Home / Blog / Ransomware: preventative measures (I)

Ransomware: preventative measures (I)

Posted on 09/21/2021, by INCIBE
Ransomware: preventive measures (I)

Ransomware is a type of malicious program that aims to render infected computers unusable by encrypting their local files or those stored on network drives connected to them. This is mainly done for financial gain, by demanding that victims pay a ransom in exchange for decryption. These attacks prevent the computer from functioning correctly, causing a denial of service at both a system and information level, as the system is rendered unusable and the information inaccessible.

In other situations, the attacker may act for non-financial motivations as seen in cyberattacks motivated by political or social grievances, also known as hacktivism.

Since the first evidence of the use of ransomware was discovered in 1989, this malware has evolved and adapted to all current platforms like Windows, Mac and Android, allowing diverse families such as Petya, WannaCry, Maze or Ryuk to be developed and distributed on the black market through Ransomware-as-a-service (RaaS) platforms.

To minimize the infection risk or mitigate the consequences of a ransomware attack, as is the aim of this blog article, it is recommended to take certain preventive measures that will be explained below, grouped by blocks.

Hardening the operating system

Disabling Autorun of external drives

Autorun is a function that allows a program or file stored on a removable drive or CD/DVD to be automatically launched when it is connected, which could allow a virus or malware to open or install programs without the user being aware. Autorun parameters are set in the file autorun.inf.

Eliminating the use of shared drives and notepads

If the remote control function, accessible from the outside, is enabled on the computer, then shared drives and notepads can be used by attackers in their scripts with dictionaries and tools to obtain the correct user credentials. An example of this is the malware Dharma: as soon as it has control of the computer, it is able to download different payloads on to it using shared drives or notepads.

Controlling file access

Apply restrictive access rules for reading and modifying folders means that they cannot be changed by unauthorised software. This provides extra security against encryption by ransomware. In the Windows 10 operating system, this function is found in the Windows Defender Security Center

Applying the least functionality principle

Disabling all the unnecessary operating system components, especially ‘services’ in Windows such as the remote desktop, will reduce the number of possible vectors of entry for the ransomware.

Protecting PowerShell remote communication

The PowerShell command-line interface (CLI) allows commands to be written and executed through script generation, so is often used for the automation of tasks, allowing interaction with both the operating system and other Microsoft programs (Exchange, SQL Server or IIS).

In Windows 10, this command-line interface is enabled by default for all users. If it not needed, it is recommended to disable script execution in PowerShell through GPO o completely restrict access to the CLI, as malicious actors use PowerShell to spread malware on the network, usually via office documents with macros.

Disabling the Windows Script Host

Windows Script Host (WSH) is responsible for executing files commonly known as 'macros', such as JScript and VBScript files, which are widely used to deploy malware on computers.

Therefore, it should be assessed which users need to run such scripts and which do not. If it is not needed, the best option is to disable WSH. If it is needed, then protection measures should be implemented using Endpoint Detection and Response (EDR) tools such as CrowdStrike Falcon, or Cytomic Orion.

Disabling the macros of Office files sent by email

Microsoft Office's default 'protected mode' prevents macros in an Office document from running automatically without user approval. However, on occasion malicious actors are able to trick users into disabling ‘protected mode’ and run macros. An example of a deception technique consists of a malicious Word document that is somewhat confusingly formatted, with strange characters and a legible note that reads something similar to: ‘If this document is incorrectly formatted, please enable macros’.

For this threat, the best measure is to disable macros following a group policy if they are not needed, or to enable Microsoft Office's 'read-only mode'. It is important not to change the mode until the document has been confirmed to be completely clean.

Enabling file extension display

File extensions allow the user to see what type of document they are opening. They are therefore very useful for preventing possible ransomware attacks, as these usually use files with two different extensions in their names, pretending to be office files when in fact they are executable files.

Control via the Windows Event Viewer

The Event Viewer allows potentially dangerous IP addresses to be determined by means of the RDP access log, which is identified with the code 1149. In this documentation, the account and IP under which the access has been registered are indicated.

Using allow lists

The correct configuration of firewall rules enables allow lists or block lists based on IP addresses to be created. In this way, the use of a particular service by specific teams can be monitored. The procedure for setting up the above filtering is different depending on the OS used:

  • In Windows: Access ‘Windows Defender Firewall’ and select ‘Windows Defender Firewall with advanced security’. Next, right-click on ‘Input Rules’ and select ‘New Rule’.:

Creación de reglas de Firewall en Windows

Figure 1. Creating Firewall rules in Windows

A new window will open, select the personalisation option, indicating in the next window all the programs. The recommended configuration is the following:

Protocol type: TCP
Protocol number: 6
Local port: specific ports, specifically 3389 (default port for RDP)
Remote port: all ports

It is also advisable to also add SMB port 445 by default, as it has also been used in ransomware attacks, albeit to a lesser extent, as has 3389.

Next, choose whether you need to create block lists or allow lists. The latter are more reliable as the attack can only be carried out if the attacker has access to an allowed IP. In the case of a block list, an attack would only be averted if the list explicitly includes the attacker's IP.

Elección de IP a permitir

Figure 2. Selecting allowed IPs

Finally, add the IP addresses with access permission to the list and allow connection. It is also necessary to designate a name for the new rule created. If you want to verify that the rule created fulfils its purpose, you can perform a scan of the IP being used, checking which ports you have access to and which you do not, using a specific IP scanning tool

Herramienta de escaneo de puertos online

Figure 3. Online port scanning tool

  • In Linux (Ubuntu): Of the multiple firewall solutions for Linux distributions, one of the most popular is UFW. The process to block or allow connections requires the following steps, executing all or some of the commands:
sudo ufw enable //First, to activate the firewall in Linux:

sudo apt-get install ufw //If it is not installed by default, install it via: 

sudo ufw allow/deny [port]/[protocolo(TCP o UDP)] //To open of close a port

sudo ufw allow/deny from [dirección IP] //To allow or deny IP connections

sudo ufw allow from [dirección IP] to any port [port] //To specify a particular port
  • In Mac: Apple computers have their own firewall, on their official support page there is a guide for its use..

