Wednesday, March 22, 2017

Ransomware General Guidelines by Microsoft

The goal of this document is to share general actions to put in place against ransomwares from a reactive and preventive perspective. If those actions could avoid certain infections, this document isn’t a full guarantee against all type of ransomware infections. If even after applying those recommendations one of your machine is infected, Microsoft can’t be taken as responsible for it. In addition, this document contains references to third party blogs and tools. Thus it’s your responsibility to use it or not and Microsoft can’t be taken as responsible if any third party tools are breaking anything on your machine or aren’t working as expected.

What to do in case of attack? The first actions:

1. Supply a sample of the ransomware

If the ransomware managed to pass through the anti-malware installed on your machine(s), there’s a high potential it’s not able to detect it. In order to solve this problem, it’s important to supply a sample of the malware to the anti-malware editor to let him check if it’s well detected or not. If it’s not, a definition update will be asked as quickly as possible. Regarding SCEP/Windows Defender, a ticket should be opened with Microsoft Support or the sample could be directly submitted through the public portal:

Don’t submit samples anonymously, please log in with you Microsoft account else the request won’t be prioritized in the queue. This Technet article explains how to submit a sample:

The file which has initiated the ransomware infection should be collected and sent by e-mail to your support contact in a password protected compressed archive using the password "infected" (without quotes and using lowercase). If you have the original e-mail containing the ransomware, please, include it in the compressed archived. It will allow Microsoft Support to check if the ransomware is well detected. If it’s not, a sample will be supplied to the laboratory (MMPC) in order to update definitions and allow the detection of the ransomware.

There’s a double interest doing this action: First of all, the anti-malware will be able to delete the ransomware from your organization once the definitions will be updated. Then, the new definition will be shared with all users of the anti-malware and will avoid others to be infected. It could also avoid other organizations you own to be infected if they’re not located at the same place.

The easiest way to collect a sample is generally to check in the Startup folder

(C:\users\XXXX\appdata\roaming\microsoft\windows\start menu\programs\startup) if a file named XXX.tmp or XXX.exe you don’t know has been created. The ransomware looks to stay active and will generally put itself in the Startup folder to start when the machine starts. Other common locations:

 C:\users\XXXX\appdata\
 C:\users\XXXX\appdata\Local
 C:\users\XXXX\appdata\Local\Temp
 C:\users\XXXX\appdata\Roaming
 HKCU\Software\Microsoft\Windows\CurrentVersion\Run
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Another method using Process Explorer and the Virus Total integration could be used, however the infected machine has to be connected to Internet:

If you can’t identify the infected machine, have a look to the entry N° 5 in this section. In addition, if you can’t identify the malware, the Microsoft Support could send you a tool (WOLF) to collect data on your machine and will help to try to identify the ransomware.

2. Enable the SCEP behavior monitoring and MAPS

Ransomwares continuously modify their shape to avoid being detected by anti-malwares and this could happen several time in the same day. Their goal is to cipher a maximum of data on shares and locally. The mandatory private key to decrypt is sent to the attacker and a ransom is asked to supply the private key. The use of public/private key cryptography makes it infeasible to discover/calculate the decryption key. The behavior monitoring allows to reduce the impact of ransomwares, even without signatures, by blocking a suspect behavior, like programs doing massive encryption.

You’ll find more information on the real-time protection (with the behavior monitoring) by consulting the following links:

- Understanding real-time protection options :         us/library/ff823769.aspx
- Using System Center Endpoint Protection :
- Enhancements to Behavior Monitoring and Network Inspection System in the Microsoft anti-malware platform :

Don’t forget to watch SCCM or the Event Viewer for event logs related to malware detection like the event 1116:

MAPS on its side, allows to enforce the security by providing real-time blocking responses via a cloud service and customers feedbacks.

3. Set the shared folders to Read-Only during the security crisis

It will limits the propagations of the ransomware and will avoid the encryption of additional data. The ShareEnum tools from Sysinternals could help to identify active shares with their security configuration:

Else, you could use the following PowerShell script:

4. Enable the Security Auditing

Enabling the Security Auditing (Success & Failure) on the impacted server(s) could allow to monitor the activity and identify an intrusion vector. For more information on the subject don’t hesitate to consult the following articles:

- What's New in Windows Security Auditing :
- Security Audit Policy Reference :

5. Identify the machine(s) where the infection started and remove it from the network

If you discover a share with several encrypted files and you don’t know the source of the infection, you could try to identify the machine or the user by following those steps:

 Check the owner on several encrypted files and, if possible, on the explanation file generaly created during the encryption (naming examples of this file: Howtodecrypt.TXT/.HTML or READ IF YOU WANT YOUR FILES BACK.HTML/.TXT). To do so:
         o Right click on the file and select "Properties"
         o Select the "Security" tab
         o In the "Security" tab, click on "Advanced"
         o At the top of the window you should see the owner

From our experience, when a ransomware encrypts a file hosted on Windows, the file owner is modified to match the identity who executed the ransomware and did the encryption.

