What is Ransomware?

Ransomware is a type of malware that restricts the user's access to their computer system and then demands that the victim pay a ransom to regain access to the system or to get their data back.  Some forms of ransomware encrypt files on the system's hard drive and require the user to pay a ransom for the key needed to decrypt them.  Other forms simply lock the system and display messages intended to coax the user into paying.

How do I get infected?

Ransomware typically propagates as a trojan whose payload is disguised as a seemingly legitimate file.  It is frequently downloaded unintentionally by users visiting malicious or compromised websites, and it also arrives in spam email as a malicious attachment.

What can I do to prevent it?

  • Prevent Execution of Files in %AppData% Directories

Most large-scale ransomware runs rely on either exploit kits or spam engines.  In both cases, the malware usually has to be written to and executed from a user-writable location such as %AppData% or another temporary directory in the user's profile, because that is where a browser download or an opened attachment lands.  It is possible to prevent binaries in these directories from executing via Group Policy or Local Security Policy, using Software Restriction Policies, so that when a user double-clicks on Invoice.exe the malware does not run.  The advantage of doing this is that it also blocks other malware families that use the same drop locations.
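The following is an added example, not part of the original page: it creates the Software Restriction Policy path rules described above by writing the same registry keys that the Local Security Policy snap-in (secpol.msc) writes, so the result is visible and editable there afterwards.  It assumes a single machine and an administrative PowerShell session; for a domain you would put the same rules in a GPO.  The list of blocked paths is this example's own choice, based on where browser downloads and archive extractions land, and should be adjusted for software your organisation legitimately runs from these folders.

```powershell
# Added example (not from the original page): Software Restriction Policy rules that
# block executables launched from %AppData%, %LocalAppData% and the temp folders that
# Explorer and common archivers extract into. Run as Administrator.
$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed   = 0        # SRP security level "Disallowed"   (rules live under key "0")
$unrestricted = 262144   # SRP security level "Unrestricted" (0x40000)

# Path rules to place at the Disallowed level. '*' is the SRP wildcard and environment
# variables are expanded by SRP at enforcement time. This list is an assumption.
$blockedPaths = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe',
    '%Temp%\*.zip\*.exe',   # executables run straight out of a zip opened in Explorer
    '%Temp%\Rar*\*.exe',    # WinRAR extraction folder
    '%Temp%\7z*\*.exe',     # 7-Zip extraction folder
    '%Temp%\wz*\*.exe'      # WinZip extraction folder
)

# Base policy: everything stays Unrestricted except what the path rules below block.
New-Item -Path $safer -Force | Out-Null
Set-ItemProperty -Path $safer -Name 'DefaultLevel'        -Value $unrestricted -Type DWord
Set-ItemProperty -Path $safer -Name 'TransparentEnabled'  -Value 1 -Type DWord   # 1 = all software files except DLLs
Set-ItemProperty -Path $safer -Name 'PolicyScope'         -Value 0 -Type DWord   # 0 = applies to local administrators too
Set-ItemProperty -Path $safer -Name 'AuthenticodeEnabled' -Value 0 -Type DWord
Set-ItemProperty -Path $safer -Name 'ExecutableTypes' -Type MultiString -Value @(
    'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP',
    'LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC')

# Each rule is a GUID-named subkey under <level>\Paths with the path in ItemData (REG_EXPAND_SZ).
$rulesKey = Join-Path $safer "$disallowed\Paths"
New-Item -Path $rulesKey -Force | Out-Null
foreach ($p in $blockedPaths) {
    $ruleKey = Join-Path $rulesKey ('{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name 'ItemData'     -Value $p -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name 'SaferFlags'   -Value 0  -Type DWord
    Set-ItemProperty -Path $ruleKey -Name 'Description'  -Value 'Block droppers run from user-writable directories' -Type String
    Set-ItemProperty -Path $ruleKey -Name 'LastModified' -Value (Get-Date).ToFileTime() -Type QWord
}

# Show the rules now in place. They take effect at next logon (or after gpupdate /force).
Get-ChildItem $rulesKey | ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData }
```

To check the result, log on as a standard user, copy any harmless .exe into %AppData% and launch it; the expected outcome is the "This program is blocked by group policy" dialog, and an SRP event (source SoftwareRestrictionPolicies) in the Application log.  Pilot the rules before deploying widely: some legitimate software installs per user under %LocalAppData% and needs an Unrestricted path or hash rule (under the 262144\Paths key) to keep working.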

  • Fully Patched Systems, Java, Shockwave, Flash (et al)

Exploit kits rely on vulnerabilities on the client machine to get malware to execute.  Usually this involves vulnerabilities in Java, Shockwave, Flash, and Adobe Reader.  Windows itself is now usually configured to receive updates automatically through Windows Update, but the third-party plugins have lagged behind; it wasn't until recently, for instance, that Flash integrated an auto-updater.  Making sure these are kept updated will prevent most exploit kits from being successful.  That being said, exploit kits occasionally do use 0-day exploits, but it is a relatively rare occurrence.
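As an added example (not from the original page), the script below inventories the installed versions of the plugins named above by reading the Windows uninstall registry keys, and flags a host where more than one Java release is present.  Older Java installers left the previous release in place, so a machine that shows the current version can still carry an old, exploitable JRE.  The display-name patterns are this example's assumption; extend them for any other plugin you track.

```powershell
# Added example (not from the original page): inventory exploit-kit targets on a host.
function Get-PluginInventory {
    # Both native and 32-bit-on-64-bit uninstall hives; plugins are frequently 32-bit.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    # Display names as they appear in Programs and Features, e.g. "Java 7 Update 51",
    # "Adobe Flash Player 15 ActiveX", "Adobe Shockwave Player 12.1", "Adobe Reader XI".
    $targets = '^(Java(\(TM\))?\s*\d|Adobe Flash Player|Adobe Shockwave|Adobe Reader|Adobe Acrobat Reader)'

    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $targets } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName
}

$inventory = Get-PluginInventory
$inventory | Format-Table -AutoSize

# More than one Java entry almost always means stale releases left behind by upgrades.
$java = @($inventory | Where-Object { $_.DisplayName -like 'Java*' })
if ($java.Count -gt 1) {
    Write-Warning ('{0} Java installations present; remove the stale ones: {1}' -f
        $java.Count, (($java | ForEach-Object { $_.DisplayVersion }) -join ', '))
}
```

Run it across a sample of workstations (for example via Invoke-Command) and compare the reported versions with the vendors' current releases; anything older than the latest security update is exactly what an exploit kit's landing page probes for.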

  • Disable E-mails with Executable Attachments

Many ransomware emails carry an executable as the attachment; simply blocking e-mails with executable attachments at the mail gateway will prevent users from ever receiving them.  Also look for attachments with "double file extensions" (for example Invoice.pdf.exe, which Windows displays as Invoice.pdf when extensions for known file types are hidden).  Another common trick is a zip attachment that contains an executable or an HTML document (which uses other tricks to download an executable).  Teaching users to spot these abnormal e-mails so they do not open the attachments is key.
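As an added example, and not from the original page, the transport rules below implement the three checks just described on an Exchange mail system.  They assume an Exchange 2013 or later (or Exchange Online) management shell session; the rule names, the rejection texts, the extension list and the review mailbox attachment-review@example.com are this example's own choices.

```powershell
# Added example (not from the original page): Exchange transport rules against
# ransomware attachments. Run in an Exchange Management Shell with rights to create rules.

# 1. Reject attachments whose content is executable, whatever the file is called.
#    Content inspection catches a renamed .exe that an extension list would miss.
New-TransportRule -Name 'Block executable attachments' `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText 'Executable attachments are not accepted by this organisation.' `
    -Priority 0

# 2. Reject "double extension" names such as Invoice.pdf.exe or Scan.jpg.scr:
#    a document-looking extension immediately followed by an executable one.
$dangerous = 'exe|scr|pif|com|bat|cmd|js|jse|vbs|vbe|wsf|hta|cpl'
New-TransportRule -Name 'Block double-extension attachments' `
    -AttachmentNameMatchesPatterns "\.(pdf|doc|docx|xls|xlsx|jpg|txt|htm|html)\.($dangerous)`$" `
    -RejectMessageReasonText 'Attachment names with a disguised executable extension are not accepted.' `
    -Priority 1

# 3. Archives are too common to reject outright, but they are the usual wrapper for the
#    executables and .html droppers described above, so divert them to a review mailbox.
#    Password-protected archives cannot be inspected at all, so treat them the same way.
New-TransportRule -Name 'Review archive attachments' `
    -AttachmentExtensionMatchesWords 'zip','rar','7z' `
    -RedirectMessageTo 'attachment-review@example.com' `
    -Priority 2
New-TransportRule -Name 'Review password-protected attachments' `
    -AttachmentIsPasswordProtected $true `
    -RedirectMessageTo 'attachment-review@example.com' `
    -Priority 3

# Confirm the rules and their evaluation order.
Get-TransportRule | Sort-Object Priority | Select-Object Priority, Name, State
```

Rules are evaluated in priority order and the reject rules stop further processing, so the executable checks are placed first.  The redirect rules will also catch legitimate business archives, which is why a staffed review mailbox, rather than silent deletion, is the sensible action for them.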

  • Maintaining Strong Backups

The importance of strong backups cannot be overstated.  If a ransomware infection happens, there are realistically only two choices for the organization: restore from backup or pay the ransom.  Backups only help if the ransomware cannot reach them: it will encrypt any mapped network drive or writable share the infected user can see, so keep at least one copy offline or otherwise unreachable from the workstation, and test restores regularly.  If such backups are available, recovery may be a hassle, but the eye-popping ransom demands are no longer the only path to a full recovery.

  • Use of "Vaccines"

All ransomware families need some mechanism to ensure that a victim machine is not encrypted a second time under a different key.  A typical mechanism is to store the public key (or a victim identifier) in the registry or in another artifact so that subsequent infections, or repeated executions of the same malware binary, reuse the originally obtained key.  There have been attempts to create vaccines that exploit this need of the attackers by pre-creating the artifact, so that the malware believes the machine is already infected.  Because such vaccines are tied to the artifact one family uses in one version, they stop working as soon as the family changes it, so they are at best a supplement to the controls above and warrant investigation on a case-by-case basis to see if they provide value.