editor to configure the Software Restriction Policies category, under Local Security Policies, for a machine. Or, use the Group Policy Editor to configure a domain.
Expect that some ransomware may not be detected until after your data has been encrypted and a ransom note appears. Disconnect the infected devices from the network. Do not delete any files. Turn off system cleaner software. Ransomware traces are often found in temporary files and folders, needed to diagnose the problem. Do not delete any files moved to quarantine by security software.
Report the incident to the local FBI field office. Get cybersecurity or data recovery help as needed from a reputable provider.
Make an image or backup copy of the infected drive and save it before attempting data recovery. This will allow multiple attempts at data recovery if decryption fails.
Scan the malware program at VirusTotal.com or upload a small non-confidential encrypted file or ransom note file at ID-Ransomware at Malwarehunters.com to identify the strain and find out if a decrypter tool is available. Then follow the instructions for the decrypter tool. There is no guarantee that the decrypter you require will be available or that it will work. Remove the malware before decrypting or it may encrypt your files again.
If the ransomware cannot be removed, remove the infected drive. It may be repairable later when new software becomes available. For a system drive, replace it with a pre-infection clone backup. Otherwise, install a new drive and reinstall the operating system and applications.
For a data drive, replace it with a new drive and restore data files from a known good backup. Be careful not to infect backup media with ransomware. That is why read-only media is recommended for restoring files.
As a precaution, change passwords on all user accounts. Make sure the ransomware did not create a new user account or administrator account.
Strengthen security to prevent the same type of attack from happening again. Follow news for the strain to learn if a decrypter becomes available.
As anti-ransomware software improves, it will be able to detect and remove more ransomware variants.
Other Ransomware Protection
Home users and small office/home office (SOHO) businesses can build a strong defense by following cyber security best practices and some investment in hardware and software. Building a malware defense and recovery plan is much less expensive and less stressful than paying a ransom or facing permanent data loss of business files, personal records, or irreplaceable family photos and videos. Many businesses never recover from a disaster, including a data breach or data loss.
Larger enterprise businesses with a bigger budget can also hire a security consultant and use a system administrator to install more sophisticated defenses.
Other final tips:
Upgrade from stand-alone antivirus software to Internet security suite software for broader protection.
Scan files with security software before making a backup copy to prevent copying infected files.
Use a pop-up blocker on your web browser.
Use an ad blocker on your web browser to block malvertising.
In email settings, block automatic picture downloads from the Internet.
Set up an interactive firewall to approve or block outside communications.
Turn off remote access capability and Remote Desktop Protocol (RDP).
Enable the ‘Show file extensions’ option in Windows to spot potentially malicious files. Stay away from file extensions like .exe, .vbs and .scr.
Store all confidential files using military-grade 256-bit AES encryption.
VeraCrypt is free encryption software, based on TrueCrypt and improved.
Keep at least one backup computer disconnected from the network.
Split computers and devices into separate networks.
Create separate drive partitions on your primary hard disk or SSD for programs, data and media files.
Use cloning software to make a clone copy of your system hard disk or SSD periodically.
Small businesses should follow federal cyber security standard NIST IR 7621.
Use long, strong passwords to block brute force login attempts.
Log off when away from your computer.
Action Item: start or improve your ransomware protection plan. Keep several read-only data backup copies offline to restore files, after ransomware is detected and removed.
Disclaimer: Following the recommendations in this article does not guarantee protection from all ransomware or other malware. Follow cyber security best practices to minimize lost time, resources, revenue, customers and business reputation damage. Products or services mentioned are not endorsements. Conduct due diligence before purchase.
Image credits: 1,2,5,6,7,8 images from government websites, in public domain. 3,4 manufacturer product photos, Fair Use for commentary and public education, no affiliation.
About the Author
Jerry Lucas is a retired Principal Computer Hardware Design Engineer, employed with computer manufacturer Digital Equipment Corporation (DEC) for 23 years. He is currently CEO and training instructor at ABC Legal Docs, LLC, mobile notary public Colorado Springs and Colorado Notary Training. He writes educational blog posts in the Colorado Notary Blog in several categories, including technology, security, product reviews, small business, blogging, notary and legal topics, and notary history.
© Copyright 2017 ABC Legal Docs, LLC. All Rights Reserved.
Ransomware Protection and Removal
Ransomware Protection and Removal