Last Updated on April 23, 2017 by Dave Farquhar
Last week at work, I noticed some odd events in an event log, and when I investigated them, I found they were part of a failed ransomware attack. This got me thinking about how to prevent ransomware at home.
Ransomware, if you aren’t familiar, is an attack that encrypts your data and demands a ransom, usually around $300, in bitcoins, and you get a short deadline until it destroys your files. More often than not, paying the ransom is the only way to get the files back, so it’s much better to prevent it.
There are two things that ought to go without saying, but I’ll say them anyway. If you pirate software, you will get a little something extra you didn’t intend, and that little something extra may very well be ransomware. Another common vector for ransomware is unexpected e-mail. So don’t open unexpected e-mail attachments.
But a good amount of ransomware comes in over the web. Here’s how to protect yourself from that.
Conventional wisdom says that if you don’t visit web sites you’re not supposed to be visiting, you won’t get hacked. That advice doesn’t work anymore, if it ever did. Even web sites run by respected publications can unintentionally serve up malware from time to time, so you have to take measures to protect yourself.
Create a non-admin account for everyday use. Usually accounts in Windows home versions have administrative rights. It’s a better practice to create a new account that doesn’t have admin rights, and use that account except for when you’re installing software or doing other administrative tasks.
Enable Microsoft’s automatic updates in Windows. This is very important. A lot of people turn off automatic updates because they’re afraid it will break something. The thing is, that’s rare. And even when Microsoft does release a problematic update, it doesn’t fail 100% of the time. And if you do have problems due to a security update, Microsoft will help you. For free. If you get ransomware, Microsoft can’t help you.
Install Secunia PSI to keep other software up to date. I’ve written about Secunia PSI before. Ransomware usually works by forcing Internet Explorer, Silverlight, Flash, or Java to crash, tricking it into running an installation program in the process of crashing. Enabling automatic updates and installing Secunia PSI fixes the software defects that the bad guys use to cause these crashes. Secunia PSI isn’t perfect. But it does a better job of installing updates than the manufacturer’s automatic updates. It also ensures you only get the update itself. It skips the unnecessary (and often harmful) bundleware that Adobe and Oracle love to include in their security updates.
Using an alternative PDF viewer isn’t a bad idea either.
Install Malwarebytes Anti-Exploit home version. I’ve written about EMET before. But if you’d prefer something a bit more user-friendly, Malwarebytes has a similar tool called Malwarebytes Anti Exploit. These products attempt to make it harder to intentionally crash buggy software and trick it into running other code in the process of crashing. They aren’t a substitute for patching. But they provide protection for instances where the bad guys know about a defect before a patch becomes available.
Install K9 Web Protection. K9 Web Protection is a proxy server that blocks certain broad categories of web sites. It’s the home version of Blue Coat, a web filter many corporations and governments use and respect. One of the categories it blocks is malware sites. Install it and block that category, even if you don’t block anything else.
Run antivirus, but don’t count on it to stop ransomware. You need to be running antivirus. But keep in mind that when I’ve found ransomware samples and scanned them, generally only 5-10 percent of antivirus programs recognized them. Which 5-10 percent varies. And given the many issues I’ve been seeing with antivirus programs lately, my advice is to run Microsoft Security Essentials (if you run Windows 7) or Windows Defender (if you run Windows 10). If you’re actually going to pay for antivirus, get Malwarebytes Anti-Malware and run it in addition to Microsoft’s free antivirus. Malwarebytes is more aggressive than conventional antivirus, so it catches things none of the conventional antivirus programs will.
Antivirus is a class of software where the valedictorian has a C-. So there’s no point in paying $50 a year for C- protection (and risk getting D- protection) when you can get D+ protection for free.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.
I’ll toss in a related item here:
So you’re browsing one day looking for tech references; and you run across a place you recognize from past use; and you click four links as “open in a new tab” so you can quick-check them and move on; and out of flippin’ nowhere your sound comes on and a voice says your computer is locked and you’ll need to pay up. One browser tab now has the info for getting your life back.
Win7, Firefox, Malwarebytes Pro in place.
This one is easy, but the presentation ties in nicely with all the news stories and can send Aunt Minnie into a tailspin.
tl;dr: It’s a piece of javascript that loads with the web page. This particular one cannot touch the machine itself; it’s operating on the browser page only. …but it’s calling the audio function (overriding mute) and making way too much noise (adding to the sense of doom).
The page is resistant to close functions and will reappear when you restart the browser (I’m not sure if it used my restore settings or enabled a flag in the browser).
One cure:
Open several tabs (to force slower browser loading), leaving the bad one as the focus
Close the browser
Open the browser and hit +W before the script can load.
The one I had was not persistent, other than from the page with the original link (of course I went back!). The package, by its nature, is not visible to typical anti-malware software. The source page itself drew no warnings, and other links on that page worked properly.
This whole issue suggests a couple things, while not a magic pill using an internet browser other than internet explorer helps, also keep as few add ons as possible for your browser. and thirdly make it necessary to ENABLE java, javascript, silverlight, flash, AND cookies on a case by case ,site by site, basis. More trouble to surf? yeah a bit, but less likely to get hijacked.