If you’re like me and don’t have direct control of your own email filtering, or want to go a step beyond, you’re going to want a way to prevent non-PE viruses from running. Software Restriction Policies are good for this if you’re using them in a whitelist capacity, provided that you’ve also added the extension to the Designated File Types. From a blacklist standpoint it’s tougher.
Another way to approach the problem is to change the default program to open a particular file extension, and if nothing else it’s another layer of security. This has come up in response to .js-powered ransomware variants and, most recently, a .hta variant of Locky.
The policy is as follows:
User Configuration -> Preferences -> Control Panel Settings -> Folder Options -> Open With
File Extension: hta
Associated Program: %windir%\system32\notepad.exe
Set as default: Enabled.
Enabling this policy and setting it to open in Notepad also benefits you because the end-user will still have something unusual (but now harmless) pop-up, a Notepad window that is full of dangerous-looking stuff. With any luck, they’ll notify the helpdesk so they can clean the system up.
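To confirm the preference actually landed on a workstation, here is an added PowerShell check (not from the original post) that resolves which program the registry currently hands .hta to for the logged-in user; the key paths are the standard Explorer/HKCR locations, and the mshta.exe-versus-notepad.exe reading in the comments is my assumption about what you want to see.

```powershell
# Added example (not from the original post): report which program currently handles
# an extension for the user running it, so you can confirm the Open With preference
# actually applied. Checks the per-user override first, then the machine-wide ProgId.
function Get-ExtensionHandler {
    param([Parameter(Mandatory)][string]$Extension)   # e.g. ".hta"

    $result = [ordered]@{ Extension = $Extension; ProgId = $null; Command = $null; IsNotepad = $false }

    # 1. Per-user choice (what Explorer's Open With / Default Programs writes; wins over HKCR)
    $userChoice = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Extension\UserChoice"
    if (Test-Path $userChoice) {
        $result.ProgId = (Get-ItemProperty $userChoice).ProgId
    }

    # 2. Machine-wide ProgId, the same thing 'assoc .hta' prints (htafile by default)
    if (-not $result.ProgId) {
        $result.ProgId = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$Extension" -ErrorAction SilentlyContinue).'(default)'
    }

    # 3. Resolve the ProgId to its open command ('ftype htafile' shows the HKCR one)
    if ($result.ProgId) {
        $cmdKey = "Registry::HKEY_CLASSES_ROOT\$($result.ProgId)\shell\open\command"
        if (Test-Path $cmdKey) {
            $result.Command = (Get-ItemProperty $cmdKey).'(default)'
        }
    }
    # mshta.exe means the file would still execute; notepad.exe means it is only displayed
    $result.IsNotepad = [bool]($result.Command -match 'notepad\.exe')
    [pscustomobject]$result
}

# Run this in the session of the user you want to verify (HKCU is per user)
Get-ExtensionHandler -Extension '.hta' | Format-List
```

If IsNotepad comes back False after a gpupdate, the per-user key is the first place to look, since it overrides the HKCR mapping.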
So I have a code offering today, which I’m calling DangItBobby.ps1. It lets you remotely disable the NIC of a computer given only the username that is logged in. In essence, when in the middle of a ransomware infection, and you see that the owner of all the files is changing to Bobby, you run the script and provide credentials of a local admin account. Then you tell it you’re looking for Bobby; it’ll check AD to make sure that’s a valid account, then check with WMI to see if there’s an explorer.exe process running under Bobby’s context on each computer, which you can narrow down by giving the first few characters of the workstation name. If they’re logged into multiple workstations it’ll let you choose which one to work with. Then it’ll give you a list of NICs and a little information about each one, and let you choose which one to disable.
I hope I don’t need to tell you to be careful running this.
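The core of what the post describes, as an added example (this is not DangItBobby.ps1 itself): confirm the account in AD, find the workstation where that user owns an explorer.exe via WMI, list the enabled NICs, and disable one only after an explicit confirmation. It assumes the ActiveDirectory module is available, DCOM/WMI is reachable, and $Credential is a local admin on the targets.

```powershell
# Added example (not DangItBobby.ps1): locate the workstation a user is interactively
# logged on to, then list and optionally disable its NICs for containment.
# Assumes the AD module, WMI/DCOM reachability and a local-admin $Credential.
function Find-UserWorkstation {
    param(
        [Parameter(Mandatory)][string]$UserName,        # sAMAccountName, e.g. "bobby"
        [Parameter(Mandatory)][string]$NamePrefix,      # e.g. "WKS-" narrows the AD computer search
        [Parameter(Mandatory)][pscredential]$Credential
    )
    # Throws (ADIdentityNotFoundException) if the account does not exist, before touching any host
    $null = Get-ADUser -Identity $UserName -ErrorAction Stop

    $computers = Get-ADComputer -Filter "Name -like '$NamePrefix*' -and Enabled -eq 'True'" |
                 Select-Object -ExpandProperty Name
    foreach ($c in $computers) {
        try {
            $shells = Get-WmiObject -Class Win32_Process -Filter "Name='explorer.exe'" `
                                    -ComputerName $c -Credential $Credential -ErrorAction Stop
        } catch { continue }   # offline or RPC blocked: skip it and keep searching
        foreach ($p in $shells) {
            $owner = $p.GetOwner()   # Domain + User of the interactive session that owns the shell
            if ($owner.ReturnValue -eq 0 -and $owner.User -eq $UserName) {
                [pscustomobject]@{ Computer = $c; User = "$($owner.Domain)\$($owner.User)" }
                break
            }
        }
    }
}

function Get-EnabledNic {
    param([Parameter(Mandatory)][string]$Computer, [Parameter(Mandatory)][pscredential]$Credential)
    Get-WmiObject -Class Win32_NetworkAdapter -Filter "NetEnabled=True" `
                  -ComputerName $Computer -Credential $Credential |
        Select-Object DeviceID, Name, MACAddress, NetConnectionID
}

function Disable-NicById {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]   # prompts unless -Confirm:$false
    param([string]$Computer, [string]$DeviceID, [pscredential]$Credential)
    $nic = Get-WmiObject -Class Win32_NetworkAdapter -Filter "DeviceID='$DeviceID'" `
                         -ComputerName $Computer -Credential $Credential
    if ($PSCmdlet.ShouldProcess("$Computer / $($nic.Name)", "Disable NIC")) {
        $rc = ($nic.Disable()).ReturnValue   # 0 = success
        [pscustomobject]@{ Computer = $Computer; Nic = $nic.Name; ReturnValue = $rc }
    }
}
```

Typical flow: Find-UserWorkstation, pick one result, Get-EnabledNic on it, then Disable-NicById with the chosen DeviceID; the high ConfirmImpact is deliberate so a typo in the prefix cannot take a machine off the network silently.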
When I first started fighting ransomware in late 2013, I had a premonition that this was something serious. While CryptoLocker was rather easily defeated in the enterprise and ultimately killed by killing the botnet, media outlets and tech sites ran with the story. It showed this small group making millions and millions of dollars. Guess what? More people started writing ransomware.
Cut to now. Ransomware-as-a-service is a real thing you can buy, some variants have live chat support to receive payment, and we routinely see new versions with bugfixes and feature-adds. One of the last major flaws in ransomware, the inability to enumerate non-mapped network shares, was overcome in the latest Locky build, which calls WNetOpenEnum() to attempt to traverse every share on the network.
For several years, the endgame was more abstract. Hit the PC with your rootkit, join it to your botnet, sell botnet access to spammers for a fee. Now they can cut out the middle man and have less overhead, since there’s not a need for constant command-control oversight. It’s a path to riches hampered only by the still-high knowledge barrier to acquire and send bitcoin. And by affecting the user’s files, rather than a popup about the FBI or TotesLegit AntiVirus which can simply be fixed by backing up the data and nuking the PC, you’ve got them at your mercy.
This is going to get worse way before it gets better. You’ll see builds that try to invoke APIs for popular cloud storage providers to delete the versioning. They’ll find ways to avoid taking ownership of a file to quickly spot the vector of infection. While it’s almost impossible to be truly proactive to effectively block ransomware, there are things that can be done.
- Avoid mapping your drives and hide your network shares. WNetOpenEnum() will not enumerate hidden shares. This is as simple as appending a $ to your share name.
- Work from the principle of least permission. Very few organizations need a share whereby the Everyone group has Full Control. Delegate write access only where it’s needed, don’t allow them to change ownership of files unless it’s a must.
- Be vigilant and aggressive in blocking file extensions via email. If you’re not blocking .wsf, or scanning the contents of .zip files, you’re not done. Consider screening ZIP files outright. Consider if you can abolish .rtf in favor of .docx, which cannot contain macros.
- Install ad-blockers and script-blockers as standard loadout. Drive-by malware is out of control right now. Cut off the vector of infection. I use uBlock Origin which is easy to disable case-by-case and offers niceties like element blockers.
- Install the old CryptoLocker Software Restriction Policies, which will block some rootkit-based malware from working effectively. You can create a similar rule for %LocalAppData%\*\*.exe as well. It was pointed out in the reddit comments that, if it’s at all feasible, you should run on a whitelist approach instead of a blacklist. It’s more time-intensive but much safer.
- Stay up-to-date on the latest ransomware news, how they operate, and what the decrypt instruction filenames are. These can be added to file screens with FSRM to execute a command to kill the share. Simply disabling the affected user is not enough without also forcing them to log off.
- Backups. Having good, working, versionable, cold-store, tested backups makes this whole thing a minor irritation rather than a catastrophe. Even Windows Server Backup on a Wal-Mart External USB drive is better than nothing. Crashplan does unlimited versioned backups with unlimited retention at a flat rate, and there’s a Linux agent as well. Hell, Dropbox does versioned backups. Get something.
- [Added 5/12/2016] For some non-program (non-PE) viruses, you can change the default behavior of some extensions to open in Notepad rather than the original vulnerable target. A guide is here.
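The FSRM file screen from the list above, as an added example (not from the original post): a file group of ransom-note filenames, a command action that tears down the share the moment one is written, and an event-log entry for the helpdesk. The share path D:\Shares\Data, the share name Data and the three filename patterns are placeholders; the real patterns come from whatever variant is current.

```powershell
# Added example (not from the original post): FSRM file screen that reacts to a known
# decrypt-instruction filename by killing the share and logging who wrote it.
# Assumes the FSRM role feature is installed; the share path, share name and patterns
# below are placeholders you replace with your own.
Import-Module FileServerResourceManager

# Keep this list current with the decrypt-instruction names you see in the news
$notePatterns = @('_HELP_instructions.html', '*DECRYPT*.txt', 'HELP_YOUR_FILES.*')

$group = New-FsrmFileGroup -Name 'Ransomware note filenames' -IncludePattern $notePatterns

# Containment: drop the share so the infected host loses its write path.
# net.exe runs as LocalSystem; /y suppresses the "users have open files" prompt.
# RunLimitInterval 0 means it fires on every hit rather than once per default interval.
$killShare = New-FsrmAction -Type Command `
    -Command 'C:\Windows\System32\net.exe' `
    -CommandParameters 'share Data /delete /y' `
    -SecurityLevel LocalSystem `
    -RunLimitInterval 0

# Evidence: [Source Io Owner] is the account that wrote the file, i.e. the "Bobby"
# whose session you then go and take off the network.
$logIt = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Ransom note [Source File Path] written by [Source Io Owner]; share Data removed'

# -Active blocks the write itself as well as firing both notifications
New-FsrmFileScreen -Path 'D:\Shares\Data' -IncludeGroup $group.Name -Active `
    -Notification @($killShare, $logIt)
```

Test it with a harmless file named to match one of the patterns before relying on it, because a pattern that matches legitimate documents will take the share down just as happily.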
Ransomware has evolved a lot in just a couple of years, and the end is nowhere in sight. Get your defenses up, and know the enemy. There’s a lot less heartache doing the prevention before you’re hit than after.