Ransomware is undoubtedly the most dangerous form of malware in circulation. Apart from locking private users’ files, it is a serious threat to businesses and institutions. In the U.S. recently, police and hospital systems have been compromised – in the worst case possibly endangering lives. Ransomware encrypts files and the attacker demands a ransom for the decryption key. Because many variants can now spread to both mapped and unmapped network shares, whole systems can be locked. In the case of the Californian hospital infection, this could have had fatal consequences.
The Space Race
In the ever-increasing tide of malware there is a pattern, an evolution. Current variants are almost always based on successful predecessors, or are patched versions of others whose code was cracked or flawed. These generic similarities in behaviour allow smart AV software to detect some of them (using ‘heuristic’ detection). But as the protection improves, the malware authors work overtime on better ways to avoid detection. It is a little like the space race of the ‘sixties between the U.S. and Russia.
Ransomware requires a work permit
Most ransomware runs from the %Temp% file paths. From there it creates the files it needs to communicate with its command-and-control server, receives an encryption key and then launches the extortion routine. This malware is very cunning in avoiding detection. Some variants can even recognise sandboxes set up to catch them and refuse to run there. But for the 90% that run from these paths, denying them a work permit stops them dead, should they get through border security.
How to harden a system with a change of policy
To deny this ninety percent the right to work on your system, go through the following: Control Panel > System and Security > Administrative Tools > Local Security Policy. In that window, select Software Restriction Policies (create new policies if none exist yet) and then Additional Rules. In the central panel, choose the right-hand option, New Path Rule, and make the following entries, each with the security level set to “Not allowed” (labelled Disallowed in the dialog):
- %AppData%\*.exe – “Not allowed”
- %AppData%\*\*.exe – “Not allowed”
- %LocalAppData%\*.exe – “Not allowed”
- %LocalAppData%\*\*.exe – “Not allowed”
- %ProgramData%\*.exe – “Not allowed”
- %Temp%\*.exe – “Not allowed”
- %Temp%\*\*.exe – “Not allowed”
- %LocalAppData%\Temp\*.zip\*.exe – “Not allowed”
- %LocalAppData%\Temp\7z*\*.exe – “Not allowed”
- %LocalAppData%\Temp\Rar*\*.exe – “Not allowed”
- %LocalAppData%\Temp\wz*\*.exe – “Not allowed”
Once this is done, reboot the computer to apply the changes. If ransomware does land in one of these locations after the reboot, it will just be another file to trash at your next clean-up (which should be done regularly!).
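The same path rules can be deployed by script rather than by clicking through the dialog. The PowerShell below is an added example, not the post’s own batch file or any tool it describes; it assumes the local Software Restriction Policy registry layout that secpol.msc itself writes (`…\Safer\CodeIdentifiers\<level>\Paths\{GUID}` with `ItemData`/`SaferFlags` values, level 0 = Disallowed) and must run elevated.

```powershell
#Requires -RunAsAdministrator
# Added example: write the path rules from the list above into the local
# Software Restriction Policy hive that secpol.msc uses. Assumed layout:
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<level>\Paths\{GUID}
# where level 0 = Disallowed (the post's "Not allowed") and 0x40000 = Unrestricted.
$Safer    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallow = Join-Path $Safer '0\Paths'

# The rules recommended above (the list's duplicate %ProgramData% entry dropped).
$Rules = @(
  '%AppData%\*.exe',      '%AppData%\*\*.exe',
  '%LocalAppData%\*.exe', '%LocalAppData%\*\*.exe',
  '%ProgramData%\*.exe',
  '%Temp%\*.exe',         '%Temp%\*\*.exe',
  '%LocalAppData%\Temp\*.zip\*.exe',
  '%LocalAppData%\Temp\7z*\*.exe',
  '%LocalAppData%\Temp\Rar*\*.exe',
  '%LocalAppData%\Temp\wz*\*.exe'
)

function Enable-SrpBaseline {
  # Default level stays Unrestricted so only the explicit rules below bite.
  # TransparentEnabled=1 enforces for all programs (2 would add DLLs);
  # PolicyScope=0 applies the policy to administrators as well.
  New-Item -Path $Disallow -Force | Out-Null
  Set-ItemProperty -Path $Safer -Name DefaultLevel       -Type DWord -Value 0x40000
  Set-ItemProperty -Path $Safer -Name TransparentEnabled -Type DWord -Value 1
  Set-ItemProperty -Path $Safer -Name PolicyScope        -Type DWord -Value 0
}

function Add-SrpPathRule {
  param([string]$Path,
        [string]$Description = 'Block executables in user-writable temp paths')
  # Idempotent: reuse an existing rule for the same path instead of adding a twin.
  $existing = Get-ChildItem $Disallow -ErrorAction SilentlyContinue |
              Where-Object { (Get-ItemProperty $_.PSPath).ItemData -eq $Path }
  if ($existing) { return $existing.PSChildName }
  $guid = '{' + [guid]::NewGuid().ToString() + '}'
  $key  = New-Item -Path (Join-Path $Disallow $guid) -Force
  New-ItemProperty -Path $key.PSPath -Name ItemData     -PropertyType ExpandString -Value $Path | Out-Null
  New-ItemProperty -Path $key.PSPath -Name SaferFlags   -PropertyType DWord  -Value 0 | Out-Null
  New-ItemProperty -Path $key.PSPath -Name Description  -PropertyType String -Value $Description | Out-Null
  New-ItemProperty -Path $key.PSPath -Name LastModified -PropertyType QWord `
                   -Value ([datetime]::UtcNow.ToFileTimeUtc()) | Out-Null
  return $guid
}

Enable-SrpBaseline
foreach ($r in $Rules) { '{0,-36} -> {1}' -f $r, (Add-SrpPathRule -Path $r) }
Write-Host 'Rules written; reboot (or run gpupdate /force) to apply them.'
```

Expect some legitimate per-user installers and updaters to stop launching once these rules are active; each blocked start is logged in the Application event log under the SoftwareRestrictionPolicies source (event ID 866), which is the first place to look when a program you rely on no longer opens.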
Rename VSSADMIN.EXE
Every ransomware strain erases the Volume Shadow Copies on the attacked machine. Restoring the PC to an earlier state with the System Restore utility is therefore impossible. To prevent that, users can (and are strongly advised to) rename the command-line utility vssadmin.exe, which manages the shadow copies. Since vssadmin.exe is a system file, it cannot be renamed like an ordinary file. To do that, please download this batch file and run it as administrator.
Note! Your System Restore operations will not be affected by renaming vssadmin.exe!
There is no perfect solution
Remember that this will only disable ransomware that runs from these file paths. And remember, if an app like Spotify is used, it copies files to different folders, where the disarmed ransomware could start up.
Ransomware will continue to evolve and become even more efficient. Remember the other 10%. The best way to insure yourself against the attackers is to back up regularly to an external storage device. If more people did this, the bottom would fall out of the ransomware market.