Ransomware: What is it, and how do you defend yourself against it? (Part 4)


This entry is part of 6 in the series Computer Security Made Simple

In my previous posts, I have covered what ransomware is, what it does, and how it attacks. I’ll wrap this series up with some defensive measures that you can take (and no, switching to another operating system isn’t a complete answer), and a little more about ransomware in general.

Defensive Measures:

So the first and foremost thing that I need to discuss here is attitude. If you don’t want to get infected by ransomware (or any other malware, for that matter), you need to change your attitude about computers and security. Saying things like “Well, I use <insert Operating System here>, so I don’t need antivirus,” or “I don’t visit those types of websites, so I’m not too worried,” or “Updating takes too much time. I don’t want the hassle of rebooting. And I don’t want to give <insert “evil corporation”> more of my information through their collection schemes,” won’t work, because the attackers are counting on these attitudes. They use social engineering tactics to get you to open infected emails. They hack into sites that you wouldn’t consider to be “bad” and insert malicious code. Or they hack into the ad networks serving up the advertisements on your favorite sites and insert malicious code there (so-called malvertising, which needs no click at all). And they take advantage of the lull in updating your computers (or the fact that you’re still using Windows XP, even though it hasn’t been supported since 2014) to attack via known security holes.

And there are methods of installing malware on Mac OS (via a trojanized copy of the Transmission BitTorrent client that was served from the project’s own download site, for example), Android phones (via exploits created by an Italian security firm and sold to various governments), and even Linux. You don’t know for sure what “holes” someone has found. They may not have exploited them yet because the return on investment isn’t high enough. (For Linux users, dare I mention systemd? Or should I point out that most Raspberry Pis run a Linux-based operating system, and there is malware aimed at them?) Essentially, if it has an operating system, it can be attacked. Some may be harder to crack, but they can still be cracked. So your attitude has to be “I need to take whatever steps are available to me to keep my devices secure.”

So having said all of this above, what security measures can (and should) you take?

  • Back up your data – I’ve harped on this over and over, but it definitely rings true here. If you have an effective backup system (multiple versions of your data, with at least one copy that the infected machine cannot reach), you are in a position to recover without paying the ransom. This is essentially the cure after you’ve caught the disease. Note the “cannot reach” part: ransomware encrypts every drive and network share the infected account can write to, so a backup disk that stays plugged in, or a sync folder that mirrors changes the moment they happen, gets encrypted right along with the originals. Unplug the drive, or use a backup service that keeps older versions on its own side.

    Even having multiple versions may not be a complete solution. Some malware takes its time and encrypts your data slowly, so the damage is spread across several backup generations. You then either have to hunt through a number of older versions for the last clean copy of each file, or pay the ransom to get everything back at once. Plus, all of those versions cost money for the physical (or cloud) storage, and time to manage.

    Have you tested your backups lately? A perfect backup solution only works if you know that it will properly restore to your systems. You should test your recent backups occasionally, if nothing else so you know how the procedure works. I had an experience restoring a laptop for a friend, where I found out that if I put in the first disc from the recovery set (which you’d assume you should), that was all I could restore. I had to start with the last disc, then go back to the first one and work my way through.

  • Patching your operating system and the programs and plugins on it – In many cases, the attackers don’t hit the operating system directly. They exploit vulnerabilities in the programs and plugins you have installed. Flash Player, Java, Adobe Reader, Microsoft Office, the web browser itself, and other programs are the main vectors of attack. But there are still holes in the operating system. Consider this: an operating system consists of tens of millions of lines of code spread across thousands of files. It’s impossible for every single line to be perfect, especially when they all have to interact with each other in different ways. Your operating system alone takes up around 15 to 20 GB of space (more data than most families have in photos, unless you’re a photographer, in which case it’s probably a close race).

    It’s important to uninstall older versions of programs if the update process doesn’t remove them. Java is good about this: when you verify your Java version, it checks for older versions and offers to remove them for you. Unless you absolutely must keep an older version, remove it. An old, unpatched copy sitting beside the new one is still installed, and an attacker’s exploit doesn’t care which one you meant to use.

  • The principle of least privilege – What this means is that you use the lowest level of privilege necessary to do your work. For example, if you’re surfing the Internet, listening to music, checking your email, or working on a document, you don’t need to be a “Computer Administrator” or “superuser” for those tasks. So you use a limited (standard) user account. When you’re installing or updating something, you may need administrative access, and that’s the only time you should have it.

    Windows attempts to accomplish this using User Account Control (UAC). Under UAC, even an Administrator account runs programs with standard-user rights by default, and Windows prompts you when a program tries to do something that requires administrative access. If your account is a Computer Administrator, it just asks whether you want to allow it. If your account is a limited user, you have to enter the credentials (username/password) of an Administrator account. The problem with UAC was how it was originally implemented in Windows Vista. It prompted so often that people either instinctively clicked “Yes” or shut it off, and a prompt you click through by reflex protects nothing. It has greatly improved in more recent versions of Windows, so if you disabled it back then (after upgrading from Windows Vista and/or Windows 7, that is), I suggest trying it out again. Better still, do your daily work from a standard account and keep a separate Administrator account for installs, so the prompt asks for a password rather than a click.

    Linux (and other Unix-like systems) uses “su” (substitute user, usually read as “superuser”) and “sudo” (“su do”: run one command as another user, normally root) to accomplish this. They serve the same purpose as UAC and the Administrator account on Windows. sudo runs a single command as root, and by default remembers your password for a few minutes so you aren’t prompted for every command in a row. su opens a root shell that stays root until you exit it. Using su for everyday work is not recommended, for the same reason that you don’t want to use an Administrator account on Windows. If you don’t need the permissions, then don’t use an account that has them.

    The thing to remember is that software runs with the permissions of the account that executes it (short of a privilege-escalation exploit, which is one more reason to patch). So, if you’re a limited user and get infected by ransomware, the damage is contained to what that account can write: it can’t touch system files, other users’ profiles, or backups owned by another account. The caveat is that a limited user can still write to all of his or her own documents, pictures, and mapped drives, which are exactly the files the ransomware is after. Least privilege limits the blast radius; it is not a substitute for backups.

  • AppLocker and application whitelists – AppLocker (a Windows feature) uses whitelists to determine what applications are allowed to run, and what locations they are allowed to run from. Think of the App Store or Google Play on your phone. If the application isn’t approved to run (or to run from the location it’s in), it won’t run. The default rule set allows programs under Program Files and the Windows directory (places a standard user can’t write to) and blocks everything else, which covers the Downloads folder, temporary directories, and the browser cache, where a drive-by download or a macro-dropped payload usually lands. I’m planning a tutorial on how to use AppLocker in the future.
  • Limit network access – What this means (and it’s more for corporations than home users) is that you limit access to certain network assets. So, if a user doesn’t need access to the administrative side of a printer, they’re blocked. And if they are only allowed access to certain folders on a shared drive, that’s all their permissions allow. In tech speak, it’s called “Least Effective Permissions”, and it is least privilege applied to the network: you are given the bare minimum permission to access anything that’s not directly connected to your computer. For ransomware this matters because the malware enumerates every mapped drive and reachable share; a share you can only read is a share it can’t encrypt.
  • Human nature – Humans are the weakest part of the system. Attackers use social engineering (“open this document”, or the infamous Nigerian prince scams), phishing (an email purporting to come from your bank, which takes you to an attacker’s site that looks like your bank’s login screen), or spear phishing and “whaling” (an infected document that appears to come from someone important, so the recipient is more likely to open it without question). The best mitigation for this is proper training, but that’s only as effective as the people who receive it, so it works best layered with the technical controls above, which don’t depend on anyone’s judgement.
  • Antivirus, firewall, and antimalware – These are listed at the lower end of the spectrum because, while they’re important, they can be easily defeated. Antivirus programs use signatures (and in some cases heuristics) to determine whether a file is malicious. The problem is that minor tweaks to the file (repacking it, changing a few bytes, re-encrypting the payload) will get past the signature checks, and most malware writers test their work against the major AV products before releasing it. Treat AV as a filter that removes the known, lazy samples, not as a guarantee.
  • User behavior analysis (UBA) – What this does is build a baseline of what a normal user (or program) does. If a program starts trying to do things that the normal user wouldn’t (like using nmap to scan ports, deleting or encrypting a large number of files, or running commands with a privilege level it isn’t supposed to have), the activity is flagged and the program can be stopped.

    The difference between UBA and antivirus/antimalware is that UBA looks at what a program or user does, while AV and antimalware look at what the file is (its signature or heuristic match). A heuristic is just an educated guess based on traits of the file, sort of a mixture between a signature and UBA. Ransomware has a very recognizable behavior: one process opening, rewriting, and renaming hundreds of files in a minute or two, often leaving a ransom note in every folder it visits. That is why behavior-based tools catch variants that signatures miss.
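
To make the backup bullet above concrete, here is an added example (my own illustration, not code from the original post or any product it mentions) of the two habits that matter: keeping every version as a full, hashed snapshot, and actually verifying that a snapshot restores what was written. The directory layout, the `manifest.json` name, and the sample files in `demo()` are all assumptions constructed for the example; `history()` is what you would use to hunt back through versions for the last clean copy of a file when the ransomware has been encrypting slowly.

```python
"""Versioned backups with an integrity manifest (added example, not from the original post).

snapshot()  copies a directory tree into backup_root/<label>/ and records the SHA-256 of every file
verify()    re-hashes a snapshot and reports anything missing or altered ("have you tested your backups?")
history()   lists one file's hash across all snapshots, oldest first, to find the last clean version
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

MANIFEST = "manifest.json"  # assumed file name; any name works as long as snapshot() and verify() agree


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(src, backup_root, label=None):
    """Copy src into a new dated (or labelled) folder and write a manifest of file hashes.
    Every snapshot is a full copy, so an old version survives when a later one is encrypted."""
    label = label or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")  # sorts chronologically
    dest = os.path.join(backup_root, label)
    if os.path.exists(dest):
        raise FileExistsError(dest)  # never overwrite an existing version
    manifest = {}
    for dirpath, _, files in os.walk(src):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, src)
            target = os.path.join(dest, "data", rel)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copy2(full, target)
            manifest[rel] = sha256_of(target)  # hash the copy, not the source: that is what you restore from
    with open(os.path.join(dest, MANIFEST), "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)
    return dest


def verify(snapshot_dir):
    """Return [(relpath, problem), ...] for files that are missing or whose hash no longer matches.
    An empty list means the snapshot will restore byte for byte what was backed up."""
    with open(os.path.join(snapshot_dir, MANIFEST)) as f:
        manifest = json.load(f)
    problems = []
    for rel, expected in manifest.items():
        path = os.path.join(snapshot_dir, "data", rel)
        if not os.path.exists(path):
            problems.append((rel, "missing"))
        elif sha256_of(path) != expected:
            problems.append((rel, "hash mismatch"))
    return problems


def history(backup_root, rel):
    """Hash of one file in each snapshot, oldest first; None where the file wasn't present.
    A file whose hash is stable across many snapshots and then changes in the last one or two
    is the pattern to look for when ransomware has been encrypting slowly."""
    out = []
    for label in sorted(os.listdir(backup_root)):
        mpath = os.path.join(backup_root, label, MANIFEST)
        if os.path.isfile(mpath):
            with open(mpath) as f:
                out.append((label, json.load(f).get(rel)))
    return out


def demo():
    """Walk-through on constructed files in a temporary directory (sample data, not real documents)."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "docs")
    root = os.path.join(tmp, "backups")
    os.makedirs(src)
    os.makedirs(root)
    doc = os.path.join(src, "thesis.txt")
    with open(doc, "w") as f:
        f.write("chapter 1: draft")
    first = snapshot(src, root, "2016-01-01")
    with open(doc, "wb") as f:
        f.write(os.urandom(64))  # stands in for the file after ransomware rewrote it
    second = snapshot(src, root, "2016-02-01")
    result = {"first_ok": verify(first) == [], "second_ok": verify(second) == [],
              "history": history(root, "thesis.txt")}
    with open(os.path.join(second, "data", "thesis.txt"), "w") as f:
        f.write("corrupted backup medium")  # simulate a bad restore medium; verify() must notice
    result["tampered"] = verify(second)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running `demo()` shows the first and second snapshots both verifying clean, the history of `thesis.txt` changing hash between them (so the January copy is the one to restore), and `verify()` reporting a hash mismatch once the backup copy itself is damaged.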
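
The least-privilege bullet above says that software inherits the permissions of the account that runs it. The following added example (my own, not from the original post) makes that visible: it walks a directory tree and sorts files into those the current account could overwrite and those it could not, which is exactly the set a ransomware process started by that account could encrypt. The `demo()` tree with a fake user home and a read-only “system” file is constructed for illustration; run the script once as a normal user and once with `sudo` and compare the two lists.

```python
"""Blast radius of the current account (added example, not from the original post).

writable_files() asks the operating system, for every file under a root, whether the
credentials this process is running with could write to it.  Malware started from the
same account gets the same answer, so the 'writable' list is what it could encrypt.
"""
import os
import stat
import tempfile


def running_as_root():
    """True when the process has the superuser's uid (POSIX); False on platforms without geteuid."""
    return getattr(os, "geteuid", lambda: -1)() == 0


def writable_files(root):
    """Return (writable, protected): paths under root that the current credentials can or cannot modify.
    os.access() uses the real uid/gid, so it reflects the account, not a temporarily elevated token."""
    writable, protected = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # judge the target when the walk reaches it, not the link
            (writable if os.access(path, os.W_OK) else protected).append(path)
    return writable, protected


def demo():
    """Constructed tree: a user's own documents plus one read-only 'system' file."""
    tmp = tempfile.mkdtemp()
    home = os.path.join(tmp, "home", "alice")
    system = os.path.join(tmp, "system")
    os.makedirs(home)
    os.makedirs(system)
    for name in ("letter.docx", "photo.jpg"):
        with open(os.path.join(home, name), "w") as f:
            f.write("user data")  # sample content
    kernel = os.path.join(system, "kernel.bin")
    with open(kernel, "w") as f:
        f.write("system file")
    os.chmod(kernel, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)  # 0444: owner may not write either
    writable, protected = writable_files(tmp)
    rel = lambda paths: sorted(os.path.relpath(p, tmp) for p in paths)
    return {"root": running_as_root(), "writable": rel(writable), "protected": rel(protected)}


if __name__ == "__main__":
    r = demo()
    print("running as root:", r["root"])
    print("could be encrypted:", r["writable"])
    print("out of reach:     ", r["protected"])
```

As a standard user the two files in `home/alice` are writable and `system/kernel.bin` is not, which is the point of the bullet: the account still loses everything it owns, but nothing beyond that. As root (or an Administrator that has clicked through UAC) all three land in the writable list.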

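
The antivirus and UBA bullets above draw the line between checking what a file is and checking what a process does. This added example (my own illustration, not from the original post or any vendor) puts both side by side on constructed data: a hash “signature” that a one-byte tweak defeats, and a behavior rule that flags a process which rewrites and renames many files inside a short window. The sample binary, the process names and the file-activity log are all made up for the example; a real behavior engine would be fed by a filesystem driver or audit log rather than a Python list.

```python
"""Signature matching versus behavior analysis (added example, not from the original post).

A hash signature is defeated by appending one byte.  A behavior rule that counts how many
distinct files one process rewrites and renames inside a short window still fires on the
tweaked sample, because the sample still has to touch the files to encrypt them.
"""
import hashlib
from collections import defaultdict

# Constructed stand-in for a malware binary and a vendor's list of known-bad hashes.
SAMPLE = b"MZ\x90\x00" + b"ransomware-family-A build 1"
KNOWN_BAD = {hashlib.sha256(SAMPLE).hexdigest()}


def signature_match(blob):
    """The simplest AV check: is this exact file in the known-bad database?"""
    return hashlib.sha256(blob).hexdigest() in KNOWN_BAD


def tweak(blob):
    """What the malware author does before release: same behavior, different hash."""
    return blob + b"\x00"


# Constructed file-activity log: (seconds, pid, process, action, path).
# For 'rename' events the path is the file being renamed.
EVENTS = [
    # normal editing: a few saves spread over minutes
    (0,   1201, "winword.exe",  "write",  r"C:\Users\alice\Documents\thesis.docx"),
    (190, 1201, "winword.exe",  "write",  r"C:\Users\alice\Documents\thesis.docx"),
    (400, 1201, "winword.exe",  "write",  r"C:\Users\alice\Documents\notes.docx"),
    (50,  1300, "explorer.exe", "rename", r"C:\Users\alice\Pictures\IMG_1.jpg"),
]
# suspicious: one process rewrites eight pictures, renames each one, then drops a note, all in 20 s
EVENTS += [(500 + i, 4420, "upd.exe", "write",  rf"C:\Users\alice\Pictures\IMG_{i}.jpg") for i in range(8)]
EVENTS += [(510 + i, 4420, "upd.exe", "rename", rf"C:\Users\alice\Pictures\IMG_{i}.jpg") for i in range(8)]
EVENTS += [(520, 4420, "upd.exe", "write", r"C:\Users\alice\Pictures\README_DECRYPT.txt")]


def flag_mass_modification(events, window=60, threshold=5, min_renamed=3):
    """Flag pids that touch at least `threshold` distinct files within `window` seconds and
    rename at least `min_renamed` of them.  Thresholds are assumed values; tune them against
    a baseline of what your users' programs normally do (a backup job or a compiler is noisy too).
    Returns {pid: {"process", "files", "renamed", "at"}}."""
    by_pid = defaultdict(list)
    for t, pid, proc, action, path in events:
        if action in ("write", "rename"):
            by_pid[(pid, proc)].append((t, action, path))
    flagged = {}
    for (pid, proc), evs in by_pid.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):  # slide a window starting at each event
            touched, renamed = set(), 0
            for t, action, path in evs[i:]:
                if t - start > window:
                    break
                touched.add(path)
                renamed += action == "rename"
            if len(touched) >= threshold and renamed >= min_renamed:
                flagged[pid] = {"process": proc, "files": len(touched), "renamed": renamed, "at": start}
                break
    return flagged


if __name__ == "__main__":
    print("original sample matches signature:", signature_match(SAMPLE))
    print("tweaked sample matches signature: ", signature_match(tweak(SAMPLE)))
    print("behavior flags:", flag_mass_modification(EVENTS))
```

The word processor saving a document three times and Explorer renaming one photo stay under the thresholds; `upd.exe` is flagged at second 500 after touching nine files and renaming eight of them, whether or not its hash was ever seen before. The price of the behavioral approach is the handful of files already encrypted before the threshold is reached, which is where the backup bullet comes back in.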
So that covers what you can do to defend yourself against ransomware, and how to recover without having to pay the ransom. I’m going to end this with some external links to more information about ransomware and how to defend against it.

US-CERT alert about ransomware from 2016

General tips from US-CERT about computers and security

US-CERT bulletin about ransomware (most recent)

Software Engineering Institute – Best Practices for Ransomware Prevention and Response

