In recent years, users and organizations of all kinds have been facing a computer threat known as “ransomware”: malware whose purpose is to prevent victims from accessing their files, or even the entire infected computer system, until a certain sum is paid as a ransom.


Thus, ransomware has become one of the most troublesome forms of malware, especially because it can cause damage, or at least inconvenience, to almost every type of user. Most of us keep on our devices, whether PCs or mobile phones, at least some pictures we care about and for which we would most probably be willing to make some effort to have them recovered, including by paying a sum of money. This is precisely what the individuals involved in creating and distributing ransomware are counting on, and international statistics on their earnings show that this is a very profitable business.
The following lines give a number of recommendations / measures for preventing ransomware infection, but also for reducing the damage in the event of an infection. These measures are taken from the “Guide to Combating Ransomware Computer Threats” published by CERT-RO – the national cyber security and incident response team, of whose drafting team I was a member.
Prevention measures
1. Be cautious – This recommendation applies generally to enhancing the security of the IT systems you use / manage.
It is already well known that the user is the weakest link in the cyber security chain, which is why most attacks target the human component (social engineering, phishing, spear phishing, spam, etc.). We therefore recommend that you do not open links or attachments contained in suspicious e-mail messages before verifying their source / legitimacy. Increased attention should also be paid to the websites you visit and to the online sources you use for downloading or updating applications.
2. Back up your data – The most effective way to combat the ransomware threat is to periodically back up the data stored / processed by your computer systems. Even if access to the data is blocked by ransomware, it can then be quickly restored and the damage is minimal.
IMPORTANT! For backups, use external storage that is not permanently connected to the system; otherwise the files on that storage medium risk being encrypted as well in case of ransomware infection. The same applies to network shares and to cloud folders kept in sync with the PC (the synchronisation client faithfully uploads the encrypted versions): these are copies, not backups, unless the service keeps earlier versions of each file.
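The following script, added here as an illustration and not taken from the CERT-RO guide, shows what a backup that survives ransomware looks like in practice: it runs only when the external drive is attached, writes each run into a new dated folder instead of mirroring over the previous one, and leaves a hash manifest so that the copy can later be proven intact. The volume label BACKUP, the source folders and the manifest file name are assumptions for the example.

```powershell
# Added example; not part of the CERT-RO guide.  Versioned backup to an external
# drive that is attached only while the script runs.  The volume label, the
# source folders and the manifest file name are assumptions for illustration.
# Windows PowerShell 5.1 or later on Windows 8 / Server 2012 or newer (Get-Volume).

$Label   = 'BACKUP'                                             # label of the external drive (assumed)
$Sources = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Pictures")

function Start-OfflineBackup {
    # Locate the drive by label, so nothing happens unless the disk is actually attached.
    $vol = Get-Volume -FileSystemLabel $Label -ErrorAction SilentlyContinue
    if (-not $vol -or -not ($vol.DriveLetter -match '^[A-Z]$')) {
        Write-Warning "Backup volume '$Label' is not attached; nothing copied."
        return
    }

    # One dated folder per run.  Never mirror (/MIR, /PURGE) over the previous copy:
    # a mirror pass made after an infection replaces good files with encrypted ones.
    $dest = Join-Path "$($vol.DriveLetter):\" ('backup-' + (Get-Date -Format 'yyyyMMdd-HHmm'))
    New-Item -ItemType Directory -Path $dest | Out-Null

    foreach ($src in $Sources) {
        $leaf = Split-Path -Path $src -Leaf
        # /E copies subfolders, /COPY:DAT data + attributes + timestamps,
        # /R:1 /W:1 gives up quickly on locked files instead of retrying for an hour.
        robocopy $src (Join-Path $dest $leaf) /E /COPY:DAT /R:1 /W:1 /NFL /NDL /NJH /NJS | Out-Null
        # robocopy exit codes 0-7 are success or informational; 8 and above mean failures.
        if ($LASTEXITCODE -ge 8) { Write-Warning "robocopy reported errors for $src (exit code $LASTEXITCODE)" }
    }

    # SHA-256 manifest of the copy: proves later that the backup is intact and not itself encrypted.
    Get-ChildItem -Path $dest -File -Recurse |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Hash, Path |
        Export-Csv -Path (Join-Path $dest 'manifest.csv') -NoTypeInformation

    Write-Host "Backup written to $dest. Eject the drive now; do not leave it connected."
    return $dest
}

function Test-BackupManifest {
    # Re-hash every file listed in a backup's manifest and report anything modified or missing.
    param([Parameter(Mandatory)][string]$BackupFolder)
    $manifest = Import-Csv -Path (Join-Path $BackupFolder 'manifest.csv')
    foreach ($entry in $manifest) {
        $current = (Get-FileHash -Path $entry.Path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($current -ne $entry.Hash) {
            $status = 'MISSING'
            if ($current) { $status = 'MODIFIED' }
            [pscustomobject]@{ Path = $entry.Path; Status = $status }
        }
    }
}

$backup = Start-OfflineBackup
if ($backup) { Test-BackupManifest -BackupFolder $backup }   # no output means every file verifies
```

Running Test-BackupManifest against an older backup folder after an incident tells you immediately whether that copy is still clean or was reached by the encryption, without opening a single file.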
3. Enable “System Restore” – On Windows operating systems, we recommend enabling “System Restore” for all storage partitions. In case of malware infection or compromised files (even system files), the data can be quickly restored by bringing the system back to a previous state.
BEWARE! Do not rely solely on this feature: many recent ransomware families delete the restore points and the Volume Shadow Copies behind them (typically by running vssadmin) before they start encrypting.
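As an added example that is not part of the CERT-RO guide, the script below turns System Restore on for every fixed NTFS volume, creates a restore point, and then looks at the two things ransomware goes after: the restore points and the Volume Shadow Copies that hold them. The Find-ShadowDeletion helper is my own addition; it searches the Security log for the shadow-deletion commands and only works if process creation auditing with command-line logging is enabled on the machine.

```powershell
# Added example; not part of the CERT-RO guide.  Run in an elevated Windows
# PowerShell 5.1 (the *-ComputerRestore cmdlets are not available in PowerShell 7).

# Discover drives rather than assuming C: only; System Restore expects the "X:\" form.
$drives = Get-Volume |
    Where-Object { $_.DriveType -eq 'Fixed' -and $_.FileSystem -eq 'NTFS' -and $_.DriveLetter -match '^[A-Z]$' } |
    ForEach-Object { "$($_.DriveLetter):\" }

Enable-ComputerRestore -Drive $drives
Checkpoint-Computer -Description 'Baseline before hardening' -RestorePointType MODIFY_SETTINGS
# Windows 8 and later silently skip a new restore point if one was created in the last
# 24 h (SystemRestorePointCreationFrequency), so always confirm that it exists:
Get-ComputerRestorePoint | Select-Object SequenceNumber, Description, CreationTime

# Restore points live in Volume Shadow Copies.  Ransomware routinely runs
#   vssadmin delete shadows /all /quiet     or     wmic shadowcopy delete
# before encrypting, which is why this list may be empty by the time you need it.
vssadmin list shadows

function Find-ShadowDeletion {
    # Search Security log 4688 (process creation) events for shadow-copy / catalog deletion.
    # Requires "Audit Process Creation" plus "Include command line in process creation events";
    # without the latter the events exist but carry no command line, and nothing will match.
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $suspicious = 'vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|wbadmin(\.exe)?\s+delete\s+catalog'
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $suspicious } |
        Select-Object TimeCreated,
            @{ Name = 'CommandLine'; Expression = {
                if ($_.Message -match 'Process Command Line:\s*(?<cmd>[^\r\n]+)') { $Matches.cmd.Trim() } } }
}

Find-ShadowDeletion -Hours 24     # any output here is a strong sign that encryption is about to start, or already has
```

A hit from Find-ShadowDeletion is worth an alert on its own: legitimate software almost never deletes all shadow copies, and the command usually runs seconds before the first files are encrypted.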
4. Implement “Application Whitelisting” type mechanisms – “Application Whitelisting” ensures that only authorized / known software runs within an IT system. The concept itself is nothing new: it is practically an application-level extension of the “default deny” approach (nothing is allowed unless explicitly permitted) long used by firewall technologies. Currently, “Application Whitelisting” is considered one of the most important strategies for combating malware threats, and several technical solutions already exist that can be implemented even by home users, especially on Windows operating systems, where the tools shipped with the operating system suffice: SRP (Software Restriction Policies, configured through Group Policy / Local Security Policy) and AppLocker (available since Windows 7 and the recommended tool for the same purpose; note that AppLocker enforcement is officially supported only on the Enterprise / Education (Ultimate on Windows 7) and Server editions, while SRP is also available on the Professional editions).
5. Disable program execution from directories such as %AppData% and %Temp% – An alternative to an “Application Whitelisting” mechanism (not as effective, but still a significant security gain) is to block the execution of programs from directories such as %AppData%, %LocalAppData% and %Temp%, the usual drop locations for malware delivered by e-mail or browser, through security policy (GPO – Group Policy Object, typically an SRP path rule) or using an IPS (Intrusion Prevention System) solution.
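To make items 4 and 5 concrete, here is an added example (not taken from the CERT-RO guide) of a minimal AppLocker policy that implements “default deny” for executables. Only the Windows and Program Files trees are allowed, so a program started from %AppData%, %Temp%, Downloads or a USB stick is blocked simply because no rule permits it, which covers item 5 as a side effect of item 4. Two explicit Deny rules close the user-writable folders under %WINDIR% that the broad “Allow Windows” rule would otherwise open. The rule GUIDs are generated on the spot and the test file name is an assumption.

```powershell
# Added example; not part of the CERT-RO guide.  Run in an elevated Windows PowerShell.
# AppLocker enforcement is officially supported on Enterprise / Education and Server editions.

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators may run anything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <!-- Deny wins over Allow.  These close user-writable folders under %WINDIR% that the
         "Allow Windows" rule would otherwise open (a classic whitelisting bypass). -->
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny Windows\Temp" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Temp\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny Windows\Tasks" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Tasks\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyFile = Join-Path $env:TEMP 'applocker-default-deny.xml'
$policyXml | Set-Content -Path $policyFile -Encoding UTF8

# Dry run against real PE files: a copy of notepad.exe dropped where mail-borne malware
# lands, plus the original.  Expected decisions: DeniedByDefault for the copy, Allowed for the original.
$dropped = Join-Path $env:APPDATA 'invoice.docx.exe'           # assumed name, the double-extension trick
Copy-Item -Path "$env:WINDIR\System32\notepad.exe" -Destination $dropped
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $dropped, "$env:WINDIR\System32\notepad.exe" -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule
Remove-Item -Path $dropped

# Enforcement is done by the Application Identity service; it must be running.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Apply in AuditOnly first.  "Would have been blocked" is event ID 8003 in the
# Microsoft-Windows-AppLocker/EXE and DLL log; switch EnforcementMode to "Enabled" once a
# few days of auditing show no legitimate software being hit.
Set-AppLockerPolicy -XmlPolicy $policyFile
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object Id -eq 8003 | Select-Object TimeCreated, Message
```

The policy above only covers the Exe collection; scripts, installers and DLLs have their own collections and should be added once the executable rules are stable. Software that installs itself into the user profile (some browsers, chat and meeting clients) will show up in the audit log and needs a publisher rule rather than a path exception, or the whole point of the exercise is lost.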
6. Show file extensions – Some ransomware is delivered as an executable whose name carries a familiar document extension (.doc, .docx, .xls, .xlsx, .txt, etc.) in front of the real .exe extension, giving names such as “invoice.docx.exe” or “notes.txt.exe”. Because Windows Explorer hides known extensions by default, such a file is displayed simply as “invoice.docx” and is easily mistaken for a document. Displaying file extensions therefore makes suspicious / malicious files much easier to spot. It is recommended that you never run executable files received by e-mail.
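The following example, added here and not part of the CERT-RO guide, does two things: it switches extension display on for the current user, and it scans the folders where attachments and downloads typically land for executables disguised as documents. It looks for the double-extension pattern described above and, going one step beyond the text, for names containing the Unicode right-to-left override character, another way of making “.exe” read as “.jpg” in Explorer. The folder list and extension lists are assumptions for the example.

```powershell
# Added example; not part of the CERT-RO guide.  Folder and extension lists are assumptions.

# HideFileExt = 0: Explorer shows "invoice.docx.exe" instead of "invoice.docx".
# Explorer picks the change up at the next logon (or after restarting explorer.exe).
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
                 -Name HideFileExt -Value 0 -Type DWord

function Find-DisguisedExecutable {
    param([Parameter(Mandatory)][string[]]$Folder)
    $docExt  = 'doc|docx|xls|xlsx|ppt|pptx|pdf|txt|rtf|jpg|jpeg|png|zip'
    $execExt = 'exe|scr|com|pif|bat|cmd|js|jse|vbs|vbe|wsf|hta|lnk'
    # Whole-name match, e.g. "report.docx.exe" or "photo.jpg.scr"
    $double  = "^(?<name>.+)\.(?<fake>$docExt)\.(?<real>$execExt)$"
    # U+202E (right-to-left override): "photo<RLO>gpj.exe" is displayed as "photoexe.jpg"
    $rlo     = '\u202E'

    Get-ChildItem -Path $Folder -File -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $reason = $null
        if ($_.Name -match $double)   { $reason = ".$($Matches.fake) is fake, the file is really .$($Matches.real)" }
        elseif ($_.Name -match $rlo)  { $reason = 'name contains U+202E (right-to-left override)' }
        if ($reason) {
            # Files saved by a browser or mail client carry a Zone.Identifier stream; ZoneId=3 means Internet.
            $zone = Get-Content -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path         = $_.FullName
                Reason       = $reason
                FromInternet = [bool]($zone -match 'ZoneId=3')
                SizeBytes    = $_.Length
                LastWrite    = $_.LastWriteTime
            }
        }
    }
}

# Typical landing zones for attachments and downloads (assumed); adjust to the user's profile.
Find-DisguisedExecutable -Folder "$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop", $env:TEMP |
    Format-Table -AutoSize
```

A hit with FromInternet set to True is exactly the case the text warns about: an executable that arrived by mail or browser wearing a document's name. Do not double-click it to “check”; quarantine it and look at the mail it came with.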
7. Always update operating systems and applications – Keeping the applications / programs you use up to date is a mandatory measure for ensuring a high level of security of the IT system. More often than not, out-of-date software is the equivalent of a backdoor for cyber criminals. Software manufacturers generally publish updates for operating systems and applications regularly and let users configure their automatic download and installation. We therefore recommend enabling automatic updates wherever possible and deciding on the most effective way to update the remaining programs (periodic review of the versions available on the manufacturer's site).
BEWARE! Malware has often been delivered disguised as a software update. Carefully check the sources used for software downloads / updates.
8. Use effective and up-to-date security solutions – An absolute necessity for preventing malware infections is the use of one or more effective and up-to-date security software solutions offering facilities / services such as antivirus, anti-malware, anti-spyware, anti-spam, firewall, etc. More recently, some anti-malware products offer dedicated anti-ransomware protection.
9. Use software tools for file monitoring – File monitoring software (watching file access, modification, renaming and deletion) can help to quickly detect suspicious behaviour on computer or network systems; bulk encryption shows up as a sudden burst of files being rewritten or renamed with unfamiliar extensions.
10. Pay close attention when accessing web advertisements – Some recent versions of ransomware have been delivered through malicious advertisements (malvertising) displayed on popular websites (news sites, online stores, etc.). We recommend that you avoid clicking on advertisements as much as possible, and even use ad-blocking software tools to automatically block the loading / display of commercial ads.
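Item 9 deserves a worked example, so here is a minimal file-activity monitor added for this article (it is not a tool from the CERT-RO guide). It uses the .NET FileSystemWatcher to count files that appear or get renamed with an extension outside a known list, and raises an alert when more than a threshold of them occur inside a short sliding window, which is the signature every bulk-encrypting ransomware leaves on disk. The watched folder, the extension list, the window, the threshold and the log file path are assumptions.

```powershell
# Added example; not part of the CERT-RO guide.  Parameters below are assumptions.

$cfg = @{
    Path      = "$env:USERPROFILE\Documents"          # folder to watch
    Window    = [TimeSpan]::FromSeconds(10)            # sliding window
    Threshold = 25                                     # unfamiliar-extension events per window
    KnownExt  = @('.doc','.docx','.xls','.xlsx','.ppt','.pptx','.pdf','.txt','.jpg','.jpeg','.png','.zip','.tmp')
    Times     = New-Object System.Collections.Generic.List[datetime]
    Log       = "$env:ProgramData\ransom-monitor.log"  # alert log
    Alerted   = $false
}

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $cfg.Path
$watcher.IncludeSubdirectories = $true
$watcher.NotifyFilter = [System.IO.NotifyFilters]::FileName   # creates, deletes and renames only
$watcher.EnableRaisingEvents = $true

# The action block runs outside the script's scope, so all state travels in -MessageData.
$handler = {
    $c    = $Event.MessageData
    $path = $Event.SourceEventArgs.FullPath
    $ext  = [System.IO.Path]::GetExtension($path).ToLowerInvariant()
    if ($ext -eq '' -or $c.KnownExt -contains $ext) { return }

    $now = Get-Date
    $c.Times.Add($now)
    # Drop events older than the window; the list is in arrival order, so trim from the front.
    while ($c.Times.Count -gt 0 -and ($now - $c.Times[0]) -gt $c.Window) { $c.Times.RemoveAt(0) }

    if ($c.Times.Count -ge $c.Threshold -and -not $c.Alerted) {
        $c.Alerted = $true   # one alert per run; reset or escalate as your response plan dictates
        $msg = "$($now.ToString('s')) ALERT: $($c.Times.Count) files received unfamiliar extensions within " +
               "$($c.Window.TotalSeconds)s, latest: $path (extension $ext)"
        Add-Content -Path $c.Log -Value $msg
        Write-Warning $msg
        # The response belongs here: disable network adapters, notify the SOC, shut the machine down.
    }
}

Register-ObjectEvent -InputObject $watcher -EventName Created -SourceIdentifier 'RansomCreated' -Action $handler -MessageData $cfg | Out-Null
Register-ObjectEvent -InputObject $watcher -EventName Renamed -SourceIdentifier 'RansomRenamed' -Action $handler -MessageData $cfg | Out-Null

Write-Host "Watching $($cfg.Path); press Ctrl+C to stop."
try { while ($true) { Start-Sleep -Seconds 1 } }   # event actions only run while the pipeline is idle
finally {
    foreach ($id in 'RansomCreated', 'RansomRenamed') { Unregister-Event -SourceIdentifier $id -ErrorAction SilentlyContinue }
    $watcher.Dispose()
}
```

Two caveats a practitioner should expect: a legitimate bulk operation (unpacking an archive, a photo tool renaming a whole folder) trips the same threshold, so tune it against normal activity before trusting the alert; and FileSystemWatcher drops events under heavy load, so a real deployment also watches a few canary files that no user touches and alerts the moment one of them changes.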


Measures to eradicate and limit effects

1. Disconnect external storage media and the network – Remove all external storage media connected to the PC (USB memory sticks, memory cards, external hard drives, etc.), unplug the network cable and disconnect any other network connections (Wi-Fi, 3G, etc.). This prevents damage to files stored on external media or on network-accessible storage (network shares, cloud storage, etc.).
2. [Optional] Create a memory (RAM) capture – If you later want to investigate the incident, and possibly attempt to recover the encryption keys used by the ransomware from memory, make a memory (RAM) capture as quickly as possible, using a specialized tool, before shutting down the PC.
BEWARE! More files (or even all of them) may be encrypted while the memory capture is in progress. The decision whether to shut the PC down immediately or to take a memory capture first must be made according to your priorities (“Is the data more important?” or “Is the possibility of further analysis more important?”). For example, if a backup of the data stored on the affected PC exists, or the files are not considered important, you can decide to perform a memory capture.
3. Shut down the PC – If you suspect that a PC has been infected with ransomware and you decide not to take a memory capture (see 2), we recommend that you shut it down immediately in order to limit the number of encrypted files as much as possible.
4. [Optional] Make a copy (image) of the HDD – If you are interested in further investigating the incident and possibly trying to recover some of the files using “Data Recovery” tools, make a “bit by bit” copy of the hard drives affected by the ransomware, using a specialized tool.
5. Make an “offline” backup of the files – Boot the computer from an operating system that loads from an external storage medium (CD, DVD, USB memory stick, etc.); most modern Linux distributions offer such a “live” mode. Copy all the files you need, including those that have been compromised (encrypted), to another storage medium.
6. Restore the compromised files – The easiest way to recover the files affected by ransomware is to restore them from backups. If no such copies are available, we recommend that you try to recover the files using “System Restore” or specialized “Data Recovery” software tools.
BEWARE! We recommend attempting data recovery with “Data Recovery” software only on the HDD images (made in accordance with step 4 above). Otherwise, you risk ruining the chances of success of more complex procedures that recover data directly from the storage media. Solutions for recovering data directly from the storage media exist, but they require a high level of expertise and specialised equipment.
7. Clean the affected computer systems – The safest way to ensure that the computer system no longer contains malware (or remnants of it) is to re-install the operating system after formatting all HDDs / partitions. If this is not possible (for example, if the data is to be recovered directly from the affected HDDs), we recommend using one or more antivirus / antimalware / antispyware security solutions to scan and disinfect the system.
BEWARE! If you intend to try recovering the data from the affected HDDs as described in step 6, we recommend that you do not attempt to disinfect them, but use other HDDs to re-install the operating system.
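The first three steps above are the ones performed on the live, still-encrypting machine, where every second counts. As an added example (not part of the CERT-RO guide), the script below does them in the order the guide implies: cut every network path, drop mapped shares, optionally record volatile state, then power off. The lightweight snapshot of processes and connections is my own addition to step 2; it takes seconds rather than the minutes a full RAM capture needs. The output folder is assumed to be on a clean USB stick attached just for this purpose, because writing anything to the infected disk overwrites deleted originals that a later “Data Recovery” pass (steps 4 and 6) might still have found; the memory capture tool and its path are assumptions as well.

```powershell
# Added example; not part of the CERT-RO guide.  Run elevated in Windows PowerShell 5.1
# on Windows 8 / Server 2012 or newer (Get-NetAdapter, Get-NetTCPConnection, Get-SmbMapping).

$Out = "E:\ir-$(Get-Date -Format 'yyyyMMdd-HHmmss')"   # assumed: clean USB stick, never the system drive
New-Item -ItemType Directory -Path $Out -Force | Out-Null

# Active connections take well under a second to list; grab them before the network is cut,
# otherwise the record is empty.
Get-NetTCPConnection | Where-Object State -ne 'Listen' |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Export-Csv -Path (Join-Path $Out 'connections.csv') -NoTypeInformation

# Step 1: isolate.  Disabling adapters (LAN, Wi-Fi, mobile broadband alike) stops both the
# encryption of network shares and any command-and-control traffic without touching the disk.
Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false
Get-SmbMapping -ErrorAction SilentlyContinue | Remove-SmbMapping -Force -ErrorAction SilentlyContinue

# Step 2 (light version): what was running, under which account, with which command line.
# Seconds of work, unlike a full RAM capture, and it pins down the process to hunt for later.
Get-Process -IncludeUserName | Select-Object Id, ProcessName, Path, UserName |
    Export-Csv -Path (Join-Path $Out 'processes.csv') -NoTypeInformation
Get-CimInstance -ClassName Win32_Process | Select-Object ProcessId, ParentProcessId, Name, CommandLine |
    Export-Csv -Path (Join-Path $Out 'cmdlines.csv') -NoTypeInformation

# Step 2 (full version) only if the guide's trade-off favours analysis over the remaining files.
# Tool and location are assumptions, e.g. a winpmem build carried on the same USB stick:
#   & 'E:\tools\winpmem_mini_x64_rc2.exe' (Join-Path $Out 'memory.raw')

# Step 3: shut down, never restart; a reboot simply gives the malware a second run.
Stop-Computer -Force
```

Keep a script like this, together with the capture tool, on a USB stick prepared in advance: typing these commands from memory on a machine that is encrypting your files is not the moment to discover a missing module or a mistyped parameter.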
Ultimately, if your files have been compromised and no recovery attempt has succeeded, think very carefully before paying the ransom demanded in the ransomware message. Besides encouraging those involved in creating and distributing ransomware, there is no real guarantee that once payment is made you will actually recover your data. There are more and more cases of users who did not recover their data even after paying the attackers the amount requested.

Cătălin Pătraşcu | Head of Information Security and Monitoring Department, CERT-RO
