Security Blog

Do you really want to hurt me?

Give me time to realize my crime
Let me love and steal.
I have danced inside your eyes
How can I be real.

Recently a software plague named WannaCry has brought many crucial systems to their knees. Rivers of words have been spent on EternalBlue, Microsoft patch MS17-010 and Ransomware, so I am not contributing to the flood. Instead I would like to focus on how to protect oneself from Ransomware.

Ransomware is malicious code that encrypts your files and then asks for a ransom to decrypt them.

WannaCry targets Windows systems, so we will focus on them, but many of the steps you find below apply to non-Windows systems as well.

Now, let’s see how to mitigate the possibility of a Ransomware attack with a bunch of countermeasures:

  • Install a personal firewall: this is very basic and can help prevent the software from communicating with the encrypting server
  • Monitor the network for “weird” traffic, especially if it comes from executables running out of C:\windows\temp or any of the following directories:
    • %appdata%\*.exe
    • %appdata%\*\*.exe
    • %localappdata%\*.exe
  • Block weird traffic, especially if it comes from the directories mentioned above and/or uses the following ports: 137, 139, 445 (these are the CIFS ports for Windows; if you disable them you will not be able to share files on a LAN)
  • Inventory the applications you want to run on your systems and allow only those to run, for example through a GPO (or sudo rights and SELinux on *nix systems)
  • Install and keep your antivirus up to date
  • Install OS security patches as they come out; extraordinary service windows might be scheduled for critical vulnerabilities
  • Do not open attachments that come from unknown/untrusted sources
  • Create a GPO that prevents .exe files from being executed from c:\windows\Temp and the following directories:
    • %appdata%\*.exe
    • %appdata%\*\*.exe
    • %localappdata%\*.exe
  • Create a GPO to disable the hiding of file extensions in Windows, so that executables are easier to identify
  • Verify any “weird” presence in the following Registry Keys:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • Perform periodic backups of your systems and keep them disconnected from the network; if your systems are compromised you can always restore your data from an offline backup. Please remember it must be an OFFLINE BACKUP, otherwise the malware will crawl to your online backup and encrypt that as well, and you are back at square 1.
  • Prevent unauthorized applications from establishing inbound and outbound connections in the personal firewall of every single laptop
  • Enable IPS if present on the personal firewall on the laptops and on the main firewall
  • Block .exe and .zip files in e-mails
  • Educate yourself regarding security awareness once/twice a year
  • Run the following PowerShell script to identify whether there is any other CryptoLocker malware on the system:
    • (Get-Item HKCU:\Software\CryptoLocker\Files).GetValueNames().Replace("?","\") | Out-File CryptoLockerFiles.txt -Encoding Unicode
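
An added example (not part of the original post): a PowerShell audit that combines two items from the list above, reading the Run and RunOnce keys and flagging entries that launch from %appdata%, %localappdata% or C:\Windows\Temp. The function name Test-SuspectCommand and the output columns are assumptions made for this example.

```powershell
# Added example: audit the Run/RunOnce keys from the list above for entries
# whose command line points into the directories the list flags.
$keys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories from the list above, normalised to end with a backslash so that
# "C:\Windows\Temp" does not also match "C:\Windows\Temporary".
$suspectDirs = @($env:APPDATA, $env:LOCALAPPDATA, 'C:\Windows\Temp') |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\') + '\' }

# Hypothetical helper: true when the command starts inside a flagged directory.
function Test-SuspectCommand {
    param([string]$Command, [string[]]$Dirs)
    # Expand %VAR% references and drop a leading quote before comparing prefixes.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command).Trim().Trim('"')
    foreach ($dir in $Dirs) {
        if ($expanded.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

$findings = foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }   # RunOnce is often absent
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $value = [string]$item.GetValue($name)
        [pscustomobject]@{
            Key     = $key
            Name    = $name
            Command = $value
            Suspect = Test-SuspectCommand -Command $value -Dirs $suspectDirs
        }
    }
}

# Flagged entries first; an empty table means no autorun entries were found.
$findings | Sort-Object Suspect -Descending | Format-Table -AutoSize -Wrap
```

A flagged entry is a prompt for review, not a verdict: some legitimate per-user applications also start from %localappdata%, so compare each hit against the applications you expect on that machine.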

If you get infected, you can always cross your fingers and take a look here:

https://www.nomoreransom.org/decryption-tools.html

That’s all folks! Enjoy and try to stay safe, a thing that is becoming a challenge during this epoch.
