This guide is intended to complement the Ransomware page published by the Microsoft Protection Center. It is recommended that you use the feed update functionality on this page to keep up to date with new recommendations, as new variants of ransomware will be released in the future. Also, review and subscribe to the feed of Top 10 Ransomwares, and review this video: Ransomware 101: How to Protect and Mitigate your environment from Malware.



How does my computer get infected by ransomware?

  • Ransomware is usually delivered by a phishing email that contains file attachments or links (URLs) to websites that exploit unpatched software vulnerabilities, including vulnerabilities in 3rd party software such as Adobe Flash, Adobe Acrobat Reader and Java.
  • Phishing emails with attachments deliver the payload inside compressed files such as ZIP, CAB or RAR. The user opens the archive and finds an executable inside (recently seen mostly with the extensions .exe or .scr).
    • The first action is to ensure the email server blocks those kinds of extensions as quickly as possible, so that users cannot open those attachments.
  • Phishing emails with links redirect users to websites that usually run a script exploiting a software vulnerability (Java, Flash); the exploit creates an executable on the victim's computer, gets a Trojan horse installed, and then downloads the ransomware from a botnet on the Internet. As a first line of protection, it is very important to instruct your users not to click on links in any email from untrusted sources. Additionally, verify whether your email server software or antivirus can implement phishing countermeasures to protect against phishing email.
  • Review this blog post for more details: The dangers of opening suspicious emails: Crowti ransomware. Also, for the most recent ransomware in action, check this: Crowti update - CryptoWall 3.0
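How a mail gateway rule can look inside a compressed attachment for the executables described above, as an added PowerShell example that is not part of the original article; the archive it inspects is constructed inline, and the extension list is an assumption to adapt to your own gateway policy:

```powershell
# Added example (not from the original article): inspect an email attachment
# archive the way a mail-gateway rule would, flagging entries whose extension
# is executable, including double extensions such as "invoice.pdf.exe".
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Extensions the article calls out (.exe, .scr) plus other common executable
# and script types; assumed list, extend it to match your gateway policy.
$BlockedExtensions = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.js', '.vbs', '.ps1', '.jar')
# Nested archives cannot be judged from the outside; flag them for a separate pass.
$NestedArchives = @('.zip', '.rar', '.cab', '.7z')

function Test-ArchiveForExecutables {
    param([Parameter(Mandatory)][string]$ZipPath)
    $findings = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($ZipPath)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.FullName.EndsWith('/')) { continue }   # directory entry, nothing to run
            # GetExtension returns only the last extension, so "invoice.pdf.exe" -> ".exe"
            $ext = [System.IO.Path]::GetExtension($entry.Name).ToLowerInvariant()
            $reason = $null
            if ($BlockedExtensions -contains $ext) { $reason = 'executable' }
            elseif ($NestedArchives -contains $ext) { $reason = 'nested archive' }
            if ($reason) {
                $findings += [pscustomobject]@{ Entry = $entry.FullName; Extension = $ext; Reason = $reason; SizeBytes = $entry.Length }
            }
        }
    } finally { $zip.Dispose() }
    return $findings
}

# Constructed sample: a benign text file next to a decoy "invoice.pdf.exe".
$work = Join-Path $env:TEMP ('attachment-check-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
Set-Content -Path (Join-Path $work 'readme.txt') -Value 'plain text'
Set-Content -Path (Join-Path $work 'invoice.pdf.exe') -Value 'not a real binary'
$zipPath = "$work.zip"
[System.IO.Compression.ZipFile]::CreateFromDirectory($work, $zipPath)

$hits = @(Test-ArchiveForExecutables -ZipPath $zipPath)
if ($hits.Count -gt 0) {
    Write-Output "QUARANTINE: $zipPath contains $($hits.Count) suspicious entries"
    $hits | Format-Table -AutoSize
} else {
    Write-Output "Clean: $zipPath"
}
Remove-Item -Recurse -Force $work, $zipPath
```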


Should antivirus detect and remove the malware immediately?

  • Antivirus with updated definitions should be able to detect and remove the ransomware, but if a new variant is in the wild, the antivirus may not have a definition to catch it yet. If you suspect you were infected but your antivirus software does not alert you, contact your antivirus provider to check whether a new signature is available. Sometimes even the newest signatures cannot detect the ransomware. In that case, the best option is to send the suspicious content to your antivirus provider for review. After they review it and confirm the presence of malicious code, a new signature should be released.
  • To obtain the latest signatures for Microsoft antimalware software, use the following guidance: Updating your Microsoft antimalware and antispyware software. For Microsoft Forefront Client Security, Microsoft Forefront Endpoint Protection 2010 or Microsoft System Center 2012 Endpoint Protection, see: How to manually download the latest antimalware definition updates.
    • Newer versions of Microsoft antimalware software detect malware more effectively by combining behavior monitoring with MAPS. Customers are recommended to enable MAPS to get extra protection. For more information: MAPS in the cloud: How can it help your enterprise?
  • You can also submit suspicious samples for review using the instructions in: Submitting malware to Microsoft for analysis.
***Note*** Keep in mind that antivirus software is not the only line of defense against ransomware. You should also work on other fronts of protection such as software updates, user awareness, backups and the other actions listed in this article.


How do I stop this ransomware from spreading to other users in my network?

  • In the past, ransomware did not spread like a worm in the network (see note below): users had to run the malware to be affected. Therefore, you should also work on instructing your users (security awareness) not to open email attachments from untrusted sources. That will be the only way to avoid this kind of issue in your environment. Also, block email with executables, including executables inside compressed files. More information here: How to recognize phishing email messages.
  • Recently, ransomware has incorporated worms to spread, as used by the WannaCrypt attacks (The worm that spreads WanaCrypt0r).


How do I restore the files encrypted by the ransomware?

  • It is not recommended that you pay. There is no guarantee that handing over the ransom will give you access to your files again. Paying the ransom could also make you a target for more malware.
  • How to recover your files depends on where the files are stored and what version of Windows you are using. If the files are stored on a file server, restore them from the latest backup. A file server can also have files encrypted by affected users.
    • On the client side you can use features such as File History (Windows 8.1) and System Protection previous versions (Windows 7 and Windows Vista) to go back to copies made before you were infected. Be aware that new ransomware variants also encrypt or delete the backup versions of your files. This means that even if you have enabled File History, if the backup location is a network or local drive, your backups might also be encrypted. Backups on a removable drive, or on a drive that wasn't connected when you were infected with the ransomware, might still work.
  • OneDrive - Check this full guidance on How to Deal with Ransomware.
  • Older variants of ransomware used encryption keys that can be recovered. There is a website where you can submit files and check whether they can be decrypted, but new variants can't be decrypted this way: FireEye and Fox-IT tool can help recover Crilock-encrypted files.


How do I protect myself against ransomware?  

  • Regularly back up your important files to another (offline) location. For more details see the section below: Backup is the best strategy against ransomware.
  • Make sure your software is up to date (Microsoft, Java, Adobe). Vulnerabilities present in older versions, or left open by missing updates, are the cause of most ransomware, malware and security incidents. Even with up-to-date antivirus you may still get a recurrence of infection, because ransomware can exploit a vulnerability in unpatched software. Microsoft offers ways to manage and deliver updates automatically, but you also need to check with your software vendors whether there are options to automate their updates.
    ***Note*** There are reports that recently some ransomware has been injected into victims through a zero-day vulnerability in Flash Player:
  • Avoid clicking on links or opening attachments or emails from people you do not know or companies you don't do business with. Additionally, ensure your corporate email does not allow executables, including inside compressed attachment files.
  • Install and use an up-to-date antivirus solution.
    • Check whether your antivirus has additional features such as behavior monitoring, which helps catch additional malware, even new variants that may not be covered by the current signatures. For Microsoft antimalware software, enable MAPS.
  • Use a modern browser such as IE 11, which includes the improved SmartScreen Filter that helps protect you from phishing attacks.


Extra protections against Ransomwares

  • AppLocker - Provides a way to mitigate ransomware by blocking executables that are not signed. Use AppLocker to block executables in common locations ransomware uses, such as:
    • <users profile>\AppData\Local\Temp
    • <users profile>\AppData\Local\Temp\*
    • <users profile>\AppData\Local\Temp\*\*
  • EMET - The Enhanced Mitigation Experience Toolkit (EMET) is a tool that helps customers against cyberattacks by detecting and blocking exploitation techniques commonly used to exploit memory corruption vulnerabilities. More information: The Enhanced Mitigation Experience Toolkit
    ***Note*** It is important to note that EMET helps prevent exploitation, including by unknown exploits. It would prevent the exploit from dropping the Trojan; however, if you double-click on a malicious file yourself, EMET won't help in that situation.
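An added PowerShell example (not from the original article) that turns the AppLocker advice above into a policy: a deny rule for the per-user Temp folder, allow rules for Windows, Program Files and administrators so the rest of the system keeps working, and a Test-AppLockerPolicy check of the decisions before anything is enforced. The rule names, the probe file and the policy file path are assumptions; run it in an elevated shell.

```powershell
# Added example (not part of the original article). In AppLocker path rules a
# trailing "\*" also matches every subfolder, so one rule covers Temp, Temp\*
# and Temp\*\*; deny rules always take precedence over allow rules. An enforced
# Exe collection blocks everything not explicitly allowed, hence the allow rules.
$PolicyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny EXE in user Temp" Description="Common ransomware drop location" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\Temp\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow administrators everything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
# Assumed location for the policy file; any path works.
$PolicyPath = Join-Path $env:TEMP 'ransomware-applocker.xml'
Set-Content -Path $PolicyPath -Value $PolicyXml -Encoding UTF8

# Constructed probe: a copy of notepad.exe placed where a dropper would land,
# so the rule is evaluated against a real PE file in the user's Temp folder.
$ProbeExe = Join-Path $env:LOCALAPPDATA 'Temp\applocker-probe.exe'
Copy-Item "$env:WINDIR\System32\notepad.exe" $ProbeExe

# Expected: the Temp copy is Denied (matching the deny rule), the original in
# System32 is Allowed (matching the Windows folder rule).
Test-AppLockerPolicy -XmlPolicy $PolicyPath -User Everyone -Path $ProbeExe, "$env:WINDIR\System32\notepad.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

Remove-Item $ProbeExe

# When the decisions look right, apply the policy (-Merge keeps existing rules).
# Nothing is enforced unless the Application Identity service is running.
# Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge
# Start-Service AppIDSvc
```

Roll the policy out in AuditOnly mode first (EnforcementMode="AuditOnly") and review the AppLocker event log before switching to Enabled, since the deny rule also blocks legitimate installers that unpack into Temp.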


Backup is the best defense

  • Up-to-date antivirus, a firewall, software updates and process blocking are layers of defense. There is also the human factor of opening untrusted attachments. A classic security principle says that you should always be prepared and assume that you will be affected by a threat. For example, even with all layers of protection in place, plus user awareness, you may still get affected, because security is very dynamic and ransomware builders are very smart, and every day the bad guys try to find new ways to make more victims.
  • You also need to work on a strategy to recover from ransomware. Therefore, the best strategy to defend yourself is to have good backups to recover from this kind of malware. Review the article: Backup the best defense against (Cri)locked files.


Additional References: