Ransomware Protection

Discussion in 'polls' started by emmjay, Dec 21, 2015.


How do you combat ransomware?

  1. I rely on my existing install base (AV, AM and Anti-exploit products)

    57 vote(s)
    53.3%
  2. I rely on HIPs

    11 vote(s)
    10.3%
  3. CryptoPrevent

    11 vote(s)
    10.3%
  4. Ruiware WAR

    3 vote(s)
    2.8%
  5. TrendMicro AR prevention

    1 vote(s)
    0.9%
  6. HitmanPro AR prevention

    23 vote(s)
    21.5%
  7. CryptoMonitor

    0 vote(s)
    0.0%
  8. Other

    44 vote(s)
    41.1%
Multiple votes are allowed.
  1. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    882
    Location:
    Triassic
    Do you use a specific anti-ransomware software product ?

    Ransomware is a type of malware that prevents or limits users from accessing their system. This type of malware forces its victims to pay the ransom through certain online payment methods in order to grant access to their systems, or to get their data back. Some ransomware encrypts files (called Cryptolocker). Other ransomware use TOR to hide C&C communications (called CTB Locker).

    or do you rely on your current install base for protection ?
     
  2. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    239
    (1) I rely on my AV.
    (2) I rely on HMP.A.
    (3) Other: backup, backup, backup
     
  3. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    I use CryptoPrevent and HitmanPro.Alert (which specifically has a file encryption blocking feature called CryptoGuard). By the way, what do you mean by "current install base"?
     
  4. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    784
    Location:
    UK
    Zemana anti malware, Voodooshield, MBAE, Software restriction policies.
     
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,631
    Location:
    Toronto, Canada
    I would say a combination between anti-executable/application whitelisting and anti-exploit protection along with LUA.
     
  6. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    665
    Just Sandboxie. Infections through the browser are my main concern. Use MBAE for Outlook. Also AX64 for my backup.
     
  7. Nutty Kutchie

    Nutty Kutchie Registered Member

    Joined:
    Apr 10, 2015
    Posts:
    68
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,046
    Looks interesting, but not sure it's essential if you have other protection
     
  9. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    882
    Location:
    Triassic
    'Current install base' meaning your selection of security products you have installed. Some products that you may already have installed say they cover certain types of ransomware intrusions. For instance, EMET and MBAE if you have them installed. Also MBAM has a feature to block malicious web sites which can add a layer of protection. AVs make claims that they can detect certain types of ransomware.
     
  10. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    396
    Location:
    Event Horizon
    Appguard with "Deny write access to data partition"
     
  11. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    By using NoScript and Sandboxie, I believe there's no need for me to use anything specifically designed to protect against that kind of malware.

    Bo
     
  12. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    1,765
    Location:
    Mexico
    I pretend to "combat" it using the config found in my signature. However, my real combat is "passive defense", so to speak. I'd rather use SecureFolders to lock a USB stick with my important sensitive data to make it impenetrable, and if by any chance my security config doesn't prevent running a very advanced cryptomalware, I reboot my machine and Shadow Defender gets rid of the cryptomalware while the data on my external USB stick is still all well.

    Edit: I forgot to mention I lock that USB stick permanently. In fact it is a mirror of the original folder placed on the desktop. All changes are made to that folder on the desktop (it is still susceptible to a cryptomalware attack). At the end of the day/night I make sure one txt file is still fine, i.e., non-encrypted, then I unlock the USB stick with SecureFolders and fire up SyncBackFree (mirror mode) to back up all data onto that stick (in my case it only takes 1-2 minutes to scan changes), then I wait until the Dropbox and Jottacloud clients finish uploading everything to the cloud, and finally lock the stick up once again.

    Any criticism is very welcome.
     
    Last edited: Dec 21, 2015
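The routine above (check a known text file is still readable, then mirror to the normally locked USB stick) is a ransomware "canary" check in front of a backup. The script below is an added example, not code from the thread or from SecureFolders/SyncBackFree: it records a SHA-256 baseline for canary files, refuses to run the mirror if any canary has changed or vanished, and otherwise does a mirror-mode sync (copy new/changed files, delete files that no longer exist in the source). The directory names, canary contents and the `demo()` scenario are constructed for illustration.

```python
"""Added example: guard a mirror backup with ransomware canary files.

Assumptions (not from the forum post): canary files have a known SHA-256
recorded while the system was clean, and the destination is a folder that
is only unlocked/mounted for the duration of the backup.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large canaries don't load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tampered_canaries(source: Path, baseline: dict[str, str]) -> list[str]:
    """Return the canary paths whose hash no longer matches the baseline.
    A missing or renamed canary counts as tampered: many encrypting families
    rename files as they process them."""
    bad = []
    for rel, expected in baseline.items():
        p = source / rel
        if not p.is_file() or sha256_of(p) != expected:
            bad.append(rel)
    return bad


def mirror(source: Path, dest: Path) -> tuple[int, int]:
    """Mirror-mode sync: copy new/changed files into dest, then delete entries
    in dest that no longer exist in source. Returns (copied, deleted)."""
    copied = deleted = 0
    for src in source.rglob("*"):
        dst = dest / src.relative_to(source)
        if src.is_dir():
            dst.mkdir(parents=True, exist_ok=True)
            continue
        changed = (not dst.exists()
                   or dst.stat().st_size != src.stat().st_size
                   or dst.stat().st_mtime < src.stat().st_mtime)
        if changed:
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)  # copy2 keeps the source mtime
            copied += 1
    # Reverse sort so children are removed before their parent directories.
    for dst in sorted(dest.rglob("*"), reverse=True):
        if not (source / dst.relative_to(dest)).exists():
            dst.rmdir() if dst.is_dir() else dst.unlink()
            deleted += 1
    return copied, deleted


def guarded_backup(source: Path, dest: Path, baseline: dict[str, str]) -> dict:
    """Mirror only when every canary is intact, so an encrypted working copy
    never overwrites the offline copy. The caller unlocks dest before and
    locks it again after this returns."""
    bad = tampered_canaries(source, baseline)
    if bad:
        return {"ran": False, "tampered": bad}
    copied, deleted = mirror(source, dest)
    return {"ran": True, "copied": copied, "deleted": deleted}


def demo() -> tuple[dict, dict]:
    """Constructed scenario: a clean run, then a run after the canary has been
    overwritten with random bytes the way an encrypting process would."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "work", Path(tmp) / "usb"
        src.mkdir()
        dst.mkdir()
        (src / "canary.txt").write_text("do not edit - ransomware canary\n")
        (src / "notes.txt").write_text("real data\n")
        baseline = {"canary.txt": sha256_of(src / "canary.txt")}
        clean = guarded_backup(src, dst, baseline)
        (src / "canary.txt").write_bytes(os.urandom(32))  # simulated encryption
        blocked = guarded_backup(src, dst, baseline)
        return clean, blocked


if __name__ == "__main__":
    print(demo())
```

Run it and the first result reports two files copied; the second refuses to run and names `canary.txt`, leaving the previous good copy on the destination untouched. Placing several canaries in different folders (first and last in sort order, since many families walk directories alphabetically) makes the check harder to miss.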
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,067
    Backup + SRP + UAC + common sense.
     
    Last edited: Dec 21, 2015
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,950
    Location:
    USA
    Below is a new one called WinAntiRansom by the makers of WinPatrol. It works really well. It protected against a few that got by HMPA, and CryptoPrevent. CruelSister tested it against the nastiest Crypto-Malware available. https://www.youtube.com/watch?v=q2h7SfpVHj8

    https://www.winpatrol.com/winantiransom/

    Edited: Be advised it's currently not compatible with XP.
     
    Last edited: Dec 21, 2015
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,950
    Location:
    USA
    I rely on AppGuard, Bouncer, and ERP. I don't have all 3 of them installed together, but those are the applications I rely on at the moment. I may give WinAntiRansom by WinPatrol a try soon. It was just released, and it's already doing amazing.
     
  16. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    1,765
    Location:
    Mexico
    I believe sooner or later a very advanced form of ransomware could penetrate any security barriers, but the key is to put a 10-inch-thick steel wall between the computer and a single point of entry to your sensitive data, done by a robust, powerful, impenetrable mini-filter driver.
    The machine files can be infected, altered, tampered with, you name it; a drive image restore puts your machine back up in minutes.
     
  17. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    I don't have anything specific for ransomware. After reading about it a bit, I did an inventory of what data I had that could conceivably be worth a ransom. It was all on one computer, consisting of mostly Word and PDF files I'd written and some photos. The total was 22 GB, of which maybe a few MB hadn't been backed up in cold storage already. As it was, not much. The amount of data was small enough that I just moved it all onto an NTFS-formatted 32 GB SD card which is not inserted in the computer when I'm not working with that data. Backup was reduced to simple imaging of the SD card.

    My systems are locked down enough and the software on them so vetted that even that precaution is probably not necessary but it is simple and procedural, and costs nothing.
     
  18. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,485
    Location:
    Poland - Cracow
    Voted "HIPS" and "Other" - I'm using SpyShelter with active option "User defined protected files" (the list of my own monitored folders).
     
  19. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    I don't have anything in my data that is very important, but for the sake of the argument data backup, OS backup, AV, and Sandboxie with restrictions should make it hard to start such a process...
     
  20. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    2,875
    Location:
    Australia
    4. Keep that backup disconnected when not in use.
     
  21. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    239
    Good point, Krusty13. I always keep my backups disconnected from my computer.
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Same over here, I rely on SS, but the plan is to also add a specialized behavior monitor like the one in HMPA for example. Of course Sandboxie can also be used to safely run apps virtualized, with no write access to the real file system.
     
  23. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    882
    Location:
    Triassic
    Ransomware will most likely evolve its methods of propagation, encryption, and target types. The most obvious new targets being cloud based storage solutions and IoT devices. Users will have to protect their stored credentials so as not to get locked out.
     
  24. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,134
    Location:
    USA
    I voted for CryptoPrevent and Other. CP is my main defense against RW, but my other security (in my sig) will also help prevent such attacks.
     
  25. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I voted "Other."

    I'm careful about clicking.

    This article has a nice summary:
    http://www.mcafee.com/us/resources/solution-briefs/sb-quarterly-threat-q1-2015-2.pdf

    Another method is Malvertising. Browser configuration is important to combat malvertising. I found these in my notes:
    • The way the malvertising works is that the first redirect, written in Javascript and protected with SSL, does not load an ad image but instead sends the site visitor to a completely different website. There, a second redirect, also using SSL, takes the reader to yet another destination. Finally, a third redirect, this one using the standard 302 HTTP redirect but also with SSL, goes to the site with the actual malicious download.
    • The infection is through exploit kits that use vulnerabilities on your computer to install this Trojan without your permission or knowledge.
    • You must be running the software or the browser that the exploit targets, he said.
    • Or the user may not have plug-ins enabled globally, meaning that upon being redirected to the attacker's (not trusted) site, the exploit would fail to start.
    • The threat may also be downloaded manually by tricking the user into thinking they are installing a useful piece of software, for instance a bogus update for Adobe Flash Player or another piece of software.
    ----
    rich
     