This solution addresses Webroot SecureAnywhere 
 

Ransomware Prevention Guide

As the impact and severity of crypto-ransomware threats and attacks has grown over the past 2½ years, we have published many blogs and articles on how best to defend against these modern-day extortionists. We do not believe that our business or consumer customers should have to choose between paying an extortionist and losing precious, irreplaceable data. We are often asked the leading question: “which endpoint security solution will offer 100% prevention and protection from crypto-ransomware?” The simple answer is none. Even the best endpoint security (which we pride ourselves on innovating and striving towards) will be fully effective most of the time, not all of the time. At other times the cybercriminals will have found a way to circumvent endpoint defenses and their attack will likely succeed. Every day, ransomware campaign operators release new variants that are re-packed so that, for a while, no antivirus product detects them.

1. Use Reputable, Proven, Multi-Vector Endpoint Security

When it comes to endpoint security, there are many choices out there. While published detection tests help when it comes to crypto-ransomware, most detection testing is flawed – with many programs achieving 100% detection results that can’t be reproduced in the real world.

Webroot has built a strong reputation for stopping crypto-ransomware. Our goal, first and foremost, is to be 100% effective. Webroot was the first antivirus and antimalware vendor to move completely away from the standard, signature-based file detection method. By harnessing the power of cloud computing, Webroot replaced traditional, reactive antivirus with proactive, real-time endpoint monitoring and threat intelligence, defending each endpoint individually while gathering, analyzing, and propagating threat data collectively. This predictive infection prevention model enables Webroot solutions to accurately categorize existing, modified, and new executable files and processes, at the point of execution, to determine their status.

Using this approach, Webroot rapidly identifies and blocks many more infections than signature-based approaches, and we are highly proficient at detecting and stopping crypto-ransomware.

Of course, you need protection that covers multiple threat vectors. For instance, real-time anti-phishing to stop email links to phishing sites, web browser protection to stop browser threats, and web reputation to block risky sites that might only occasionally be unsafe. Over the past four years, the Webroot approach to infection prevention has continuously proven its efficacy at stopping crypto-malware in real time by addressing threats the moment they attempt to infect a device, stopping the encryption process before it starts. Regardless of which endpoint security solution you choose, it’s essential it offers multi-dimensional protection and prevention against malware to ensure it quickly recognizes external threats and any suspicious behaviors. A next-generation endpoint security solution with protection beyond file-based threats is essential.

2. Back-up your data.

If you have failed to stop ransomware from successfully encrypting your data, then the next best protection is being able to restore your data and minimize business downtime.

Bear in mind when you are setting up your backup strategy that crypto-ransomware like CryptoLocker will also encrypt files on drives that are mapped, and some modern variants will look for unmapped drives too. Crypto-ransomware will look for external drives such as USB thumb drives, as well as any network or cloud file stores that you have assigned a drive letter to.

You need to set up a regular backup regimen that at a minimum backs up data to an external drive, or backup service, that is completely disconnected when it is not performing the backup.

The recommended best practice is that your data and systems are backed up in at least three different places.

» Your main storage area (file server)
» Local disk backup
» Mirrors in a cloud business continuity service

In the event of a ransomware disaster, this set-up will give you the ability to mitigate any takeover of your data and almost immediately regain the full functionality of your critical IT systems.

3. User Education.

The “human firewall” – your users – is often the weakest link in security. A lot of lip service is paid to user security education, and with the advent of online self-paced courses there is no excuse not to use those tools to educate your users about the risks they face in the office and when using the Internet at home.

If a user receives an invoice, receipt, or any other attachment from someone they are unfamiliar with, chances are it is malicious. For Word documents, also warn users never to click “Enable Content” on a document that arrived from an unfamiliar source: that button is what lets an embedded macro run.

4. Disable execution of script files.

Webroot has for years found many highly prevalent ransomware variants delivered through email attachments. These attachments are often a zip archive that contain a script, which serves the purpose of downloading/executing a ransomware/malware payload. Webroot recommends preventing the execution of script file types to avoid this type of attack.

Example Spam Email:
 

In order to prevent these types of documents and scripts from running we recommend choosing the most appropriate solution for your environment below.

Step 1: Block WSF, WSH, VBS, VBE, JS, JSE and HTA files:

There are three options to prevent script files from running on a system.

Option 1: REDIRECT SCRIPT FILE EXTENSIONS VIA GPO

To configure this with Group Policy, open the Group Policy Management Editor for the GPO that applies to your users and navigate to:

User Configuration > Preferences > Control Panel Settings > Folder Options
Right-click Folder Options and choose New > Open With.

Type one unwanted extension (for example wsf, js or vbs) into the "File extension" box, enter the path of the program that should open it instead (for example C:\Windows\System32\notepad.exe), tick Set as default and press OK. Create one Open With item per extension.

Example of redirecting the extension .wsf, .js, and .vbs to notepad:


We recommend redirecting the file types: .hta, .jse, .js, .vbs, .vbe, .wsf, .wsh, and .ps1.

If an administrator needs to run a WSF, VBS, JS or other script file, this is still possible by starting the script host with the script file as an argument, because the redirect only changes what Explorer does on double-click; wscript.exe and cscript.exe do not consult that association.

For example:

C:\Windows\System32\WSCRIPT.exe C:\example.vbs

Option 2: REDIRECT SCRIPT FILE EXTENSIONS VIA WEBROOT CONSOLE 

If Group Policy is not available, you can instead redirect the file extensions with the utility below.

1. Sign into the Webroot Enterprise Console and click Group Management.
2. Select the hostnames which you would like to have this applied to, and then navigate to Agent Commands > Advanced > Download and execute a file.
3. Input the following link into the URL field:

https://download.webroot.com/NoScrypts.exe

For the Command Line Options field, the following commands can be used:

-disable - This command will redirect the default action for the following file types: .hta, .jse, .js, .vbs, .vbe, .wsf, .wsh, to instead show a message box like so:



To apply this from the Webroot Endpoint Console, refer to the screenshot below:



-disable “Custom Message” – This command redirects the default action for the same file types but also lets you specify the message the user sees, where “Custom Message” is the text to display when a user opens a script file. Quotes are required around this text. Optionally you may include %1 in your custom message; it is replaced by the path of the file that was blocked, like so:



To apply this from the Webroot Endpoint Console, refer to the screenshot below:



-enable - This command restores the default execution program for the file types mentioned above.

To apply this from the Webroot Endpoint Console, refer to the screenshot below:



4. Click “Download and Execute” to send the command to the system.

Note: You may view the status of sent commands by choosing the “View commands for selected endpoints” option in the “Agent Commands” menu. Depending on poll interval, it may take up to 24 hours for the endpoint(s) to receive this command. You may force a poll check or configuration update to receive this command immediately by locating the Webroot icon in the system tray, right clicking it, and selecting “Refresh Configuration”.

5. Ensure script files are blocked by attempting to open a file with a blocked file type.

Option 3: DISABLE WSCRIPT HOST

Windows Script Host (C:\Windows\System32\wscript.exe, together with its console counterpart cscript.exe) is the component of Windows that interprets .vbs, .vbe, .js, .jse, .wsf and related script files; whenever one of these scripts runs, it runs through this host. Because of this, you may want to disable Windows Script Host entirely. The switch described below disables both wscript.exe and cscript.exe, so logon scripts or administrative tooling written in VBScript or JScript will stop working; test before rolling it out. Note also that .hta files are run by mshta.exe, not by Windows Script Host, so this option does not cover them; keep the .hta redirect from Option 1. To disable Windows Script Host, use one of the following procedures.
 
From the Webroot Console:
 
1. Sign into the Webroot Enterprise Console and click Group Management.
2. Select the hostnames that you would like to have this applied to, and then navigate to Agent Commands > Advanced > Download and execute a file.
3. Enter the following link into the URL field:
    https://download.webroot.com/DisableWSCRYPT.exe
4. For the Command Line Options field, the following commands can be used:

-disable - This command will disable Windows Script Host and disallow execution of script files.

-enable - This command will enable Windows Script Host and allow execution of script files.

5. Click “Download and Execute” to send the command to the system.

Note: You may view the status of sent commands by choosing the “View commands for selected endpoints” option in the “Agent Commands” menu. Depending on poll interval, it may take up to 24 hours for the endpoint(s) to receive this command. You may force a poll check or configuration update to receive this command immediately by locating the Webroot icon in the system tray, right clicking it, and selecting “Refresh Configuration”.

6. Ensure Windows Script Host is blocked by opening a command prompt, typing “wscript”, and pressing Enter. You should be presented with the following message (“Windows Script Host access is disabled on this machine. Contact your administrator for details.”):

 

Manually - 64 BIT:

To disable Windows Script Host, execute the following in an elevated command prompt:

REG ADD "HKLM\Software\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 0 /f /reg:32

REG ADD "HKLM\Software\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 0 /f /reg:64

To re-enable Windows Script Host, execute the following:

REG ADD "HKLM\Software\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f /reg:32

REG ADD "HKLM\Software\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f /reg:64

Manually - 32 BIT:

To disable Windows Script Host, execute the following in an elevated command prompt:

REG ADD "HKLM\Software\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 0 /f

To re-enable Windows Script Host, execute the following:

REG ADD "HKLM\Software\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f
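The Option 1 redirect and the Option 3 Windows Script Host switch, done from PowerShell with an audit step and a functional check. This is an added example, not Webroot's NoScrypts.exe or DisableWSCRYPT.exe and not code from the original page; the function names are this example's own, and it assumes an elevated PowerShell prompt on Windows, since every write goes to HKLM.

```powershell
# Added example, not the NoScrypts.exe/DisableWSCRYPT.exe tools above. Run from an elevated PowerShell
# prompt on Windows: all writes go to HKLM. Function names are this example's own choice.

$ScriptExtensions = '.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh', '.hta', '.ps1'
$NotepadCommand   = '"%SystemRoot%\system32\notepad.exe" "%1"'
$WshSettingsKey   = 'SOFTWARE\Microsoft\Windows Script Host\Settings'

function Get-ScriptHandler {
    # Resolve extension -> ProgID -> shell\open\command, the chain Explorer follows on double-click.
    param([string[]]$Extension = $ScriptExtensions)
    foreach ($ext in $Extension) {
        $progId  = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue).'(default)'
        $command = $null
        if ($progId) {
            $command = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
        }
        [pscustomobject]@{ Extension = $ext; ProgId = $progId; Command = $command; Redirected = [bool]($command -match 'notepad\.exe') }
    }
}

function Set-ScriptHandlerToNotepad {
    # Option 1 equivalent: double-clicking a script opens it in Notepad instead of running it.
    # "wscript.exe file.vbs" still works because the script hosts do not go through the Open verb.
    param([string[]]$Extension = $ScriptExtensions)
    foreach ($handler in Get-ScriptHandler -Extension $Extension) {
        if (-not $handler.ProgId) { Write-Warning "$($handler.Extension): no ProgID registered, skipping"; continue }
        $key = "HKLM:\SOFTWARE\Classes\$($handler.ProgId)\shell\open\command"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name '(default)' -Value $NotepadCommand
    }
}

function Set-WindowsScriptHost {
    # Option 3 equivalent: Enabled=0 stops both wscript.exe and cscript.exe. The value is written in
    # both registry views, which is what the paired /reg:32 and /reg:64 REG ADD commands above do.
    param([Parameter(Mandatory)][bool]$Enabled)
    foreach ($view in [Microsoft.Win32.RegistryView]::Registry32, [Microsoft.Win32.RegistryView]::Registry64) {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        $key  = $base.CreateSubKey($WshSettingsKey)
        $key.SetValue('Enabled', [int]$Enabled, [Microsoft.Win32.RegistryValueKind]::DWord)
        $key.Close(); $base.Close()
    }
}

function Test-ScriptExecutionBlocked {
    # Functional check: a throwaway VBScript tries to create a marker file through cscript.exe.
    # If the marker never appears, Windows Script Host refused to run it. Returns $true when blocked.
    $marker = Join-Path $env:TEMP ('wsh-probe-{0}.txt' -f [guid]::NewGuid())
    $probe  = [System.IO.Path]::ChangeExtension($marker, '.vbs')
    @('Set fso = CreateObject("Scripting.FileSystemObject")',
      ('Set f = fso.CreateTextFile("{0}")' -f $marker),
      'f.Close') | Set-Content -Path $probe -Encoding ASCII
    & "$env:SystemRoot\System32\cscript.exe" //Nologo $probe 2>&1 | Out-Null
    $blocked = -not (Test-Path $marker)
    Remove-Item $probe, $marker -ErrorAction SilentlyContinue
    return $blocked
}

# Audit first, then apply both controls and confirm.
Get-ScriptHandler | Format-Table -AutoSize
Set-ScriptHandlerToNotepad
Set-WindowsScriptHost -Enabled $false
'Script execution blocked: {0}' -f (Test-ScriptExecutionBlocked)
# Roll back with: Set-WindowsScriptHost -Enabled $true
```

Redirecting the Open verb is a speed bump rather than a boundary: the right-click “Open with Command Prompt” entry on script files is a separate verb, a per-user “Open with” choice recorded by Explorer overrides the machine-wide ProgID mapping, and a user who passes the file to wscript.exe directly is not stopped. Disabling Windows Script Host closes those paths but also breaks VBScript and JScript logon scripts, and leaves .hta (mshta.exe) untouched. Where you need real enforcement, AppLocker or Windows Defender Application Control rules on wscript.exe, cscript.exe and mshta.exe are the stronger control.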

Step 2: Disable Macro execution.

Office macros are useful in some environments, but in most cases they are not needed and are only a security risk. Several ransomware families are delivered by a macro embedded in a document: the lure asks the user to click Enable Content, and the macro then fetches and runs the payload.

Macro example:

To enable this policy setting, run gpedit.msc (or edit the domain GPO) and navigate to the following setting:

User Configuration > Administrative Templates > Microsoft Word 2016 > Word Options > Security > Trust Center.
Double-click the “Block macros from running in Office files from the Internet” setting and set it to Enabled. The setting is per application and requires the Office 2016 Administrative Template files to be installed, so repeat it under Microsoft Excel 2016 and Microsoft PowerPoint 2016.

 

Office 2013: https://technet.microsoft.com/en-us/library/ee857085.aspx

Note: If Group Policy is not available, you can alternatively disable macros without notification manually in each application’s Trust Center (File > Options > Trust Center > Trust Center Settings > Macro Settings):

Step 3: Prevent Users from running Powershell via GPO.

To enable this policy setting, Run gpedit.msc and navigate to the following setting:

User configuration > Administrative templates > System

1. Double-click on Don't run specified Windows applications.
 

2. Click the radio button Enabled to enable the policy.

3. Click the Show button next to List of disallowed applications and add powershell.exe to the list and click OK.
 

4. Test by attempting to run PowerShell from the Start menu or from File Explorer.

Note that this policy is enforced only by File Explorer: it does not stop powershell.exe started from cmd.exe, a scheduled task or another process, and it matches on file name, so a renamed copy (or powershell_ise.exe, if you have not listed it) runs normally. Treat it as a nuisance control for casual users; AppLocker or Windows Defender Application Control rules are the real enforcement.
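For machines without Group Policy, the Step 2 macro policy and the Step 3 DisallowRun policy can be written directly to the registry values those GPO settings control. This is an added example, not part of the original article; the function names are this example's own, the Office version key (16.0 = Office 2016) and the application list are assumptions, and both policies live under HKCU, so run it in each user's session (for example from a logon script) and have the user log off and on for Explorer to pick up DisallowRun.

```powershell
# Added example, not part of the original article. Registry equivalents of the Step 2 macro policy
# and the Step 3 DisallowRun policy for machines without Group Policy. Both live under HKCU.
# Assumptions for this example: Office 2016 (version key 16.0) and the three applications listed.

$OfficeVersion = '16.0'
$OfficeApps    = 'Word', 'Excel', 'PowerPoint'

function Set-OfficeMacroPolicy {
    # blockcontentexecutionfrominternet=1 is "Block macros from running in Office files from the
    # Internet" (files carrying the Mark-of-the-Web). VBAWarnings=4 is "Disable all macros without
    # notification"; 3 = only digitally signed macros, 2 = disable with notification, 1 = enable all.
    param([int]$VBAWarnings = 4, [bool]$BlockInternetMacros = $true)
    foreach ($app in $OfficeApps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value $VBAWarnings -Type DWord
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value ([int]$BlockInternetMacros) -Type DWord
    }
}

function Get-OfficeMacroPolicy {
    # Report the effective policy values per application (blank = not set, so the Trust Center default applies).
    foreach ($app in $OfficeApps) {
        $p = Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security" -ErrorAction SilentlyContinue
        [pscustomobject]@{ App = $app; VBAWarnings = $p.VBAWarnings; BlockInternetMacros = $p.blockcontentexecutionfrominternet }
    }
}

function Set-DisallowRun {
    # Step 3 equivalent: Explorer refuses to launch the listed image names. Only Explorer enforces it,
    # so cmd.exe, scheduled tasks and renamed copies bypass it; it is a nuisance control, not a boundary.
    param([string[]]$Program = @('powershell.exe', 'powershell_ise.exe'))
    $policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path "$policy\DisallowRun")) { New-Item -Path "$policy\DisallowRun" -Force | Out-Null }
    Set-ItemProperty -Path $policy -Name 'DisallowRun' -Value 1 -Type DWord
    $index = 1
    foreach ($name in $Program) {
        # The list is a set of string values named "1", "2", ... under the DisallowRun subkey.
        Set-ItemProperty -Path "$policy\DisallowRun" -Name ([string]$index) -Value $name -Type String
        $index++
    }
}

Set-OfficeMacroPolicy
Set-DisallowRun
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Values written under HKCU\Software\Policies are read by Office as policy, so users cannot undo them from the Trust Center dialog, but a local administrator can; on a domain, the GPO described above is still the right way to deploy them.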

5. Patch and keep software up to date.

Ransomware such as CryptMic, CryptXXX, Cerber and Locky can be distributed via exploit kits, which target vulnerabilities in Adobe Flash Player, Oracle Java, Internet Explorer, Microsoft Silverlight and other commonly installed applications. If such software is exploited, an exploit kit landing page can execute arbitrary code and start a silent drive-by download. It is critical for system administrators to keep this type of software up to date, because most payloads dropped by exploit kits are freshly re-packed samples that no antivirus engine detects yet (often loosely called “zero days”, although the term properly refers to vulnerabilities with no patch available). If outdated software must remain in your environment, we recommend you download and install Microsoft’s EMET to mitigate attacks. (EMET has since reached end of life; on Windows 10 version 1709 and later the equivalent mitigations are built in as Exploit Protection.)

Download EMET

6. Secure weak username/passwords which have Remote Desktop access.

Cybercriminals scan the Internet daily for systems with RDP exposed on commonly used ports and then brute-force them with weak username/password combinations. Once access has been gained, they can deploy ransomware, create user accounts, and download other malicious software.

Here are some tips you can use to help secure RDP and prevent this type of attack.

Preventing scanning for an open port:

It is also important to monitor for attempted intrusions with Windows Event Viewer. This will show you what cybercriminals are doing to try to get in, and help you adjust the security measures in your environment. Here is an example of filtering the Security log for event ID 4625 (An account failed to log on):


 

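The Event Viewer filter above, as a PowerShell query that also summarises the failed logons by source address so a password spray stands out. This is an added example, not part of the original article; the function names are this example's own, the sample events are constructed rather than captured, and reading the live Security log requires an elevated prompt.

```powershell
# Added example, not part of the original article: parse event 4625 records and summarise failed
# logons by source address, the PowerShell counterpart of the Event Viewer filter shown above.
# Function names are this example's own; the live Security log query needs an elevated prompt.

function ConvertFrom-FailedLogon {
    # Extract the fields that matter from a 4625 event's XML (EventLogRecord.ToXml() output or an export).
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $doc = [xml]$EventXml
        $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
        $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
        $data = @{}
        foreach ($d in $doc.SelectNodes('//e:EventData/e:Data', $ns)) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        [pscustomobject]@{
            Time      = [datetime]$doc.SelectSingleNode('//e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
            Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            Source    = $data['IpAddress']
            LogonType = [int]$data['LogonType']   # 10 = RemoteInteractive (RDP); 3 = Network, which RDP with NLA also produces
            SubStatus = $data['SubStatus']        # 0xC000006A = bad password, 0xC0000064 = user name does not exist
        }
    }
}

function Get-FailedLogonSummary {
    # One row per source address. Many attempts across many distinct accounts is the password-spraying
    # pattern; many attempts against one account is a classic brute force.
    param([Parameter(ValueFromPipeline)]$Logon, [int]$Threshold = 10)
    begin { $all = @() }
    process { $all += $Logon }
    end {
        $all | Group-Object Source | ForEach-Object {
            $times = $_.Group.Time | Sort-Object
            [pscustomobject]@{
                Source           = $_.Name
                Attempts         = $_.Count
                DistinctAccounts = @($_.Group.Account | Sort-Object -Unique).Count
                FirstSeen        = $times[0]
                LastSeen         = $times[-1]
                Suspicious       = $_.Count -ge $Threshold
            }
        } | Sort-Object Attempts -Descending
    }
}

function Get-RecentFailedLogon {
    # Live query: 4625 events from the Security log in the last $Hours hours.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object { $_.ToXml() } | ConvertFrom-FailedLogon
}

function New-SampleFailedLogonXml {
    # Constructed 4625 event (not a real capture), shaped like ToXml() output so the parser runs offline.
    param([string]$User, [string]$Domain, [string]$Ip, [int]$LogonType, [string]$SubStatus, [string]$Time)
@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4625</EventID><TimeCreated SystemTime="$Time"/></System><EventData><Data Name="TargetUserName">$User</Data><Data Name="TargetDomainName">$Domain</Data><Data Name="LogonType">$LogonType</Data><Data Name="SubStatus">$SubStatus</Data><Data Name="IpAddress">$Ip</Data></EventData></Event>
"@
}

# Constructed sample: twelve guesses from one Internet address against twelve different accounts
# (a spray) plus one ordinary typo from the LAN.
$SampleEvents = 1..12 | ForEach-Object {
    $spray = @{ User = 'user{0}' -f $_; Domain = 'CORP'; Ip = '198.51.100.23'; LogonType = 3
                SubStatus = '0xc0000064'; Time = '2016-11-03T09:15:{0:00}.0000000Z' -f $_ }
    New-SampleFailedLogonXml @spray
}
$SampleEvents += New-SampleFailedLogonXml -User 'jsmith' -Domain 'CORP' -Ip '10.0.0.5' -LogonType 10 -SubStatus '0xc000006a' -Time '2016-11-03T09:20:00.0000000Z'

$SampleEvents | ConvertFrom-FailedLogon | Get-FailedLogonSummary -Threshold 10 | Format-Table -AutoSize
# Against the real log: Get-RecentFailedLogon -Hours 24 | Get-FailedLogonSummary -Threshold 20 | Format-Table -AutoSize
```

On the constructed sample, 198.51.100.23 shows 12 attempts across 12 distinct accounts within a minute and is flagged, while 10.0.0.5 shows a single attempt. Note that RDP failures arrive as LogonType 3 when Network Level Authentication is on and as LogonType 10 when it is off, so filter on the source address rather than the logon type, and feed the flagged addresses into a firewall block or an account-lockout review.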