Since our last post on Ransomware avoidance, new and more sophisticated variants of Ransomware have been appearing, making life more difficult for the SysAdmin trying to avoid them.
Here are some extra steps you can use in your fight against Ransomware –
- Use Windows Server File Screening – Built in to Windows Server 2008 onwards, file screens can block certain files from being created and alert you. This will help stop your files being encrypted and give you a heads up if there is an active infection. Here is a great guide from Experiant Consulting on how to set them up – https://fsrm.experiant.ca/
- Use Windows Software Restriction Policies – Again, built into Windows, SRPs can stop any unwanted files from executing on computers. So even if an unwitting user downloads some ransomware, it will not be able to execute on their computer. Branko Vucinec has a great guide on using SRPs here: https://blog.brankovucinec.com/2014/10/24/use-software-restriction-policies-to-block-viruses-and-malware/
- Block Office Macros – There has been a resurgence in the macro virus lately so it’s a good idea to block macros for any users who don’t have a good reason to use them. Block them in all Microsoft Office applications if you can. MS have a set of Administrative Templates you can use with Group Policy to disable Office macros and a lot more.
- Finally, it should go without saying that up-to-date antivirus, firewalls, Windows updates and WORKING backups are essential too.
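
To make the file screening step concrete, here is a PowerShell sketch of an active file screen that blocks matching files and logs a warning event. It is an added example, not taken from this post or from the Experiant guide; the share path, group name and file patterns are constructed placeholders, and it assumes the FileServerResourceManager cmdlets that ship with Windows Server 2012 and later.

```powershell
#Requires -RunAsAdministrator
# Added example: block and alert on suspicious file names with FSRM.
# Assumes the File Server Resource Manager role service is installed.
Import-Module FileServerResourceManager

# Hypothetical values: replace with your own share and a maintained pattern list.
$groupName = 'Ransomware-Example-Patterns'
$sharePath = 'D:\Shares\Data'
$patterns  = @(
    '*.locked-example',              # constructed placeholder extension
    '*.encrypted-example',           # constructed placeholder extension
    'HOW_TO_DECRYPT-example*.txt'    # constructed placeholder note name
)

# Create the file group, or refresh its patterns if it already exists,
# so the script can be re-run whenever the pattern list is updated.
if (Get-FsrmFileGroup -Name $groupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $groupName -IncludePattern $patterns
} else {
    New-FsrmFileGroup -Name $groupName -IncludePattern $patterns
}

# Notification: write a warning to the Application event log on each blocked
# attempt. The bracketed names are FSRM's built-in message variables.
$body = 'User [Source Io Owner] attempted to save [Source File Path] ' +
        'to [File Screen Path] on [Server]. ' +
        'File group: [Violated File Group].'
$eventAction = New-FsrmAction -Type Event -EventType Warning -Body $body

# -Active makes this a blocking screen; without it the screen is passive
# and only reports the attempt while still allowing the file to be written.
if (Get-FsrmFileScreen -Path $sharePath -ErrorAction SilentlyContinue) {
    Set-FsrmFileScreen -Path $sharePath -IncludeGroup $groupName `
        -Active -Notification $eventAction
} else {
    New-FsrmFileScreen -Path $sharePath -IncludeGroup $groupName `
        -Active -Notification $eventAction
}

# Review the result.
Get-FsrmFileScreen -Path $sharePath |
    Select-Object Path, Active, IncludeGroup
```

A screen only matches the names in its file group, so the pattern list needs regular updates, and the warning event is worth forwarding to whatever monitoring you already watch.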
If you are unlucky enough to get hit you could always try one of the many ‘Decryptor’ sites that are appearing. They are not guaranteed but it’s worth a go –
- NoMoreRansom.org – https://www.nomoreransom.org/decryption-tools.html
- Kaspersky – https://noransom.kaspersky.com/
It’s estimated that 20% of people who actually pay the Ransomware bad guys don’t get their files back anyway!