If it’s not possible to match the user with a specific machine, go on the server hosting the share and compare the encryption time with the logon entries for the user in the Security Event Log (it should be a logon type 3 – Network Logon). You should be able to correlate the logon for the user, the encryption time and thus the machine name.

If you don’t have access to this kind of data (for example with a NAS scenario) you could analyse the logon audit on a Domain Controller and realise the same comparison operation.

It’s also feasible to do port mirroring if the share is connected to a switch and/or collect a network trace to identify the source IP for the encryption. The following blog article explains how to filter the network trace to identify it:

Once you’ve configured the filtering rule for example like ((ex : smb.file contains "frtrss") and (smb.create.action == 2)), the recommendation is to do a quick test to confirm it’s working as expected. Just create a file on the share with the extension used for the encryption (with a CMD, for the frtrss extension it gives: echo test.frtrss >\\server\share\test.frtrss). If you’re using Wireshark, result should be similar to this:

The article provides other methods with Procmon for example.
If the encryption goes on, you could also use the MMC.exe and load the "Shared Folders" to identify users and machines with an opened connection to your share(s):

To go further: Reduce the impact of an attack and prevent the next ones:

1. Educate users:
Users are the first factor of infections in a company. Thus it’s essential to ensure users have the right level of knowledge to NEVER click on an e-mail attachment or a suspicious link even if it comes from a known source (colleague, family, friend…) because some ransomwares versions propagate themselves by e-mail, using the infected machine as a relay, with the infected user as sender. Furthermore, a familiar icon isn’t a guarantee of safety (Office document, PDF, folder…) as some ransomwares use those icons to dupe the user vigilance.
In addition, if an e-mail attachment asks for the execution of an application, users should NEVER accept the execution. If a user has any doubt, he has to take the habit to contact the competent IT service. It will allow you to check in a sandboxed environment the validity of the e-mail attachment or to check the link reputation:

2. Scan with Microsoft Security Essentials
If the Microsoft anti-virus detects the ransomware, you could install the "Microsoft Security Essentials" tool on every client machines to run a full scan and detect/remove the ransomware. For more information, you could consult the following link:
If you want to check the last available signatures you can visit the following link:

3. Check backup availability
As the decryption key isn’t findable, the best way to get your files back is to restore them from a backup system like Shadow Volume Copy or System Restore if they’re enabled or by using the Previous versions of files or Restore files or folders using File History (Windows 8.1). The best is to put in place an Offline Backup System disconnected from the network to avoid getting the backup infected by the ransomware. This article very well describes the principles:

4. Update machines and softwares
It’s extremely important to keep your OS updated with the last security updates and to check if all your machines have been updated to avoid an attack using a known and fixed security issue. Microsoft (Office, …) and non-Microsoft (JAVA, Adobe, …) software have to be updated too. Actually, JAVA and Adobe represent 90% of the intrusion vectors.
Check the SIR (security Intelligence Report) for more information about intrusion vectors:

5. Avoid letting Local Administrative right to users
It’s highly recommended to not let users as a Local Administrator of their machine. It will limit their possibility of intrusion because some specific actions won’t be allowed. In addition, any intrusion on their session will take the control of the machine and could compromised the integrity of the Active Directory.

6. Avoid the use of accounts with the Domain Administration right
The use of accounts which are able to administrate the domain should be reduce to the minimum as long as you’re not sure the system is no more compromised. If one of the domain admin account is compromised, it’s easy to imagine the consequences. Don’t hesitate to dress a list of the accounts which have the right to administrate the domain and change all the passwords once the attack is over.

7. Pay attention to the propagation
Share, e-mail,… a ransomware could use various ways to propagate itself. Limit the use of shares with write permissions and enforce the security on e-mail attachment is a very good best practice to limit infections possibilities.

