Tuesday, May 23, 2017

Description on Ransomware Attack Measures:

  • Make sure adequate backup processes are in place and frequently test a restore of those backups ("Schrödinger's backup: it is both existent and non-existent until you've tried a restore")
  • Disable macros in Office files downloaded from the Internet. This can be configured to work in two different modes:
      ◦ Open downloaded documents in 'Protected View'
      ◦ Open downloaded documents and block all macros
  • Disable Windows Script Host
  • Filter the following attachments on your mail gateway (Level 1): .386, .ace, .acm, .acv, .ade, .adp, .adt, .ani, .app, .arc, .arj, .asd, .asp, .avb, .ax, .bas, .bat, .boo, .btm, .cab, .cbt, .cdr, .cer, .chm, .cla, .cmd, .cnv, .com, .cpl, .crt, .csc, .csh, .css, .dll, .drv, .dvb, .email, .exe, .fon, .fxp, .gms, .gvb, .hlp, .ht, .hta, .htlp, .htt, .inf, .ini, .ins, .iso, .isp, .its, .jar, .job, .js, .jse, .ksh, .lib, .lnk, .maf, .mam, .maq, .mar, .mat, .mau, .mav, .maw, .mch, .mda, .mde, .mdt, .mdw, .mdz, .mht, .mhtm, .mhtml, .mpd, .mpt, .msc, .msi, .mso (except oledata.mso), .msp, .mst, .nws, .obd, .obj, .obt, .obz, .ocx, .ops, .ovl, .ovr, .pcd, .pci, .perl, .pgm, .pif, .pl, .pot, .prf, .prg, .ps1, .pub, .pwz, .qpw, .reg, .sbf, .scf, .scr, .sct, .sfx, .sh, .shb, .shs, .shtml, .shw, .smm, .svg, .sys, .td0, .tlb, .tmp, .torrent, .tsk, .tsp, .tt6, .url, .vb, .vbe, .vbs, .vbx, .vom, .vsmacro, .vss, .vst, .vsw, .vwp, .vxd, .vxe, .wbk, .wbt, .wiz, .wk, .wml, .wms, .wpc, .wpd, .ws, .wsc, .wsf, .wsh
  • Filter the following attachments on your mail gateway (Level 2: the whole Level 1 list plus): .doc, .xls, .rtf, .docm, .xlsm, .pptm, .bin
  • Block all program executions from the %LocalAppData% and %AppData% folders
  • Set the registry value "HideFileExt" to 0 so that all file extensions are shown, even for known file types. This helps defeat cloaking tricks that use double extensions (e.g. "not_a_virus.pdf.exe")
  • Require administrative users to confirm every action that needs elevated rights
  • Remove and restrict administrative rights wherever possible; malware can only modify files that the current user has write access to
  • Activate the Windows Firewall to restrict workstation-to-workstation communication
  • Use a sandbox that opens email attachments and removes them based on behaviour analysis
  • Use software that controls which processes may execute (sometimes integrated in antivirus software; free options: AntiHook, ProcessGuard, System Safety Monitor)
  • Force the extensions primarily used for infections to open in Notepad rather than in Windows Script Host or Internet Explorer
  • Server-side file screening with the help of File Server Resource Manager
  • Block program executions (AppLocker)
  • Detect and block exploitation techniques
  • Detect ransomware at an early stage with the new file/registry monitoring in Sysmon 5
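
The two attachment lists and the double-extension point behind the HideFileExt measure fit together in one gateway check. The following PowerShell is an added example written for this edit, not code from the original post or from any particular mail product: it normalises a filename the way Windows does when saving it (trailing dots and spaces dropped, case ignored), tests the final extension against the Level 1 or Level 2 list, honours the oledata.mso exception, and reports whether a double extension such as "not_a_virus.pdf.exe" was used. The function name, the variable names and the sample filenames are my own.

```powershell
# Added example (not from the original post): mail-gateway attachment filtering
# that implements the Level 1 / Level 2 extension lists from the post and the
# double-extension check behind the HideFileExt measure.

# Level 1: the long list from the post (oledata.mso is exempted in the function).
$Level1Extensions = @('386 ace acm acv ade adp adt ani app arc arj asd asp avb ax bas bat boo btm
cab cbt cdr cer chm cla cmd cnv com cpl crt csc csh css dll drv dvb email exe fon fxp gms gvb
hlp ht hta htlp htt inf ini ins iso isp its jar job js jse ksh lib lnk maf mam maq mar mat mau
mav maw mch mda mde mdt mdw mdz mht mhtm mhtml mpd mpt msc msi mso msp mst nws obd obj obt obz
ocx ops ovl ovr pcd pci perl pgm pif pl pot prf prg ps1 pub pwz qpw reg sbf scf scr sct sfx sh
shb shs shtml shw smm svg sys td0 tlb tmp torrent tsk tsp tt6 url vb vbe vbs vbx vom vsmacro
vss vst vsw vwp vxd vxe wbk wbt wiz wk wml wms wpc wpd ws wsc wsf wsh' -split '\s+')

# Level 2: everything in Level 1 plus document formats that can carry macros or exploits.
$Level2Extensions = $Level1Extensions + @('doc', 'xls', 'rtf', 'docm', 'xlsm', 'pptm', 'bin')

function Test-AttachmentBlocked {
    # Returns an object saying whether $FileName should be dropped at the gateway.
    param(
        [Parameter(Mandatory)][string]$FileName,
        [ValidateSet(1, 2)][int]$Level = 2
    )
    # Normalise the way Windows will when the file is saved: trailing dots and
    # spaces vanish ("payload.exe. " becomes "payload.exe"), and case is ignored.
    $name  = $FileName.Trim().TrimEnd('.', ' ').ToLowerInvariant()
    $parts = $name.Split('.')
    # A name without any dot has no extension to judge.
    $ext   = if ($parts.Count -ge 2) { $parts[-1] } else { '' }
    $list  = if ($Level -eq 1) { $Level1Extensions } else { $Level2Extensions }

    $blocked = ($ext -ne '') -and ($list -contains $ext) -and ($name -ne 'oledata.mso')

    [pscustomobject]@{
        FileName        = $FileName
        Extension       = $ext
        Blocked         = $blocked
        # More than one dot with a blocked final extension is the "x.pdf.exe" trick
        DoubleExtension = $blocked -and ($parts.Count -ge 3)
    }
}

# Constructed sample attachment names (not real mail data)
$ConstructedNames = 'invoice.pdf', 'not_a_virus.pdf.exe', 'oledata.mso', 'Quarterly.XLSM', 'README', 'payload.exe. '
$ConstructedNames | ForEach-Object { Test-AttachmentBlocked -FileName $_ } | Format-Table -AutoSize
```

With the default Level 2, the run blocks "not_a_virus.pdf.exe" (flagged as a double extension), "Quarterly.XLSM" and the trailing-space "payload.exe. ", and passes "invoice.pdf", "oledata.mso" and the extension-less "README". Pass `-Level 1` to apply only the first list. Matching on the final extension after normalisation matters: a filter that looks at the raw string would let "payload.exe " through while Windows saves and runs it as "payload.exe".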
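
Several items above (show all file extensions, disable Windows Script Host, block Internet macros, open script files in Notepad, turn on the Windows Firewall) are registry or firewall settings on the workstation. The script below is an added example written for this edit, not a tool from the original post; it assumes an elevated PowerShell session, Office 2016 or later (registry version "16.0"), and the standard script ProgIDs (JSFile, VBSFile, WSFFile and so on); the function names are my own. Organisations normally push these through Group Policy; the script shows the underlying values.

```powershell
# Added example (not from the original post): applies the registry and firewall
# measures from the list on one Windows workstation. Run from an elevated
# PowerShell; the HKLM and firewall changes fail otherwise. Office paths assume
# Office 2016/2019/365 (registry version "16.0").

function Set-DwordValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Show-FileExtensions {
    # HideFileExt = 0 makes Explorer show "not_a_virus.pdf.exe" in full.
    # This is a per-user value; apply it to each profile (or via GPO) for full coverage.
    Set-DwordValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' 'HideFileExt' 0
}

function Disable-WindowsScriptHost {
    # Enabled = 0 in the machine-wide WSH settings stops wscript/cscript from running .js/.vbs/.wsf.
    Set-DwordValue 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' 'Enabled' 0
}

function Block-InternetMacros {
    # Policy value behind "Block macros from running in Office files from the Internet".
    # Files carrying the Mark-of-the-Web still open, but their macros cannot run.
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        Set-DwordValue "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" 'blockcontentexecutionfrominternet' 1
        # Keep Protected View on for Internet-sourced files (0 = not disabled).
        Set-DwordValue "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security\ProtectedView" 'DisableInternetFilesInPV' 0
    }
}

function Set-ScriptFilesToNotepad {
    # Re-point the script ProgIDs so a double-clicked .js/.vbs/.wsf opens as text
    # instead of executing. Complements (does not replace) disabling WSH.
    $notepad = "`"$env:SystemRoot\System32\notepad.exe`" `"%1`""
    foreach ($progId in 'JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile', 'WSHFile') {
        $key = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
        if (Test-Path $key) { Set-ItemProperty -Path $key -Name '(default)' -Value $notepad }
    }
}

function Enable-WorkstationFirewall {
    # Firewall on for every profile, unsolicited inbound traffic dropped: this is
    # what limits workstation-to-workstation spreading.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block
}

# Apply everything; comment out any function you manage through Group Policy instead.
Show-FileExtensions
Disable-WindowsScriptHost
Block-InternetMacros
Set-ScriptFilesToNotepad
Enable-WorkstationFirewall
Write-Host 'Hardening applied. Sign out (or restart Explorer) for the extension change to take effect.'
```

Each function maps to one list item, so a workstation that already receives some of these values from Group Policy can run only the remaining ones. Disabling WSH and re-pointing the script ProgIDs overlap on purpose: if a later Office or browser update re-enables one path, the other still stops a double-clicked script.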
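
The last item relies on the file and registry events that Sysmon 5 added; the file-creation event is Event ID 11 (FileCreate). The PowerShell below is an added example written for this edit, not code from the post or from Sysmon's authors: it flattens live Sysmon events into a small record and then flags any process that creates many files, mostly with one new extension, across several folders within a short window, which is the footprint an encryptor leaves before it finishes. The sample events are constructed inline so the detector runs offline; the threshold, window, image paths and the ".locked" extension are my own assumptions, not indicators from the post.

```powershell
# Added example (not from the original post): early ransomware detection on the
# FileCreate events (Event ID 11) that Sysmon 5 introduced. A process that writes
# dozens of files with one new extension across many folders in under a minute
# is the pattern an encryptor leaves; threshold and window are my own defaults.

function ConvertFrom-SysmonFileCreate {
    # Flattens a live Sysmon event from Get-WinEvent into the fields the detector needs.
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{ Time = $Event.TimeCreated; Image = $data['Image']; TargetFilename = $data['TargetFilename'] }
    }
}

function Find-MassFileCreation {
    param(
        [Parameter(Mandatory)][object[]]$Events,  # objects with Time, Image, TargetFilename
        [int]$Threshold = 50,                      # files per process per window
        [int]$WindowSeconds = 60
    )
    $alerts = @()
    foreach ($group in ($Events | Group-Object -Property Image)) {
        $sorted = @($group.Group | Sort-Object -Property Time)
        $start = 0
        for ($end = 0; $end -lt $sorted.Count; $end++) {
            # Slide the window start forward until the span fits in $WindowSeconds
            while (($sorted[$end].Time - $sorted[$start].Time).TotalSeconds -gt $WindowSeconds) { $start++ }
            if (($end - $start + 1) -lt $Threshold) { continue }
            $window = $sorted[$start..$end]
            $exts   = $window | ForEach-Object { [IO.Path]::GetExtension($_.TargetFilename).ToLowerInvariant() }
            $topExt = $exts | Group-Object | Sort-Object -Property Count -Descending | Select-Object -First 1
            $dirs   = $window | ForEach-Object { [IO.Path]::GetDirectoryName($_.TargetFilename) } | Select-Object -Unique
            $alerts += [pscustomobject]@{
                Image        = $group.Name
                Files        = $window.Count
                Seconds      = [math]::Round(($sorted[$end].Time - $sorted[$start].Time).TotalSeconds, 1)
                TopExtension = $topExt.Name
                TopExtShare  = [math]::Round($topExt.Count / $window.Count, 2)
                Directories  = $dirs.Count
            }
            break   # one alert per process is enough; a responder will look at the rest
        }
    }
    return $alerts
}

# Constructed sample events (not a real Sysmon log): a benign process saving a few
# files, and a suspicious process creating 60 ".locked" files in 18 seconds.
$base = [datetime]'2017-05-23T10:00:00'
$Constructed = @(
    0..2 | ForEach-Object {
        [pscustomobject]@{ Time = $base.AddSeconds($_ * 5); Image = 'C:\Windows\explorer.exe'
                           TargetFilename = "C:\Users\alice\Documents\notes$_.txt" }
    }
    0..59 | ForEach-Object {
        [pscustomobject]@{ Time = $base.AddMilliseconds($_ * 300); Image = 'C:\Users\alice\AppData\Local\Temp\invoice.exe'
                           TargetFilename = "C:\Users\alice\Documents\project$($_ % 6)\file$_.docx.locked" }
    }
)
Find-MassFileCreation -Events $Constructed | Format-Table -AutoSize

# Live use (Sysmon 5 or later with FileCreate rules enabled in its configuration):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 11 } |
#             ConvertFrom-SysmonFileCreate
# Find-MassFileCreation -Events $live
```

On the constructed data, explorer.exe stays quiet (three files in ten seconds) while the process in %LocalAppData%\Temp trips the detector at its 50th file, about 15 seconds in, with a single top extension and six directories touched. The alert carries the Image path so the same record can feed the execution-blocking measures above; a high TopExtShare together with many directories is what separates an encryptor from a compiler or a backup job, which write many files but keep their usual extensions. Sysmon only emits Event ID 11 for paths its configuration includes, so the FileCreate rules need to cover user document locations for this to see anything.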