Recommendations for Preventing Ransomware Exploitation

By James Scott, Senior Fellow, Institute for Critical Infrastructure Technology

Ever since the WannaCryptor ransomware attack, also known as WannaCry or Wcrypt, began wreaking havoc around the globe, ICIT has received a flood of inquiries from policymakers, governments, and the private sector on how organizations can defend themselves. ICIT is pleased to provide the following layered defense strategy, which every organization can implement to minimize exposure and thwart ransomware infection.

  1. Practice comprehensive cyber-hygiene
    1. Do not follow suspicious links or open attachments from unknown contacts.
    2. Rely on complex and memorable account credentials.
    3. Deploy privacy protections under the settings page of social media accounts.
    4. Hover the cursor over a link prior to clicking to ensure that the URL matches the hyperlink.
    5. Install ad-blocking and do-not-track browser extensions, such as AdBlock and DoNotTrack.
  2. Remain Current on Patches and Updates for Operating Systems and Applications.
    1. Often, applications can be configured to update automatically.
  3. Modernize systems and applications to limit reliance on out-of-support programs
    1. Antiquated systems are insecure and increasingly demand more resources to protect.
    2. When possible, invest in reliable modern technology and applications.
      1. However, in order to avoid being a “technological crash-test dummy”, wait a few months before adopting brand new operating systems and technologies. Once the first few rounds of patches have been issued, the systems should be safer.
      2. This caveat is necessitated by manufacturers’ continued refusal to incorporate security-by-design throughout the developmental lifecycle of products and services.
  4. Regularly back up systems and create restore points, preferably on multiple media.
    1. At least one backup medium should be an external system/storage device.
    2. Windows includes the option to create System Restore Points from which the user can back up and restore their PC.
      1. While sophisticated ransomware wipes restore points, many unsophisticated variants do not.
      2. To restore from a restore point, the user can boot the computer in safe mode from the boot menu (typically pressing ESC at the Windows logo during startup).
    3. Back up individual files:
      1. Copy important individual files onto external devices, via cloud storage, or email them to yourself using trusted and secure accounts.
    4. Back up the entire PC
      1. Right-click the Start button
      2. Select Control Panel, then System and Maintenance, and then Backup and Restore
      3. Do not back up files to the same partition that Windows is installed on (usually the C: drive). Use a secondary partition (e.g., the D: drive) or an external device.
      4. If you have never used Windows Backup, or if you have recently upgraded your version of Windows, select Set up backup
        1. Afterward, Windows will regularly and automatically back up the system at user-specified intervals.
        2. Otherwise, choose either Back up now or Create new, full backup
    5. Create a System Image
      1. System images are a snapshot of all the files and applications on a system at a particular time.
      2. Right-click the Start button
      3. Select Control Panel, then System and Maintenance, and then Backup and Restore
      4. Choose Create a system image in the left pane
    6. Create a Restore Point
      1. Click the Start button
      2. Select Control Panel, then System and Maintenance, and then System
      3. Navigate to System Protection in the left pane
      4. Click the System Protection tab and select Create
    7. To Restore the System to that Point:
      1. Right-click the Start button
      2. Select Control Panel, then System and Maintenance, and then Backup and Restore
      3. Select Restore my files
      4. Additional details on system restore and backup are available at: https://support.microsoft.com/en-us/help/17127/windows-back-up-restore
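The backup steps above can also be scripted. The following is an added example, not from the ICIT article, that enables System Protection, creates a restore point, and writes a full system image with wbadmin; it assumes Windows PowerShell running as Administrator, and the drive letter in $Target is an assumption to adjust to your external or secondary drive.

```powershell
# Added example (not from the ICIT article): enable System Protection,
# create a restore point, and write a full system image to an external
# drive. Assumes an elevated Windows PowerShell session.
$Target = "E:"                      # assumed external/secondary drive letter
$systemDrive = $env:SystemDrive     # e.g. "C:"

# The article warns against backing up to the Windows partition itself,
# so refuse to proceed if the target is the system drive or not attached.
if ($Target.TrimEnd('\') -ieq $systemDrive) {
    throw "Backup target $Target is the Windows partition; use another drive."
}
if (-not (Test-Path "$Target\")) {
    throw "Backup target $Target is not connected."
}

# System Protection must be enabled before a restore point can be created.
Enable-ComputerRestore -Drive "$systemDrive\"
# Note: Windows 8 and later create at most one checkpoint per 24 hours by
# default, so a second run on the same day is silently skipped.
Checkpoint-Computer -Description "Baseline $(Get-Date -Format s)" `
                    -RestorePointType "MODIFY_SETTINGS"

# Full system image of all critical volumes (the equivalent of the
# "Create a system image" step) written to the external drive.
wbadmin start backup -backupTarget:$Target -allCritical -quiet

# Confirm that the image is now listed on the target.
wbadmin get versions -backupTarget:$Target
```

Disconnect the external drive once the image is written; a backup that stays mounted is encrypted along with everything else when ransomware runs.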
  5. Install Anti-Malware (keep it current) and Configure Firewall Rules according to a whitelist
    1. Anti-malware applications are programs that automatically monitor user PCs, prevent compromises, and remove infections.
    2. Popular consumer anti-malware applications include: Malwarebytes, Trend Micro, McAfee, Norton, etc.
      1. Many applications can be configured to monitor the user system in real-time and to automatically scan the system at predetermined intervals.
    3. A firewall whitelist is a list of allowed traffic, defined by preapproved type or origin (person, network, site, etc.). All other traffic is blocked by default.
      1. YouTube tutorials can help with configuring firewall applications.
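As an added example (not part of the original article), here is a default-deny Windows Firewall configuration with an explicit allow list, built with the NetSecurity cmdlets available on Windows 8 / Server 2012 and later; it assumes an elevated PowerShell session, and the browser path is an assumed value to adjust.

```powershell
# Added example (not from the ICIT article): whitelist-style firewall.
# Everything not explicitly allowed below is dropped by default.
# Assumes an elevated PowerShell session on Windows 8 / Server 2012+.
$allowedBrowser = "C:\Program Files\Mozilla Firefox\firefox.exe"  # assumed path

# Default-deny in both directions on every profile, and log what is blocked
# so that unexpected connection attempts show up in the firewall log.
# The inbound block also covers SMB (TCP 445), the service WannaCry used
# to spread between machines.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True

# Allow list: DNS resolution, and web traffic only for the approved browser.
New-NetFirewallRule -DisplayName "Allow DNS (UDP 53)" -Direction Outbound `
    -Protocol UDP -RemotePort 53 -Action Allow
New-NetFirewallRule -DisplayName "Allow browser HTTP/HTTPS" -Direction Outbound `
    -Program $allowedBrowser -Protocol TCP -RemotePort 80,443 -Action Allow

# Review the resulting allow list; anything absent from it is blocked.
Get-NetFirewallRule -Action Allow -Enabled True |
    Select-Object DisplayName, Direction, Profile
```

With outbound traffic blocked by default, Windows Update and the anti-malware product's signature downloads also need allow rules, or the patching and anti-malware recommendations above stop working.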
  6. Never click on links or email attachments from unknown sources/senders
  7. Delete unsolicited email and mark it as spam
  8. Do not click on suspicious links, ads, or “click-bait”
  9. Employ content scanning and filtering on email and messaging clients, and on browsers
  10. Do not connect unknown external storage devices (USB, hard drive, CD, Bluetooth, etc.)
    1. In fact, disable AutoRun on the system. AutoRun is the Windows feature that automatically opens USB drives and other media the moment they are connected, which can inadvertently spread malware.
    2. To disable AutoRun in Windows 7:
      1. Click Start
      2. Select Run
      3. Type “regedit” in the Open box
      4. Locate and click the registry entry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun
      5. Right-click NoDriveTypeAutoRun
      6. Click Modify
      7. In the Value data box, type 0xFF
      8. Click OK and restart the system
    3. Procedures for disabling AutoRun in other Windows versions are detailed at: https://support.microsoft.com/en-us/help/967715/how-to-disable-the-autorun-functionality-in-windows
    4. After AutoRun is disabled, connected media can still be accessed through the Computer panel on the Start menu, rather than triggering a pop-up on connection.
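The registry edit above can be audited and applied from PowerShell. This added example is not from the ICIT article; it assumes an elevated Windows PowerShell session so the machine-wide HKLM value can be written in addition to the per-user HKCU value the steps describe.

```powershell
# Added example (not from the ICIT article): audit and remediate the
# NoDriveTypeAutoRun policy value that the steps above edit by hand.
# 0xFF disables AutoRun for every drive type. Assumes an elevated session
# so that the machine-wide (HKLM) value can be set as well as HKCU.
$policyPaths = @(
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
)
$name    = "NoDriveTypeAutoRun"
$wantVal = 0xFF

function Test-AutoRunDisabled {
    # Report, per hive, whether the policy value is already 0xFF.
    foreach ($path in $policyPaths) {
        $current = (Get-ItemProperty -Path $path -Name $name `
                    -ErrorAction SilentlyContinue).$name
        $state = if ($current -eq $wantVal) { "disabled" }
                 else { "ENABLED (current value: $current)" }
        "{0} AutoRun {1}" -f $path.Substring(0, 4), $state
    }
}

function Disable-AutoRun {
    # Create the Policies\Explorer key if absent, then write the DWORD.
    foreach ($path in $policyPaths) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name $name -Value $wantVal -Type DWord
    }
}

Test-AutoRunDisabled
Disable-AutoRun      # takes effect after sign-out or restart, as in step 8
Test-AutoRunDisabled
```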
  11. If a ransomware infection occurs, do not pay the ransom
    1. There is only a limited chance that the attacker will actually unlock the system.
      1. Some ransomware, such as the May 2017 WannaCry ransomware, does not even contain a decryption mechanism or a technical procedure for identifying which victim has paid the ransom.
    2. Paying ransoms encourages attackers to broaden their campaigns, and it inspires new threat actors to launch additional attacks because the campaigns are seen as profitable.
    3. Paying ransoms funds the development of nascent malware and ransomware and, by encouraging new campaigns, increases the likelihood that others will be victimized. It may even fund terrorism, cyber-criminal attacks, or adversarial nation-state efforts.
    4. Contact the proper authorities/personnel
    5. Restore the system from the latest external backup