8. Manage macros in Office
Many infections are coming from Office documents received by e-mail containing malicious macros. Handling macros management is a good idea to prevent users from executing macros without thinking twice about it. First of all you need to disable the automatic execution of macros:

It’s a first step to avoid being automatically infected once you’ve opened the Office document containing the malicious macro. However it doesn’t prevent the user of clicking on "Enable" to execute the macro once the document is opened. Thus, you should put in place a Trusted Location for macros. A user will be able to execute macros only from this configured path:

It could seems useless, but a user is generally tempted to click on every warnings until the macro is executed. This will prevent a user to execute the macro without moving the file to a specific location which should mean the user knows he wants to execute a macro and knows why he needs to move the file to a Trusted Location. It will help to enforce user education and thus a user may think twice before executing a macro contained in an untrusted Office document.

In addition, Office 2016 is offering a better protection against malicious macros which is configurable through GPO:

9. Enable "File Screening Management" if you use File Server

"File Screening Management" allows to protect your files and shared folders by preventing, in function of specific rules defined by yourself, the creation of files with the mentioned extension and allows to receive an alert if someone tries to create a file with a not allowed extension. For example, it’s possible to block the creation of files with the extension *.encrypted or any other extensions used to encrypt your data. You could also prevent the creation of anything except extensions listed in your whitelist. The following links should help you to configure this feature:

- File Screening Management :
- The basics of Windows Server 2008 FSRM (File Server Resource Manager) :
- CryptoLocker – File Screens :

10. Enable AppLocker (or SRP Software Restriction Policy on XP)

It’s one of the most efficient protection against ransomware with the URL filtering and compressed file filtering containing executables at proxy level and messaging level. This tool allow to block or explicitly authorize the execution of particular programs in function of various criteria as collections (a set of extensions), file versions, signatures, paths… and this for specific users/groups. Those two articles should help to configure it (don’t forget to check the Configured check box:

- Free, almost perfect, malware protection with GPO App Locker :
- Stopping CryptoLocker and other ransomware :

In addition, here are the CryptoLocker and some other malwares most used paths/extensions:
%OSDRIVE%\Users\*\AppData\*\*.tmp %temp%\*.tmp %OSDRIVE%\Users\*\AppData\Local\Temp\*.exe
%OSDRIVE%\Users\*\AppData\*\*.exe %temp%\*.exe

The biggest disadvantage with this tool is it could block legitimate applications to run. However, it’s possible to configure exception rules to avoid compatibility issues:

11. Implement Strong Filtering in Office 365

Lots of malwares use automatic execution to install and propagate themselves. It’s then recommended to configure an Exchange Transport Rule to block or mark e-mails containing executable content. The engine is based on extensions list and content scanning to determine if a file is an executable or not. I invite you to consult the following link detailing the procedure and giving additional information:

This is based on EOP (Exchange Online Protection). You’ll find below three articles bringing precisions on EOP:

- Exchange Online Protection overview:
- Best Practices for configuring EOP:
- Configure content filter policies:
- Using transport rules to inspect message attachments: (generic explanations available here

12. Exchange Online Advanced Threat Protection

This Exchange Online Protection feature allows to execute attachments with unknown signatures into a sandboxed environment to determine if this is safe or not:

13. Put in place filtering rules at the messaging transport server level

This action is similar to the step N° 11 but for your internal servers. It will allow to filter e-mail attachments with zip files containing executables for example.

14. Put in place URL Filtering

You could also put in place URL filtering on your proxy servers (For example on TMG: This action is your first line of defence.

15. Enable PUA (Potential Unwanted Application) in SCEP

PUA are a type of application that could increase the risk of malware infection. This article brings all the needed information on this feature:
An important note: when enabling this option it will only catch incoming PUA, not the one already installed.

As a complement, here are some useful links which give additional advices:
On ransomwares:
- Help prevent malware infection on your PC:
- Ransomware :
- The dangers of opening suspicious emails: Crowti ransomware:
- Ransomware: Ways to Protect Yourself & Your Business:
- How can I prevent encryption viruses such as 'Cryptolocker' and 'Cryptowall'?:


- URL Filtering:
- Content Filtering:
- Capacity Planning:

Useful Tools to know:

- FireEye and Fox-IT tool can help recover Crilock-encrypted files (Uses known keys collected during the police operation takedown of a Zeus/Gameover CnC server to try to decrypt your data)
- (Uses known keys to try to decrypt your data)
- (Tool that could decrypt data encrypted by a variant of CryptoLocker named TeslaCrypt)
- ShadowExplorer (Browse Shadow Copies)
- Recuva (Recovery tool for deleted data)
- Kaspersky RakhniDecryptor to decrypt ransomware:
- TeslaDecoder:\

Source: Microsoft


Post a Comment