Apart from firewall solutions, there are also allow list applications. These apps only allow the execution of those resources that have a digital signature or certificate, the latter being self-signed certificates or certificates issued by an external certification authority (CA).

For this type of filtering, it is necessary to have a system in place that is capable of cataloguing software and has access control, restricted to users with special permissions, to manage its use.

There are many versions of this type of app available; among them AppLocker, Bit9 Parity Suite, McAfee Application Control or Lumension Application Control stand out.

Restricting software by policy

To uniformly restrict the use of a certain software on multiple computers, the best option is to use a GPO configuration in Windows, i.e., Windows Policies, which can be applied via the Local Security Policy; or Group Policies, via Windows Active Directory. In doing so, the following guidelines should be considered:

  • Start with the software restriction policy, and right-click on the 'new path rule' option, which will filter by file type and indicate the desired directory for this new policy.
  • After creating this new policy, check that it is working correctly by running the desired program in the path indicated in the policy. If the policy is configured correctly, a pop-up window should appear indicating that the program is blocked by the policy.
  • After installing the policy, if an attempt is made to execute a binary file from that path, an alert and a corresponding event will be generated.

If you are working in a Linux environment (Ubuntu), the simplest way to restrict the execution of a program to a user or group of users is to use the 'chmod' command:

  • Overview of assigning permissions with 'chmod':

Asignación permisos en Ubuntu

Figure 4. Assigning permissions in Ubuntu Source: metaphlex

  • To assign read, write and execute permissions for the current user; assign read and execute permissions for the current user group; and completely deny access to all other users, the following statement can be used:

chmod 750 [file to modify permissions]
  • In contrast to the above, with this other command, the rest of the users have read permission.

chmod 754 [file to modify permissions]
  • Lastly, here is a link to a complete guide to the ‘chmod’ command.

System hardening

Periodic security audits

Security audits help to maintain control over an environment’s weaknesses. This should be done periodically, both externally, to assess the exposure of equipment and services published on the internet, and internally, to gain detailed understanding of vulnerabilities that may affect non-published devices.

Policy of updates

It is recommended that the software and firmware of all systems be kept up to date to prevent breaches from potentially malicious websites using Web Exploit Kits or malicious files spread through emails or social media. The most-used resources for ransomware attacks are old versions of Java or Adobe Acrobat, among others.

For this method of protecting systems, patch management is essential, as patches seek to improve and correct computer problems more efficiently and faster than updates, especially in environments with a high volume of computers. For this task there are patch management tools such as TOPIA and Ninja RMM.

It is also important to establish an order of update priority, from most to least important. In this way, if there is a ransomware attack, the most critical computers will be protected. The order of criticality will depend on each infrastructure and can be assessed by performing a risk assessment, considering individually the impact of losing the information or service of a system.

Strong identification and authentication controls of user accounts

It advisable to create strong passwords and change them periodically. Some guidelines to follow are:

  • The password should be at least 8 characters long.
  • Combine letters and numbers.
  • Use both upper- and lower-case letters.
  • Include special characters.
  • Do not use recognisable words.
  • Do not use personal information (pet names, birthdays etc.)
  • Do not use the same password on several computers or registers.
  • Limit the number of access attempts

After applying the above, it is possible to check on some websites how strong the created password is and the estimated time it would take for a brute force attack to crack it. After checking it, it is advisable to change it again to avoid using exactly the same password.

Having a strong password reduces the risk of theft by techniques such as:

  • Brute force attacks, where several attempts are made trying different character combinations;
  • dictionary attacks, using lists of the most often used credentials (admin/admin or root/toor) and the use of default passwords;
  • and attacks using rainbowtables that use the precalculated hash values of possible passwords.

As well as passwords, the authentication methods used are also important. These can be grouped in three families:

  • Something you know, for example a password or PIN.
  • Something you possess such as a credit card or an RSA token.
  • Something you are (biometric authentication), such as hand configuration or fingerprint.

If at all possible, it is recommended to combine more than one method to prevent someone who knows your password from accessing the computer or the information.

Finally, implementing a policy that temporarily locks user accounts after a logon limit is reached, performing periodic user reviews, or implementing password rotation also help to increase security.

Restriction on the use of administrative accounts

Unless absolutely necessary, limiting the use of the administrator user by applying the principle of least privilege to system operators, is a measure that would prevent the entry and spread of malware. For this, there must be a proper match between credentials and permissions assignment, so that the execution ability of a 'normal' user perfectly limited compared to that of a user with administrative privileges. Administration permissions present a security problem when they allow the free execution of programs or access to sensitive directories.

Email security

Email is one of the main vectors of entry for ransomware attacks, as the malware could be present as an attached file, either executable or embedded in a Microsoft Word macro. Due to this, it is important to implement filter policies for all email files, such as a sandbox to analyse suspicious files in a safe way. Files with extension .ps2, .bat or .vba are not usually sent via email and blocking them is a way to avoid bigger problems.

Another course of action is to prevent malicious emails directly using anti-spam filters. These filters can act in several ways, the most common of which is to filter emails by domain, which allows emails from undesirable domains to be blocked. Other methods include the detection of fraudulent links or sensitive words in the email.