
Preventive Measure

Preventive measures based on the ransomware document overview published at https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The measures are quite generic and fit any standard Windows infrastructure and its existing security controls.

Authors and/or Contributors

Various

Backup and Restore Process

Make sure to have adequate backup processes in place and frequently test a restore of these backups. (Schrödinger's backup: it is both existent and non-existent until you have tried a restore.)

Internal MISP references

UUID 5f942376-ea5b-4b23-9c26-81d3aeba7fb4 which can be used as a unique global reference for Backup and Restore Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
complexity Medium
effectiveness High
impact Low
type ['Recovery']

Block Macros

Disable macros in Office files downloaded from the Internet. This can be configured to work in two different modes: A) open downloaded documents in 'Protected View'; B) open downloaded documents and block all macros.

Internal MISP references

UUID 79563662-8d92-4fd1-929a-9b8926a62685 which can be used as a unique global reference for Block Macros in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
complexity Low
effectiveness High
impact Low
type ['GPO']

Disable WSH

Disable the Windows Script Host (WSH)

Internal MISP references

UUID e6df1619-f8b3-476c-b5cf-22b4c9e9dd7f which can be used as a unique global reference for Disable WSH in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
complexity Low
effectiveness Medium
impact Medium
possible_issues Administrative VBS scripts on workstations
type ['GPO']

Filter Attachments Level 1

Filter the following attachment types on your mail gateway: .ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .exe, .hlp, .ht, .hta, .inf, .ins, .isp, .jar, .job, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .ocx, .pcd, .ps1, .reg, .scr, .sct, .shs, .svg, .url, .vb, .vbe, .vbs, .wbk, .wsc, .ws, .wsf, .wsh, .exe, .pif, .pub

Internal MISP references

UUID 7055b72b-b113-4f93-8387-e6f58ce5fc92 which can be used as a unique global reference for Filter Attachments Level 1 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
complexity Low
effectiveness Medium
impact Low
type ['Mail Gateway']

Filter Attachments Level 2

Filter the following attachment types on your mail gateway (the Level 1 filter list plus): .doc, .xls, .rtf, .docm, .xlsm, .pptm

Internal MISP references

UUID 8c9bbbf5-a321-4eb1-8c03-a399a9687687 which can be used as a unique global reference for Filter Attachments Level 2 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
complexity Low
effectiveness High
impact High
possible_issues Office communication using legacy Microsoft Office file formats (.doc, .xls)
type ['Mail Gateway']

Restrict program execution

Block all program execution from the %LocalAppData% and %AppData% folders

Internal MISP references

UUID 6a234b1d-8e86-49c4-91d6-cc3be3d04f74 which can be used as a unique global reference for Restrict program execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
complexity Medium
effectiveness Medium
impact Medium
possible_issues Web embedded software installers
type ['GPO']

Show File Extensions

Set the registry value "HideFileExt" to 0 in order to show all file extensions, even those of known file types. This helps avoid cloaking tricks that use double extensions (e.g. "not_a_virus.pdf.exe").

Internal MISP references

UUID 5b911d46-66c8-4180-ab97-663a0868264e which can be used as a unique global reference for Show File Extensions in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
complexity Low
effectiveness Low
impact Low
type ['User Assistance']

Enforce UAC Prompt

Require administrative users to confirm any action that requires elevated rights

Internal MISP references

UUID 3f8c55db-611e-4831-b624-f9cbdc3b0e11 which can be used as a unique global reference for Enforce UAC Prompt in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
complexity Low
effectiveness Medium
impact Low
possible_issues Administrator resentment
type ['GPO']

Remove Admin Privileges

Remove and restrict administrative rights whenever possible. Malware can only modify files that users have write access to.

Internal MISP references

UUID 168f94d3-4ffc-4ea6-8f2e-8ba699f0fef6 which can be used as a unique global reference for Remove Admin Privileges in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
complexity Medium
effectiveness Medium
impact Medium
possible_issues Higher administrative costs
type ['Best Practice']

Restrict Workstation Communication

Activate the Windows Firewall to restrict workstation-to-workstation communication

Internal MISP references

UUID fb25c345-0cee-4ae7-ab31-c1c801cde1c2 which can be used as a unique global reference for Restrict Workstation Communication in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
complexity Medium
effectiveness Low
impact Low
type ['Best Practice']

Sandboxing Email Input

Use a sandbox that opens email attachments and removes them based on behavior analysis

Internal MISP references

UUID 7960740f-71a5-42db-8a1a-1c7ccbf83349 which can be used as a unique global reference for Sandboxing Email Input in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
complexity Medium
effectiveness High
type ['Advanced Malware Protection']

Execution Prevention

Software that controls which processes are allowed to execute, sometimes integrated in antivirus software. Free examples: AntiHook, ProcessGuard, System Safety Monitor

Internal MISP references

UUID bfda0c9e-1303-4861-b028-e0506dd8861c which can be used as a unique global reference for Execution Prevention in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
complexity Medium
effectiveness Medium
type ['3rd Party Tools']

Change Default "Open With" to Notepad

Force file extensions primarily used for infections to open in Notepad rather than in Windows Script Host or Internet Explorer

Internal MISP references

UUID 3b7bc1b2-e04f-4492-b3b1-87bb6701635b which can be used as a unique global reference for Change Default "Open With" to Notepad in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
complexity Low
effectiveness Medium
impact Medium
possible_issues Some extensions will have legitimate uses, e.g., .vbs for logon scripts.
type ['GPO']

File Screening

Server-side file screening with the help of the File Server Resource Manager (FSRM)

Internal MISP references

UUID 79769940-7cd2-4aaa-80da-b90c0372b898 which can be used as a unique global reference for File Screening in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
complexity Low
effectiveness Medium
impact Low
type ['Monitoring']

Restrict program execution #2

Block program execution with AppLocker

Internal MISP references

UUID feb6cddb-4182-4515-94dc-0eadffcdc098 which can be used as a unique global reference for Restrict program execution #2 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
complexity Medium
effectiveness Medium
impact Medium
possible_issues Requires extensive configuration and testing
type ['GPO']

EMET

Detect and block exploitation techniques

Internal MISP references

UUID 5f0a749f-88f2-4e6e-8fd8-46307f8439f6 which can be used as a unique global reference for EMET in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
complexity Medium
effectiveness Medium
impact Low
type ['GPO']

Sysmon

Detect ransomware at an early stage with the file and registry monitoring introduced in Sysmon 5

Internal MISP references

UUID 1b1e5664-4250-459b-adbb-f0b33f64bf7e which can be used as a unique global reference for Sysmon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
complexity Medium
effectiveness Low
impact Low
type ['3rd Party Tools']

Blacklist-phone-numbers

Filter the numbers at the phone routing level, including the PABX

Internal MISP references

UUID 123e20c5-8f44-4de5-a183-6890788e5a81 which can be used as a unique global reference for Blacklist-phone-numbers in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
complexity Low
effectiveness Medium
impact Medium

ACL

Restrict access to shares that users should not be allowed to write to

Internal MISP references

UUID 3e7a7fb5-8db2-4033-8f4f-d76721819765 which can be used as a unique global reference for ACL in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
complexity Medium
effectiveness Medium
impact Medium

Packet filtering

Limit access to a service by network/packet filtering the access to

Internal MISP references

UUID 19c98fa6-45f7-47cc-830d-2d4f39301b06 which can be used as a unique global reference for Packet filtering in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
complexity Low
effectiveness Medium
impact Low