Ransomware is a type of malware that infects and locks a computer until the user pays a fee to regain access to the data. Paired with server-side polymorphism and industry-grade delivery infrastructures, the malware can enter a system through a malicious downloaded file, a vulnerability in a network service, or even a text message. Some of the most notable examples of ransomware are CryptoLocker, CryptoWall, WannaCry, and Petya.
In the case of encrypting ransomware, local files are usually encrypted with a randomly generated key pair associated with the infected computer. The public key is copied to the infected computer, while the private key can only be obtained by paying for it within an allotted amount of time. If the payment is not made, the attackers threaten to delete the private key, leaving no way to decrypt and recover the locked files.
One of the most common infection vectors is drive-by attacks through malicious ads on legitimate websites, but ransomware has also been known to spread through infected downloaded apps.
Because of the technology limitations that prevent users from retrieving the decryption key without paying the ransom, the best way to protect against the effects of ransomware is to not get infected in the first place. Ransomware infection can be limited and sometimes prevented with a few best practices:
1. Use an updated antivirus
Use an anti-malware solution with anti-exploit, anti-malware, and anti-spam modules that is constantly updated and able to perform active scanning. Make sure you don’t override the optimal settings and that you update it daily.
2. Schedule file backups
Regularly back up your files either in the cloud or locally so data can be recovered in case of encryption. Backups should not be stored on a different partition in your PC, but rather on an external hard drive that is connected to the PC for the duration of the backup only.
3. Keep Windows up to date
Keep your Windows operating system and your vulnerable software – especially the browser and the browser plug-ins – up to date with the latest security patches. Exploit kits use vulnerabilities in these components to automatically install malware.
4. Keep UAC enabled
UAC (User Account Control) notifies you when changes are going to be made to your computer that require administrator-level permission. Keep UAC enabled to decrease or block the impact of malware.
5. Follow safe internet practices
Follow safe Internet practices: do not visit questionable websites, and do not click links or open attachments in emails from uncertain sources. Avoid downloading apps from unfamiliar sites — only install software from trusted sources. Do not provide personally identifiable information in public chat rooms or forums.
6. Enable ad-blockers
7. Use anti-spam filters
Implement and use an anti-spam filter to reduce the number of infected spam emails that reach your Inbox.
8. Disable Flash
When possible, virtualize or completely disable Adobe Flash, as it has been repeatedly used as an infection vector.
9. Enable software restriction policies
If your computer runs a Windows Professional or Windows Server edition, or if you are a decision maker in your company’s IT team, enable software restriction policies. System administrators can deploy group policy objects that write these rules to the registry and block executables from specific locations.
This can only be achieved when running a Windows Professional or Windows Server edition. The Software Restriction Policies option can be found in the Local Security Policy editor. After clicking the New Software Restriction Policies button under Additional Rules, the following Path Rules should be used with the Disallowed security level:
• %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.exe
• %userprofile%\Start Menu\Programs\Startup\*.exe
• %username%\Application Data\*.exe
• %username%\Application Data\Microsoft\*.exe
• %username%\Local Settings\Application Data\*.exe
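As an added example (not from the article), a small Python checker that expands the path rules above against a constructed environment and reports which candidate executable paths they cover; the account name "alice", the environment values, and the single-component wildcard semantics are assumptions of this example.

```python
import re
from typing import Dict, List, Optional

# The Disallowed path rules from the article, as written.
DISALLOWED_RULES: List[str] = [
    r"%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.exe",
    r"%userprofile%\Start Menu\Programs\Startup\*.exe",
    r"%username%\Application Data\*.exe",
    r"%username%\Application Data\Microsoft\*.exe",
    r"%username%\Local Settings\Application Data\*.exe",
]

# Constructed environment for a hypothetical account "alice" (assumption, not from the article).
SAMPLE_ENV: Dict[str, str] = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "USERPROFILE": r"C:\Users\alice",
    "USERNAME": "alice",
}

_VAR = re.compile(r"%([^%]+)%")


def expand_rule(rule: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references case-insensitively; unknown variables are left as-is."""
    upper = {k.upper(): v for k, v in env.items()}
    return _VAR.sub(lambda m: upper.get(m.group(1).upper(), m.group(0)), rule)


def _to_regex(expanded: str) -> "re.Pattern[str]":
    """Compile an expanded rule: '*' and '?' match within one path component only
    (this example's simplification); comparison is case-insensitive like NTFS."""
    parts = []
    for ch in expanded:
        parts.append(r"[^\\]*" if ch == "*" else r"[^\\]" if ch == "?" else re.escape(ch))
    return re.compile("".join(parts) + r"\Z", re.IGNORECASE)


def first_blocking_rule(path: str, rules: List[str] = DISALLOWED_RULES,
                        env: Dict[str, str] = SAMPLE_ENV) -> Optional[str]:
    """Return the first Disallowed rule whose expanded pattern covers `path`, or None."""
    for rule in rules:
        if _to_regex(expand_rule(rule, env)).match(path):
            return rule
    return None


def relative_rules(rules: List[str] = DISALLOWED_RULES,
                   env: Dict[str, str] = SAMPLE_ENV) -> List[str]:
    """Rules whose expansion is not an absolute path (drive letter or UNC share)
    and therefore cannot cover a real on-disk location."""
    return [r for r in rules if not re.match(r"(?i)^[a-z]:\\|^\\\\", expand_rule(r, env))]
```

On the constructed environment, relative_rules() returns the three %username% rules, because that variable expands to the account name rather than a directory; confirm the expanded form of each rule on the target machine before relying on it.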